Question : Juniper DMZ configuration

Hi,


I have one server NIC connected to the LAN and am trying to add a second server NIC to the DMZ. The DMZ is configured on Juniper ethernet0/1.

The Windows server has 2 NICs, with IIS enabled on port 80 on both NICs:
192.168.100.8 with gateway 192.168.100.1 (connected to LAN)
192.168.101.8 without gateway (connected to Juniper DMZ port)

On the Juniper the /29 range is split into two /30 ranges (25.26.10.42-25.26.10.43 and 25.26.10.44-25.26.10.47).
The IP of the untrust interface is 25.26.10.42/30.

I cannot figure out why the DMZ configuration below on the Juniper firewall doesn't work:

DMZ is configured as:

set interface ethernet0/1 ip 25.26.10.45/30

set group service "Web_Services" add "HTTPS"
set group service "Web_Services" add "HTTP"

set address "DMZ" "httpserver1" 192.168.101.8 255.255.255.255

set group address "DMZ" "Web_Sites"
set group address "DMZ" "Web_Sites" add "httpserver1"

set policy from "Trust" to "DMZ"  "Any" "Web_Sites" "Web_Services"  permit log count
set policy from "Untrust" to "DMZ"  "Any" "Web_Sites" "Web_Services"  permit log count
set policy from "DMZ" to "Untrust"  "Web_Sites" "Any" "Web_Services"  permit log count

set interface "ethernet0/0" mip 25.26.10.45 host 192.168.101.8 netmask 255.255.255.255 vr "trust-vr"

set policy id 12 from "Untrust" to "DMZ"  "Any" "MIP(25.26.10.45)" "Web_Services" permit log count

Best,
RockBob

Answer : Juniper DMZ configuration

To add to digitab, he's spot on.

You could do source nat on your:

set policy id 12 from "Untrust" to "DMZ"  "Any" "MIP(25.26.10.45)" "Web_Services" permit log count

policy, so the DMZ NIC of your server will only "see" the Juniper DMZ interface talking to it.
You'd better take the default gateway off the "internal" NIC and put it on the "DMZ" NIC, and route the internal network via static routes on that machine.

However, may I point out that I suggest you be really careful with a "dual NIC" config like that.
The purpose of a DMZ is to isolate hosts; having a server with a NIC in both trust and DMZ is generally considered "bad practice". I would reconsider your options.

Cheers,
Random Solutions
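An added example, not code from either poster: a small lint over the addressing in the question (the two 'set interface' lines from the posted config plus the server's two NICs, with /24 masks assumed since the post gives none) that also encodes the answer's advice about where the default gateway belongs. The finding texts and the MIP interpretation are this example's own assumptions.

```python
import ipaddress

# Constructed from the question: the server's two NICs (masks are an assumption,
# the post gives none) and the two 'set interface' lines quoted from the posted config.
SERVER_NICS = {
    "lan": {"addr": "192.168.100.8/24", "gateway": "192.168.100.1"},
    "dmz": {"addr": "192.168.101.8/24", "gateway": None},
}
SCREENOS = '''
set interface ethernet0/1 ip 25.26.10.45/30
set interface "ethernet0/0" mip 25.26.10.45 host 192.168.101.8 netmask 255.255.255.255 vr "trust-vr"
'''

def parse_screenos(text):
    """Return ({iface: ip_interface}, [(iface, mip_addr, host_addr)]) from 'set interface' lines."""
    ifaces, mips = {}, []
    for line in text.strip().splitlines():
        tok = [t.strip('"') for t in line.split()]
        if len(tok) < 5 or tok[:2] != ["set", "interface"]:
            continue
        if tok[3] == "ip":
            ifaces[tok[2]] = ipaddress.ip_interface(tok[4])
        elif tok[3] == "mip":
            mips.append((tok[2], ipaddress.ip_address(tok[4]), ipaddress.ip_address(tok[6])))
    return ifaces, mips

def lint(ifaces, mips, nics):
    """Addressing checks to run before debugging policies; returns a list of findings."""
    findings = []
    for _mip_if, mip_addr, host in mips:
        for name, iface in ifaces.items():
            # a MIP is an extra public address; it must not reuse an interface's own IP
            if mip_addr == iface.ip:
                findings.append(f"MIP {mip_addr} reuses the address of {name}")
        # the MIP host should be on-link with a firewall interface, otherwise a route to it is needed
        if not any(host in iface.network for iface in ifaces.values()):
            findings.append(f"no firewall interface is on-link with MIP host {host}; a route to it is needed")
    for name, nic in nics.items():
        net = ipaddress.ip_interface(nic["addr"]).network
        if nic["gateway"] and ipaddress.ip_address(nic["gateway"]) not in net:
            findings.append(f"{name}: gateway {nic['gateway']} is outside {net}")
    # the answer's advice: the single default gateway belongs on the DMZ NIC, LAN via static routes
    with_gw = [name for name, nic in nics.items() if nic["gateway"]]
    if with_gw != ["dmz"]:
        findings.append(f"default gateway is on {with_gw}, not only on the dmz NIC")
    return findings

if __name__ == "__main__":
    for finding in lint(*parse_screenos(SCREENOS), SERVER_NICS):
        print("finding:", finding)
```

Run as-is it reports three findings on the posted addressing; with the DMZ interface moved onto the server's DMZ subnet, a distinct MIP address, and the gateway on the DMZ NIC it reports none.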