Allowing connections initiated from outside
- by Mark S. Rasmussen
I've got an old Juniper SSG5 running ScreenOS 5.4.0r6.0. Once a day, more or less, it'll start randomly dropping packets at a rate of ~5-10%. We currently solve this issue by simply rebooting the unit, after which it resumes working in perfect condition.
As this error has started appearing randomly, without any configuration or hardware changes, I'm assuming I've got an aging unit about to fail. As such, I've got a replacement SSG5 running ScreenOS 6.0. I've dumped the config on the 5.4 and imported it into a clean 6.0, and it seems to gladly accept it, and all my configuration seems to be A-OK.
However, upon connecting the new unit, all outside-initiated connections seem to be blocked. If I browse our external IP from the inside, everything works perfectly, and it's not just port 80, SSH, Crashplan - all of our policies route correctly. All normal networking, initiated from the inside, work perfectly as well. If on the other hand I browse our external IP from the outside, everything is blocked. Barring differences between ScreenOS 5.4 and 6.0, the config is identical.
Is there a setting somewhere that defines whether outside/inside initiated connections are allowed?
unset key protection enable
set clock timezone 1
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set service "MyVOIP_UDP4569" protocol udp src-port 0-65535 dst-port 4569-4569
set service "MyVOIP_TCP22" protocol tcp src-port 0-65535 dst-port 22-22
set service "MyRDP" protocol tcp src-port 0-65535 dst-port 3389-3389
set service "MyRsync" protocol tcp src-port 0-65535 dst-port 873-873
set service "NZ_FTP" protocol tcp src-port 0-65535 dst-port 40000-41000
set service "NZ_FTP" + tcp src-port 0-65535 dst-port 21-21
set service "PPTP-VPN" protocol 47 src-port 2048-2048 dst-port 2048-2048
set service "PPTP-VPN" + tcp src-port 1024-65535 dst-port 1723-1723
set service "NZ_FMS_1935" protocol tcp src-port 0-65535 dst-port 1935-1935
set service "NZ_FMS_1935" + udp src-port 0-65535 dst-port 1935-1935
set service "NZ_FMS_8080" protocol tcp src-port 0-65535 dst-port 8080-8080
set service "CrashPlan Server" protocol tcp src-port 0-65535 dst-port 4280-4280
set service "CrashPlan Console" protocol tcp src-port 0-65535 dst-port 4282-4282
unset alg sip enable
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "XXX"
set admin auth web timeout 10
set admin auth dial-in timeout 3
set admin auth server "Local"
set admin format dos
set vip multi-port
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
unset zone "V1-Trust" tcp-rst
unset zone "V1-Untrust" tcp-rst
set zone "DMZ" tcp-rst
unset zone "V1-DMZ" tcp-rst
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface ethernet0/0 phy full 100mb
set interface ethernet0/3 phy full 100mb
set interface ethernet0/4 phy full 100mb
set interface ethernet0/5 phy full 100mb
set interface ethernet0/6 phy full 100mb
set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/1" zone "Null"
set interface "bgroup0" zone "Trust"
set interface "bgroup1" zone "Trust"
set interface "bgroup2" zone "Trust"
set interface bgroup2 port ethernet0/2
set interface bgroup0 port ethernet0/3
set interface bgroup0 port ethernet0/4
set interface bgroup1 port ethernet0/5
set interface bgroup1 port ethernet0/6
unset interface vlan1 ip
set interface ethernet0/0 ip 215.173.182.18/29
set interface ethernet0/0 route
set interface bgroup0 ip 192.168.1.1/24
set interface bgroup0 nat
set interface bgroup1 ip 192.168.2.1/24
set interface bgroup1 nat
set interface bgroup2 ip 192.168.3.1/24
set interface bgroup2 nat
set interface ethernet0/0 gateway 215.173.182.17
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
set interface bgroup0 ip manageable
set interface bgroup1 ip manageable
set interface bgroup2 ip manageable
set interface bgroup0 manage mtrace
unset interface bgroup1 manage ssh
unset interface bgroup1 manage telnet
unset interface bgroup1 manage snmp
unset interface bgroup1 manage ssl
unset interface bgroup1 manage web
unset interface bgroup2 manage ssh
unset interface bgroup2 manage telnet
unset interface bgroup2 manage snmp
unset interface bgroup2 manage ssl
unset interface bgroup2 manage web
set interface ethernet0/0 vip 215.173.182.19 2048 "PPTP-VPN" 192.168.1.131
set interface ethernet0/0 vip 215.173.182.19 + 4280 "CrashPlan Server" 192.168.1.131
set interface ethernet0/0 vip 215.173.182.19 + 4282 "CrashPlan Console" 192.168.1.131
set interface ethernet0/0 vip 215.173.182.22 22 "MyVOIP_TCP22" 192.168.2.127
set interface ethernet0/0 vip 215.173.182.22 + 4569 "MyVOIP_UDP4569" 192.168.2.127
set interface ethernet0/0 vip 215.173.182.22 + 3389 "MyRDP" 192.168.2.202
set interface ethernet0/0 vip 215.173.182.22 + 873 "MyRsync" 192.168.2.201
set interface ethernet0/0 vip 215.173.182.22 + 80 "HTTP" 192.168.2.202
set interface ethernet0/0 vip 215.173.182.22 + 2048 "PPTP-VPN" 192.168.2.201
set interface ethernet0/0 vip 215.173.182.22 + 8080 "NZ_FMS_8080" 192.168.2.216
set interface ethernet0/0 vip 215.173.182.22 + 1935 "NZ_FMS_1935" 192.168.2.216
set interface bgroup0 dhcp server service
set interface bgroup1 dhcp server service
set interface bgroup2 dhcp server service
set interface bgroup0 dhcp server auto
set interface bgroup1 dhcp server auto
set interface bgroup2 dhcp server auto
set interface bgroup0 dhcp server option domainname companyalan
set interface bgroup0 dhcp server option dns1 192.168.1.131
set interface bgroup1 dhcp server option domainname companyblan
set interface bgroup1 dhcp server option dns1 192.168.2.202
set interface bgroup2 dhcp server option dns1 8.8.8.8
set interface bgroup2 dhcp server option wins1 8.8.4.4
set interface bgroup0 dhcp server ip 192.168.1.2 to 192.168.1.116
set interface bgroup1 dhcp server ip 192.168.2.2 to 192.168.2.116
set interface bgroup2 dhcp server ip 192.168.3.2 to 192.168.3.126
unset interface bgroup0 dhcp server config next-server-ip
unset interface bgroup1 dhcp server config next-server-ip
unset interface bgroup2 dhcp server config next-server-ip
set interface "ethernet0/0" mip 215.173.182.21 host 192.168.2.202 netmask 255.255.255.255 vr "trust-vr"
set interface "serial0/0" modem settings "USR" init "AT&F"
set interface "serial0/0" modem settings "USR" active
set interface "serial0/0" modem speed 115200
set interface "serial0/0" modem retry 3
set interface "serial0/0" modem interval 10
set interface "serial0/0" modem idle-time 10
set flow tcp-mss
unset flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set pki x509 dn name "[email protected]"
set dns host dns1 0.0.0.0
set dns host dns2 0.0.0.0
set dns host dns3 0.0.0.0
set address "Trust" "192.168.1.0/24" 192.168.1.0 255.255.255.0
set address "Trust" "192.168.2.0/24" 192.168.2.0 255.255.255.0
set address "Trust" "192.168.3.0/24" 192.168.3.0 255.255.255.0
set crypto-policy
exit
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set l2tp default ppp-auth chap
set url protocol websense
exit
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set policy id 1
exit
set policy id 2 from "Untrust" to "Trust" "Any" "VIP(215.173.182.19)" "PPTP-VPN" permit traffic
set policy id 2
exit
set policy id 3 from "Untrust" to "Trust" "Any" "VIP(215.173.182.22)" "HTTP" permit log
set policy id 3
set service "MyRDP"
set service "MyRsync"
set service "MyVOIP_TCP22"
set service "MyVOIP_UDP4569"
exit
set policy id 6 from "Trust" to "Trust" "192.168.1.0/24" "192.168.2.0/24" "ANY" deny
set policy id 6
exit
set policy id 7 from "Trust" to "Trust" "192.168.2.0/24" "192.168.1.0/24" "ANY" deny
set policy id 7
exit
set policy id 8 from "Trust" to "Trust" "192.168.3.0/24" "192.168.1.0/24" "ANY" deny
set policy id 8
exit
set policy id 9 from "Trust" to "Trust" "192.168.3.0/24" "192.168.2.0/24" "ANY" deny
set policy id 9
exit
set policy id 10 from "Untrust" to "Trust" "Any" "MIP(215.173.182.21)" "NZ_FTP" permit
set policy id 10
exit
set policy id 11 from "Untrust" to "Trust" "Any" "VIP(215.173.182.22)" "PPTP-VPN" permit
set policy id 11
exit
set policy id 12 from "Untrust" to "Trust" "Any" "VIP(215.173.182.22)" "NZ_FMS_1935" permit
set policy id 12
set service "NZ_FMS_8080"
exit
set policy id 13 from "Untrust" to "Trust" "Any" "VIP(215.173.182.19)" "CrashPlan Console" permit
set policy id 13
set service "CrashPlan Server"
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
unset license-key auto-update
set telnet client enable
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
Note that I've previously posted a similar question (pertaining to the same device & replacement, but ultimately caused by a malfunctioning switch, and thus clouding the current issue):
Outbound traffic being blocked for MIP/VIPped servers (Juniper SSG5)
