Configuring Routing Between 2 custom VSYS

2010-06-28T11:48:00.001+01:00

As I really had some difficulty to implement routing between two custom VSYS and didn't found any valuable help on the net, I decided to put here a configuration example for those who may need it. This doesn't mean it's the only or the best way to do it but it does the job. Any comments would be welcome.

So, we have two subnets, each of them having a custom VSYS on a NS5200 firewall as a gateway. We want to allow any traffic to flow from subnet A (192.168.0.0/24) to subnet B (192.168.1.0/24) and vice-versa.

Here are the basic steps:

Root VSYS configuration : As trafic leaving a a VSYS is considered to have the shared root "Untrust" zone as destination, we have to put this zone in the untrust-vr for the routing to take place. The tricky part of the configuration is a shared interface must exist in the "Untrust" zone to loop the traffic for intervsys communication. You can create a loopback interface without assigning it an IP, in which you should disable NAT on the incoming interface.
Configuring routing in custom VSYSs : After configuring interfaces, the next step is to configure routes. Each VSYS should route trafic destined to the other subnet through the shared root virtual router untrust-vr. The untrust-vr should have the correct routes added.
Configuring policies in custom VSYS : Last thing to do is to configure policies on each VSYS to allow incoming and outgoing traffic to and from "Untrust" zone.

The detailed configuration commands are listed below:
##Root VSYS
set zone "Untrust" vrouter "untrust-vr"
set interface "loopback.1" zone "Untrust"
##VSYS-A
Set vsys VSYS-A
Set zone name zone-A
Set interface ethernet2/1.100 tag 100 zone zone-A
Set interface ethernet2/1.100 ip 192.168.0.1/24
Set interface ethernet2/1.100 route
set vrouter "VSYS-A-vr" route 192.168.1.0/24 vrouter untrust-vr
set vrouter "untrust-vr" route 192.168.0.0/24 vrouter VSYS-A-vr
set policy from zone-A to Untrust any any any permit log
set policy from Untrust to zone-A any any any permit log
##VSYS-B
Set vsys VSYS-B
Set zone name zone-B
Set interface ethernet2/2.101 tag 101 zone zone-B
Set interface ethernet2/2.101 ip 192.168.1.1/24
Set interface ethernet2/2.101 route
set vrouter "VSYS-B-vr" route 192.168.0.0/24 vrouter untrust-vr
set vrouter "untrust-vr" route 192.168.1.0/24 vrouter VSYS-B-vr
set policy from zone-B to Untrust any any any permit log
set policy from Untrust to zone-B any any any permit log

Some topics to know in broadband networks

2010-06-09T01:35:00.000+01:00

PPPoE initiation process
PPP, NCP and LCP
Wholesale model

Port mapping/forwarding avec screenos

2010-03-01T01:48:00.000+01:00

Problème :
J'ai plusieurs serveurs dans mon LAN d'entreprise que je voudrais rendre accessible à partir d'Internet en utilisant une connexion ADSL et un firewall Juniper Networks SSG20. Je dispose d'une seule adresse IP publique attribuée à l'interface ADSL de mon firewall.

La solution est évidemment de configurer le NPAT afin de translater le couple IP publique/port vers IP privée/port. Le souci est que screenos propose plusieurs manières d'implémenter le NAT des adresses destination, à savoir les policies, les MIP et les VIP; laquelle de ces méthodes choisir ?
Dans ce cas de figure, étant donné que l'adresse publique des serveurs est l'adresse ip de l'interface, la seule solution possible est la création d'une VIP (Virtual IP).
La procédure de configuration est expliquée sur le site de Juniper Networks à cette adresse : http://kb.juniper.net/KB12608

IT Bowl

Configuring Routing Between 2 custom VSYS

Some topics to know in broadband networks

Port mapping/forwarding avec screenos