Netscreen 100 + Zyxel Zywall 10

I've got the opportunity to purchase a Netscreen 100 from a friend who works for a company that no longer uses it, at a very good price.

I've been looking at a decent hardware firewall for a while now and this looks like it will fit the bill nicely.

My current config consists of a basic ADSL router, and I'm making use of the firewall on it. It's in a flatting environment, so at this stage I've hit the wall on the number of port ranges that I can open (10).

What I would like to know is, in a NAT situation, how many ports (or port ranges) can I open to allow access to computers from the untrusted side to the trusted side?

Obviously I'm going to be needing more than 10 to make it worth considering buying for me.

The other question is, how many custom services can I create? Obviously this is equally as important, as I'm going to have several custom ones to cover the service double ups between myself and the flatmates.

I've also got the opportunity to buy a Zyxel Zywall 10 from the same person. The above two questions apply, and does anyone have experience with both to be able to give a comparison (or even if you only have experience with one of the devices, could you do a quick write up on why I should buy it).

Thanks,

Vinnie.

Reply to
Vinnie

The Netscreen 100 is EOL and the last ScreenOS was 4.x. This doc should help with getting things set up.

-alan

Reply to
Alan Strassberg

After talking further with the friend, they have no idea what version of ScreenOS it's running, nor do they know what the password is.

It was pulled from a location after being in use for an extended period.

I've had a hunt round on Google, and it seems that only certain versions of ScreenOS will allow you to do a password reset.

Is there any way (externally) of finding out what version of ScreenOS this particular device would have been supplied with?

If I can get my hands on a newer ScreenOS version that does support the password reset, can I load it onto the model and regain control?

Thanks,

Vinnie

Alan Strassberg wrote:

Reply to
Vinnie

They all support password reset

Reply to
AMR

AMR wrote:

Nope. Some of the very early models had to be shipped back to be reset. ScreenOS 2.x-ish, IIRC.

Cheers, Jens

Reply to
Jens Hoffmann

And what do you think they did to them to reset the password when they got their hands on it?

Reply to
AMR

I do not know, and I don't care much. (Probably remove or add a wire bridge.)

We told our distributor back then that the planned product, centering around the Netscreen, would be launched when they had replaced the procedure with something field-maintainable. Eventually they did, and we launched our product late.

Anyway, back to the thread: buying an old Netscreen is not very advisable for production use; it is probably educational or fun ;)

Cheers, Jens

Reply to
Jens Hoffmann

For fun and learning use at home.

Anything (even old) has got to be better than the one on my DSL router, which only supports opening up to 10 port ranges - this doesn't work in a flatting environment.

Actually, all the consumer-grade DSL routers I've had anything to do with (through personal experience and the ones we have at remote offices for work) only allow up to 10. It's rather odd that no one seems to offer more until you're paying large amounts of money :(

Vinnie

Reply to
Vinnie

Hi,

Vinnie wrote:

That's ok ;)

Yeah, probably, but you have to get the traffic to the Netscreen unharmed. The old boxes / ScreenOSes don't have a PPPoE client AFAIK.

I'd google a bit to find an answer to that question ;)

Cheers, Jens

Reply to
Jens Hoffmann

Huh? I thought it was just a LAN connection from your connecting device direct to the untrusted port on the Netscreen.

I was just going to put my router into 'Modem' mode (where it doesn't use its inbuilt firewall and just lets all traffic through), connect it to the untrusted port on the Netscreen and set it up to do all the firewall policies.

Vinnie

Reply to
Vinnie

It is.

You do not have authentication on your internet line? Then it'll work fine. (Thought you mentioned ADSL; there you have to authenticate with PPPoE when using ADSL; in .at it's PPPoA, IIRC.)

Cheers, Jens

Reply to
Jens Hoffmann

Sorry, yes, we do have authentication on the line. It uses PPPoA here.

I just assumed that because of the LAN connection being an untrusted RJ45 connection, it would connect to whatever network appliance you use to connect to the internet (in my case a Netgear DG632 ADSL Router, but I thought it could be connected to potentially anything).

If I let the Netgear ADSL router handle the internet authentication and connection, and just put it into 'dumb mode' where it will let all traffic pass from its internal connection directly to the untrusted port on the Netscreen, can I just put the Netscreen into a mode where it will accept this traffic and deal with it? Or am I mistaking how things work with the Netscreen, and it in itself has to be connected directly to the wall and negotiate the connection itself?

Vinnie

Reply to
Vinnie

Or am I mistaking how things work with the

No, but I do not understand the addressing in your network.

The Netscreen can run in different modes: a) as a router (with or without NAT), or b) as a bridge.

Now, taking a look at your setup and the IP addresses:

         ---------           ---------
    --a-| DG632 |-b-   -c-| ns100 |-d-- LAN
         ---------           ---------

So, what do you want to do here?

Cheers, Jens

Reply to
Jens Hoffmann

Basically the setup that is there is what I want. It gets rather complicated after that, as currently I have a PC acting as a server and router between three other networks.

                              -f--g- 192.168.1.0 (GigE network)
                             /
           ----------       /
    -d--e-| server |-----h--i- 192.168.2.0 (wireless)
           ----------       \
                             \
                              -j--k- 192.168.192.0 (main wired network)

The network on the internal side of the server (currently) is 10.1.1.0.

Vinnie

Reply to
Vinnie

None there yet ;)) What are the addresses: a, b, c, and d?

The setup behind the firewall is rather straight forward, once you have decided on this one.

Usually I would expect (a) to be a public dynamic IP NATted to (b), with (b) and (c) forming a transfer network, and the Netscreen NATting again to (d); (b) and (c) private, and (d) private and from a different subnet.

Now, when the modem already does NAT, how does the modem do correct port forwarding? That was the problem you originally wanted to solve, right?

So, you should use the DG632 as a router and get (b) and (c) as a public network from your provider, routed over (a).

Then you have full control on the netscreen over what you wanted to do.

Do I have a fundamental misunderstanding here?

Cheers, Jens

Reply to
Jens Hoffmann
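The double-NAT problem Jens describes above (the DG632 NATs (a) to (b), the ns100 NATs again to (d), so every inbound port needs a forward on both boxes and the DSL router's 10-entry limit still bites) is easy to see in a small model. This is an added example and not code from the thread, nor ScreenOS or Netgear configuration syntax; the addresses for (a), (b), (c) and (d), the 10-entry cap and the LAN host are constructed assumptions standing in for the points in the diagram.

```python
"""Model of double NAT vs. routed topology for the DG632 / ns100 diagram.

Constructed example: addresses are assumptions, not taken from the thread,
and the hops only model how port forwards chain, not vendor configuration.
"""
from dataclasses import dataclass, field
from typing import Optional

# Assumed addresses (constructed; public ones use documentation ranges).
PUBLIC_A = "203.0.113.10"    # (a) dynamic public IP on the DG632 WAN side
TRANSFER_B = "192.168.0.1"   # (b) DG632 LAN side of the private transfer net
TRANSFER_C = "192.168.0.2"   # (c) ns100 untrust side when double-NATed
PUBLIC_C = "203.0.113.34"    # (c) when the provider routes a public block over (a)
LAN_HOST = "10.1.1.50"       # a host on the 10.1.1.0 network behind (d)


@dataclass
class Packet:
    dst_ip: str
    dst_port: int
    trace: list = field(default_factory=list)   # what each hop did to it


@dataclass
class Hop:
    name: str
    outside_ip: str                   # address inbound traffic is sent to
    nat: bool                         # True: translates, needs a forward per port
    forwards: dict = field(default_factory=dict)    # dst_port -> (ip, port)
    max_forwards: Optional[int] = None              # consumer-router style cap

    def add_forward(self, port: int, inside_ip: str, inside_port: Optional[int] = None):
        """Add a DNAT entry; a capped table (the DSL router's 10 ranges) refuses more."""
        if self.max_forwards is not None and len(self.forwards) >= self.max_forwards:
            raise ValueError(f"{self.name}: forward table full ({self.max_forwards} entries)")
        self.forwards[port] = (inside_ip, inside_port or port)

    def process(self, pkt: Packet) -> Optional[Packet]:
        """Route, translate, or drop an inbound packet; None means dropped."""
        if not self.nat:
            pkt.trace.append(f"{self.name}: routed unchanged")
            return pkt
        if pkt.dst_ip != self.outside_ip:
            pkt.trace.append(f"{self.name}: {pkt.dst_ip} is not my outside address, dropped")
            return None
        fwd = self.forwards.get(pkt.dst_port)
        if fwd is None:
            pkt.trace.append(f"{self.name}: no forward for port {pkt.dst_port}, dropped")
            return None
        pkt.dst_ip, pkt.dst_port = fwd
        pkt.trace.append(f"{self.name}: DNAT -> {pkt.dst_ip}:{pkt.dst_port}")
        return pkt


def double_nat_path():
    """DG632 NATs (a)->(b) with the 10-entry cap from the thread; ns100 NATs again."""
    return [Hop("DG632", PUBLIC_A, nat=True, max_forwards=10),
            Hop("ns100", TRANSFER_C, nat=True)]


def routed_path():
    """DG632 routes a public block over (a); only the ns100 translates."""
    return [Hop("DG632", PUBLIC_A, nat=False),
            Hop("ns100", PUBLIC_C, nat=True)]


def open_ports(path, ports, inside_ip=LAN_HOST):
    """Open each port end to end: every NAT hop on the way needs its own entry."""
    dg632, ns100 = path
    for port in ports:
        if dg632.nat:
            dg632.add_forward(port, ns100.outside_ip)   # first hop hands it to (c)
        ns100.add_forward(port, inside_ip)              # ns100 policy hands it to the LAN


def deliver(path, port, inside_ip=LAN_HOST):
    """Send an inbound packet to the address the outside world uses; (delivered, trace)."""
    entry = path[0].outside_ip if path[0].nat else path[1].outside_ip
    pkt = Packet(entry, port)
    for hop in path:
        if hop.process(pkt) is None:
            return False, pkt.trace
    return (pkt.dst_ip == inside_ip and pkt.dst_port == port), pkt.trace


def count_reachable(path, ports):
    """How many of the given ports reach the LAN host from outside."""
    return sum(1 for p in ports if deliver(path, p)[0])


if __name__ == "__main__":
    double = double_nat_path()
    open_ports(double, range(8000, 8010))
    print("double NAT, 10 ports:", count_reachable(double, range(8000, 8010)))
    try:
        open_ports(double, [8010])            # the 11th port hits the router's cap
    except ValueError as err:
        print("double NAT, 11th port:", err)
    routed = routed_path()
    open_ports(routed, range(8000, 8015))     # the cap no longer sits in the path
    print("routed front end, 15 ports:", count_reachable(routed, range(8000, 8015)))
```

The model makes the practical point explicit: with the DSL router still NATting, a policy on the ns100 alone opens nothing, because the packet never gets past the first hop without a matching entry there, so the router's small table stays the limit. Once the router only routes a public block to (c), the ns100 is the single place where inbound access is decided and logged.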

nope, it's pptp in .at

M
Reply to
mak
