Netscreen 5xp Setup Help
| Mousemen 2006-11-25, 1:17 am |
| I am trying to set up a Netscreen 5xp. I can get an IP on the untrust side
from the cable modem and an IP on the trust side to the network, but I am
unable to access the internet. Anyone that can help someone new to this would
be appreciated. Below is a copy of the trust IP settings. I don't know if I
have the manage IP, trust IP and gateway set up correctly.
ns5xp-> get interface trust
interface trust, mode nat, down
ip 192.168.1.252/255.255.255.0 gateway 192.168.1.254, mac 0010.db0e.6810
gateway 192.168.1.254, manage ip *192.168.1.254, mac 0010.db0e.6810
ping enabled, telnet enabled, SCS enabled, SNMP enabled
NS-Global enabled, Global-Pro enabled, web enabled, ident-reset disabled
SSL enabled
bandwidth: physical 10000kbps, configured 0kbps, current 0bps
total configured gbw 0kbps, total allocated gbw 0kbps
| |
| Doug McIntyre 2006-11-25, 1:17 am |
| "Mousemen" <mousemen@you.com> writes:
>I am trying to set up a Netscreen 5xp. I can get an IP on the untrust side
>from the cable modem and an IP on the trust side to the network, but I am
>unable to access the internet. Anyone that can help someone new to this would
>be appreciated. Below is a copy of the trust IP settings. I don't know if I
>have the manage IP, trust IP and gateway set up correctly.
>ns5xp-> get interface trust
>interface trust, mode nat, down
Why is the trust interface down? That's your first hurdle.
| |
| Mousemen 2006-11-25, 7:11 pm |
| It's down as I took it off the network temporarily until I can get someone to
help me with it. I just pulled up the settings from that to see if I messed
up the trust IPs. Not sure if I got the manage IP, trust IP and gateway
correct. When it's connected to the cable modem it will pull an IP from
that. I'll hook up my laptop to it and it will get an IP. I can use the web GUI
to get to the management screens, but that's as far as it will let me get. Can't
get out to the internet with it. Do I need to set up the bandwidth usage
(how if so?) or any other policies? I have had it reset to default. I
connected the terminal cable to it to only pull the settings on the trust
side in case someone notices something there.
| |
| Doug McIntyre 2006-11-26, 1:12 pm |
| "Mousemen" <mousemen@you.com> writes:
>It's down as I took it off the network temporarily until I can get someone to
>help me with it. I just pulled up the settings from that to see if I messed
>up the trust IPs. Not sure if I got the manage IP, trust IP and gateway
>correct. When it's connected to the cable modem it will pull an IP from
>that. I'll hook up my laptop to it and it will get an IP. I can use the web GUI
>to get to the management screens, but that's as far as it will let me get. Can't
>get out to the internet with it. Do I need to set up the bandwidth usage
>(how if so?) or any other policies? I have had it reset to default. I
>connected the terminal cable to it to only pull the settings on the trust
>side in case someone notices something there.
Okay, there wasn't enough config/status posted in your first message
to determine if something was right or wrong or what the problem was,
other than you were showing the interface as down.

Otherwise, the bit you posted looked okay.

First steps to troubleshoot your problem.

Make sure you can ping outwards from the firewall and get to your
next-hop gateway.

Make sure that you have a default static route installed.

Make sure that you have a policy from Trust->Untrust allowing All-All-Any.
(not every network wants this policy, but it is a default policy, and
lets outbound traffic get out).

If you are doing NAT (IIRC, you were), make sure the default any
outbound policy has the NAT flag checked.

You do NOT need to worry about bandwidth setup, or logging or usage at
this point. Your basic setup is to put the IPs on the interfaces,
set up the default route, and check on your policies. The policies and
interfaces are what you need to worry about starting out.
| |
| Mousemen 2006-11-27, 1:15 am |
| Ok. Everything was set up right from what I could tell. From what I could
tell I had to change the bandwidth on the trust interface from 0 to
something. I matched the untrust and trust with 1024 and it works. I was able
to ping but unable to move traffic thru the web browser. Now I have to get
help on the VPN setup. I don't know if this is possible but I would like to
set up a group and then just add users as I need or take away. I am
essentially trying to learn this and a Cisco pix501 to be able to set them
up and have multiple sites connected together.
| |
| Mousemen 2006-11-30, 1:14 am |
| There has been a new development on this that is not making sense to me.
Moved the Netscreen to a new location that has static IPs. Now it will only
get on if I type in the IP address of the site, not the DNS URL. It's having
an issue resolving addresses. The old location it was set to go out thru a
Linksys router. Put in the static IPs for that network and gateway as the
Linksys address. All worked there. New location has static IPs on a DSL
account. Here's the layout. DSL comes in to Netopia that has DHCP and NAT
turned off. 2 other routers connect thru by setting up the IPs and DNS
servers (Belkin, Netgear). Those work just fine. In the Netscreen put in the
static IPs on the untrust side with the gateway set to the Netopia just
like the other routers. Put in the DNS server given by the ISP. I can ping
the gateway and outside world only by IP. I can go to sites if I type in the
IP address. Put in a URL and it can't go. Changed DNS to the gateway and to
the trust side IP, still the same. Now if the same settings work in the other
routers, why is this having an issue resolving correctly?
Internet > DSL modem > switch > 3 routers (Belkin, Netgear work fine) (NS not
resolving addresses).
Policy on outgoing is set to any just like it was before. Any ideas or help
is appreciated.
| |
| Doug McIntyre 2006-11-30, 7:15 pm |
| "Mousemen" <mousemen@you.com> writes:
>There has been a new development on this that is not making sense to me.
>Moved the Netscreen to a new location that has static IPs. Now it will only
>get on if I type in the IP address of the site, not the DNS URL. It's having
>an issue resolving addresses. The old location it was set to go out thru a
>Linksys router. Put in the static IPs for that network and gateway as the
>Linksys address. All worked there. New location has static IPs on a DSL
>account. Here's the layout. DSL comes in to Netopia that has DHCP and NAT
>turned off. 2 other routers connect thru by setting up the IPs and DNS
>servers (Belkin, Netgear). Those work just fine. In the Netscreen put in the
>static IPs on the untrust side with the gateway set to the Netopia just
>like the other routers. Put in the DNS server given by the ISP. I can ping
>the gateway and outside world only by IP. I can go to sites if I type in the
>IP address. Put in a URL and it can't go. Changed DNS to the gateway and to
>the trust side IP, still the same. Now if the same settings work in the other
>routers, why is this having an issue resolving correctly?
Are you expecting the Netscreen box to be a DNS proxy? (It doesn't do
that, but some of those other boxes you mention usually can be DNS proxies).
What device is being your DHCP server? What info is it handing out as
the DNS server? Something internal? Something external?
| |
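An added example, not part of the original thread: a small Python probe for the question raised in the reply above, namely whether the address handed to clients as "DNS server" actually answers DNS. It sends a hand-built query straight to that address over UDP 53, so the result does not depend on the client's own resolver settings. The file name `dnsprobe.py`, the test name `example.com` and the function names are assumptions made for this example.

```python
import socket
import struct
import sys

QID = 0x1234  # arbitrary query ID; a real DNS server echoes it back

def build_query(name, qid=QID):
    """Minimal RFC 1035 query: one A/IN question, recursion desired."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def parse_reply(data, qid=QID):
    """Return (rcode, answer_count); raise ValueError if not our reply."""
    if len(data) < 12:
        raise ValueError("reply shorter than a DNS header")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != qid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    return flags & 0x000F, an

def verdict(rcode, answers):
    """Turn the header fields into what a DHCP client would experience."""
    if rcode == 0 and answers:
        return "ok: resolves names"
    return f"answers DNS but cannot resolve (rcode={rcode}, answers={answers})"

def probe(server, name="example.com", timeout=2.0):
    """Ask `server` directly, bypassing the OS resolver configuration."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((server, 53))  # connect() surfaces ICMP port-unreachable
            s.send(build_query(name))
            return verdict(*parse_reply(s.recv(512)))
        except socket.timeout:
            return "no reply: not a DNS server/proxy, or UDP 53 is filtered"
        except (OSError, ValueError) as exc:
            return f"no usable reply: {exc}"

if __name__ == "__main__":
    # Pass each address handed out as DNS, e.g. the trust-side IP from the
    # thread: python dnsprobe.py 192.168.1.252
    for server in sys.argv[1:]:
        print(f"{server}: {probe(server)}")
```

Run it from a client behind the firewall against every candidate address (the firewall's trust IP, the upstream gateway, the ISP's resolver); only an address that returns "ok" is worth putting in the DHCP scope.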
| Mousemen 2006-12-01, 1:15 am |
| I was hoping it would work like the other routers but with more advanced
features. I think because I had it behind a router that did the DNS for it, it
worked before. Now it's not behind a router that does that. The Netscreen is
acting as a DHCP server right now. I thought since it was acting as a DHCP
server and with the DNS servers put in it would automatically work. As far as
the info it hands out, it's the IP address for the network clients
(192.168.1.x). The Netscreen is set up on 192.168.1.252 (untrust) and .254 for
the manage IP. Should I set up a server to hand out the IP instead and it do
the DNS serving for the network, or is there a way for the device to do that
but I'm just not setting it? Thank you in advance for your help on this.
| |
| Mousemen 2006-12-01, 1:15 am |
| Correction on the 192.168.1.252 (that's on the trust side). The untrust is set
to the static IPs from the ISP with the gateway being the DSL modem. Though
the modem does not do DHCP or NAT, just passthru.