
Can't ping trusted computers from NS-5

Status
Not open for further replies.

shadowmn

IS-IT--Management
Aug 22, 2003
I've got an original Netscreen 5 that I am using to connect to my company's Netscreen 100. I've got a DSL connection with PPPoE. I've got a manual key set up on both sides and the tunnel appears to be working properly. The NS-5 is a DHCP server for my internal network on the trusted side and is successfully NATing, allowing all internal computers to access the Internet. It is the default gateway for my internal network. Pretty much everything is enabled on the trusted side (ping, SSL, WebUI, etc.). The WebUI is enabled on the untrusted side, and is accessible.

I want to enable syslogging on the NS-5. Unfortunately, even though I point the NS-5 to an IP on the trusted side, the Netscreen acts as though it can't see anything on the trusted side (can't ping trusted IPs from the Netscreen). I've configured 2 NS-5s and ended up with the same problem. Obviously there is something I'm missing. The NS-5 must be aware of the internal computers, or it wouldn't be able to NAT for them, but it just isn't able to ping trusted side computers.

Is there something I need to enable to allow the Netscreen to see (ping) the internal IP addresses?


For clarity's sake, here is an idea of my configuration:

Internal computers <--> Switch <-->(t)NS-5(u)<-->DSL modem

Thanks for any help you can offer.

Nadeem
 
Make a rule in your Netscreen 5 about ping... something like any-any-ping-permit, and enable the logging...
Check your logs; maybe you will see something wrong?

I know it's not a solution, but maybe it can help...
 
You may want to try this command using the CLI.

ping 192.168.1.5 from trust

I have an NS5 and never had this problem. If this doesn't work then we can look at your config.
 
nossah & Darkhat,

Thanks for your replies. I've looked in the logs and I haven't seen much of anything that tells me why I can't ping from the NS5.

I've tried the ping from the CLI with the "from trust" added on, to no effect. The funny thing is that I am telnetting into the Netscreen from the machine I am trying to ping. It has no firewall software that would interfere with communication from the NS5.

I'm using software version 2.6.1r11.1.

The NS5 is configured for DHCP for hosts on the trusted side and has allocated IP addresses to them.

There is no Management IP or System IP.

In the Interface Configuration, the IP address (10.250.250.1) and the Netmask (255.255.255.0) are configured for the trusted interface for the same subnet that the internal hosts are configured to be allocated via DHCP (10.250.250.10-10.250.250.20). The default gateway is blank since it won't let me put the NS5 trusted IP in there. The interface mode is set to NAT and everything is checked off under management services except NS-Global & NS-GlobalPRO.

The untrusted interface is configured for PPPoE and has an external IP allocated. The Web interface is enabled on the untrusted side.

The VPN is Manual Key with a reciprocal key configured on the NS100 at work, and appears to work fine.

Incoming Policy allows Terminal Services and VNC from where I work (Action=Tunnel).

Outgoing Policies include Inside Any to Work (Action=Tunnel) and Inside Any to Outside Any (Action=Permit). I have a policy called Inside Any to Banned IPs (Action=Deny) but it is disabled.

Let me know if there is anything else you need to know.

Thanks again for your help.
Nadeem
 