Netscreen 25 DMZ zone

Status
Not open for further replies.

bdoub1eu

IS-IT--Management
Dec 10, 2003
440
US
I am new to the netscreen devices, so forgive me if this is a simple problem to solve.

We have a netscreen 25 and I'm trying to configure the DMZ zone. The trusted and untrusted are already configured, but we had the DMZ open. We are using the 10.3.x.x subnet and the trusted is 10.3.110.x. I want to make the DMZ probably 10.3.111.x. My question is how do I setup the netscreen? I assume I will have to:

1. Create the DMZ zone
2. Create policies from the untrust to the DMZ
3. Create policies from the DMZ to trust
4. On other netscreen with policies already configured to the trusted side, create policies from those netscreens to the DMZ

Is this right? I know it sounds kinda easy, but again, I'm new to this and wanted a little direction...If I have an idea of what to do, I think I can figure it out...Thanks for all your help!!!
 
Hey,

I configured our NS 25 with a DMZ subnet that has a public IP range. This provides us with some flexibility, but it is not required. What is the subnet you're using on the Trust zone? You want to make sure that you assign another subnet for the DMZ.

Let me know.

Rgds,

John Judge
 
The trusted side is using 10.3.110.x/24 and the untrusted side is public...

We wanted something that wasn't on our network, but wasn't public either...Thought the DMZ would be good...We're planning on putting an antivirus/spam server for email in the DMZ...That way we can set policies on traffic between the gateway and our exchange server to keep viruses out since it is the first line of defense "so to speak."
 
Hey,

I would go with 10.10.110.x/26. This gives you 62 hosts for your DMZ in the range 10.10.110.1-62. Do you have access to the WEBUI? If not, you can connect to the Netscreen and build the DMZ and policies that way. Let me know and I can give you a hand with the config. We use a Netscreen Global Pro to push down the configs, but I have access to several NS's to test via WEBUI or CLI for you.


Rgds,

John Judge
 
John, thanks for the response! It's hard to get Netscreen support these days...Here's what I've done:

We have two sites...Let's say site 1 and site 2 that already are connected using VPN. So the policies are already in place. I'm just trying to create the DMZ network on Site 1 to bring into the picture.

Site 1 has a Netscreen 25 with the open DMZ port that I'm referring to. The trusted was 10.3.110.1 and the management IP as 10.3.110.2. I created the DMZ Interface to be 10.3.111.1 and the management IP to be 10.3.111.2. I also created the object list for the DMZ network.

Site 2 has a Netscreen 5xt and only has a trust and untrust interface.

At site 1 (Netscreen 25), I created a policy from the trust to DMZ and DMZ to trust. Since I'm going out to the internet over the trusted port, I have to create a policy for traffic to pass from the untrusted to the trusted to the DMZ and vice versa.

I want the DMZ to connect to site 2, so I created the policy for DMZ to untrust and untrust to DMZ on the Netscreen 25 (site 1) using the same p1 and p2 that already connected these sites.

At site 2 (Netscreen 5xt) I create the DMZ object list of 10.3.111.x and create a policy for trust to untrust for the DMZ object list of site 1, again, using the same p1 and p2 that the sites were using to connect.

So I think that will work...I have yet to test it...I don't think I can until I actually plug something into the DMZ port to make it active...

My only question is about routing...Since site 2 will connect to site 1 (DMZ) using the untrusted, through the trusted to the DMZ, I'm not sure about the routing and how traffic will know how to get to the DMZ network over the trusted...

I know this is a bit confusing...Thanks for taking the time to look into this with me!
 
Hey,

That looks good. Make sure of the following:

- Ethernet2 on the NS 25 (DMZ) is set to the trust-vr VR
- Your untrust-vr (ethernet) should have two (2) routes:
+ 0.0.0.0/0 Next Hop = Internet Gateway
+ 10.3.111.0/24 Next Hop = trust-vr
Note: One other "Connected" (C) will already exist (Ethernet 3 Int)
- Your DMZ subnet is defined as a "trusted resource" allowing the NS5 to route via the VPN
- Bi-directional policies

Do you have a VPN between the two?

Let me know.




Rgds,

John
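The checklist above (DMZ interface in trust-vr, the inter-VR route, tunnel policies, bidirectional policies) written out as ScreenOS CLI, as an added illustration that is not part of John's or bdoub1eu's posts. Everything not stated in the thread is an assumption and can be substituted: ethernet2 is the DMZ port and ethernet3 the untrust port, the existing site-to-site VPN is named "site1-site2", site 2's LAN is 10.3.120.0/24, the Exchange server is 10.3.110.25, the mail gateway in the DMZ is 10.3.111.10, its public address is 203.0.113.10, and policy IDs 10-15 are unused. Lines beginning with "#" are annotations for readability, not ScreenOS commands.

```text
# ---- Site 1, Netscreen 25 ----

# 1. Bind the spare port to the DMZ zone and address it on the new subnet.
set interface ethernet2 zone dmz
set interface ethernet2 ip 10.3.111.1/24
set interface ethernet2 manage-ip 10.3.111.2
# The DMZ zone (and so ethernet2) must be routed by trust-vr.
set zone dmz vrouter trust-vr

# 2. Address objects for the local subnets, the hosts, and the remote site.
set address trust "trust-net" 10.3.110.0 255.255.255.0
set address trust "exchange-srv" 10.3.110.25 255.255.255.255
set address dmz "dmz-net" 10.3.111.0 255.255.255.0
set address dmz "mail-gw" 10.3.111.10 255.255.255.255
set address untrust "site2-net" 10.3.120.0 255.255.255.0

# 3. Only needed when the untrust interface lives in untrust-vr, as in John's
#    setup: give untrust-vr a return route to the DMZ subnet via trust-vr.
#    The existing 0.0.0.0/0 -> Internet gateway route stays as it is.
set vrouter untrust-vr
set route 10.3.111.0/24 vrouter trust-vr
exit

# 4. Bidirectional Trust <-> DMZ. Scope the DMZ -> Trust direction to what the
#    mail gateway actually needs (SMTP to Exchange) instead of ANY, so a
#    compromised gateway cannot roam the LAN.
set policy id 10 from trust to dmz "trust-net" "dmz-net" "ANY" permit log
set policy id 11 from dmz to trust "mail-gw" "exchange-srv" "SMTP" permit log

# 5. Inbound Internet mail to the gateway: a MIP on the untrust interface maps
#    the public address to the DMZ host, and the policy references that MIP.
set interface ethernet3 mip 203.0.113.10 host 10.3.111.10 netmask 255.255.255.255 vr trust-vr
set policy id 12 from untrust to dmz "Any" "MIP(203.0.113.10)" "SMTP" permit log
set policy id 13 from dmz to untrust "mail-gw" "Any" "SMTP" permit log

# 6. Tunnel policies so site 2 reaches the DMZ through the existing VPN.
set policy id 14 from dmz to untrust "dmz-net" "site2-net" "ANY" tunnel vpn "site1-site2" log
set policy id 15 from untrust to dmz "site2-net" "dmz-net" "ANY" tunnel vpn "site1-site2" pair-policy 14 log
save

# ---- Site 2, Netscreen 5XT (same VPN, only trust/untrust zones) ----
set address trust "site2-net" 10.3.120.0 255.255.255.0
set address untrust "site1-dmz" 10.3.111.0 255.255.255.0
set policy id 14 from trust to untrust "site2-net" "site1-dmz" "ANY" tunnel vpn "site1-site2" log
set policy id 15 from untrust to trust "site1-dmz" "site2-net" "ANY" tunnel vpn "site1-site2" pair-policy 14 log
save
```

To check the routing question from the post above before plugging anything in, `get route ip 10.3.111.10` on the NS 25 shows which virtual router and interface the box would use for a DMZ host, `get policy` shows the order the policies will be matched in, and `get log traffic` shows whether a test flow hit the tunnel policy or fell through to a deny. On a box that was never split into two virtual routers, step 3 is unnecessary because every interface already shares trust-vr.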
 
John, thanks for the info!

Yes, right now, the VPN is already setup from site 1 (trust) to site 2 (trust). Now I'm just trying to configure the DMZ in site 1 to allow connectivity from site 2.

 
Hey,

Sounds good. The route should utilize the default route and the policy and VPN will encrypt the traffic and route to the DMZ at your other site.

Let me know if you run into any trouble.



Rgds,

John
 
Thanks for the info John! I really appreciate it! You sound like you know quite a bit about these devices...If you get a second, I'm having some trouble with a 5xp in another thread on this netscreen forum. It's called "transparent mode."

I'm trying to setup the 5xp to simply prompt for a username and password before it lets traffic pass. I wanted to put one in between a dial up device and our switch. This way, when someone dials in, they get prompted for a user name and password before they get on our network...I know it sounds crazy, but I didn't put it together in the first place. I inherited it...
 
No problem. I like helping. I only work with NS 25's, but the OS is really the same. Just some features are either added or left out.

What is the dialup device in use? RAS, Shiva, Router? Or do you have a modem connected to the Firewall?

Let me know.

Rgds,

John
 
John, thanks for responding so quickly...

I pretty much have it working...The dialup device is called an Ascend. It has 10 open ports and the voice T1 connects directly to the Ascend device and the Ascend therefore connects directly to our internal switch (it basically is a straight connection into our network because it bypasses our Netscreen 25).

I figured we could put a 5xp and make some sort of policy to prompt the user that is dialing in for a password to get through the firewall and into the switch. I think I actually have it working...Unfortunately, the only authentication methods are telnet, HTTP and FTP. So basically users have to 1. Dial in to the Ascend device 2. Open up a web browser (HTTP) that points them to something on the trusted side (they get prompted for a user name and password) and once they authenticate through the 5xp, they can connect through their email and so forth. Are those three protocols the only ones that can be used for authentication? It would be nice if the user dialed in and automatically got prompted for a username and password without having to pass one of those protocols over the netscreen. Any ideas? It's not the ideal situation, but it's better than having an open connection to our network.
 
Hello,
We use the Netscreen VPN client and external iNotes Access (like Exchange Web Access). The VPN client allows for full access to LAN resources over the internet, and the external iNotes access allows users to connect to web-based email from any Internet-connected machine. We added "XAuth" to both solutions via RSA (SecurID), which forces users to authenticate to the network via an RSA passcode (4-digit PIN + 6-digit constantly changing code on a token). This is a secure method, but there are alternatives.

Why do you need dialup? Could you just allow your users to come in via a web browser or VPN client?

Let me know.

Rgds,

John
 
John, well we do have the netscreen remote client but I haven't been able to spend a lot of time on it...The majority of our users just dial in from a hotel and access their email and that's it! We actually want both...The netscreen client for hotels that have broadband connections and a method of dialup for those that can only use a phone line.

I don't think there's any way around the dial up issue. If the 5xp only uses those protocols to authenticate, then users will have to dial in and then open up a web prompt of something on the trusted side to be prompted for a user name and password. Speaking of the remote client, how's that working for you? What kind of authentication are you using? I was trying to use the preshared key and I can't get that to work either! These netscreens just don't like me, I think :) Didn't mean to jump from one subject to the next, but since you know a lot about these things....
 
John, couple of questions on the Netscreen 25 DMZ...

Ethernet2 on the NS 25 (DMZ) is set to the trust-vr VR? Do you mean in the object list for the DMZ zone to change that from DMZ to trust?

- Your untrust-vr (ethernet) should have two (2) routes:
+ 0.0.0.0/0 Next Hop = Internet Gateway
+ 10.3.111.0/24 Next Hop = trust-vr
The 0.0.0.0/0 Next Hop = Internet Gateway was already there...I added the 10.3.111.0/24 route.

Your DMZ subnet is defined as a "trusted resource" allowing the NS5 to route via the VPN???? What does this mean and where do I apply this? I already setup a bi-directional policy between trust and DMZ. Is that what you meant?

Thanks again John!



 
Hey,

You can leave Ethernet2 in the DMZ Zone. I was referring to the routing (VR). I apologize if my "Global Pro" terminology crosses over to our discussion. If you have the GW defined under VPN and the policy is configured correctly, it should work. Does it?

Regarding NS Remote, it works well for us, but was buggy getting started. Our users were used to the FW-1 client, but when we migrated over from FW-1, we had to install new VPN clients. We authenticate using "XAuth" with an RSA server. You could use a user group and create your users with passwords locally, then configure the VPN tunnel and policy with that group.

Hope this helps.

Rgds,

John
 
John, got another question for you...We are adding a server for web monitoring...Basically a proxy server, but we have 5 sites, all using Netscreen 25's or 5xt's. The proxy server will be at one of these sites, but how do we lock down the other sites to forward all internet surfing to go through the proxy server? And we basically want to make it impossible for users to go surf the internet without actually going through the proxy first...Any ideas about the policies that will allow this? As always, thanks for your help!
 
Hey,

Where are you physically placing the proxy? Inside, outside, DMZ? Do all the sites have a VPN connection into the proxy site?

I guess you could keep the Proxy on the inside of your Network, point the Proxy clients to the internal address of the Proxy machine, verify that the VPN is working, deny PCs WEB to the untrusted side at non-proxy sites, and test the web pass through via the proxy log.

Never have done this before, but that is what I would try. What do you think?

Rgds,

John
 
John, this server is actually inside our network on the trusted port of the netscreen to which I was adding the DMZ network. Yes, all other sites already have VPN to this server on the trusted side. So, yes, I can point all the client machines to that proxy, but users can easily go in and change their proxy settings so instead of going through the proxy, they can just bypass it and go straight out to the internet.
 
Ah, I see. I guess you could then permit 80 to the Proxy machine only. That way if they remove the proxy settings, they will lose the internet connection.

Rgds,

John
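John's "permit 80 to the proxy machine only" as ScreenOS CLI, added here as an illustration rather than taken from the thread. Rather than editing the existing ANY ANY policy, the narrower rules go above it, because ScreenOS evaluates policies top-down and stops at the first match, and newly created policies are appended at the bottom where the catch-all would shadow them. Assumed, and not from the posts: the proxy is 10.3.110.50 on the trust side of the site 1 NS 25, the existing Trust to Untrust "Any Any ANY permit" policy is id 1 at every site, the tunnel policy that carries traffic to site 1 at each remote site sits above id 1 (it has to, or the VPN would not be working), and IDs 20-31 are free. HTTPS is included alongside port 80 as a generalization beyond the thread, since a user who bypasses the proxy can surf over 443 just as easily. "#" lines are annotations, not commands.

```text
# ---- Site 1, Netscreen 25 (the site that hosts the proxy) ----
set address trust "proxy-srv" 10.3.110.50 255.255.255.255

# Only the proxy may speak web to the Internet...
set policy id 20 from trust to untrust "proxy-srv" "Any" "HTTP" permit log
set policy id 21 from trust to untrust "proxy-srv" "Any" "HTTPS" permit log
# ...everyone else is explicitly denied web, and logged, so bypass attempts
# (users who cleared their browser proxy settings) show up in the traffic log.
set policy id 22 from trust to untrust "Any" "Any" "HTTP" deny log
set policy id 23 from trust to untrust "Any" "Any" "HTTPS" deny log

# Each move inserts the policy immediately before id 1, so the final order is
# 20, 21, 22, 23, 1: proxy permits, then the denies, then the old catch-all.
set policy move 20 before 1
set policy move 21 before 1
set policy move 22 before 1
set policy move 23 before 1
save

# ---- Each non-proxy site, Netscreen 5XT ----
# Proxy-bound traffic matches the existing tunnel policy to site 1 first and
# never reaches these denies; direct web to the Internet does and is dropped.
set policy id 30 from trust to untrust "Any" "Any" "HTTP" deny log
set policy id 31 from trust to untrust "Any" "Any" "HTTPS" deny log
set policy move 30 before 1
set policy move 31 before 1
save
```

After saving, `get policy` on each box should list the deny entries below any tunnel policies and above the ANY ANY permit; if the catch-all still appears first, the denies are dead rules. The proxy itself still needs whatever other outbound services it uses (for example FTP if the proxy handles FTP URLs), which would get their own narrow permits for "proxy-srv" in the same position.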
 
Dude! You're the man! I'm gonna hire you as a consultant!

What would I have to do to make that change? Modify the ANY ANY policy that allows them to surf?
 