Routing on Netscreen 5XP

Hi,

I'm trying to setup a basic DMZ for 1 PC that we need on the network, but not on 'our' network, so to speak (it's another company's laptop, and we don't know if it has viruses/spyware etc).

We run an internal ip of 192.168.0.0/24, and we have an ADSL router modem, with 1 ethernet port on the back, (ip address 192.168.0.1), this is connected to our switch, and everyone in the office uses it as their default gateway to connect out through. Now I need to allow a PC, that we need to keep off our network, access to the internet.

The IP address of this PC is 10.0.0.10/8, I've connected it to the untrust port on a netscreen 5xp, and configured that port with the ip of 10.0.0.1. Then I've connected the netscreen trust port to the office switch, and added an ip address of 192.168.0.2. Now I need to be able to get the quarantined laptop to connect out through the netscreen, through the ADSL modem.

You can configure routing through the netscreen, but I'm unsure of the exact configuration, should the ports use NAT or routing? How do I configure the routing table?

Any help much appreciated

Ben


Pretty straightforward...(I changed the 10 'net from a /8 to a /24)

set interface trust ip 192.168.0.2/24
set interface untrust ip 10.0.0.1/24
set route 0.0.0.0/0 interface trust gateway 192.168.0.1
set policy id 7 from "Untrust" to "Trust" "10.0.0.10" "192.168.0.1/32" "ANY" nat src permit log

This allows 10.0.0.10 to go to your gateway. This is NATed to the source of the 5XP (192.168.0.2) so it'll route to the gateway. Note there is a default ANY/ANY rule from trust to untrust. You may want to disable this.

alan

Alan Strassberg

Hi Alan,

Thanks for the reply, I will give it a try, and let you know how I get on!

Ben


Hi Alan,

Gave that a try, and I can now ping the gateway at 192.168.0.1, however I can't get out onto the internet. I made the changes you said, i.e. set the trust IP to 192.168.0.2/24, untrust to 10.0.0.1/24, then added the route 0.0.0.0 to 192.168.254.1, and set the policy (although it's id 12, would this matter?) from untrust to trust, 10.0.0.0/24 to 192.168.254.1/32, ANY, NAT source, and log!

Any ideas why I can't reach the internet?

Ben

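Putting the thread's configuration together, as an added example and not part of any of the posts above: the ScreenOS commands below follow Alan's recipe for the topology in the first post (quarantined laptop on untrust, office LAN and ADSL router 192.168.0.1 on trust), but use the predefined Any address as the policy destination. A destination entry of 192.168.0.1/32 matches only packets addressed to the gateway itself, not packets addressed to hosts on the internet behind it, which is consistent with being able to ping the gateway while nothing further gets through. The address-book name, policy id 7 and the assumption that the 5XP's default trust-to-untrust Any/Any policy carries id 1 are mine; the `#` lines are annotations, not CLI input, and `get policy` should be run first to confirm the id before anything is removed.

```screenos
# Added example, not the original poster's configuration.
# 5XP: trust = office LAN side (192.168.0.0/24), untrust = quarantined laptop.

set interface trust ip 192.168.0.2/24
set interface untrust ip 10.0.0.1/24

# Default route: anything not local leaves via trust toward the ADSL router.
set route 0.0.0.0/0 interface trust gateway 192.168.0.1

# Address-book entry for the single quarantined host (name is an assumption).
set address untrust "quarantine-pc" 10.0.0.10 255.255.255.255

# Weak form (destination limited to the gateway address itself):
# permits 10.0.0.10 -> 192.168.0.1 only, so internet-bound packets never match.
#   set address trust "adsl-gw" 192.168.0.1 255.255.255.255
#   set policy id 7 from untrust to trust "quarantine-pc" "adsl-gw" ANY nat src permit log

# Corrected form: any destination, source-NATed to the egress (trust)
# interface address 192.168.0.2 so the ADSL router replies to the 5XP.
set policy id 7 from untrust to trust "quarantine-pc" Any ANY nat src permit log

# Keep the office LAN from reaching the quarantined host: the 5XP ships
# with an Any/Any trust-to-untrust policy. Confirm its id, then remove it.
get policy
unset policy id 1          # assumes the default policy is id 1

save

# Verification from the CLI:
get route                  # default route via trust, gateway 192.168.0.1
get policy id 7            # source NAT shown on the policy
get session                # 10.0.0.10 -> internet host translated to 192.168.0.2
```

Leaving the default trust-to-untrust policy in place is the one thing that would undo the point of the exercise: with it present, any office machine could reach the laptop on 10.0.0.10 through the 5XP, whereas removing it means only the single laptop-to-anywhere policy exists and the quarantine holds in both directions.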
