05.11.2008 at 02:13PM PDT, ID: 23393093
Troubles with Netscreen MIP

Tags: Netscreen, 5XP
I have a Netscreen 5XP running ScreenOS 5.0.0r3.0 and a PPPoE DSL connection with 16 static IPs. The first IP in the block is mapped to the untrust interface of the Netscreen. I have a few services on the trusted LAN port mapped using a few VIP entries - and that works OK. Now I am trying to set up 1:1 NAT using a MIP on another IP in the available block. When I add the MIP and an inbound policy, say for HTTP, from the outside it appears to be reachable - but the machine on the MIP can no longer access the Internet.

Here is the config from the Netscreen device - any ideas? It should just work...

unset hardware wdt-reset
set clock timezone -5
set vrouter trust-vr sharable
unset vrouter "trust-vr" auto-route-export
set service "http_atriumphysio" protocol tcp src-port 0-65535 dst-port 82-82
set service "http_sps" protocol tcp src-port 0-65535 dst-port 81-81
set service "SharepointSSL" protocol tcp src-port 0-65535 dst-port 444-444
set service "Terminal Services" protocol tcp src-port 0-65535 dst-port 3389-3389
set service "VNClistener" protocol tcp src-port 0-65535 dst-port 5500-5500
set service "SMTP" protocol tcp src-port 0-65535 dst-port 25-25
set service "VNC" protocol tcp src-port 5900-5901 dst-port 5900-5901
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth-server "Local" timeout 30
set auth-server "DefL2TPAuthServer" id 1
set auth-server "DefL2TPAuthServer" account-type l2tp
set auth default auth server "Local"
set admin name "Admin"
set admin password ""
set admin scs password disable username Admin
set admin mail alert
set admin mail server-name "10.10.123.23"
set admin mail mail-addr1 "ed@kalins.com"
set admin auth timeout 120
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "VLAN" block
set zone "VLAN" tcp-rst
set zone "Untrust" screen icmp-flood
set zone "Untrust" screen udp-flood
set zone "Untrust" screen winnuke
set zone "Untrust" screen port-scan
set zone "Untrust" screen ip-sweep
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ip-spoofing
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "Untrust" screen syn-frag
set zone "Untrust" screen tcp-no-flag
set zone "Untrust" screen unknown-protocol
set zone "Untrust" screen ip-bad-option
set zone "Untrust" screen ip-record-route
set zone "Untrust" screen ip-timestamp-opt
set zone "Untrust" screen ip-security-opt
set zone "Untrust" screen ip-loose-src-route
set zone "Untrust" screen ip-strict-src-route
set zone "Untrust" screen ip-stream-opt
set zone "Untrust" screen syn-fin
set zone "Untrust" screen limit-session source-ip-based
set zone "Untrust" screen syn-ack-ack-proxy
set zone "Untrust" screen limit-session destination-ip-based
set zone "Untrust" screen ip-sweep threshold 2500
set zone "Untrust" screen port-scan threshold 2500
set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust"
unset interface vlan1 ip
set interface trust ip 10.10.123.1/24
set interface trust nat
set interface untrust ip 76.74.132.81/28
set interface untrust route
set interface untrust gateway 72.51.10.254
set interface trust mtu 1100
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface trust ip manageable
set interface untrust ip manageable
set interface untrust manage ping
set interface untrust manage telnet
set interface untrust manage web
set interface untrust vip untrust 81 "http_sps" 10.10.123.23 manual
set interface untrust vip untrust 5500 "VNClistener" 10.10.123.23 manual
set interface untrust vip untrust 25 "MAIL" 10.10.123.23 manual
set interface untrust vip untrust 143 "IMAP" 10.10.123.23 manual
set interface untrust vip untrust 21 "FTP" 10.10.123.109 manual
set interface untrust vip untrust 82 "http_atriumphysio" 10.10.123.23 manual
set interface trust dhcp server service
set interface trust dhcp server enable
set interface trust dhcp server option lease 1440000
set interface trust dhcp server option gateway 10.10.123.1
set interface trust dhcp server option netmask 255.255.255.0
set interface trust dhcp server option domainname kalins.com
set interface trust dhcp server option dns1 72.51.10.7
set interface trust dhcp server option dns2 72.51.10.8
set interface trust dhcp server option smtp 10.10.123.23
set interface trust dhcp server option wins1 10.10.123.23
set interface trust dhcp server ip 10.10.123.100 to 10.10.123.199
set interface "untrust" mip 76.74.132.84 host 10.10.123.124 netmask 255.255.255.255 vrouter "trust-vr"
set interface "untrust" mip 76.74.132.83 host 10.10.123.109 netmask 255.255.255.255 vrouter "trust-vr"
set interface "untrust" mip 76.74.132.87 host 10.10.123.116 netmask 255.255.255.255 vrouter "trust-vr"
set flow tcp-mss 1392
set flow all-tcp-mss 1304
set domain kalins.com
set hostname KDS5XP
set dns host dns1 72.51.10.7
set dns host dns2 72.51.10.8
set dns host schedule 06:28
set address "Trust" "10.10.123.0/24" 10.10.123.0 255.255.255.0
set address "Trust" "KDS/10.10.123.0/24" 10.10.123.0 255.255.255.0 "Leamington trusted subnet"
set address "Trust" "Netfinity/10.10.123.23/32" 10.10.123.23 255.255.255.255 "Netfinity server primary IP"
set address "Trust" "P4/10.10.123.110/32" 10.10.123.110 255.255.255.255 "KDS P4 workstation"
set address "Untrust" "213.180.210.35/32" 213.180.210.35 255.255.255.255
set address "Untrust" "70.55.15.192/32" 70.55.15.192 255.255.255.255
set address "Untrust" "72.51.10.0/24" 72.51.10.0 255.255.255.0
set address "Untrust" "72.51.10.1/32" 72.51.10.1 255.255.255.255
set address "Untrust" "74.12.85.247/32" 74.12.85.247 255.255.255.255
set address "Untrust" "74.14.36.185/32" 74.14.36.185 255.255.255.255
set address "Untrust" "AtriumFlorida/10.10.127.1" 10.10.127.1 255.255.255.255
set address "Untrust" "AtriumPhysio" 10.10.125.1 255.255.255.255 "Atrium Physio on Bay"
set address "Untrust" "AtriumReception" 10.10.125.2 255.255.255.255 "Atrium reception desk computer"
set address "Untrust" "BPLLP/192.168.0.0/24" 192.168.0.0 255.255.255.0
set address "Untrust" "CD174/10.10.121.174/32" 10.10.121.174 255.255.255.255 "SKD Laptop"
set address "Untrust" "CottageSubnet/10.10.122.0" 10.10.122.0 255.255.255.0 "Cottage VPN subnet"
set address "Untrust" "ecwhiteLan/10.10.10.0/24" 10.10.10.0 255.255.255.0
set address "Untrust" "ecwhiteWlan/10.10.11.0/24" 10.10.11.0 255.255.255.0 "Ted's wireless LAN"
set address "Untrust" "IngridaBulmane/10.10.124.2" 10.10.124.2 255.255.255.255 "Ingrida Bulmane Majas PC"
set address "Untrust" "kdsm700/10.10.121.106/32" 10.10.121.106 255.255.255.255
set address "Untrust" "LiGa_Gaide/10.10.124.6" 10.10.124.6 255.255.255.255 "Liga Gaide's home PC"
set address "Untrust" "Lorbergs/10.10.124.3" 10.10.124.3 255.255.255.255 "IBM Aptiva"
set address "Untrust" "RutaJanson" 10.10.125.3 255.255.255.255
set user "CD174" uid 6
set user "CD174" ike-id u-fqdn "CD174@kalins" share-limit 1
set user "CD174" type  ike
set user "CD174" "enable"
set user "Cottage" uid 2
set user "Cottage" ike-id u-fqdn "cottage@kalins" share-limit 1
set user "Cottage" type  ike
set user "Cottage" "enable"
set user "KDSm700" uid 4
set user "KDSm700" ike-id u-fqdn "kdsm700@kalins" share-limit 1
set user "KDSm700" type  ike
set user "KDSm700" "enable"
set user "Pismo" uid 3
set user "Pismo" ike-id u-fqdn "pismo@kalins" share-limit 1
set user "Pismo" type  ike
set user "Pismo" "enable"
set ike gateway "M700P3_GW" address 0.0.0.0 id "kdsm700@kalins" Aggr outgoing-interface "untrust" preshare "/1J4Lq5jNLSfZ8sItiCR9bu8lvnj4UC8lw==" proposal "pre-g2-aes128-sha"
set ike gateway "M700P3_GW" cert peer-cert-type x509-sig
unset ike gateway "M700P3_GW" nat-traversal
set ike gateway "Atrium_GW" address 0.0.0.0 id "ruta@atriumphysio.ca" Aggr outgoing-interface "untrust" preshare "xk3uwqxgNmNDqhsYjMChLZ3v+1nnL1M3dg==" proposal "pre-g2-des-md5"
set ike gateway "Atrium_GW" cert peer-cert-type x509-sig
unset ike gateway "Atrium_GW" nat-traversal
set ike gateway "IngridaBulmane_GW" address 0.0.0.0 id "ibulmanis@sympatico.ca" Aggr outgoing-interface "untrust" preshare "8n9K155UNnwDYTsDtCCFt3yQ1BnJVZulsQ==" proposal "pre-g2-des-md5"
set ike gateway "IngridaBulmane_GW" cert peer-cert-type x509-sig
unset ike gateway "IngridaBulmane_GW" nat-traversal
set ike gateway "AtriumReception_GW" address 0.0.0.0 id "reception@atriumphysio.ca" Aggr outgoing-interface "untrust" preshare "xk3uwqxgNmNDqhsYjMChLZ3v+1nnL1M3dg==" proposal "pre-g2-des-md5"
set ike gateway "AtriumReception_GW" cert peer-cert-type x509-sig
unset ike gateway "AtriumReception_GW" nat-traversal
set ike gateway "Lorbergs_GW" address 0.0.0.0 id "lorbergs@kalins.com" Aggr outgoing-interface "untrust" preshare "4WnYk9BZNZsMoosWOdCZy3bGNgn1TxzAPQ==" proposal "pre-g2-des-md5"
set ike gateway "Lorbergs_GW" cert peer-cert-type x509-sig
set ike gateway "Lorbergs_GW" nat-traversal udp-checksum
set ike gateway "Lorbergs_GW" nat-traversal keepalive-frequency 5
set ike gateway "RutaJanon_GW" address 0.0.0.0 id "ruta@kalins.local" Aggr outgoing-interface "untrust" preshare "I2Kvq/cANkaY4fsmJHCtciKdvunygkaAFQ==" proposal "pre-g2-3des-sha"
set ike gateway "RutaJanon_GW" cert peer-cert-type x509-sig
unset ike gateway "RutaJanon_GW" nat-traversal
set ike gateway "MAC_GW" dialup "Pismo" Aggr outgoing-interface "untrust" preshare "x2PaiYPRNlxpPdsrL8CTvL9wicnvYHO+AA==" proposal "pre-g2-3des-md5"
set ike gateway "MAC_GW" cert peer-cert-type x509-sig
unset ike gateway "MAC_GW" nat-traversal
set ike gateway "Liga_gaide" address 0.0.0.0 id "ligagaide@sympatico.ca" Aggr outgoing-interface "untrust" preshare "4XJEYeSyNwa1TIsBmBCphmyHdInFYgyNig==" proposal "pre-g1-des-md5"
set ike gateway "Liga_gaide" cert peer-cert-type pkcs7
unset ike gateway "Liga_gaide" nat-traversal
set ike gateway "Cottage_GW" dialup "Cottage" Aggr outgoing-interface "untrust" preshare "kZiXKyNONOciSdsoJ2CDCdEunIntUft4ew==" proposal "pre-g1-des-md5"
set ike gateway "Cottage_GW" cert peer-cert-type pkcs7
set ike gateway "Cottage_GW" cert peer-ca all
unset ike gateway "Cottage_GW" nat-traversal
set ike gateway "CD174_GW" address 0.0.0.0 id "CD174@kalins" Aggr outgoing-interface "untrust" preshare "G5tEYa0ENMtLTKs8A8ChEuZ1lDncUJyEcA==" proposal "pre-g2-3des-md5"
set ike gateway "CD174_GW" cert peer-cert-type pkcs7
set ike gateway "CD174_GW" cert peer-ca all
unset ike gateway "CD174_GW" nat-traversal udp-checksum
set ike gateway "CD174_GW" nat-traversal keepalive-frequency 0
set ike gateway "ECWHITE_GW" address 76.74.132.65 Aggr outgoing-interface "untrust" preshare "LYx4+gTdNcplwHs9TICjSmRC7gniniSDyw==" proposal "pre-g2-aes128-md5"
set ike gateway "ECWHITE_GW" cert peer-cert-type pkcs7
set ike gateway "ECWHITE_GW" cert peer-ca all
set ike gateway "Ruta_florida" address 72.91.56.122 Aggr outgoing-interface "untrust" preshare "cUi295XuND4c5Gs0PMCcY9YNIVnvcTvddw==" proposal "pre-g2-3des-sha"
set ike gateway "Ruta_florida" cert peer-cert-type x509-sig
set ike gateway "Ruta_florida" cert peer-ca all
set ike respond-bad-spi 1
set ike gateway "M700P3_GW" heartbeat hello 5
set ike gateway "Atrium_GW" heartbeat hello 5
set ike gateway "Liga_gaide" heartbeat hello 60
set ike gateway "Liga_gaide" heartbeat threshold 2
set ike gateway "Liga_gaide" heartbeat reconnect 60
set vpn "AtriumPhysio_IKE" gateway "Atrium_GW" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-md5"
set vpn "AtriumPhysio_IKE" bind zone Untrust-Tun
set vpn "M700P3_IKE" gateway "M700P3_GW" no-replay tunnel idletime 0 proposal "nopfs-esp-aes128-sha"
set vpn "M700P3_IKE" bind zone Untrust-Tun
set vpn "IngridaBulmane_IKE" gateway "IngridaBulmane_GW" no-replay tunnel idletime 0 proposal "nopfs-esp-des-md5"
set vpn "IngridaBulmane_IKE" bind zone Untrust-Tun
set vpn "AtriumReception_IKE" gateway "AtriumReception_GW" no-replay tunnel idletime 0 proposal "nopfs-esp-des-md5"
set vpn "AtriumReception_IKE" bind zone Untrust-Tun
set vpn "RutaJanson_IKE" gateway "RutaJanon_GW" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-sha"
set vpn "RutaJanson_IKE" bind zone Untrust-Tun
set vpn "LigaGaide_IKE" gateway "Liga_gaide" no-replay tunnel idletime 0 proposal "nopfs-esp-des-md5"
set vpn "CD174_IKE" gateway "CD174_GW" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-sha"
set vpn "ecwhite_IKE" gateway "ECWHITE_GW" no-replay tunnel idletime 0 proposal "nopfs-esp-des-md5"
set vpn "Ruta_florida_IKE" gateway "Ruta_florida" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-sha"
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set policy id 83 name "Video DVR inbound" from "Untrust" to "Trust"  "Any" "MIP(76.74.132.84)" "ANY" permit log
set policy id 82 from "Untrust" to "Trust"  "Any" "MIP(76.74.132.87)" "ANY" permit log
set policy id 60 name "VNC listener" from "Untrust" to "Trust"  "Any" "VIP::1" "hotsync" permit log count
set policy id 60
set service "Terminal Services"
set service "VNC"
set service "VNClistener"
exit
set policy id 54 name "Netfinity 194" from "Untrust" to "Trust"  "Any" "VIP::1" "FTP" permit log count
set policy id 54
set service "HTTP"
set service "http_atriumphysio"
set service "http_sps"
set service "HTTPS"
set service "ICMP-ANY"
set service "IMAP"
set service "SMTP"
exit
set policy id 76 name "ruta_florida" from "Trust" to "Untrust"  "KDS/10.10.123.0/24" "AtriumFlorida/10.10.127.1" "ANY" tunnel vpn "Ruta_florida_IKE" id 38 pair-policy 75 log
set policy id 75 name "ruta_florida" from "Untrust" to "Trust"  "AtriumFlorida/10.10.127.1" "KDS/10.10.123.0/24" "ANY" tunnel vpn "Ruta_florida_IKE" id 38 pair-policy 76 log
set policy id 70 name "ecwhite_VPN2" from "Trust" to "Untrust"  "10.10.123.0/24" "ecwhiteWlan/10.10.11.0/24" "ANY" tunnel vpn "ecwhite_IKE" id 34 pair-policy 69 log
set policy id 69 name "ecwhite_VPN2" from "Untrust" to "Trust"  "ecwhiteWlan/10.10.11.0/24" "10.10.123.0/24" "ANY" tunnel vpn "ecwhite_IKE" id 34 pair-policy 70 log
set policy id 68 name "ecwhite_VPN" from "Untrust" to "Trust"  "ecwhiteLan/10.10.10.0/24" "10.10.123.0/24" "ANY" tunnel vpn "ecwhite_IKE" id 33 pair-policy 67 log
set policy id 67 name "ecwhite_VPN" from "Trust" to "Untrust"  "10.10.123.0/24" "ecwhiteLan/10.10.10.0/24" "ANY" tunnel vpn "ecwhite_IKE" id 33 pair-policy 68 log
set policy id 66 name "CD174_VPN" from "Trust" to "Untrust"  "Netfinity/10.10.123.23/32" "CD174/10.10.121.174/32" "ANY" tunnel vpn "CD174_IKE" id 35 pair-policy 65 log traffic gbw 0 priority 0
set policy id 65 name "CD174_VPN" from "Untrust" to "Trust"  "CD174/10.10.121.174/32" "Netfinity/10.10.123.23/32" "ANY" tunnel vpn "CD174_IKE" id 35 pair-policy 66 log traffic gbw 0 priority 0
set policy id 59 name "kds m799" from "Trust" to "Untrust"  "10.10.123.0/24" "kdsm700/10.10.121.106/32" "ANY" tunnel vpn "M700P3_IKE" id 27 pair-policy 58 log
set policy id 58 name "kds m799" from "Untrust" to "Trust"  "kdsm700/10.10.121.106/32" "10.10.123.0/24" "ANY" tunnel vpn "M700P3_IKE" id 27 pair-policy 59 log
set policy id 46 name "Liga_Gaide" from "Trust" to "Untrust"  "KDS/10.10.123.0/24" "LiGa_Gaide/10.10.124.6" "ANY" tunnel vpn "LigaGaide_IKE" id 26 pair-policy 45 log count
set policy id 14 from "Trust" to "Untrust"  "KDS/10.10.123.0/24" "IngridaBulmane/10.10.124.2" "ANY" tunnel vpn "IngridaBulmane_IKE" id 10 pair-policy 15 log count
set policy id 3 from "Trust" to "Untrust"  "KDS/10.10.123.0/24" "AtriumPhysio" "ANY" tunnel vpn "AtriumPhysio_IKE" id 4 pair-policy 4 log count
set policy id 20 name "AtriumReception_VPN" from "Trust" to "Untrust"  "KDS/10.10.123.0/24" "AtriumReception" "ANY" tunnel vpn "AtriumReception_IKE" id 14 pair-policy 19 log count
set policy id 4 from "Untrust" to "Trust"  "AtriumPhysio" "KDS/10.10.123.0/24" "ANY" tunnel vpn "AtriumPhysio_IKE" id 4 pair-policy 3 log count
set policy id 19 name "AtriumReception_VPN" from "Untrust" to "Trust"  "AtriumReception" "KDS/10.10.123.0/24" "ANY" tunnel vpn "AtriumReception_IKE" id 14 pair-policy 20 log count
set policy id 15 from "Untrust" to "Trust"  "IngridaBulmane/10.10.124.2" "KDS/10.10.123.0/24" "ANY" tunnel vpn "IngridaBulmane_IKE" id 10 pair-policy 14 log count
set policy id 45 name "Liga_Gaide" from "Untrust" to "Trust"  "LiGa_Gaide/10.10.124.6" "KDS/10.10.123.0/24" "ANY" tunnel vpn "LigaGaide_IKE" id 26 pair-policy 46 log count
set policy id 0 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit log count
set policy id 56 from "Untrust" to "Trust"  "Any" "Any" "ANY" deny log count alarm 100 0
set pppoe name "scom2"
unset pppoe name "scom2" auth CHAP
set pppoe name "scom2" username "edkalins@scom.ca" password "ftBCgIiINx6f9usoBiCUt3pPc5nn46AQVw=="
set pppoe name "scom2" idle 0
set pppoe name "scom2" static-ip
set pppoe name "scom2" interface untrust
set pppoe name "scom2" ppp lcp-echo-retries 20
set pppoe name "scom2" ppp lcp-echo-timeout 1000
set pppoe name "scom2" auto-connect 20
unset log module system level alert destination email
unset log module system level notification destination email
set ssh version v2
set config lock timeout 5
set ntp server "10.10.123.23"
set ntp server backup1 "0.0.0.0"
set ntp server backup2 "0.0.0.0"
set ntp interval 240
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
exit
Question Stats
Zone: Computer Hardware
Question Asked By: sveiks23
Solution Provided By: iw0k
Participating Experts: 1
Solution Grade: B
Views: 17
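As an added example that is not part of the original post and not a Juniper tool: a small Python audit that parses the `set interface ... ip`, `set interface ... mip` and `set policy` lines in the ScreenOS format posted above and reports, per MIP, whether the mapped address sits inside its interface's subnet and whether an inbound permit policy references `MIP(x)` and an outbound Trust-to-Untrust permit covers the host. The excerpt it runs on is a constructed subset of the posted config; the checks are generic consistency tests, not a diagnosis of the poster's problem.

```python
import ipaddress
import re

# Constructed excerpt in the ScreenOS "set" format of the config posted above
# (addresses copied from the post; this is not the complete configuration).
SAMPLE_CONFIG = """\
set interface trust ip 10.10.123.1/24
set interface trust nat
set interface untrust ip 76.74.132.81/28
set interface untrust route
set interface "untrust" mip 76.74.132.84 host 10.10.123.124 netmask 255.255.255.255 vrouter "trust-vr"
set interface "untrust" mip 76.74.132.83 host 10.10.123.109 netmask 255.255.255.255 vrouter "trust-vr"
set interface "untrust" mip 76.74.132.87 host 10.10.123.116 netmask 255.255.255.255 vrouter "trust-vr"
set policy id 83 name "Video DVR inbound" from "Untrust" to "Trust"  "Any" "MIP(76.74.132.84)" "ANY" permit log
set policy id 82 from "Untrust" to "Trust"  "Any" "MIP(76.74.132.87)" "ANY" permit log
set policy id 0 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit log count
"""

IFACE_IP_RE = re.compile(r'^set interface "?(\w+)"? ip (\d+\.\d+\.\d+\.\d+/\d+)$')
MIP_RE = re.compile(r'^set interface "?(\w+)"? mip (\S+) host (\S+)')
# Captures: id, from-zone, to-zone, src, dst, service, action (permit/deny/tunnel)
POLICY_RE = re.compile(r'^set policy id (\d+) .*?from "([^"]+)" to "([^"]+)"\s+'
                       r'"([^"]+)" "([^"]+)" "([^"]+)" (\w+)')

def parse(config):
    """Collect interface addresses, MIP entries and policies from the set lines."""
    ifaces, mips, policies = {}, [], []
    for line in config.splitlines():
        line = line.strip()
        if m := IFACE_IP_RE.match(line):
            ifaces[m.group(1)] = ipaddress.ip_interface(m.group(2))
        elif m := MIP_RE.match(line):
            mips.append({"iface": m.group(1), "mip": ipaddress.ip_address(m.group(2)),
                         "host": ipaddress.ip_address(m.group(3))})
        elif m := POLICY_RE.match(line):
            policies.append({"id": int(m.group(1)), "from": m.group(2), "to": m.group(3),
                             "src": m.group(4), "dst": m.group(5), "action": m.group(7)})
    return ifaces, mips, policies

def audit_mips(config):
    """Return one finding string per inconsistency found for each MIP."""
    ifaces, mips, policies = parse(config)
    findings = []
    for m in mips:
        tag = f"MIP {m['mip']} -> {m['host']}"
        iface = ifaces.get(m["iface"])
        # The MIP must sit inside the subnet configured on the interface that owns it
        if iface is None:
            findings.append(f"{tag}: interface {m['iface']} has no IP address")
        elif m["mip"] not in iface.network:
            findings.append(f"{tag}: outside {m['iface']} subnet {iface.network}")
        # Inbound traffic needs an Untrust->Trust permit whose destination is MIP(x)
        if not any(p["dst"] == f"MIP({m['mip']})" and p["action"] == "permit" for p in policies):
            findings.append(f"{tag}: no inbound permit policy references MIP({m['mip']})")
        # Outbound needs a Trust->Untrust permit covering the host; only "Any" or the
        # bare host address is recognised here (named address objects are not resolved)
        if not any(p["from"] == "Trust" and p["to"] == "Untrust" and p["action"] == "permit"
                   and p["src"] in ("Any", str(m["host"])) for p in policies):
            findings.append(f"{tag}: no outbound permit policy covers host {m['host']}")
    return findings
```

Run against the excerpt it reports only that MIP 76.74.132.83 has no inbound policy referencing it; point it at a full `get config` dump to check every MIP the same way.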
05.11.2008 at 05:01PM PDT, ID: 21543995
05.11.2008 at 06:43PM PDT, ID: 21544232
05.12.2008 at 05:38AM PDT, ID: 21546307
05.12.2008 at 05:50AM PDT, ID: 21546423