
Routing to Trusted network from untrusted


Trancemission

Technical User
Oct 16, 2001
108
GB
Hello,

I am attempting to test NetScreen firewalls but am having trouble with routing to the private network behind the device.

I want to test and configure SNMP traps that are sent when attacks take place, but I cannot access any devices behind the FW from the 'internet' to the trusted interface. Obviously that is the idea, but my network here makes it difficult to have public addresses and access to the SNMP management host. Anyways......


I have my 'public' address configured and this was set up via the GUI. Routing has been added to the Trust VR.
I added routes to the Untrust VR and set the Untrust Int to use this. I have both networks in their respective tables, and I have routing between the 2 [i.e. the untrusted sends to the Trust router for my private network].

FW policies allow total cross zone access.

When I add a static route to my laptop [which is on the same subnet as my public interface] to forward my private network to the NetScreen, nothing happens. Traces fail at the first hop. I can arp from my laptop and NetScreen and both see each other. Pings work fine; I can even manage via the web on my public interface.

I have got to the stage where I am pulling my hair out [normally means something simple I am missing :)]. So any help/pointers would be great.

I can show the config if required.

Cheers


Trancemission
=============
If it's logical, it'll work!
 
Let me see if I get you correctly. You would like to access a device in your private network on a specific port from outside of the firewall?

If this is the case, look in the netscreen manual at the "port forwarding" examples.

If you are operating in NAT mode and you have more than one public (untrusted) IP available, you can create a mapped IP and set a policy to allow anything you want through the firewall to that internal IP.

Hope this helps,
Dana
 
Thanks for your reply but it is not quite what I am after.

I want the firewall to act as a router. I thought this may be possible if I make my private network [connected to the trusted interface] available in my untrusted VR and set my untrusted interface to use this VR.

I know in the real world this would not be normal practice, but I am only testing SNMP traps :)

Many Thanks

Trancemission
=============
If it's logical, it'll work!
 
Yeah, I think I get what you are saying, but I agree, I don't think it's an option, because in the real world it would break the "rules" of the firewall.

Dana
 
Would that be because they are designated private IP addresses?

When I get back in the office I will add all Public IP and try :)

Cheers


Trancemission
=============
If it's logical, it'll work!
 
No, I don't think the NetScreen cares what address space is inside or outside the firewall.
 
Not sure on this one now, I have now used public IP addresses and all works fine ?!?

As a test I tried a ping from the console port, using the trusted as the source, and tried to ping the untrusted network. It didn't work when using private IPs.

Works fine with public; I think my config was the same :-o.

Moving on, I need to get my testing completed and now I am having trouble with SNMP traps. Have you any experience with these? I am going to create a new topic for this.

Many Thanks



Trancemission
=============
If it's logical, it'll work!
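For anyone repeating this lab later, here is a ScreenOS configuration, written for this reply from memory of the CLI and not taken from the thread or from the vendor manual, that makes the firewall route between the two virtual routers for a private network behind trust while keeping the policy narrowed to the SNMP test traffic instead of "total cross zone access". Addresses (192.168.10.0/24 behind trust, 203.0.113.0/24 on untrust, management host 192.168.10.20, laptop 203.0.113.50) are constructed; zone and service names should be checked against the manual for your ScreenOS release, and the lines starting with # are annotations for the reader, not commands. One assumption worth checking against the poster's "private failed, public worked" result: a trust interface left in the default NAT mode will not forward inbound traffic to private hosts without a MIP/VIP, so the interface is set to route mode below.

```screenos
# Interfaces: route mode on trust so packets to the private subnet are
# forwarded unchanged rather than source-NATed (assumption, see lead-in).
set interface trust ip 192.168.10.1/24
set interface trust route
set interface untrust ip 203.0.113.1/24
set interface untrust route

# Virtual routers are bound per zone: move the Untrust zone to untrust-vr
# (the thread did this via the GUI); the Trust zone stays in trust-vr.
set zone Untrust vrouter untrust-vr

# Inter-VR routes: each router must know the other's subnet, otherwise
# the first hop has nowhere to send the packet and the trace dies there.
set vrouter trust-vr
set route 203.0.113.0/24 vrouter untrust-vr
set route 0.0.0.0/0 vrouter untrust-vr
exit
set vrouter untrust-vr
set route 192.168.10.0/24 vrouter trust-vr
exit

# Lab-only policy: only the two test hosts and only the predefined SNMP
# service (UDP 161/162), logged so the trap traffic is visible while testing.
set address Trust mgmt-host 192.168.10.20 255.255.255.255
set address Untrust lab-laptop 203.0.113.50 255.255.255.255
set policy from Untrust to Trust lab-laptop mgmt-host SNMP permit log
set policy from Trust to Untrust mgmt-host lab-laptop SNMP permit log

# On the laptop (Windows syntax), point the private subnet at the untrust
# interface so the return path exists:
#   route add 192.168.10.0 mask 255.255.255.0 203.0.113.1
```

Remove the route-mode setting and the inter-VR route on untrust-vr when the test is finished; a production device should not expose the private subnet this way.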
 