Smart questions
Smart answers
Smart people
INTELLIGENT WORK FORUMS
FOR COMPUTER PROFESSIONALS

Member Login
Remember Me
Forgot Password?
Join Us!

Come Join Us!

Are you a
Computer / IT professional?
Join Tek-Tips now!
  • Talk With Other Members
  • Be Notified Of Responses
    To Your Posts
  • Keyword Search
  • One-Click Access To Your
    Favorite Forums
  • Automated Signatures
    On Your Posts
  • Best Of All, It's Free!
Join Tek-Tips
*Tek-Tips's functionality depends on members receiving e-mail. By joining you are opting in to receive e-mail.

LINK TO THIS FORUM!

Add Stickiness To Your Site By Linking To This Professionally Managed Technical Forum.
Just copy and paste the
code below into your site.

Tek-Tips LinkedIn® Group

Partner With Us!

"Best Of Breed" Forums Add Stickiness To Your Site
Partner Button
(Download This Button Today!)

Feedback

"...Really appreciate your site. Really good site for learning what others do when they run into problems. You guy's are great!!!..."
More...

Geography

Where in the world do Tek-Tips members come from?
Click Here To Find Out!

Tek-Tips Shirts!

Get Tek-Tips Swag
Get your
Tek-Tips Forums
SWAG here!
Home > Forums > MIS/IT > Security Solutions > NetScreen solutions Forum

5XT config at new location

thread907-1420282
Read More Threads Like This One
Whooaahh (IS/IT--Management)
23 Oct 07 23:31
We moved and took our NS 5XT with us and were able to move the internest service with us. With the ISP we have 10 Static IPs all sequential. At the old location, I unplugged everything, packed it up and moved it to the new location. After the ISP got the internet connection back up, I hooked everything up and seem have issues.

Here is the setup
IPs from ISP (not the real ones, replaced first 3 octets with 1.1.1.x)
1.1.1.112-1.1.1.121/24
Untrust 1.1.1.12
Untrust Manage-IP 1.1.1.113
Trust 10.1.2.1/24
Trust Manage-IP 10.1.2.2

No computer connected to Trust can get internet access, but if I telnet to 10.1.2.2 and login, I can ping anything on the internet, including 1.1.1.1 (the ISP Default Gateway) and 4.2.2.2

I checked the trust-vr routes and 0.0.0.0/0 is set for 1.1.1.1 ( ISP Default Gateway) on Untrust.

Here is some config that should be of use. The missing parts are things such as other policies, MIPs, reserved DHCP settings, Services, and other logging options.

Thanks for all the help.

set clock ntp
set clock timezone -8
set vrouter trust-vr sharable
unset vrouter "trust-vr" auto-route-export
...
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
...
set admin scs password disable username xxxxx
set admin mail server-name "xxxxxxxxxxx.com"
set admin mail mail-addr1 "xxxxxxxxxxx.com"
set admin mail traffic-log
set admin auth timeout 10
set admin auth server "Local"
unset admin device-reset
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "VLAN" block
set zone "VLAN" tcp-rst
set zone "Trust" screen alarm-without-drop
set zone "Trust" screen icmp-flood
set zone "Trust" screen udp-flood
...
set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust"
unset interface vlan1 ip
set interface trust ip 10.1.2.1/24
set interface trust route
set interface untrust ip 1.1.1.112/24
set interface untrust route
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface trust manage-ip 10.1.2.2
set interface untrust manage-ip 1.1.1.113
unset interface trust ip manageable
unset interface untrust ip manageable
set interface untrust manage ping
set interface untrust manage ssh
set interface untrust manage snmp
set interface untrust manage ssl
set interface untrust manage web
unset interface vlan1 manage telnet
...
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
...
unset snmp auth-trap enable
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 vrouter "untrust-vr"
exit
Packet7 (IS/IT--Management)
24 Oct 07 8:25
Hi,

I would try to add NAT to your trust to untrust policy.

Rgds,

John
peterve (IS/IT--Management)
1 Nov 07 7:45
2 options :
Add NAT to your trust to untrust policy :
set policy from trust to untrust any any any nat src permit


or just set your trust interface in nat mode instead of router mode...

--------------------------------------------------------------------
How can I believe in God when just last week I got my tongue caught in the roller of an electric typewriter?
---------------------------------------------------------------------
https://petersblog.dyndns.org:8899
---------------------------------------------------------------
Read More Threads Like This One

Reply To This Thread

Posting in the Tek-Tips forums is a member-only feature.

Click Here to join Tek-Tips and talk with other members!

Back To Forum

Back To NetScreen solutions

Close Box

Join Tek-Tips® Today!

Join your peers on the Internet's largest technical computer professional community.
It's easy to join and it's free.

Here's Why Members Love Tek-Tips Forums:

Register now while it's still free!

Already a member? Close this window and log in.

Join Us             Close