
Netscreen 25 DMZ zone


bdoub1eu

IS-IT--Management
Dec 10, 2003
440
US
I am new to the netscreen devices, so forgive me if this is a simple problem to solve.

We have a netscreen 25 and I'm trying to configure the DMZ zone. The trusted and untrusted are already configured, but we had the DMZ open. We are using the 10.3.x.x subnet and the trusted is 10.3.110.x. I want to make the DMZ probably 10.3.111.x. My question is how do I setup the netscreen? I assume I will have to:

1. Create the DMZ zone
2. Create policies from the untrust to the DMZ
3. Create policies from the DMZ to trust
4. On the other netscreens with policies already configured to the trusted side, create policies from those netscreens to the DMZ

Is this right? I know it sounds kinda easy, but again, I'm new to this and wanted a little direction...If I have an idea of what to do, I think I can figure it out...Thanks for all your help!!!
 
You're too funny!

First, create the Proxy object.
Top - Down (Policy)
Permit 80 to Proxy
Deny 80 to Untrust
Permit Any Any

This should do it. Cheers.

Rgds,

John
 
John, everything is working fine on the DMZ as far as VPN goes...But I can't surf the internet on that side. I created a policy for Any/Any from DMZ to untrust, but I think I need some sort of route for internet traffic to get from the DMZ to the internet...Any ideas? Other than that, the VPN is up and working great!
 
Hello,

Can you ping your Internet Router? How does the trace look?

Look at your routing table. Your DMZ subnet should be listed under the "untrust-vr" and should have at a minimum two routes to work with (examples below, 200.100.100.1 is the Internet Router IP):

+ IP=0.0.0.0/0 Gateway=200.100.100.1 Interface=ethernet3 Protocol=static Metric=1

+ IP=DMZ SUBNET Gateway=trust-vr Protocol=static Metric=0

This should allow your DMZ to route to the "trusted" LAN and provide a default route (0.0.0.0/0) to your Internet Router.

Once this is in place, I would look at your policies.

Hope this helps.

Rgds,

John
 
John, you're on the ball dawg! Didn't expect to hear from you this soon...

This is what I have in my routing table: 10.3.111.0 is the DMZ...I initially did what you told me and it worked, then I started looking at it and since the trust-vr is being used, it works this way as well. According to the netscreen knowledgebase, for DMZ private IP routing, I need to create a MIP from the DMZ to the internet...Below is what I've got in my routing table and VPN is working...Just can't browse the internet from DMZ...

untrust-vr

  IP/Netmask         Gateway         Interface   Protocol   Metric
* 0.0.0.0/0          66.129.119.65   ethernet3   S          1

trust-vr

  IP/Netmask         Gateway         Interface   Protocol   Metric
* 10.3.110.0/24      0.0.0.0         ethernet1   C          0
* 66.129.119.64/27   0.0.0.0         ethernet3   C          0
* 0.0.0.0/0          66.129.119.65   ethernet3   S          1
* 10.3.111.0/24      0.0.0.0         ethernet2   C          0
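Added example, not code from the thread or from Juniper: a small Python check that feeds the trust-vr table pasted above through a longest-prefix lookup for the DMZ host and flags that a private source address still needs translation (a MIP or interface NAT) before public hosts can answer it. The sample table, `parse_routes`, `lookup` and `check_path` are all constructed for this example.

```python
import ipaddress

# Constructed sample: the trust-vr table as pasted above, one route per line,
# with the trailing UI column dropped.
ROUTING_TABLE = """\
trust-vr
* 10.3.110.0/24 0.0.0.0 ethernet1 C 0
* 66.129.119.64/27 0.0.0.0 ethernet3 C 0
* 0.0.0.0/0 66.129.119.65 ethernet3 S 1
* 10.3.111.0/24 0.0.0.0 ethernet2 C 0
"""

def parse_routes(text):
    """Turn the pasted listing into dicts; lines that are not routes are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "*":
            continue
        routes.append({
            "prefix": ipaddress.ip_network(parts[1]),
            "gateway": ipaddress.ip_address(parts[2]),
            "interface": parts[3],
            "protocol": parts[4],  # C = connected, S = static
            "metric": int(parts[5]),
        })
    return routes

def lookup(routes, dest):
    """Longest-prefix match for dest; ties go to the lowest metric."""
    dest = ipaddress.ip_address(dest)
    matches = [r for r in routes if dest in r["prefix"]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r["prefix"].prefixlen, -r["metric"]))

def check_path(routes, src, dest):
    """Return (egress interface, next hop, needs_translation), or None if unroutable."""
    route = lookup(routes, dest)
    if route is None:
        return None
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dest)
    # Connected routes deliver directly; static routes hand off to the gateway.
    next_hop = dst_ip if route["protocol"] == "C" else route["gateway"]
    # A route is not enough: a private (RFC 1918) source bound for a public
    # destination gets no reply unless the firewall rewrites it on the way out
    # (MIP or interface/DIP NAT), which is the gap this thread runs into.
    needs_translation = src_ip.is_private and not dst_ip.is_private
    return route["interface"], str(next_hop), needs_translation
```

For the DMZ host 10.3.111.12 the table does yield a path out of ethernet3, so the check points at translation rather than routing as the thing to fix.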
 
Hello,

I'm sorry. I forgot that your DMZ is a private subnet. Mine is a public net block. So it's just internet? Do pings get to your Internet Router? I thought the MIP was used for Inbound access? Do you have public traffic traversing to a DMZ host? If so, the MIP will be needed, and then we are talking Internet from that host?

I am a little confused as you can see...



Rgds,

John
 
John, yeah, it's a private network on the DMZ...Yeah, it's just internet access...VPN between the DMZ and my other sites are working fine...

It's as if the DMZ network doesn't know how to get to the internet as far as surfing goes...I cannot ping the internet router from the server in the DMZ...I read something on the Netscreen knowledgebase about if you have a private DMZ network, you have to have a MIP from each of those private hosts to the internet and, as you said, I always thought MIP was for traffic coming in...Any ideas?

Thanks again for your help!

 
Hello,

How many hosts are on the DMZ? Creating MIPs is easy, and you can permit the traffic via an outbound policy.

Let me know.

Rgds,

John
 
John, right now, there is just one host (10.3.111.12) in the DMZ. Creating MIPs for inbound traffic to get to a specific host is what I'm used to (creating the MIP on the untrusted interface to the trusted host)...

It's different in creating an outbound MIP (DMZ host to internet router). I am trying to allow DMZ host 10.3.111.12 to access internet router x.129.119.65.

Thanks in advance!

 
Hello,

You should be able to just reverse it. Mapped IP = Internal Address - Host IP Address = Internet Router. Never have done this before...

Rgds,

John
 