Netscreen 5gt - how to create a DMZ?

Posted on 2006-06-06
Last Modified: 2008-01-09
I have a Netscreen 5gt (not 5gt plus)
I have 2 servers. 1 webserver and 1 SQL server

I want to put the webserver in a DMZ with a network address in
I want to put the SQL server in another Trusted Zone with a network address in with the rest of my LAN
The webserver needs to be able to talk to the SQL server to retrieve SQL data.

How do I do that?
Can I take 2 ports and bind them to 1 virtual Interface? (like port 1-2 = DMZ and port 3-4 = LAN =

I've tried the Work/Home Zone setup but you can't create or edit the 'From Home To Work' policy to allow any type of communication from the 'Home' zone to the 'Work' zone. When I try to add or clone that policy and use the 'permit' setting it just throws an error saying that it can't understand.

Can I just set the firewall up as 'Trust/Untrust' and then create zones using the Trust ports to create a DMZ somehow?
Would that be any different or less secure than the 'Work/Home' zone setup? (is there any filtering going on in the home/work port mode that wouldn't be going on if I created my own zones somehow?)

Question by: Matrix1000
    LVL 9

    Accepted Solution

    You can set it up in dual untrust mode, where you have 1 trusted zone and 2 untrusted zones,
    and have your normal trust-untrust relationship; untrust to untrust will be considered an intra-zone policy when created.
    You can use your normal trust-untrust policies, and the NS will know which to send it to based on your routing.

    In the combined mode, where you have a work eth1, home eth2 and 3, and 2 untrusted interfaces eth4 and untrust,
    again you can create policies between any of them. They do by default.

    Work/home gives you untrust = untrust int, home ports 3&4, work 1&2,
    and you should be able to create policies between any of them: work-home, work-untrust, home-untrust, home-work. They do by default.

    I just tested them all and they worked fine. What errors are you getting?
    LVL 1

    Author Comment

    When I try to add a 'policy' to allow ANY (or SQL) traffic Home > Work it says that type of policy is not allowed. (probably because of Netscreen's pre-programmed Work > Home security policy)

    When I try to create a Mapped IP

    Mapped IP:
    Host IP Address:
    Host Virtual Router Name: trust-vr

    I get an error

    one ip in range ( - is used by interface ethernet2!
    Mip: can't be added

    So what would be the best way to do this?....

    I thought I would have to do something like this but I'm not sure if I've got the right answer in mind.

    1 Wan Port that connects to the internet.... ( untrust  66.45.xx.xx/24)
    1 or 2 DMZ ports for my webserver (eth1
    2 Trusted ports for my SQL server and the rest of my office LAN ( eth2

    A policy that allows SQL traffic to pass from > and vice versa.

    A VPN connection that allows me to vpn into the netscreen 5gt and access either network so I can administer the servers :P

    How would you do it to accomplish this task?
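Added illustration, not from the expert's answer or from the original poster: the zone, address-book, service and policy pieces that the accepted solution and the author's planned layout (WAN port, DMZ port for the web server, trusted ports for the SQL server and LAN, a SQL-only policy between them) describe, sketched as ScreenOS CLI. The interface-to-zone bindings (ethernet1 in DMZ, ethernet2 in Trust), the 192.168.x.x and 66.45.0.x addresses, the host names and the custom service name are all assumptions; which physical ports land on which interface depends on the 5GT port mode, so confirm with `get interface` before applying anything.

```text
# Added example (assumptions marked): ScreenOS CLI for a DMZ web server that
# may reach only the LAN SQL server, and only on TCP 1433.
# ASSUMED: ethernet1 is bound to zone dmz, ethernet2 to zone trust; all
# addresses below are placeholders. Check "get interface" for the real mapping.

# --- interfaces: one zone per segment, routed (no NAT between DMZ and LAN) ---
set interface ethernet1 zone dmz
set interface ethernet1 ip 192.168.2.1/24
set interface ethernet1 route
set interface ethernet2 zone trust
set interface ethernet2 ip 192.168.1.1/24
set interface ethernet2 route

# --- address-book entries for the two hosts (placeholder IPs) ---
set address dmz "web-server" 192.168.2.10 255.255.255.255
set address trust "sql-server" 192.168.1.20 255.255.255.255

# --- custom service: TCP 1433 only, so the policy does not open "any" ---
set service "mssql-1433" protocol tcp src-port 0-65535 dst-port 1433-1433

# --- DMZ -> Trust: web server to SQL server on 1433, everything else denied and logged ---
set policy id 10 from dmz to trust "web-server" "sql-server" "mssql-1433" permit log
set policy id 11 from dmz to trust any any any deny log

# --- Untrust -> DMZ: publish the web server through a MIP on the untrust interface.
# The MIP address must not fall inside a subnet already owned by another
# interface; that overlap is what produces "one ip in range ... is used by
# interface ethernet2". 66.45.0.10 is a placeholder public address.
set interface untrust mip 66.45.0.10 host 192.168.2.10 netmask 255.255.255.255 vr trust-vr
set policy id 20 from untrust to dmz any "MIP(66.45.0.10)" HTTP permit log

# --- verify the resulting rule order, then persist ---
get policy from dmz to trust
save
```

ScreenOS policies are stateful, so the SQL server's replies to the web server are allowed by policy 10 without a reverse rule; the "vice versa" direction (LAN hosts or an administrator reaching the web server) needs its own trust-to-dmz policy, which keeps the DMZ-to-LAN path limited to the single port the application needs. The explicit deny with logging on policy 11 gives a record of anything else the DMZ host tries to reach, which is the first thing to look at if that host is ever compromised.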
    LVL 9

    Expert Comment

    Can you post a sanitized version of your current config? I will see what I can come up with for you.

    (IPs changed etc.) like untrust = trust dmz etc.

    and you have it in what mode now?
