Hi Folks!
I have a netscreen 25 (Inknow its old, but it does the job) and I would like to do DMZ routing.
The boxes in the DMZ need to have public routed IP-s (NO MIP,VIP solutions please) due to a VOIP config that only allows one NAT hop and the users need that for their home:)
I have an IP subnet of /28 which I have divided into two 29/s and the upper part of the /29 is in the DMZ. I also asked the ISP to divide the subnet into two in the upstream T1, that they manage and route the 40/29 subnet trough gateway 207.x.y.35 (Which as you can see is my public IP for the NS25 untrusted eth2).
Interfaces in vsys Root: Name IP Address Zone MAC VLAN State VSD eth1 192.168.100.253/24 Trust 0010.db90.9650 - U - eth2 207.x.y.35/29 Untrust 0010.db90.9655 - U - eth4 207.x.y.239.41/29 DMZ 0010.db90.9657 - U -
Note eth2 and eth4.
The NAT boxes from my eth1 can talk to the guys in the DMZ zone, but I cannot get traffic coming from eth2 outside world to reach my box with the IP of 207.x.y.42 or 43. The netscreen itself (207.x.y.41) responds to the ping from outside for the IP of 41 but nothing else from that subnet.
What am I missing?
Heres the relevant part of my routing table on NS25 CPM-MDFW-02-> get route C - Connected, S - Static, A - Auto-Exported, I - Imported, R - RIP untrust-vr (1 entries)
-------------------------------------------------------------------------------- ID IP-Prefix Interface Gateway P Pref Mtr Vsys
--------------------------------------------------------------------------------
- 3 207.x.y.40/29 eth4 0.0.0.0 S 20
-------------------------------------------------------------------------------- ID IP-Prefix Interface Gateway P Pref Mtr Vsys
--------------------------------------------------------------------------------
- 25 0.0.0.0/0 eth2 207.x.y.33 S 20
- 30 207.x.y.40/29 eth4 0.0.0.0 C 0
- 33 207.x.y.32/29 eth2 0.0.0.0 C 0
All is working except that no traffic reaches the 40/29 subnet (the boxes in there anyways) from the outside world)
Policies should be fine - for now I allow all traffic from anywhere to DMZ and vice-versa.
Heres a snippet of traceroute to that IP. Strange that the 41 goes trough but not 35(public direct IP) or 42 which actually is on the same subnet as 41.
ml@tobias:~>traceroute 207.x.y.41 .......
14 ge-0-0-0.core1.clmamdjt.uslec.net (169.130.80.77) 28.492 ms 39.970 ms 26.589 ms 15 so-0-3-0.core2.tycrva03.uslec.net (169.130.81.210) 31.253 ms 28.950 ms 39.919 ms 16 207.x.y.41 (207.x.y.41) 81.317 ms 41.475 ms 34.498 ms ....... ALL OK HEREml@tobias:~>traceroute 207.x.y.35
14 ge-0-0-0.core1.clmamdjt.uslec.net (169.130.80.77) 28.682 ms 27.053 ms 58.896 ms 15 so-0-3-0.core2.tycrva03.uslec.net (169.130.81.210) 27.885 ms 29.728 ms 27.960 ms 16 * * * 17 * * * 18 * * * ........................Why the timeout? ml@tobias:~$ ping 207.59.239.35 PING 207.x.y.35 (207.x.y.35) 56(84) bytes of data. 64 bytes from 207.x.y.35: icmp_seq=1 ttl=46 time=36.1 ms 64 bytes from 207.x.y.35: icmp_seq=2 ttl=46 time=76.4 msI get the same Ping for 41
Could you folks be so kind and if anybody has a clue to drop me an email.
Much appreciated.
Lorand.