
VIP to a different subnet possible? basic setup question

Status
Not open for further replies.

imnotadj

IS-IT--Management
Aug 9, 2006
7
AU
I've just installed a new NetScreen 25 and need a bit of help.

I've set up the untrust interface to obtain an IP via DHCP using PPPoE. The trust interface is set to 192.168.53.2. The gateway server has two NICs: the firewall-facing interface has an IP of 192.168.53.4 and the LAN interface has an IP of 10.0.0.10.

I have a mail server on 192.168.53.4 and have set up a VIP service to it, and it works fine. I have a RAS server on 10.0.0.202 and have set up a VIP service for it, and I am getting no traffic at all.

How do I set up the NetScreen so that it will route traffic for 10.0.0.x from the trust 192.168.53.2... if that makes any sense at all.

So in the past I just had the gateway box doing NAT to the RAS box... I've tried turning NAT off on that interface but it doesn't work.

Regards,
 
I can't ping anything in the 10.0.0.x range from the NetScreen. I've added a route:
* 10.0.0.0/32 ethernet1 SP 20 1 Root

But that doesn't work... how do I tell the NetScreen to route all 10.0.0.x down the 192.168.53.x trust interface so the gateway can then NAT to the hosts in the 10.0.0.x subnet?
 
These are the routes I have:

IPv4 Dest-Routes for <trust-vr> (6 entries)
--------------------------------------------------------------------------------
   ID  IP-Prefix          Interface  Gateway         P   Pref  Mtr  Vsys
--------------------------------------------------------------------------------
*  16  0.0.0.0/0          eth3       172.18.112.99   C   0     1    Root
*  18  10.0.0.0/32        eth1       192.168.53.4    SP  20    1    Root
*   2  192.168.53.2/32    eth1       0.0.0.0         H   0     0    Root
*   3  xxx.xx.xx.xx/32    eth3       0.0.0.0         C   0     0    Root
*   4  xxx.xx.xx.xx/32    eth3       0.0.0.0         H   0     0    Root
*   1  192.168.53.0/24    eth1       0.0.0.0         C   0     0    Root


I can't ping the RAS server from the NetScreen.
I can access the internet and also ping the trust interface of the NetScreen from the RAS server.
I have NAT entries on the gateway (192.168.53.4) pointing to 10.0.0.202 for ports 1701 and 1723.

I'm not even seeing a packet count on the policies I have set up when I attempt a RAS connection.

Some more info....

ns25-> get poli
Total regular policies 4, Default deny.
ID  From     To       Src-address  Dst-address   Service   Action  State    ASTLCB
4   Untrust  Trust    Any          VIP(etherne~  L2TP      Permit  enabled  ---XX-
3   Untrust  Trust    Any          VIP(etherne~  VPN PPTP  Permit  enabled  ---XX-
2   Untrust  Trust    Any          VIP(etherne~  MAIL      Permit  enabled  ---XX-
1   Trust    Untrust  Any          Any           ANY       Permit  enabled  ---XXX
ns25-> get vip
Virtual IP    Interface  Port  Service   Server/Port
xx.xxx.xx.xx  ethernet3  25    MAIL      192.168.53.4/25(OK)
xx.xxx.xx.xx  ethernet3  1701  L2TP      10.0.0.202/1701(OK)
xx.xxx.xx.xx  ethernet3  1723  VPN PPTP  10.0.0.202/1723(OK)
ns25->
 
Hi, sounds like a routing problem. Is the gateway server configured as an IP forwarder? If not, this must be enabled first. If you don't know how to do this, reply and I'll send you instructions. Also, are all the clients (on the 10.0.0.x network) that need access through the NetScreen pointing at the 10.0.0.10 address of the gateway server in order to get to the 192.168.53.x network? If not, they need to.

Darren Campbell
Technical Design Architect
 
Hi, yes the gateway knows what to do with the traffic, and all of the clients point to 10.0.0.10 and have access to the public internet.
I've run a packet capture on the 192.168.53.4 interface of the gateway and I can't see any L2TP/PPTP traffic at all. But I am sort of expecting this, due to the fact that there are no entries in the NetScreen log either.

My hunch is the NetScreen is just dropping the packets because it has no idea what to do with them...

Regards,
 
One thing I have found is I had the 10.0.0.0 route as a /32, so I've changed that to a /24... but it's still not working.
 
Hi,

Sorry, but are you saying that if you initiate a ping from the 10.0.0.x network to the internal interface of the NetScreen and run a sniffer out of the back of the gateway server, you observe no traffic?

Darren Campbell
Technical Design Architect
 
Hi,
Yes, I see traffic... just no inbound L2TP/PPTP.
 
Problem fixed..... user error.
I just pointed the VIP at 192.168.53.4 instead of 10.0.0.202... logic abandoned me for a while there.
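A small consistency check, added here as an example and not part of the thread: it parses the `get route` and `get vip` output posted above and reports, for each VIP, whether the firewall reaches the server host on a directly connected subnet or only through a next hop, which is exactly the trap this thread ran into (a VIP pointed at a host that sits behind a NATing gateway). The sample data is constructed from the posts with the 10.0.0.0 route already corrected to /24; the masked public VIP is replaced with the documentation address 203.0.113.5, which is an assumption.

```python
# Added check (not from the thread): parse ScreenOS 'get route' / 'get vip' output
# and report how the firewall reaches each VIP's server. Sample data is built from
# the posts (route corrected to /24); masked public VIP replaced by 203.0.113.5.
import ipaddress

ROUTE_OUTPUT = """\
* 16 0.0.0.0/0 eth3 172.18.112.99 C 0 1 Root
* 18 10.0.0.0/24 eth1 192.168.53.4 SP 20 1 Root
* 1 192.168.53.0/24 eth1 0.0.0.0 C 0 0 Root
"""
VIP_OUTPUT = """\
203.0.113.5 ethernet3 25 MAIL 192.168.53.4/25(OK)
203.0.113.5 ethernet3 1701 L2TP 10.0.0.202/1701(OK)
203.0.113.5 ethernet3 1723 VPN PPTP 10.0.0.202/1723(OK)
"""

def parse_routes(text):
    """Return [(network, gateway, proto)] for active ('*') route lines."""
    routes = []
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) >= 9 and parts[0] == "*" and parts[2][0].isdigit():
            # masked prefixes such as xxx.xx.xx.xx/32 fail the digit test and are skipped
            net = ipaddress.ip_network(parts[2], strict=False)
            routes.append((net, parts[4], parts[5]))
    return routes

def parse_vips(text):
    """Return {service: server_ip}; service names may contain spaces."""
    vips = {}
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) >= 5 and parts[2].isdigit():  # skips the header line
            vips[" ".join(parts[3:-1])] = parts[-1].split("/")[0]
    return vips

def reach(server_ip, routes):
    """'connected' (VIP works), 'via <hop>' (if that hop NATs, point the VIP
    at the hop instead, the fix in this thread) or 'no-route'."""
    addr = ipaddress.ip_address(server_ip)
    hits = [r for r in routes if addr in r[0]]
    if not hits:
        return "no-route"
    _net, gw, proto = max(hits, key=lambda r: r[0].prefixlen)  # longest match
    return "connected" if proto == "C" and gw == "0.0.0.0" else f"via {gw}"

def audit(route_text=ROUTE_OUTPUT, vip_text=VIP_OUTPUT):
    routes = parse_routes(route_text)
    return {svc: reach(ip, routes) for svc, ip in parse_vips(vip_text).items()}

if __name__ == "__main__":
    print(audit())
```

Run against the thread's data, MAIL comes back as `connected` while both RAS VIPs come back as `via 192.168.53.4`, the host the poster ended up pointing them at.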
 