5XT config at new location

Whooaahh

IS-IT--Management
Oct 23, 2007
We moved and took our NS 5XT with us and were able to move the internet service with us. With the ISP we have 10 static IPs, all sequential. At the old location, I unplugged everything, packed it up and moved it to the new location. After the ISP got the internet connection back up, I hooked everything up and seem to have issues.

Here is the setup
IPs from ISP (not the real ones, replaced first 3 octets with 1.1.1.x)
1.1.1.112-1.1.1.121/24
Untrust 1.1.1.12
Untrust Manage-IP 1.1.1.113
Trust 10.1.2.1/24
Trust Manage-IP 10.1.2.2

No computer connected to Trust can get internet access, but if I telnet to 10.1.2.2 and log in, I can ping anything on the internet, including 1.1.1.1 (the ISP Default Gateway) and 4.2.2.2.

I checked the trust-vr routes and 0.0.0.0/0 is set for 1.1.1.1 (ISP Default Gateway) on Untrust.

Here is some config that should be of use. The missing parts are things such as other policies, MIPs, reserved DHCP settings, Services, and other logging options.

Thanks for all the help.

set clock ntp
set clock timezone -8
set vrouter trust-vr sharable
unset vrouter "trust-vr" auto-route-export
...
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
...
set admin scs password disable username xxxxx
set admin mail server-name "xxxxxxxxxxx.com"
set admin mail mail-addr1 "xxxxxxxxxxx.com"
set admin mail traffic-log
set admin auth timeout 10
set admin auth server "Local"
unset admin device-reset
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "VLAN" block
set zone "VLAN" tcp-rst
set zone "Trust" screen alarm-without-drop
set zone "Trust" screen icmp-flood
set zone "Trust" screen udp-flood
...
set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust"
unset interface vlan1 ip
set interface trust ip 10.1.2.1/24
set interface trust route
set interface untrust ip 1.1.1.112/24
set interface untrust route
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface trust manage-ip 10.1.2.2
set interface untrust manage-ip 1.1.1.113
unset interface trust ip manageable
unset interface untrust ip manageable
set interface untrust manage ping
set interface untrust manage ssh
set interface untrust manage snmp
set interface untrust manage ssl
set interface untrust manage web
unset interface vlan1 manage telnet
...
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
...
unset snmp auth-trap enable
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 vrouter "untrust-vr"
exit

 
Hi,

I would try to add NAT to your trust to untrust policy.

Rgds,

John
 
2 options:
Add NAT to your trust to untrust policy:
set policy from trust to untrust any any any nat src permit


or just set your trust interface in nat mode instead of router mode...

--------------------------------------------------------------------
How can I believe in God when just last week I got my tongue caught in the roller of an electric typewriter?
---------------------------------------------------------------------
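Added example, not part of the thread or of either reply: a small Python audit of the posted `set` lines that flags the condition both replies address (a route-mode interface with a private address and a permit policy toward the public side without `nat src`) and lists management services enabled on the public-facing interface. The function name `audit` and the sample excerpt are constructed here; 1.1.1.x is the poster's placeholder addressing.

```python
import ipaddress
import shlex

# Constructed sample: the relevant lines of the configuration posted above.
SAMPLE = """\
set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust"
set interface trust ip 10.1.2.1/24
set interface trust route
set interface untrust ip 1.1.1.112/24
set interface untrust route
set interface untrust manage ssh
set interface untrust manage web
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
"""

def audit(config):
    """Flag route-mode private interfaces whose outbound policies lack 'nat src'."""
    zone, addr, mode, manage, policies = {}, {}, {}, {}, []
    for line in config.splitlines():
        tok = [t.lower() for t in shlex.split(line)]
        if tok[:2] == ["set", "interface"] and len(tok) >= 4:
            ifc, key = tok[2], tok[3]
            if key == "zone" and len(tok) > 4:
                zone[ifc] = tok[4]
            elif key == "ip" and len(tok) > 4 and "/" in tok[4]:
                addr[ifc] = ipaddress.ip_interface(tok[4])
            elif key in ("route", "nat"):
                mode[ifc] = key  # interface mode: route (no translation) or nat
            elif key == "manage" and len(tok) > 4:
                manage.setdefault(ifc, []).append(tok[4])
        elif tok[:2] == ["set", "policy"] and "from" in tok and "permit" in tok:
            i = tok.index("from")
            if len(tok) > i + 3:  # from <zone> to <zone> ...
                policies.append((tok[i + 1], tok[i + 3], "nat src" in " ".join(tok)))
    # Zones that contain an interface with a publicly routable address.
    public = {zone.get(i) for i, a in addr.items() if not a.ip.is_private}
    findings = []
    for ifc, a in addr.items():
        src = zone.get(ifc)
        if mode.get(ifc) == "route" and a.ip.is_private and any(
                f == src and t in public and not nat for f, t, nat in policies):
            findings.append(f"{ifc}: route mode with private {a}, no 'nat src' toward a public zone")
    for ifc, svcs in manage.items():
        if zone.get(ifc) in public:
            findings.append(f"{ifc}: management enabled on public side: {', '.join(sorted(svcs))}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```
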