About
Name : Rajesh T Sivanandan
Profession : Engineering Manager (Networking Industry) – for a jazzy professional title.
10+ years of Experience in Networking/Security Domain.
A Passionate Network/Security Engineer – by heart
Cheers,
Rajesh T Sivanandan
Experts-Exchange Profile :: { Here }
Thanks for dropping by, and I appreciate any comments you might have, be they negative or positive (either way, it is only a perception).
Disclaimer: This is a personal weblog. I am by no means a lawyer, and none of my posts intend to hurt anybody's feelings in any way!
The opinions expressed here represent my own and not those of my employer or any vendors I have written about. Any posts with suggestions/solutions: try them at your own risk. I can in no way be held responsible for any damage they might cause in your setup, though I test them in my environment before I post them.

Rajeshji, very good site for the networking guys. Keep up the good work.
Thanks, Shibu.
Cheers,
Rajesh
great site mate
Very nice page. Keep up the nice work.
Excellent job, Rajeshji.
I may need your help to work remotely on my area, if you do not mind, please? Of course you will get money for any help.
Cheers,
rsivanandan
Dear Rajesh,
Very great effort in making it so simple. Nice work.
I need some help with Juniper NS 5GT DSL firewall configuration for opening up inbound traffic and making a VPN connection via ISA Server 2004. Can you help me in this regard?
Take care,
Faizan
Should not be a problem.
Just do the MIP for the ISA server and allow all the ports required to this IP so that the connection gets through.
Cheers,
rsivanandan
@rsivanandan
I have opened the desired port 3389 on ISA as well as on the Juniper NS5GT, but I am unable to connect.
Thanks,
Faizan
@Faizan
I’d need to see the config.
Mention the IP of interest as well.
Cheers,
rsivanandan
Dear,
I have prepared one service named 'VPN' for remote access to our network by opening port 3389. Kindly check and update me accordingly.
set clock dst-off
set clock timezone 5
set vrouter trust-vr sharable
set vrouter “untrust-vr”
exit
set vrouter “trust-vr”
unset auto-route-export
exit
set service “YahooCAM” protocol tcp src-port 0-65535 dst-port 5100-5100
set service “EZ1” protocol tcp src-port 0-65535 dst-port 5001-5003
set service “EZ1” + tcp src-port 0-65535 dst-port 5050-5050
set service “KASB1” protocol tcp src-port 0-65535 dst-port 6789-6800
set service “KASB1” + tcp src-port 0-65535 dst-port 8998-8998
set service “ONSPEED” protocol tcp src-port 0-65535 dst-port 7000-7000
set service “ONSPEED” + tcp src-port 0-65535 dst-port 5404-5405
set service “SATURN” protocol tcp src-port 0-65535 dst-port 8000-8000
set service “SATURN” + tcp src-port 0-65535 dst-port 8001-8001
set service “SATURN” + tcp src-port 0-65535 dst-port 8002-8002
set service “SATURN” + tcp src-port 0-65535 dst-port 8003-8003
set service “SATURN” + tcp src-port 0-65535 dst-port 8004-8004
set service “BloomBerg” protocol tcp src-port 0-65535 dst-port 5001-5003
set service “BloomBerg” + tcp src-port 0-65535 dst-port 5050-5050
set service “BloomBerg” + tcp src-port 0-65535 dst-port 6666-6666
set service “BloomBerg” + tcp src-port 0-65535 dst-port 8194-8294
set service “BloomBerg” + udp src-port 0-65535 dst-port 48129-48137
set service “PTA” protocol tcp src-port 0-65535 dst-port 8080-8080
set service “SC” protocol tcp src-port 0-65535 dst-port 1521-1521
set service “SC” + tcp src-port 0-65535 dst-port 8090-8093
set service “SC” + tcp src-port 0-65535 dst-port 3055-3055
set service “IMS” protocol tcp src-port 0-65535 dst-port 5000-5005
set service “IMS” + tcp src-port 0-65535 dst-port 5050-5050
set service “VPN” protocol tcp src-port 1-65535 dst-port 3389-3389
set service “PCM” protocol tcp src-port 7070-7074 dst-port 7070-7074
set auth-server “Local” id 0
set auth-server “Local” server-name “Local”
set auth default auth server “Local”
set auth radius accounting port 1646
set admin name “*****”
set admin password “nOGJJIrYMaMIc65KTsKOmzGtUDNzOn”
set admin http redirect
set admin auth timeout 0
set admin auth server “Local”
set admin format dos
set zone “Trust” vrouter “trust-vr”
set zone “Untrust” vrouter “trust-vr”
set zone “VLAN” vrouter “trust-vr”
set zone “Untrust-Tun” vrouter “trust-vr”
set zone “Trust” tcp-rst
set zone “Untrust” block
unset zone “Untrust” tcp-rst
set zone “MGT” block
set zone “VLAN” block
unset zone “VLAN” tcp-rst
set zone “Untrust” screen tear-drop
set zone “Untrust” screen syn-flood
set zone “Untrust” screen ping-death
set zone “Untrust” screen ip-filter-src
set zone “Untrust” screen land
set zone “V1-Untrust” screen tear-drop
set zone “V1-Untrust” screen syn-flood
set zone “V1-Untrust” screen ping-death
set zone “V1-Untrust” screen ip-filter-src
set zone “V1-Untrust” screen land
set interface “trust” zone “Trust”
set interface “untrust” zone “Untrust”
set interface “adsl1” pvc 8 35 mux llc protocol bridged zone “Null”
unset interface vlan1 ip
set interface trust ip ******/29
set interface trust route
set interface untrust ip ******/32
set interface untrust route
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface trust ip manageable
set interface untrust ip manageable
set interface trust dhcp server service
set interface trust dhcp server auto
set interface trust dhcp server option gateway ******
set interface trust dhcp server option netmask 255.255.255.0
set interface “trust” webauth ssl-only
set interface “trust” webauth-ip ******
set flow tcp-mss
set flow all-tcp-mss 1304
unset flow no-tcp-seq-check
set flow tcp-syn-check
set hostname ns5gt-adsl
set pki authority default scep mode “auto”
set pki x509 default cert-path partial
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set attack db mode Update
set attack db schedule daily 00:00
set av all fail-mode traffic permit
set av http keep-alive
set av http trickling default
unset av http webmail enable
set av profile “scan-mgr”
unset ftp enable
set ftp scan-mode scan-all
set ftp decompress-layer 2
unset http enable
set http scan-mode scan-all
unset imap enable
set imap scan-mode scan-all
set imap decompress-layer 2
set pop3 scan-mode scan-all
set pop3 decompress-layer 2
unset smtp enable
set smtp scan-mode scan-all
set smtp decompress-layer 2
exit
unset av scan-mgr max-content-size drop
unset av scan-mgr max-msgs drop
set url protocol sc-cpa
exit
set anti-spam profile ns-profile
set whitelist 202.101.171.50;
set blacklist @cdwdrives.com;@dbaza.com;@etiquettes-martin.com;@euregio.net;@evesham.com;@executiveauto.com;@invitel.hu;@jeol.de;@marcusevanskl.com;@my-desk.com;@net.br;@regula.by;@rima-tde.net;@rr.com;@stingrayinternet.com;@verizon.net;
set sbl default-server enable
set default action tag subject “***SPAM*** ”
exit
set policy id 1 name “inbound” from “Trust” to “Untrust” “Any” “Any” “ANY” permit log
set policy id 1 disable
set policy id 1 av “scan-mgr”
set policy id 1 anti-spam ns-profile
set policy id 1
set log session-init
exit
set policy id 2 name “mail” from “Untrust” to “Trust” “Any” “Any” “HTTP” permit log
set policy id 2
set service “IMAP”
set service “MAIL”
set service “ONSPEED”
set service “PCM”
set service “POP3”
set service “SATURN”
set service “SMTP”
set service “VPN”
set service “MS-EXCHANGE”
set log session-init
exit
set policy id 3 name “AllAccess” from “Trust” to “Untrust” “Any” “Any” “BloomBerg” permit log
set policy id 3 anti-spam ns-profile
set policy id 3
set service “DNS”
set service “EZ1”
set service “FTP”
set service “HTTP”
set service “HTTPS”
set service “ICMP-ANY”
set service “IMAP”
set service “IMS”
set service “KASB1”
set service “MAIL”
set service “MS-SQL”
set service “MSN”
set service “ONSPEED”
set service “PCM”
set service “POP3”
set service “PTA”
set service “SATURN”
set service “SC”
set service “SMTP”
set service “TELNET”
set service “VNC”
set service “VPN”
set service “YMSG”
set service “MS-EXCHANGE”
set log session-init
exit
set policy id 4 from “Untrust” to “Trust” “Any” “Any” “ANY” permit
set policy id 4 disable
set policy id 4
exit
set pppoe name “*****”
unset pppoe name “*****” auth CHAP
set pppoe name “*****” username “picicasset1” password “bafVX9e9NUNzeysy4UCgBH5uADnJaY6ATQ==”
set pppoe name “*****” interface untrust
unset pppoe name “******” update-dhcpserver
set syslog config “******”
set syslog config “******” facilities local0 local0
set syslog config “*******” log traffic
set syslog src-interface trust
set syslog enable
unset log module system level debugging destination syslog
set global-pro policy-manager primary outgoing-interface untrust
set global-pro policy-manager secondary outgoing-interface untrust
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
set ntp server “0.0.0.0”
set ntp server backup1 “0.0.0.0”
set ntp server backup2 “0.0.0.0”
set modem speed 115200
set modem retry 3
set modem interval 10
set modem idle-time 10
set snmp community “private1” Read-Write Trap-on traffic version v1
set snmp host “private1” ****** 255.255.255.255 src-interface trust trap v1
set snmp location “KHI”
set snmp contact “****”
set snmp name “*****”
set snmp port listen 161
set snmp port trap 162
set vrouter “untrust-vr”
exit
set vrouter “trust-vr”
unset add-default-route
exit
set vrouter “untrust-vr”
exit
set vrouter “trust-vr”
exit
Regards,
Faizan
See, you first need to have a NAT in place (MIP/VIP) so that you can access your machine from the outside world (Internet).
The steps are as I have mentioned in the PDF file:
1. First create a MIP with a public IP and map it to your ISA's internal IP address.
2. Then create a policy to allow traffic for the service VPN to that address.
That's it, done.
Cheers,
rsivanandan
Thanks, but can you please guide me on how I can do that as well? I am not that familiar with the Juniper firewall.
Thanking you in advance.
Regards,
Faizan
Do you have a free public IP that you can use?
What is the internal IP address of the ISA server?
Cheers,
rsivanandan
The internal IP address of the ISA server is 192.168.100.5.
I have prepared one 'VPN' rule for 3389. Is that rule OK?
Regards,
Faizan
That would do. So what is the external public IP that you want to use? Or do you want to use the outside interface IP itself?
If yes, then look at the port forward translation example I have in the document.
If you have a public IP, then look at the 1-1 translation in the document.
I have the policies as well in the same section. All you need to do is set it up using that.
Cheers,
rsivanandan
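Both variants described in the two replies above (the 1-1 MIP when a spare public IP is available, the interface-IP VIP port forward when it is not), written out as ScreenOS CLI. This is an added example, not the content of the PDF or of any comment on this page. It reuses what the thread states: the ISA server at 192.168.100.5, the Trust/Untrust zones, the trust-vr router, and the posted service "VPN" (TCP 3389). The public MIP address 203.0.113.10, the remote client address 198.51.100.7, the address-book name "remote-admin", the policy IDs 10 and 11 and the policy names are assumptions made for the example; the ISP would have to route the MIP address to the firewall's PPPoE session.

```screenos
set address "Untrust" "remote-admin" 198.51.100.7 255.255.255.255

set interface untrust mip 203.0.113.10 host 192.168.100.5 netmask 255.255.255.255 vr trust-vr
set policy id 10 name "rdp-to-isa-mip" from "Untrust" to "Trust" "remote-admin" "MIP(203.0.113.10)" "VPN" permit log

set interface untrust vip interface-ip 3389 "VPN" 192.168.100.5
set policy id 11 name "rdp-to-isa-vip" from "Untrust" to "Trust" "remote-admin" "VIP(untrust)" "VPN" permit log

save

get mip
get vip
get policy id 10
get policy id 11
get session dst-port 3389
```

Use only one of the two pairs: the MIP lines if a dedicated public address exists, otherwise the VIP lines, which reuse the untrust interface address (the posted config sets that interface to a /32 over PPPoE, so the VIP form is the one that needs no extra address). The destination in the inbound policy must be the MIP or VIP object, not "Any"; the posted policy id 2 has destination "Any" and no MIP/VIP behind it, so it lists service "VPN" without forwarding anything to 192.168.100.5. The source is pinned to the address-book entry rather than "Any" so that TCP 3389 is not reachable from the whole Internet; widen it only if the remote client's address cannot be fixed. The `get` commands at the end confirm the translation and policy exist, and `get session dst-port 3389` shows whether a connection attempt is actually matching the policy once a client tries to connect.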
Many thanks, and sorry for the late reply. I have not checked it yet. I will definitely try it and then let you know.
Thank you so much for your kind co-operation.
Regards,
Faizan
Dear Rajesh,
I am still unable to do this. Can you please help me? Do you have any number so I can call you?
Regards,
Faizan