Netscreen in Transparent Mode.

Hi,

I'm trying to help a friend configure a Netscreen 50 in his small office LAN. The way they want the setup to work:

Router ---- Netscreen 50 ----- Internal networks
            [transparent]      10.0.1.0/24
            [l2 mode]          10.0.12.0/24
                               10.0.10.0/24

The router is set up in transparent mode because no renumbering can take place:

Name     IP Address      Zone        MAC             VLAN  State  VSD
eth1     0.0.0.0/0       Null        0010.dbff.2000  -     D      0
eth2     0.0.0.0/0       V1-Trust    0010.db92.b385  -     U      -
eth3     0.0.0.0/0       V1-Untrust  0010.dbff.2060  -     U      0
eth4     0.0.0.0/0       HA          0010.db92.b387  -     U      -
vlan1    10.0.12.70/24   VLAN        0010.dbff.20f0  1     U      0

Devices on the internal network on 10.0.12.0 can see the firewall, but devices on other subnets cannot (although they are on the same physical network). The Netscreen can only see devices on 10.0.12.0/24:

===
juns01(M)-> ping 10.0.12.183
Type escape sequence to abort
Sending 5, 100-byte ICMP Echos to 10.0.12.183, timeout is 2 seconds
!!!!!
Success Rate is 100 percent (5/5), round-trip time min/avg/max=1/2/4 ms
juns01(M)-> ping 10.0.1.4
Type escape sequence to abort
Sending 5, 100-byte ICMP Echos to 10.0.1.4, timeout is 2 seconds
.....
Success Rate is 0 percent (0/5),
===

... despite the fact that they are on the same bit of wire. I can ping the management IP from both networks (both are set up to be able to in 'set admin manager-ip', and the V1-Trust zone and vlan1 both have 'ping' available as a management option).

What's wrong here, please? I have tried to set up the routing table to show that these subnets are on the same network (to no avail):

juns01(M)-> get route
untrust-vr (0 entries)
--------------------------------------------------------------------------------
C - Connected, S - Static, A - Auto-Exported, I - Imported, R - RIP
iB - IBGP, eB - EBGP, O - OSPF, E1 - OSPF external type 1
E2 - OSPF external type 2

trust-vr (4 entries)
--------------------------------------------------------------------------------
   ID   IP-Prefix       Interface   Gateway    P   Pref   Mtr   Vsys
--------------------------------------------------------------------------------
*   7   10.0.1.0/24     vlan1       0.0.0.0    S   20     1     Root
*   2   10.0.0.0/8      vlan1       10.0.1.1   S   20     1     Root
*   3   10.0.12.0/24    vlan1       0.0.0.0    C   0      0     Root
*   8   10.0.10.0/24    vlan1       0.0.0.0    S   20     1     Root

In the Cisco world, I would add the other subnets as 'secondary' addresses on these interfaces, but this does not seem to be an option.

Please help, BR AS

alstamp

The diagram is slightly confusing. Firstly, the firewall's vlan1 interface has been given a /24 subnet, so unless you specify a downstream gateway address on the 10.0.12.x network the Netscreen will never be able to ping these addresses.

I.e., route number 2 states a gateway of 10.0.1.1, but the Netscreen only understands 10.0.12.x/24, so it can never reach this gateway.

You could change the netmask on the firewall's vlan1 interface to /16 so it covers all 10.0.x.x networks.

Delete all the routes you added as they are incorrect.

Dave Sinclair

Authorised Instructor

Sintec
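To make the reply's reasoning checkable, here is an added Python example (my code, not from the thread or from Juniper) that takes the route table and vlan1 address quoted above and reports, for the poster's /24 and the suggested /16, which next hops the firewall could never resolve and which internal subnets still fall outside the interface prefix. The route IDs, gateways and subnets are the ones in the thread; the function names and the report layout are my own.

```python
# Added example (not code from the thread): sanity-check the quoted route
# table against the vlan1 address, for the /24 the poster has and the /16
# the reply suggests. Standard library only.
import ipaddress

# Constructed from the thread's `get route` output:
# (route ID, prefix, interface, gateway, protocol)
ROUTES = [
    (7, "10.0.1.0/24", "vlan1", "0.0.0.0", "S"),
    (2, "10.0.0.0/8", "vlan1", "10.0.1.1", "S"),
    (3, "10.0.12.0/24", "vlan1", "0.0.0.0", "C"),
    (8, "10.0.10.0/24", "vlan1", "0.0.0.0", "S"),
]

# The three internal subnets from the poster's diagram
INTERNAL_SUBNETS = ["10.0.1.0/24", "10.0.12.0/24", "10.0.10.0/24"]

DIRECT = ipaddress.ip_address("0.0.0.0")  # ScreenOS: 'directly attached'


def connected_prefix(interface_ip):
    """Subnet the firewall treats as on-link for vlan1
    (e.g. 10.0.12.70/24 -> 10.0.12.0/24, 10.0.12.70/16 -> 10.0.0.0/16)."""
    return ipaddress.ip_interface(interface_ip).network


def unresolvable_routes(interface_ip, routes=ROUTES):
    """IDs of routes whose next hop lies outside the connected subnet.

    A next hop the firewall cannot ARP for on its own subnet is never usable;
    this is the reply's point about route 2 (gateway 10.0.1.1 behind a /24).
    Routes with gateway 0.0.0.0 have no next hop to check and are skipped.
    """
    local = connected_prefix(interface_ip)
    bad = []
    for route_id, _prefix, _iface, gateway, _proto in routes:
        gw = ipaddress.ip_address(gateway)
        if gw != DIRECT and gw not in local:
            bad.append(route_id)
    return bad


def uncovered_subnets(interface_ip, subnets=INTERNAL_SUBNETS):
    """Internal subnets not inside the vlan1 prefix, i.e. still needing a route."""
    local = connected_prefix(interface_ip)
    return [s for s in subnets if not ipaddress.ip_network(s).subnet_of(local)]


def report(interface_ip):
    """Summarise both checks for one candidate vlan1 address/mask."""
    return {
        "connected": str(connected_prefix(interface_ip)),
        "unresolvable_route_ids": unresolvable_routes(interface_ip),
        "uncovered_subnets": uncovered_subnets(interface_ip),
    }


if __name__ == "__main__":
    for candidate in ("10.0.12.70/24", "10.0.12.70/16"):
        print(candidate, report(candidate))
```

Under /24 the check flags route 2 (gateway 10.0.1.1 is not on 10.0.12.0/24) and leaves 10.0.1.0/24 and 10.0.10.0/24 uncovered; under /16 both lists are empty, which is why the reply says the added static routes can simply be deleted. In ScreenOS the change would be along the lines of `set interface vlan1 ip 10.0.12.70/16` (my wording, not quoted in the thread). The wider mask is only correct because all three subnets genuinely share one broadcast domain behind the firewall; it also makes the firewall treat every 10.0.x.x host as on-link, so the V1-Trust/V1-Untrust policies, not the mask, remain the place where access between the subnets and the outside is controlled.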
