JuniperForum.com

Topic: Netscreen 5xp
timeshadowrider « on: March 10, 2010, 01:51:39 AM »

Hi,

I have an old NetScreen 5XP that I can't get to access the internet.

FYI - I'm not a network admin.

If anyone has a working config that they could post, that would be great!!

This is what the wizard set up:

set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "VLAN" block
set zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust"
unset interface vlan1 ip
set interface trust ip 192.168.2.1/24
set interface trust nat
set interface untrust ip 67.170.189.130/22
set interface untrust route
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface trust ip manageable
set interface untrust ip manageable
set interface trust dhcp server service
set interface trust dhcp server enable
set interface trust dhcp server option gateway 192.168.2.1
set interface trust dhcp server option netmask 255.255.255.0
set interface trust dhcp server option domainname hsd1.wa.comcast.net.
set interface trust dhcp server option dns1 68.87.69.150
set interface trust dhcp server option dns2 68.87.85.102
set interface trust dhcp server ip 192.168.2.10 to 192.168.2.126
set interface untrust dhcp-client enable
set interface trust dip 4 192.168.2.10 192.168.2.100
set flow tcp-mss
set domain hsd1.wa.comcast.net.
set hostname ns5xp
set dns host dns1 68.87.69.150
set dns host dns2 68.87.85.102
set ike respond-bad-spi 1
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set policy id 3 from "Untrust" to "Trust"  "Any" "Any" "ANY" nat src dip-id 4 permit
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" nat src dip-id 4 permit traffic gbw 10000 priority 7 mbw 10000
set ssh version v2
set config lock timeout 5
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
exit
marty « Reply #1 on: March 10, 2010, 03:34:47 AM »

Your trust interface is already in NAT mode; why are you again doing a NAT src in the Trust to Untrust policy?

From the device, are you able to ping any IP on the internet?

Hope the routing is fine on the device.

Marty

timeshadowrider « Reply #2 on: March 10, 2010, 11:51:22 AM »

I don't know about the ping; I can check that later today, but with IE Google will not load and MSN Messenger does not log in automatically. I would not think it would be a DNS issue since in the GUI it's pulling the DNS from Comcast. I was thinking that it's not routing from Trust to Untrust.
timeshadowrider « Reply #3 on: March 10, 2010, 02:54:50 PM »

I just did a ping test from the command line in Windows and the response is:

ping request could not find host www.google.com
timeshadowrider « Reply #4 on: March 10, 2010, 02:58:35 PM »

Just did a tracert and the response is the same for the most part:

unable to resolve target system name www.google.com
timeshadowrider « Reply #5 on: March 10, 2010, 03:11:08 PM »

It's like I have no gateway:

  IP/Netmask        Gateway    Interface  Protocol  Metric  Vsys  Configure
* 192.168.2.0/24    0.0.0.0    trust      C         0       Root  -
* 10.0.0.0/24       0.0.0.0    untrust    C         0       Root  -
* 0.0.0.0/0         10.0.0.1   untrust    C         1       Root  -
marty « Reply #6 on: March 11, 2010, 12:20:06 PM »

You pinged the hostnames; try pinging an IP from the NetScreen. Instead of google.com, try pinging the IP address from the NS; you can't ping a hostname from the NS.

Also, did you try removing the NAT src from the Trust to Untrust policy?

Marty

timeshadowrider « Reply #7 on: March 11, 2010, 02:05:27 PM »

I did remove the NAT and it's still not letting me connect.
timeshadowrider « Reply #8 on: March 11, 2010, 09:49:06 PM »

I purchased a console cable and I was able to ping from the device. Pinged 4.2.2.1 and it came back 100%, so if I have internet on the untrust, how do I get it to the trust connection...

Is there a sample config that I can use? I have been trying the setup guide, but it does not match the GUI.
timeshadowrider « Reply #9 on: March 11, 2010, 11:36:57 PM »

Don't know what I did, but I got it working.
marty « Reply #10 on: March 13, 2010, 06:16:31 AM »

OK, good to know it works now... but strangely enough, we do not know what made it work... hope there was not a cabling issue or some issue on your ISP's side.

Marty

carthman « Reply #11 on: March 17, 2010, 08:54:05 AM »

I suspect the "set zone Untrust block" in the config is what caused the issue.

If you do a "get zone untrust" you should be able to see if it is still enabled or not.
mindwise « Reply #12 on: March 17, 2010, 03:08:39 PM »

Well, you sorted it already, good stuff.....
Some (late) notes :)

> I suspect the "set zone Untrust block" in the config is what caused the issue.
>
> If you do a "get zone untrust" you should be able to see if it is still enabled or not.

The untrust zone has the 'block' option on by default, and since he's going from trust to untrust, it's irrelevant (or should be :))

The DIP ID used in policy ID 1 cannot be correct, since the egress interface for that policy is the untrust one and the DIP is on the trust interface -> remove that DIP from the policy, replace with "none, use interface IP" (or something that sounds similar).

Also, your guaranteed and max bandwidth are equal; I'd start off by removing those settings too.
Let's get internet working first; you can always break it by adding fancy stuff later :)

============

> you cant ping a hostname from the NS.
> (hostname = fqdn in this case (www.google.com)).

?
Sure you can......
www-> ping www.google.com count 20 from eth2
Type escape sequence to abort

Sending 20, 100-byte ICMP Echos to www.google.com [66.102.13.99], timeout is 1 seconds from ethernet2
!!!!!!!!!!!!!!!!!!!!
However, timeshadowrider was pinging from a cmd box, not from a telnet session to the NetScreen :)
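Editor's note: the thread never records what change fixed the box. The session below is an added example, not from any of the posters above, that puts marty's point (trust is already in NAT mode, so policy-based NAT src is redundant) and mindwise's point (dip-id 4 lives on trust, not on the egress interface untrust) into one console session against the posted config. It assumes only what the wizard output and the route table show: trust 192.168.2.1/24 in NAT mode, untrust as a DHCP client with a default route via 10.0.0.1. The interface names, policy IDs and DIP ID are the ones in the posted config; the 4.2.2.1 target is the one timeshadowrider used. One further observation is grounded in the posted config rather than the replies: policy id 3 permits "Any" service from Untrust to Trust, which is an open inbound rule and should not exist unless a service is deliberately published.

```text
## 1. Verify from the NetScreen itself (console or telnet, as in reply #8 and #12)
get route                          # expect 0.0.0.0/0 via 10.0.0.1 on untrust; no default route = no internet for anyone
get interface untrust              # DHCP-assigned address should show here, not the static 67.170.189.130/22 from the wizard dump
get zone untrust                   # carthman's check: 'block' only affects intra-zone traffic, so it is not the outbound problem
ping 4.2.2.1 from untrust          # an IP, so DNS is not involved (reply #8: 100% success)
ping www.google.com count 5 from untrust   # mindwise's point: the box resolves names because 'set dns host dns1 ...' is configured
get policy                         # policy 1 shows 'nat src dip-id 4'; dip 4 is on trust, the egress for this policy is untrust

## 2. Outbound policy: drop the DIP and the shaping, let interface NAT on trust do the translation
unset policy id 1
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit

## 3. Inbound policy: as posted, policy 3 permits any service from Untrust to Trust.
##    With trust in NAT mode, inbound traffic to a LAN host needs a MIP/VIP anyway, so this rule buys nothing.
unset policy id 3

## 4. The DIP pool is no longer referenced; it also overlapped the DHCP scope (192.168.2.10-126) on the same interface
unset interface trust dip 4

## 5. Commit and retest from a Windows host on 192.168.2.x
save
get session                        # Trust->Untrust sessions should appear with the source translated to the untrust IP
```

The diagnostic order matters: route table first (is there a default route at all), then an IP ping from the device (is the upstream path up), then a name ping (does the device itself resolve), and only then the policy. A host on the LAN that cannot resolve names, as in replies #3 and #4, is consistent with any of the last three failing, so testing from the device separates them.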