bobbydall2000

asked on

Netscreen 5GT Port Forward

Hello All.  I have recently been assigned the task of configuring a Netscreen 5GT for port forwarding.  We need to forward any external traffic on port 443 to an internal IP on 10.115.0.50.  We do not have a static IP address.  Just a cable modem connection.  The ScreenOS is 4.  I have never used a netscreen before and all documentation I have read is very confusing.  I tried setting up a VIP but it doesn't work.  When inside the network I can use HTTPS to that IP and it responds fine.  Just not working on the outside in.  I also tried the wizard to setup HTTP and HTTPS and that hasn't worked either.  Help!!  Port forwarding shouldn't be this hard?!?

Cheers
Mark
jabiii

How are people connecting from outside the 10. network if you don't have a static IP?
bobbydall2000

ASKER

We give them the IP or in some cases Dynamic DNS.

Cheers
Mark
You will probably want to use a VIP, which is basically a 1-many connection.
Definition from a Juniper (TM) PDF.
"Virtual IP Address: A VIP address maps traffic received at one IP address to another address based on the
destination port number in the packet header."
Do you have access to the documentation? like the concepts and examples?
As per my original post, I went through all the doc and even followed an online port forwarding example from Juniper's site.

http://kb.juniper.net/CUSTOMERSERVICE/index?page=kbdetail&record_id=0244022611e8310108012c3c1907421

No luck.  It seems to stall when trying to access from the web.  I even had one other tech review my work and we can't seem to find anything different than from the samples.

Cheers
Mark
Are you using the external interface of the NS? that can cause problems/not work.
Also, you might need to change your port # for web management, as that could be a conflict too.
Matter of fact pretty sure you have to have 2 IPs, 1 for the VIP, 1 for the external interface, unless you go through some config changes and only if your box supports it.
tried
From the command line interface (CLI):

set vip multi-port [Enter]
save [Enter]
reset [Enter]
Tried all those.  My config looks right.  It just does not work.  VIP was created.  Untrust to trust allowed.  Still nothing.  Even tried forwarding another port.  Same issue.  My setup looks the same as KB ns2029, just different IPs.  No luck

Cheers
Mark
ASKER CERTIFIED SOLUTION
jabiii

I think I have this figured out.  There is another firewall in front of the Netscreen.  I was informed that the netscreen connected directly to the internet.  It does not!  I was tracking some cables and there is another firewall before the Netscreen.  I will configure it next week to forward ports as well.  Then this should work ok.  If not I will continue this posting.  If it works I will award the points as it was looking at the config file in telnet that led me to this conclusion.

Cheers
Mark
Sweet. Let me know how it turns out bud. I'd turn on Logging on everything too until you get this squared up. Just so you can see the traffic on the NS and which policy (if) it is hitting.
Hey there.  Turns out my config on the netscreen was ok.  We forwarded port 443 on the other firewall to the external untrusted port on the netscreen and everything fired up great.  Thanks.

Cheers
Mark
Just for reference, when looking at the config to post it, I realized there were no routable addresses.  So the netscreen could not have been on the outside of the network.  There was another firewall at the network edge.

Cheers
Mark
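A small checker that encodes the two things this thread ended up verifying from the saved config: that the VIP and its Untrust-to-Trust policy are present, and that the untrust interface actually carries a routable address rather than an RFC 1918 one (in which case an upstream device must forward the port first). This is an added example, not code from the thread or from Juniper; the ScreenOS line syntax it parses is assumed from memory and the config excerpt is constructed.

```python
import ipaddress
import re

# Constructed ScreenOS-style config excerpt (not the poster's real config).
# The untrust address is RFC 1918, as the thread found: another firewall sits upstream.
SAMPLE_CONFIG = """\
set interface untrust ip 192.168.100.2/24
set interface untrust route
set interface untrust vip interface-ip 443 "HTTPS" 10.115.0.50
set interface trust ip 10.115.0.1/24
set policy id 1 from "Untrust" to "Trust" "Any" "VIP(untrust)" "HTTPS" permit log
"""

# Assumed line shapes: interface address, VIP mapping, and an Untrust->Trust policy to the VIP.
IP_RE = re.compile(r'^set interface (\S+) ip (\S+)$')
VIP_RE = re.compile(r'^set interface (\S+) vip (\S+) (\d+) "?([^"\s]+)"? (\S+)$')
POLICY_RE = re.compile(
    r'^set policy .*from "Untrust" to "Trust" .*"VIP\(([^)]+)\)" "([^"]+)" permit( log)?')


def audit_vip_config(config: str) -> dict:
    """Parse the config and report why inbound VIP forwarding may fail end to end."""
    addrs, vips, policies = {}, [], []
    for line in config.splitlines():
        line = line.strip()
        if m := IP_RE.match(line):
            addrs[m.group(1)] = ipaddress.ip_interface(m.group(2))
        elif m := VIP_RE.match(line):
            vips.append({"iface": m.group(1), "port": int(m.group(3)),
                         "service": m.group(4), "host": m.group(5)})
        elif m := POLICY_RE.match(line):
            policies.append({"vip_iface": m.group(1), "service": m.group(2),
                             "log": bool(m.group(3))})
    findings = []
    for vip in vips:
        iface_ip = addrs.get(vip["iface"])
        if iface_ip is None:
            findings.append(f"VIP on {vip['iface']} but that interface has no IP")
        elif iface_ip.ip.is_private:
            # Private address on the outside interface: traffic from the Internet cannot
            # reach this VIP until the device in front of it forwards the port.
            findings.append(f"{vip['iface']} address {iface_ip.ip} is not routable: "
                            "an upstream NAT/firewall must forward the port first")
        if not any(p["vip_iface"] == vip["iface"] and p["service"] == vip["service"]
                   for p in policies):
            findings.append(f"no Untrust->Trust policy permits {vip['service']} "
                            f"to VIP({vip['iface']})")
    return {"vips": vips, "policies": policies, "findings": findings}
```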
Nice catch Mark ;)
Tx for da points.
Jim