Netscreen 5GT in Extended Mode

You'll have to change the port mode to Extended. This will wipe out the config that is currently on it. But once that is done, you can do anything you want. However, you cannot specify which interfaces are in which zone; on the 5GT it is a preconfigured setup that can't be modified beyond the port mode.

Your diagram is a bit fubar, but is technically possible. You can put it in route mode, but the way you have it with an ADSL router might be painful. Is there a reason for having the Untrust zone using a 10.0.0.2 address?
Reply to
Munpe Q

Hi All,

I'm a newbie to netscreen. I have a NETSCREEN 5GT AV/DI and I have it in Extended mode.

I have an ADSL modem/router providing me with a fixed IP from my ISP. I also have 8 IPs allocated from my ISP which I am using at the moment.

What I would like to do is connect the 5GT to the adsl router/modem and have a DMZ that has my public IP Addresses.

A diagram of what I am trying to achieve is below. Is this possible?

                        internet
                           |
          62.x.x.x Static IP (ADSL ROUTER) 10.0.0.1
                           |
                           |
                  10.0.0.2 (Untrusted eth3)
                 (-------Netscreen----)
                   |                    |
  DMZ Eth2 84.12.x.1 (public ip)   192.168.x.x (trusted eth1)
                   |                    |
              dmz hosts          internal network nat router 192.168.x.x

thanks in advance Rob

Reply to
rob

Perhaps you can try this.

Firstly backup the current config in case you need to go back to it.

Then, in the GUI, go to port mode and change it to extended port mode. The GUI will show, depending on the ScreenOS version, the new ports as colour coded, and the trusted 4-port switch will be split into a trusted and a DMZ part. Also, your current config will be reset, so you'll have to re-add it.

With the DMZ ports in their native route mode, you'll need to add a static route on the ADSL router such that 84.12.x.0/29 next hop is 10.0.0.2.

Alternatively, edit the properties of the untrust interface (under network interfaces) and create a mapped IP on the 10.0.0.? network for each of the 84.12.x.? servers. But adding the static route to the ADSL router is better.

You'd then need to create policies to allow traffic from the untrusted to the dmz.

The second 192.168... router on the DMZ may not be needed as you can potentially pass traffic across through the netscreen.

mode which works by putting the same IP address on both the ADSL and Ethernet sides. But you'd need another 62.x.x.x address to give to the untrust interface of the firewall, which you don't have. So your 10.0.0.? does make sense.

> The reason I've got the 10.0.0.1 and 10.0.0.2 is the link between the NS5GT
Reply to
AM

The reason I've got the 10.0.0.1 and 10.0.0.2 is the link between the NS5GT and my ZOOM X5 ADSL modem/router. I've got a static IP on the dial up interface of the Zoom X5 which is different to my 8 Public IP addresses.

I assume that I can only use IP addresses from the 8 public IPs in the DMZ, as it tells me to bog off when I try and put one of those IPs on the untrust interface.

If you could be so kind as to suggest a better way of doing it I'm all ears. I'd really appreciate a bit of help on this as I've been banging my head on this for 3 days now. :(


Reply to
rob

AM,

Thanks for the info.

I'll give that a try now.

I did already have my box in extended mode.

I take it that my untrust-vr has to have a default route 0.0.0.0/0 gw 10.0.0.1.

What other routes should the untrust-vr have?

In fact what routes should I have for the trust and untrust virtual routers?

I did manage to get a connection to the internet via my trusted network, but not the DMZ, last night, but I've had to put my network back to its original settings to allow my users internet access today. I added a policy via the wizard for the trust-untrust zones.

Do I have to configure policies for each direction? E.g. Trust-DMZ, DMZ-Trust, Trust-Untrust, Untrust-Trust, DMZ-Untrust and Untrust-DMZ?

I have Web servers in the DMZ and I also need port 25 access to a server in the trusted zone from the internet. Unless you know of SMTP proxy software that I could place on a server in the DMZ.

TIA

Rob

Reply to
rob
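The following is an added example, not a post from this thread and not Rob's or AM's configuration: a ScreenOS CLI fragment for a 5GT in Extended port mode that puts AM's static-route design and Rob's route and policy questions into one place. It assumes ScreenOS 5.x with the 5GT default of every zone living in trust-vr (if the Untrust zone has been moved into untrust-vr, the default route goes into that vrouter instead), a made-up web host 84.12.x.2 and mail host 192.168.1.10, and an ADSL router that forwards TCP/25 to the MIP address; the `#` lines are annotations only, as ScreenOS has no comment syntax, and `x` stands for the real third octet.

```screenos
# Interface-to-zone bindings are fixed by the port mode on a 5GT:
# ethernet1 = Trust, ethernet2 = DMZ, ethernet3 = Untrust.
set interface ethernet3 ip 10.0.0.2/24
set interface ethernet3 route
set interface ethernet2 ip 84.12.x.1/29
set interface ethernet2 route
set interface ethernet1 ip 192.168.1.1/24
set interface ethernet1 nat

# Routes. 84.12.x.0/29 and 192.168.1.0/24 are connected routes and need
# nothing; only the default route towards the ADSL router is required.
set vrouter "trust-vr"
set route 0.0.0.0/0 interface ethernet3 gateway 10.0.0.1
exit
# The ADSL router needs the reverse route AM describes:
#   84.12.x.0/29 -> next hop 10.0.0.2

# Address book entries (constructed sample hosts).
set address "DMZ" "web1" 84.12.x.2 255.255.255.255
set address "Trust" "mail1" 192.168.1.10 255.255.255.255

# Inbound SMTP to the Trust host: a MIP on the untrust link (assumption:
# the ADSL router forwards TCP/25 from its 62.x.x.x address to 10.0.0.3).
set interface ethernet3 mip 10.0.0.3 host 192.168.1.10 netmask 255.255.255.255 vr "trust-vr"

# Policies are stateful: you only need a rule for the direction in which a
# session is initiated; replies are matched to the session automatically.
# Anything not listed is dropped by the default deny.
set policy from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set policy from "Trust" to "DMZ" "Any" "Any" "ANY" permit
set policy from "Untrust" to "DMZ" "Any" "web1" "HTTP" permit log
set policy from "Untrust" to "DMZ" "Any" "web1" "HTTPS" permit log
set policy from "Untrust" to "Trust" "Any" "MIP(10.0.0.3)" "SMTP" permit log
# DMZ hosts get only the outbound services they need, never a blanket ANY,
# so a compromised web server cannot reach the internal network or pivot out.
set policy from "DMZ" to "Untrust" "Any" "Any" "DNS" permit
set policy from "DMZ" to "Untrust" "Any" "Any" "HTTP" permit
save
```

Check the result with `get route`, `get policy` and `get session` while testing from each side; a DMZ-to-Trust session should not appear, since no policy permits it.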

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.