Change a ns100 to ns208

Semperfi2004

IS-IT--Management
Mar 27, 2006
56
US
All,
I changed out an NS100 for an NS208. I took the config on the NS100 and modified it to work on the NS208.
When we hooked up the NS208, I wasn't able to ping anything internally or externally. All interfaces showed Up Up.
Does anyone know of any reason why this wouldn't work? Below is my config. I did take out all VPNs, MIP, DIPs, etc. Below is the basic config on the NS208 that was modified from the NS100.
Thanks

set clock timezone -4
set vrouter trust-vr sharable
unset vrouter "trust-vr" auto-route-export
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set admin name "netsceen"
set admin password "nM6+CDrdNmVCckBDEsNJEmEtoMFrLn"
set admin port xxxxx
set admin mail alert
set admin mail server-name "mail.xxxx.com"
set admin mail mail-addr1 "mail@xxxx.com"
set admin mail traffic-log
set admin auth timeout 60
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "DMZ" tcp-rst
set zone "VLAN" block
set zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface ethernet1 phy full 100mb
set interface ethernet2 phy full 100mb
set interface ethernet3 phy full 100mb
set interface "ethernet1" zone "Trust"
set interface "ethernet2" zone "DMZ"
set interface "ethernet3" zone "Untrust"
set interface "ethernet8" zone "Null"
unset interface vlan1 ip
set interface ethernet1 ip 10.1.1.254/22
set interface ethernet1 nat
set interface ethernet1 ip 10.1.10.0 255.255.255.0 secondary
set interface ethernet2 ip 10.9.8.1/24
set interface ethernet2 nat
set interface ethernet3 ip 12.1.1.254/24
set interface ethernet3 route
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet1 ip manageable
set interface ethernet2 ip manageable
set interface ethernet3 ip manageable
set interface ethernet3 manage ping
set interface ethernet3 manage telnet
set interface ethernet3 manage web

set flow tcp-mss
set flow path-mtu
set domain xxxxx.com
set hostname ns208

set ike respond-bad-spi 1
set ike soft-lifetime-buffer 15

set dns host dns1 10.1.1.162
set dns host dns2 10.1.1.161
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set syslog config "10.1.1.52"
set syslog config "10.1.1.52" facilities local0 local0
set syslog enable
set ssh version v2
set config lock timeout 5
set snmp community "xxxxxxxx" Read-Only Trap-on version v1
set snmp host "xxxxxxx" 10.1.1.16 255.255.255.255 trap v1
set snmp name "ns100"
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface ethernet3 gateway 12.1.1.1
exit
 
Hi,

Are your switches configured for 100/Full as well? If not, I would hard code them to match the firewall. I would also change the interfaces to route mode and handle NAT via policy. I didn't see an outbound policy in your config. Try "get pol". Then "get pol id xx". Check to see if NAT is enabled. Also, when you ping, try to specify your source interface. It may be an issue from one and not the other. For example, "ping 12.1.1.1 from e1" and "ping 12.1.1.1 from e3".

Hope this helps.

Rgds,

John
 
Hey Packet7, yeah, they are config'd at 100. I am thinking this weekend I will try and implement the ns208 again. However, I never did clear the ARP; you think that could have been the issue?
Thanks
 
Hi,

Yes, you can try to clear the arp. I would also check your policy to make sure it's configured for NAT (use interface).

Rgds,

John
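
The checks suggested in the replies (hard-coded speed/duplex, NAT-mode interfaces, a Trust-to-Untrust policy with NAT) can be run against a saved config before the next cutover. This is an added example, not part of the original thread: the `audit` function, its finding names, and the `set policy ... nat src permit` line format it looks for are assumptions, and the sample lines are copied from the config posted above.

```python
import re

# Constructed sample: interface and route lines copied from the config posted above.
SAMPLE = """\
set interface ethernet1 phy full 100mb
set interface ethernet3 phy full 100mb
set interface "ethernet1" zone "Trust"
set interface "ethernet3" zone "Untrust"
set interface ethernet1 ip 10.1.1.254/22
set interface ethernet1 nat
set interface ethernet3 ip 12.1.1.254/24
set interface ethernet3 route
set route 0.0.0.0/0 interface ethernet3 gateway 12.1.1.1
"""

def tokens(line):
    # Split on whitespace but keep quoted names (which may contain spaces) whole.
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]

def audit(config, src="Trust", dst="Untrust"):
    """Return sorted (check, subject) findings for the checks the replies suggest."""
    zone, mode, forced, policies = {}, {}, set(), []
    for line in config.splitlines():
        t = tokens(line)
        if t[:2] == ["set", "interface"] and len(t) >= 4:
            name, key = t[2], t[3]
            if key == "zone" and len(t) >= 5:
                zone[name] = t[4]
            elif key in ("nat", "route"):
                mode[name] = key
            elif key == "phy":
                forced.add(name)  # speed/duplex is hard-coded on this port
        elif t[:2] == ["set", "policy"] and "from" in t[:-1] and "to" in t[:-1]:
            # Assumed format: set policy id N from "Z1" to "Z2" src dst svc [nat src] permit
            policies.append((t[t.index("from") + 1], t[t.index("to") + 1], "nat" in t))
    findings = [("phy-forced", n) for n in forced]  # switch port must be set to match
    findings += [("nat-mode", n) for n, m in mode.items() if m == "nat" and zone.get(n) == src]
    matching = [p for p in policies if p[:2] == (src, dst)]
    if not matching:
        findings.append(("no-policy", f"{src}->{dst}"))
    elif not any(nat for _, _, nat in matching):
        findings.append(("policy-without-nat", f"{src}->{dst}"))
    return sorted(findings)

if __name__ == "__main__":
    for check, subject in audit(SAMPLE):
        print(f"{check:20} {subject}")
```
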
 