Hmm, when you configure bandwidth settings on a policy it's really the same for both flows of the session. In that sense it is bi-directional. What you define for downstream you get on upstream. Of course you can put BW on an inbound policy, but then outbound return packets get the same settings. That's what I meant with bi-directional.


Routers / Re: How many JNCIE(s)?
« on: December 15, 2007, 11:47:58 am »
The only place I've seen it is in certmanager, but only on the page listing your own certifications.

NetScreen and SSG/ISG Series Firewalls / Re: NSRP + BGP
« on: December 15, 2007, 11:14:38 am »
Be careful to use version 6. In 5.4 BGP (or OSPF) is *not* synchronised by NSRP.

Then (just thinking about it, never tried it) place two fibre interfaces in both devices (just install a multi-port fibre card in both).

Of course you need a public range of IP addresses.

Configure BGP peers for both ISPs; only one works of course, but in failover the other one will work.
Import only, export your public IPs; should work.

Because of the changing outgoing interface, sessions will die in failover, so configure a big preempt hold-down time! Also allow, I expect, a minute or so for things to work again after failover. Just test it!


NetScreen and SSG/ISG Series Firewalls / Re: Viewing logs on VPN tunnel
« on: December 15, 2007, 09:37:56 am »
If your tunnel is in Trust and your traffic is coming from there, Firewall72 is absolutely right: no policy is needed, so no logging can be seen. Two ways of overcoming this:

1. Enable zone block on Trust and define an any/any/any permit policy from Trust to Trust.

2. Create a custom VPN zone and place the tunnel interface in this zone. Create policies (both directions if needed!!) from Trust to this zone, with logging.

Hope this helps.
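As an added example (not from the original post), the ScreenOS CLI equivalent of both options; the tunnel interface name tunnel.1 and the zone name "VPN" are assumed, and the lines starting with # are explanation, not ScreenOS syntax:

```text
# Option 1: intra-zone blocking on Trust, so Trust-to-Trust traffic
# (including the tunnel) needs a policy; the policy carries "log"
set zone "Trust" block
set policy from "Trust" to "Trust" "Any" "Any" "ANY" permit log

# Option 2: dedicated zone for the tunnel interface (tunnel.1 and "VPN" assumed),
# with a logged policy in each direction
set zone name "VPN"
set interface tunnel.1 zone "VPN"
set policy from "Trust" to "VPN" "Any" "Any" "ANY" permit log
set policy from "VPN" to "Trust" "Any" "Any" "ANY" permit log
save
```

Option 2 also lets you tighten the policies later to just the hosts and services that should cross the tunnel, instead of any/any/any.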


NetScreen and SSG/ISG Series Firewalls / Re: NS-25 to Cisco ASA VPN
« on: December 15, 2007, 09:26:49 am »
I dealt with it once. The "other party" configured it in such a way that the proxy ID was a range. That's something we can't match. So I asked them to allow just 1 IP address. Put this address on the tunnel interface, source-NATed all IPs behind this address, filled in the proxy ID with this address and a /32 mask. This worked.

In general: just let the other side initiate the connection, look in the logs at what's coming in and match it.

The one really important thing in IPsec is that the parameters must match the other side.

NetScreen and SSG/ISG Series Firewalls / Re: configuration SSG 550
« on: December 15, 2007, 09:20:21 am »

All interface setup is described here: but I'm not aware of frame relay interfaces! What interface are you using?


NetScreen and SSG/ISG Series Firewalls / Re: 1 Trust 3 Untrust on SSG140
« on: December 15, 2007, 09:08:53 am »
Probably you defined the static routes as permanent? This means a route stays active in the routing table even when the outgoing interface is down.

Furthermore, with 3 outbound interfaces I advise using policy-based routing (available since ScreenOS 5.4) to direct specific protocols in the right direction. The problem here could be the dynamic addresses. Try to arrange for fixed addresses with your ISP. They can still hand them out, of course. As long as you keep getting the same next-hop address all is fine.



Just filter on it! In the GUI go to Virtual Router and click on trust-vr. There you'll find the access list you fill in and reference in a route-map.


NetScreen and SSG/ISG Series Firewalls / Re: OSPF on a NS25
« on: December 15, 2007, 05:25:53 am »
Two ISPs and the same area? Then the two ISPs should also connect to each other! OSPF with your ISP is very unusual anyway. When running dynamic routing with an ISP one would normally go for BGP, in my humble opinion.

Everything you configure is bi-directional. I think this makes it hard to configure what you want.

NetScreen and SSG/ISG Series Firewalls / Re: Tunnel within a tunnel
« on: December 14, 2007, 02:40:14 pm »
NATing in a policy-based VPN?? Very interesting, I don't think it can be done. As far as I know only with a route-based VPN, with numbered tunnel interfaces.

NetScreen and SSG/ISG Series Firewalls / Re: Traffic Shaping SSG550M
« on: December 14, 2007, 02:37:47 pm »
Is this in the GUI or also in the CLI?

If I understand it well you're creating asymmetric routing: routing to the MS VPN goes via your NetScreen, the route back goes directly. ScreenOS doesn't like this.... It's not wise, but you could configure ScreenOS to ignore this by disabling the TCP SYN check:

unset flow tcp-syn-check


NetScreen and SSG/ISG Series Firewalls / Re: ScreenOS 6.0.0r3
« on: November 18, 2007, 12:01:49 pm »
It's a bug. Report it to JTAC and you can get a bug fix.

Did you try a smaller max segment size? set flow tcp-mss should do the trick!

