Question

Juniper NetScreen 5GT VIP MIP configuration

Asked by: fl4ian

I have a brand new NetScreen 5GT that I am trying to configure and am looking for help.  I have never configured one of these before, though I know about other routers.

I am trying to accomplish two things:
1) open ports such as 3389 and forward them from my first public IP to server 1 on the LAN
2) open ports such as 3389 and forward them from my second public IP to server 2 on the LAN

I have tried a bunch of things with no success, although by some grace of a heavenward deity, I am able to send and receive mail, and use RWW (server 1 is an SBS 2003 box [server 2 is a w2k3 box]).

I am ineligible for direct product support, unless I pay $500/hr (what the rep quoted me), because I bought this router off of eBay instead of a licensed reseller.  Keep in mind that this was a sealed-new-in-box device.  Clearly, I had no idea about having to buy it from a reseller, or I wouldn't have gotten it (unless I knew how it already worked anyway, and didn't need support)...  but I digress.

Any help would be much appreciated.


Asked On: 2007-08-24 at 15:12:13 (ID 22786142)
Tags: netscreen, juniper, 5gt, mip
Topics: Network Routers, Networking Hardware Firewalls, Enterprise Firewalls
Participating Experts: 1
Points: 500
Comments: 32



Answers

 

by: rsivanandan, posted on 2007-08-24 at 21:33:56 (ID: 19766785)

One of the good things is that, out of the box, it would work because NAT is enabled.

For a quick 10 minute lookup on how to configure things, take a look at my blog and download the pdf;

http://www.rsivanandan.com/?p=108

It has all the necessary config including MIP, VIP etc.

Cheers,
Rajesh

 

by: fl4ian, posted on 2007-08-26 at 18:01:17 (ID: 19772979)

I've tried to follow your instructions, but was unable to configure it properly.  Telnet was giving me "unknown keyword ..." multiple times.

Can you type here exactly what I should type in a telnet session after logging into the NS 5GT?

I am trying to accomplish two things:
1) open ports such as 3389 and forward them from my first public IP to server 1 on the LAN
2) open ports such as 3389 and forward them from my second public IP to server 2 on the LAN

The most important port right now is 3389, so let's only do that one.  Use 111.111.111.111 for the first public IP, and 111.111.111.222 for the second public IP.  Use 192.168.16.1 for server #1, and 192.168.16.2 for server #2.

Like I said, I'm new at NetScreens, and need some hand holding; please type exactly what I should type.


 

by: fl4ian, posted on 2007-08-26 at 18:09:44 (ID: 19773003)

When I typed:
set interface untrust mip 111.111.111.222 255.255.255.0 192.168.16.2 255.255.255.0 vrouter trust-vr

it said that 255.255.255.0... was an unknown keyword.

When I asked for command help through telnet to the firewall, it didn't want a subnet - it said to put "actual host ip" there, so I typed:
set interface untrust mip 111.111.111.222 192.168.16.2  .....

and it said that 192.168.16.2 was an unknown keyword...

and it said

 

by: fl4ian, posted on 2007-08-26 at 18:34:34 (ID: 19773122)

OK.  I think I got 3389 running on the secondary public IP and it successfully reaches server #2.  That was the creation of the MIP.

So, now there's the VIP left that I'm working on now...

 

by: fl4ian, posted on 2007-08-26 at 19:18:06 (ID: 19773333)

Cancel that last comment...  the 3389 is NOT successfully configured on the secondary public IP (supposed to be tied to server #2).

 

by: rsivanandan, posted on 2007-08-26 at 19:34:06 (ID: 19773379)

What version of SOS are you running?  The commands above are tested for 5.4; are you running 5.0 by any chance?

Cheers,
Rajesh

 

by: fl4ian, posted on 2007-08-26 at 19:40:17 (ID: 19773397)

Yes.  I'm running 5.0.0r8.1, with no chance of upgrade because of my unregistered status...

 

by: rsivanandan, posted on 2007-08-26 at 20:00:53 (ID: 19773505)

Oops, commands are a little different in 5.0, so the syntax would be as this;

MIP:

set interface untrust mip 111.111.111.222  host 192.168.16.2  vrouter trust-vr
set interface untrust mip 111.111.111.111  host 192.168.16.1  vrouter trust-vr


set policy from untrust to trust any mip(111.111.111.222) RDP permit
set policy from untrust to trust any mip(111.111.111.111) RDP permit

Those are the exact commands. Now for service I have chosen 'RDP', find the exact name for the service and put it in there.

Cheers,
Rajesh

 

by: fl4ian, posted on 2007-08-26 at 20:05:19 (ID: 19773518)

I created a service that I called RDP, and it's for TCP 3389 all the way around.  I'm assuming that I'm using that...  Now, I've seen around the web that after you set policies, then you have to telnet in again, and tell it to "set vip multi-port" and "reset".  Is this true??

I'm working on this right now.

 

by: fl4ian, posted on 2007-08-26 at 20:10:54 (ID: 19773535)

It says
"one ip in range [111.111.111.222] is in use!!"
"mip: can't be added"
and then lists the failed command.

It also said this for the 111.111.111.111 IP.

How do I remove them?

 

by: rsivanandan, posted on 2007-08-26 at 20:12:10 (ID: 19773536)

Do you have this IP address assigned on the untrust interface?  Or are there other MIP commands that you tried before?

If it is the old command you tried before, do an 'unset mip...' command to remove it.

Cheers,
Rajesh

 

by: fl4ian, posted on 2007-08-26 at 20:16:55 (ID: 19773547)

The 111.111.111.111 IS the untrust IP.

And I had created a MIP previously for the 111.111.111.222.

 

by: rsivanandan, posted on 2007-08-26 at 20:21:07 (ID: 19773558)

OK, then you won't be able to create a MIP for that IP, but you can create a VIP as below;

set interface untrust vip 111.111.111.111 3389 RDP 192.168.16.1

Cheers,
Rajesh

 

by: fl4ian, posted on 2007-08-26 at 20:24:29 (ID: 19773566)

I've just removed the VIP with the unset command.  It would not let me unset the MIP; it said bad command or something like that...

I'm trying again.

 

by: fl4ian, posted on 2007-08-26 at 20:29:09 (ID: 19773579)

OK.  It took this:
set interface untrust vip 111.111.111.111 3389 RDP 192.168.16.1

I've tried the MIP stuff for the secondary IP for the second LAN server, but it still says the "one ip in range is in use; mip can't be added" error.  How do I remove the MIP?

 

by: rsivanandan, posted on 2007-08-26 at 20:29:37 (ID: 19773581)

>>set interface untrust mip 111.111.111.222

Try the above.

Cheers,
Rajesh

 

by: rsivanandan, posted on 2007-08-26 at 20:30:45 (ID: 19773584)

use 'unset interface untrust mip 111.111.111.222'

Cheers,
Rajesh

 

by: fl4ian, posted on 2007-08-26 at 20:31:37 (ID: 19773586)

And also, is there a "set policy" command for the VIP command that was just accepted?

And what about the "set vip multi-port" and "reset"?  Is that necessary?

 

by: fl4ian, posted on 2007-08-26 at 20:34:22 (ID: 19773592)

After:
unset interface untrust mip 111.111.111.222
it says:
Mip ip(111.111.111.222) host(192.168.16.2) is in use
Mip: can't be removed
Failed command - unset interface untrust mip 111.111.111.222

 

by: rsivanandan, posted on 2007-08-26 at 20:36:38 (ID: 19773597)

Did you unset the policy as well?  That is where it is in use.

Cheers,
Rajesh

 

by: rsivanandan, posted on 2007-08-26 at 20:37:37 (ID: 19773601)

fl4ian,

  Post all your comments in one post; don't split them.

Cheers,
Rajesh

 

by: fl4ian, posted on 2007-08-26 at 20:37:53 (ID: 19773602)

No sir, I don't know how to do that either.

 

by: rsivanandan, posted on 2007-08-26 at 20:38:59 (ID: 19773606)

Can you just do a 'get config' on the box and post it here?  I'll modify it so you can just re-use it.

Cheers,
Rajesh

 

by: fl4ian, posted on 2007-08-26 at 20:45:53 (ID: 19773626)

Here's the "get config":
Remote Management Console
login: netscreen
password:
ns5gt-> get config
Total Config size 3431:
set clock timezone -5
set vrouter trust-vr sharable
unset vrouter "trust-vr" auto-route-export
set service "Groove SSTP" protocol tcp src-port 2492-2492 dst-port 2492-2492
set service "PPTP VPN" protocol tcp src-port 1723-1723 dst-port 1723-1723
set service "RDP" protocol tcp src-port 3389-3389 dst-port 3389-3389
set service "RWW" protocol tcp src-port 4125-4125 dst-port 4125-4125
set service "Sharepoint" protocol tcp src-port 444-444 dst-port 444-444
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set admin name "netscreen"
set admin password "nKjlMtrKMD8PcOUKcsUD/8Bt6nLm0n"
set admin scs password disable username netscreen
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "VLAN" block
set zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust"
unset interface vlan1 ip
set interface trust ip 192.168.16.254/24
set interface trust nat
set interface untrust ip 216.153.224.15/24
set interface untrust route
set interface untrust gateway 216.153.224.1
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface trust ip manageable
set interface untrust ip manageable
set interface untrust vip untrust 25 "MAIL" 192.168.16.1 manual
set interface untrust vip untrust 443 "HTTPS" 192.168.16.1 manual
set interface untrust vip untrust 123 "NTP" 192.168.16.1 manual
set interface untrust vip untrust 3389 "RDP" 192.168.16.1 manual
set interface untrust vip untrust 4125 "RWW" 192.168.16.1 manual
set interface untrust vip untrust 1723 "PPTP VPN" 192.168.16.1 manual
set interface untrust vip untrust 444 "Sharepoint" 192.168.16.1 manual
set interface "untrust" mip 216.153.224.16 host 192.168.16.2 netmask 255.255.255.255 vrouter "trust-vr"
set flow tcp-mss
set hostname ns5gt
set dns host dns1 64.65.196.6
set dns host dns2 64.65.208.6
set address "Trust" "hickory" 192.168.16.2 255.255.255.0
set address "Trust" "Willow" 192.168.16.1 255.255.255.0
set ike respond-bad-spi 1
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set av scan-mgr pattern-update-url http://5gt-t.activeupdate.trendmicro.com:80/activeupdate/server.ini interval 60
set policy id 1 name "outgoing" from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
set global-pro policy-manager primary outgoing-interface untrust
set global-pro policy-manager secondary outgoing-interface untrust
set ssh version v2
set config lock timeout 5
set ntp server "nist.gov.in"
set modem speed 115200
set modem retry 3
set modem interval 10
set modem idle-time 10
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
exit
ns5gt->

 

by: rsivanandan, posted on 2007-08-26 at 21:02:11 (ID: 19773658)

>>set service "RDP" protocol tcp src-port 3389-3389 dst-port 3389-3389

The above is incorrect, change it to as below;

set service "RDP" protocol tcp src-port 1024-65635 dst-port 3389-3389

Add the following;

set vip multi-port

set policy id 2 name "incoming" from untrust to trust any mip(216.153.224.16) RDP permit
save
reset

That would reset the box.  Once it comes back up, try and see if you can RDP to 216.153.224.16; let's make that work first and then we'll come back to the second.

Cheers,
Rajesh



 

by: fl4ian, posted on 2007-08-26 at 21:18:18 (ID: 19773687)

a) It wouldn't allow the high end of the source port to go that high; it wanted 65535 instead, so I put it there, and it appears to have taken the change to the RDP.
b) After set vip multi-port it said "you must restart the device for the VIP changes to take effect."
c) I continued with: set policy id 2 name "incoming" from untrust to trust any mip(216.153.224.16) RDP permit, and it said: ### Zone Untrust->trust : following address(es) not defined: (dst mip(216.153.224.16)).
I have saved and reset...

 

by: fl4ian, posted on 2007-08-26 at 21:36:31 (ID: 19773717)

OK.  The 216.153.224.16 RDP to 192.168.16.2 is working correctly; I've just verified it.

What about the 216.153.224.15 RDP to 192.168.16.1?  I believe I've successfully created a VIP by doing what you suggested earlier:
set interface untrust vip 111.111.111.111 3389 RDP 192.168.16.1

Should I set some kind of policy for that?  Or in other words, what is my next step?

 

by: rsivanandan, posted on 2007-08-26 at 21:59:47 (ID: 19773765)

Okay, so far so good.  Now the VIP is created, and you need to create a policy to allow the VIP connections, which would be as below;

set policy id 2 name "incoming" from untrust to trust any vip::1 RDP permit
save

Cheers,
Rajesh

 

by: fl4ian, posted on 2007-08-26 at 22:14:29 (ID: 19773801)

Slam dunk, brother.  That works now also.

Would it be true to say that port forwarding for MIP goes like:
set service "RDP" protocol tcp src-port 1024-65535 dst-port 3389-3389
set vip multi-port
set policy id 2 name "incoming" from untrust to trust any mip(216.153.224.16) RDP permit
save
reset

and that port forwarding for VIP goes like:
set interface untrust vip 111.111.111.111 3389 RDP 192.168.16.1
set vip multi-port
set policy id 2 name "incoming" from untrust to trust any vip::1 RDP permit
save
reset

In other words, I can add additional port forwarding with different ports/services by using the same syntax, and subbing out IPs and service names and port numbers?  And should all source ports be the spread between 1024-65535, or how do I know when to use the spread vs. just the port that it's coming in on, or should be coming in on?

 

by: rsivanandan, posted on 2007-08-26 at 22:24:57 (ID: 19773834)

See, the source port of any application or service will always be between 1024 and 65535; the listening end is the one where the application actually listens.

So when we say FTP works on port 21, it is the listening port, and so on for all other services.

You got it pretty much covered now :-)

Why? => Look at the other services you have defined: both the source port and destination port are the same, and it would never work even if you wanted it to; you need to change the source port on those as well.

Cheers,
Rajesh
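The recipe that emerges from the last few posts (widen the custom service's source-port range, then make sure every MIP and VIP has an untrust-to-trust permit policy behind it) is easy to get wrong on a box with no support contract, so here is a small linter that checks a ScreenOS 5.0-style config for exactly those mistakes. This is an added example, not code from the thread or from Juniper. The sample config inside it is constructed from the "get config" posted above plus the policies added later in the thread; the second MIP 216.153.224.17 and policy id 3 are assumptions, included only to show a MIP without a policy next to a VIP with one. It also flags the caveat the thread never raises: a permit policy with source "any" on an RDP service puts the server's logon prompt in front of the whole Internet.

```python
"""Lint a ScreenOS 5.0-style config for the port-forwarding mistakes in this thread.

Added example; not code from the thread or from Juniper.  SAMPLE_CONFIG is
constructed from the posted 'get config' plus the policies added later; the
MIP 216.153.224.17 and policy id 3 are assumptions for illustration.
"""
import shlex

# Constructed sample.  Two deliberate problems remain: the "RDP" service pins the
# client source port (the mistake in the posted config), and 216.153.224.17 has
# no policy.  Policy 2 is the working MIP policy from the thread.
SAMPLE_CONFIG = """
set service "RDP" protocol tcp src-port 3389-3389 dst-port 3389-3389
set service "RWW" protocol tcp src-port 1024-65535 dst-port 4125-4125
set interface untrust ip 216.153.224.15/24
set interface untrust vip untrust 3389 "RDP" 192.168.16.1 manual
set interface untrust vip untrust 4125 "RWW" 192.168.16.1 manual
set interface "untrust" mip 216.153.224.16 host 192.168.16.2 netmask 255.255.255.255 vrouter "trust-vr"
set interface "untrust" mip 216.153.224.17 host 192.168.16.3 netmask 255.255.255.255 vrouter "trust-vr"
set policy id 1 name "outgoing" from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
set policy id 2 name "incoming" from untrust to trust any mip(216.153.224.16) RDP permit
set policy id 3 name "rww-in" from untrust to trust any vip(216.153.224.15) RWW permit
"""

EPHEMERAL = (1024, 65535)   # client source ports a custom service must admit
RDP_PORT = 3389


def parse_config(text):
    """Pull service, VIP, MIP and policy definitions out of 'set ...' lines."""
    services, vips, mips, policies = {}, [], [], []
    for raw in text.splitlines():
        tok = shlex.split(raw)          # handles the quoted names ScreenOS emits
        if len(tok) < 3 or tok[0] != "set":
            continue
        if tok[1] == "service" and "src-port" in tok and "dst-port" in tok:
            src = tok[tok.index("src-port") + 1].split("-")
            dst = tok[tok.index("dst-port") + 1].split("-")
            services[tok[2].upper()] = {"src": (int(src[0]), int(src[1])),
                                        "dst": (int(dst[0]), int(dst[1]))}
        elif tok[1] == "interface" and "vip" in tok:
            i = tok.index("vip")        # set interface <if> vip <vip-ip|if-name> <port> <svc> <host>
            vips.append({"port": int(tok[i + 2]), "service": tok[i + 3].upper(),
                         "host": tok[i + 4]})
        elif tok[1] == "interface" and "mip" in tok:
            i = tok.index("mip")        # set interface <if> mip <ip> host <ip> ...
            mips.append({"mip": tok[i + 1], "host": tok[tok.index("host") + 1]})
        elif tok[1] == "policy" and "from" in tok:
            i = tok.index("from")       # ... from <zone> to <zone> <src> <dst> <svc> <action>
            if len(tok) >= i + 8:
                policies.append({"src_zone": tok[i + 1].lower(), "dst_zone": tok[i + 3].lower(),
                                 "src": tok[i + 4].lower(), "dst": tok[i + 5].lower(),
                                 "service": tok[i + 6].upper(), "action": tok[i + 7].lower()})
    return services, vips, mips, policies


def lint(text):
    """Return (code, subject, detail) findings for the three failure modes."""
    services, vips, mips, policies = parse_config(text)
    findings = []
    # 1. A service whose source range is the listening port never matches inbound
    #    traffic, because clients connect from ephemeral ports.
    for name, svc in services.items():
        lo, hi = svc["src"]
        if lo > EPHEMERAL[0] or hi < EPHEMERAL[1]:
            findings.append(("SERVICE_SRC_PORT", name,
                             f"src-port {lo}-{hi} excludes client ephemeral ports; use 1024-65535"))
    inbound = [p for p in policies
               if p["src_zone"] == "untrust" and p["dst_zone"] == "trust" and p["action"] == "permit"]
    # 2. A MIP or VIP only translates; without an untrust->trust permit policy nothing gets in.
    for m in mips:
        if not any(p["dst"] == f"mip({m['mip']})" for p in inbound):
            findings.append(("MIP_NO_POLICY", m["mip"], f"no permit policy references mip({m['mip']})"))
    for v in vips:
        if not any(p["dst"].startswith("vip") and p["service"] in (v["service"], "ANY") for p in inbound):
            findings.append(("VIP_NO_POLICY", v["service"],
                             f"VIP port {v['port']} -> {v['host']} has no permit policy for {v['service']}"))
    # 3. The caveat the thread skips: 'any' source plus RDP exposes the logon prompt
    #    to the whole Internet; restrict the source address or front it with a VPN.
    for p in inbound:
        svc = services.get(p["service"])
        if p["src"] == "any" and svc and svc["dst"][0] <= RDP_PORT <= svc["dst"][1]:
            findings.append(("RDP_OPEN_TO_ANY", p["dst"],
                             "RDP permitted from any source; restrict src-addr or require VPN"))
    return findings


if __name__ == "__main__":
    for code, subject, detail in lint(SAMPLE_CONFIG):
        print(f"{code:17} {subject:22} {detail}")
```

Run it as-is to see the four findings on the sample, or replace SAMPLE_CONFIG with the saved output of "get config" from the 5GT. The parser is deliberately loose (it keys on the "from", "vip", "mip", "src-port" tokens rather than a full grammar), which is enough for the 5.0 syntax shown in this thread but not a substitute for reading the policy list on the box. RDP_OPEN_TO_ANY is the one to act on first: swap "any" for a named address of the sites that legitimately need 3389, or keep 3389 off the untrust side entirely and reach the servers over a VPN, since this unit has no path to a firmware upgrade.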

 

by: fl4ian, posted on 2007-08-26 at 22:30:21 (ID: 19773845)

Thank you very much, rsivanandan!  You've been most helpful to me!  I know who to go to with the next NetScreen question :)

Thanks again, especially on a late Sunday night.  I really appreciate your effort.

 

by: rsivanandan, posted on 2007-08-26 at 22:33:10 (ID: 19773850)

NP. Have fun.

Cheers,
Rajesh
