Solved

Netscreen 5XP - Setup help needed! NAT and route. Outgoing working, incoming not

Posted on 2006-07-10
Last Modified: 2012-06-21
I get a deny policy on source=null dst=self. No traffic will hit the untrust interface.

Used the web config to set it up, and it has ScreenOS 5.0.

Anyone that has NetScreen expertise should be able to help; I'm sure it's an incoming route or some stupid thing I have yet to do.
Question by:norgan

LVL 9
Expert Comment
by:jabiii
Well, if you're using NAT, that is a one-way connection, and you will not be able to access it inbound. You need to look at MIP or VIP if you need inbound connections.

Otherwise, by trying to connect to the NAT address you are trying to connect to the NS itself....

LVL 9
Expert Comment
by:jabiii
Reference this; it tells you which does what and how to do them.
http://www.experts-exchange.com/Security/Firewalls/Q_21747258.html

LVL 3
Author Comment
by:norgan
Not very helpful, mate.

My problem is that I have a static IP, in fact an ADSL modem with DMZ to the NetScreen. The modem is getting the external IPs and DMZ to 10.1.1.2 (the NetScreen IP). On the NetScreen I see source as the net IP and dst as 10.1.1.2, but it gets denied and shows source as null and dst as self.

LVL 3
Author Comment
by:norgan
Perhaps a recommended setup to allow a DSL2+ modem to be firewalled and port forwarded through a NetScreen into 3 separate servers running net services.

LVL 9
Expert Comment
by:jabiii
Ok, so you have the following?
ISP <> DSL <> Internal Network
ISP <> DSL <> Netscreen in DMZ

And your DSL has the 1 static IP. Your NS has a DMZ address of 10.1.1.2. How are connections coming from the net to the NS? What IP are they using? Same Q from internal.

Is there a policy allowing the traffic?

Can you give me a few more details?

I'm sure we can get you up and running. :)

Jim

LVL 32
Expert Comment
by:rsivanandan
Hey Jim, let me peek in too :-)

How about posting 'get config' from NS and also a little draw up on the network diagram?

Cheers,
Rajesh

LVL 3
Author Comment
by:norgan
Will do a diag and dump tomorrow.

Basically the NetScreen gets 10.1.1.2 as a DHCP client from the modem. The internal network is 192.168.100.x. There are rules allowing DNS, SMTP, HTTP, HTTPS and FTP in and an any/any out.
I can see flow on the untrust interface but no hits on the policies.

LVL 9
Expert Comment
by:jabiii
Do the ports match up?
Is there a rule above it?

A get config (cleaned of IPs) would be helpful, as Rajesh said :)

Don't have to go to great lengths for the diagram. Just a simple here <> to here will work as long as it's logically correct :)

LVL 32
Expert Comment
by:rsivanandan
The best way to do this would be to put the ADSL modem in bridge mode and get the ISP-assigned static address directly onto the NetScreen's untrust interface.

This would avoid a lot of public-to-private IP address talk and is much easier to configure.

Then you can configure VIP for inside service access from the internet and allow outgoing connections.

Cheers,
Rajesh

LVL 9
Expert Comment
by:jabiii
Or trade in for a DSL 5GT :) all in one ;)

LVL 3
Author Comment
by:norgan
Find me a 5GT under $100 and I'll do it :-P

As for the bridge mode, yeah, I can do that, but then I need to have the NS do PPPoE and I thought that was complicating the matter, so I switched to this setup.

Here is the config; all IPs are private addresses so no need to strip. (At the moment I just have the 2 basic rules in for DNS and SMTP, but I am not sure how to do NAT on these policies:)

gw-> get config
Total Config size 3137:
set clock timezone 0
set vrouter trust-vr sharable
unset vrouter "trust-vr" auto-route-export
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set admin name "norgan"
set admin password "nCmnACrQIW8BcEjMis4PijDtrEACmn"
set admin auth timeout 10
set admin auth server "Local"
set admin auth banner console login "Norgan Networks Firewall"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "VLAN" block
set zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust"
unset interface vlan1 ip
set interface trust ip 192.168.100.254/24
set interface trust nat
set interface untrust ip 192.168.0.131/24
set interface untrust route
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface trust ip manageable
set interface untrust ip manageable
set interface trust dhcp server service
set interface trust dhcp server disable
set interface trust dhcp server option gateway 192.168.1.1
set interface trust dhcp server option netmask 255.255.255.0
set interface trust dhcp server option domainname engeneic.aus
set interface trust dhcp server option dns1 192.168.0.10
set interface trust dhcp server ip 192.168.1.33 to 192.168.1.126
set interface untrust dhcp-client enable
set flow tcp-mss
set domain engeneic.aus
set hostname gw
set dns host dns1 192.168.0.10
set address "Trust" "192.168.100.1/255.255.255.0" 192.168.100.1 255.255.255.0
set address "Trust" "192.168.100.5/255.255.255.0" 192.168.100.5 255.255.255.0
set ike respond-bad-spi 1
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set policy default-permit-all
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
set policy id 2 name "DNS Service" from "Untrust" to "Trust"  "Any" "Any" "DNS" permit log
set policy id 3 name "SMTP" from "Untrust" to "Trust"  "Any" "Any" "MAIL" permit
set policy id 3 application "SMTP"
set syslog config "192.168.100.5"
set syslog config "192.168.100.5" facilities local0 local0
set syslog config "192.168.100.5" port 1468
set syslog config "192.168.100.5" log traffic
set syslog config "192.168.100.5" transport tcp
set syslog src-interface trust
set syslog enable
set firewall log-self
set ssh version v2
set config lock timeout 5
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
set route 255.255.255.255/32 vrouter "trust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
exit
gw->

Please note on the test network the DHCP client on untrust is 192.168.0.131 but will be 10.1.1.2.

LVL 9
Expert Comment
by:jabiii
OK, basically, you're letting everything out (not logging, which you should). If people are using DNS/mail then the queries will be coming from your trusted side.
You should also create another policy untrust->trust deny (or allow) all LOG, because right now all traffic is flowing through your NS ("set policy default-permit-all").

If you're on private IP space, what are you trying to NAT? Going out to the internet? Your modem will handle that...

I'm really confused with what you're trying to do.

And to enable NAT, just go into the policy and click the check box, but if you want a mapped IP or port you need MIP or VIP.

LVL 3
Author Comment
by:norgan
I am trying to get specific services to different servers, i.e. mail is on one box and DNS and web are on another.
I did the default allow all to try and get some traffic flow as a diagnostic step.

The NAT is so that the 10.1.1.x hits the 192.168.100.x server.

For outgoing I am assuming that NAT is working.

All I need is to replace my Linksys router and use the NetScreen instead. I'm thinking of bridging the modem to the NetScreen, then PPPoE on the untrust and NATing to the servers. This is doing my head in and maybe I am overcomplicating things, but I am trying to achieve the best performance for both outgoing and incoming for a multizone DNS and web server and mail services.

LVL 32
Assisted Solution
by:rsivanandan
rsivanandan earned 250 total points
I bet the configuration would be much better if you configure your ADSL modem to bridge mode. Tell you the reason: the public traffic hits your ADSL modem and then tries to communicate with the NetScreen box. Before that you'll have to do a source NAT such that they can communicate together.

If we go on this path, we will end up NATing too much stuff. Instead, getting the IP on the NS is the best option. I'll take a look at the configuration which I haven't done yet (need to take a bath and go to office). Will see what the problem is. I'm sure Jim has seen it more than me so he is of course spinning his head as well.

Cheers,
Rajesh

LVL 3
Author Comment
by:norgan
I'd rather do that, but is the PPPoE going to complicate things?

Perfect setup would be to have the public IP on the modem, then my next IP (I have three usable IPs) on the firewall, but I'd be happy to just work with one IP; I can add the secondary IPs to the NetScreen interface later if needed.

Then have traffic from the untrust terminated by PPPoE and then forwarded to the relevant service and server.

LVL 3
Author Comment
by:norgan
Thanks for helping, guys. As well, while I think of it, I have been pulling my hair out and I need to deploy another one of these behind a Cisco 877 for work.

LVL 32
Expert Comment
by:rsivanandan
Oh. So you got 3 more public IPs? Then if we set it up like you want, later we won't be able to add the other IPs onto the NetScreen interface though.

Cheers,
Rajesh

LVL 3
Author Comment
by:norgan
Well, I have my primary IP; it has all internet DNS pointing to it. I do have 2 other IPs that I can use. I don't need to use them, however, and they have a different gateway as they are on the same subnet but not in series.

I think for simplicity's sake just work on the one, unless the others become apparently useful during the setup.

I just need the best rock-solid, secure and performance-oriented setup.

LVL 9
Expert Comment
by:jabiii
Let me see if I have this right.

You have a modem, which you are natting, and port forwarding to your NS, and you want your NS to Nat/Port forward in and out to other things?

LVL 3
Author Comment
by:norgan
Well, the modem is NATing and is using PPPoA to terminate.

I have the DMZ port set to the NetScreen. I'd rather have the external IP on the NetScreen and possibly PPPoE on the NetScreen. I am after the best solution here, not necessarily to get what I want working.

LVL 32
Expert Comment
by:rsivanandan
You can basically set up VIP for the services; just an example would be as below:

set interface untrust vip untrust 21 FTP  192.168.1.x

This basically delivers the FTP traffic on your untrust interface IP to the 192.168.100.x host.

But what is not clear to me is, we are talking about 10.1.1.x and 192.168.100.x.

But in your configuration you have the untrust IP as 192.168.0.x instead of 10.1.1.x ???

Cheers,
Rajesh

LVL 3
Author Comment
by:norgan
Yeah, sorry, the DHCP has received from another network which is a test network, as it says at the end of the config. VIP is no good; I want firewalled services and VIP won't allow port 80 when I tried it, I believe.

I need 21, 25, 110, 80, 443 and 1723.

LVL 9
Expert Comment
by:jabiii
Well,

with keeping your modem, do... like Raj said, if you can put the modem in bridge mode (i.e. give it one of your external IPs, but the NS will also have one of those external IPs),
you can then use your 3rd public IP for MIP/VIP. Meaning you can allow incoming connections to that 3rd IP, and depending on which server/client needs that connection you can forward it to the client from the NS.

This would be your least-headache solution, save removing the modem and using only the NS, which would give you 1 static on the NS and 2 IPs to MIP/VIP.

NAT, as far as just switching it on/off, is just a one-way thing.

If you connect to google.com, here is what would happen.

you 1.1 -> NS 1.2 | 2.1 -> Google 5.1 - Google sees you coming from 2.1 if NAT was turned on.
If Google was connecting to you, you would see 1.2 if NAT was turned on.

But note you can not connect to the 1.2, and Google can not connect to the 2.1; that would be a MIP or VIP.

Did you change your WebUI port on the NS?

LVL 3
Author Comment
by:norgan
No, I have the WebUI port as 80.

So is what you're saying that there is no firewall rule then? We are using MIP or VIP?

If that is the case I am wondering why I am using the NetScreen over my Linksys. I was hoping to be able to use firewall rules to monitor traffic and have stats. Do I get this on a VIP service?
If I run the modem as a transparent bridge then I should be able to have that first IP on the NS (DNS on the internet is looking at the first IP) then forward from that IP from the NS to the relevant server?

LVL 9
Expert Comment
by:jabiii
First change your WebUI port. Then you just connect to it, e.g. http://1.1.1.:333333

I didn't say there wasn't a FW rule. I tried to explain what NAT did for you. MIP and VIP are used in a rule.

set policy default-permit-all     - This is applied if there is no policy created or that matches the traffic
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit      --- This allows from trust to untrust ANY traffic (Not logged, turn on logging)
set policy id 2 name "DNS Service" from "Untrust" to "Trust"  "Any" "Any" "DNS" permit log   -- This allows only DNS from untrust any to trust any Logged (good)
set policy id 3 name "SMTP" from "Untrust" to "Trust"  "Any" "Any" "MAIL" permit    -- This allows only DNS from untrust any to trust any port 25 (not logged, turn on logging)
You also need
set policy id 4 from "Untrust" to "Trust"  "Any" "Any" "ANY" permit (or deny) log      --- This allows from untrust to trust ANY traffic and logs it.

Logging is needed for finding where you're not getting through or where the problem is.

VIP and MIP are similar to NAT, in that you have a FW rule and you apply either NAT, VIP or MIP.

Check this out for MIP/VIP info and how to configure/what it does.

http://www.experts-exchange.com/Security/Firewalls/Q_21810865.html

LVL 3
Author Comment
by:norgan
OK, thanks. This has been confusing me a bit so I just want to know that I have it exactly right.

I will set the modem to bridge, then set the WebUI port to a different port.

Set VIP for each service that I need as well as a firewall rule.

I should then see flow on the policies and be able to get traffic into my internal servers.

Thanks for the info; will let you know how it goes.

LVL 9
Expert Comment
by:jabiii
If you turn on the policies and logging from above, you should be able to see traffic now without changing anything.

If you don't, it's possible you have a routing problem.

LVL 32
Expert Comment
by:rsivanandan
Yeah, lets not *only* discuss that part, try out and you'll be happy about the results for sure.

Cheers,
Rajesh

LVL 3
Author Comment
by:norgan
OK, so I have set PPPoE and VIP; this is what I have:

get config
Total Config size 3978:
set clock timezone 0
set vrouter trust-vr sharable
unset vrouter "trust-vr" auto-route-export
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set admin name "****"
set admin password "nCmnACrQIW8BcEjMis4PijDtrEACmn"
set admin port 8080
set admin telnet port 2333
set admin ssh port 2222
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "VLAN" block
set zone "VLAN" tcp-rst
set zone "Untrust" screen icmp-flood
set zone "Untrust" screen udp-flood
set zone "Untrust" screen winnuke
set zone "Untrust" screen port-scan
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "Untrust" screen icmp-fragment
set zone "Untrust" screen icmp-large
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust"
unset interface vlan1 ip
set interface trust ip 192.168.100.254/24
set interface trust nat
set interface untrust ip 202.129.x.x/24
set interface untrust route
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface trust ip manageable
set interface untrust ip manageable
set interface untrust vip untrust 80 "HTTP" 192.168.100.x
set interface untrust vip untrust 21 "FTP" 192.168.100.x
set interface untrust vip untrust 25 "MAIL" 192.168.100.x
set interface untrust vip untrust 110 "POP3" 192.168.100.x
set interface untrust vip untrust 53 "DNS" 192.168.100.x
set interface untrust vip untrust 443 "HTTPS" 192.168.100.x
set interface trust dhcp server service
set interface trust dhcp server disable
set interface trust dhcp server option gateway 192.168.1.1
set interface trust dhcp server option netmask 255.255.255.0
set interface trust dhcp server option domainname engeneic.aus
set interface trust dhcp server option dns1 192.168.0.10
set interface trust dhcp server ip 192.168.1.33 to 192.168.1.126
set flow tcp-mss 1392
set flow all-tcp-mss 1304
set domain ***.***
set hostname gw
set dns host dns1 192.168.0.10
set ike respond-bad-spi 1
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
set policy id 2 name "DNS Service" from "Untrust" to "Trust"  "Any" "VIP::1" "DNS" permit log count
set policy id 2 application "DNS"
set policy id 3 name "Mail" from "Untrust" to "Trust"  "Any" "VIP::1" "MAIL" permit log count
set policy id 3 application "SMTP"
set policy id 4 name "POP" from "Untrust" to "Trust"  "Any" "VIP::1" "POP3" permit log count
set policy id 4 application "POP3"
set policy id 5 name "Secure Web Service" from "Untrust" to "Trust"  "Any" "VIP::1" "HTTPS" permit log count
set policy id 6 name "Web Service" from "Untrust" to "Trust"  "Any" "VIP::1" "HTTP" permit log count
set policy id 6 application "HTTP"
set policy id 7 name "FTP" from "Untrust" to "Trust"  "Any" "VIP::1" "FTP" permit log count
set policy id 7 application "FTP"
set pppoe name "iiNet"
set pppoe name "iiNet" username "*****" password "*******"
set pppoe name "iiNet" idle 0
set pppoe name "iiNet" static-ip
set pppoe name "iiNet" interface untrust
set ssh version v2
set config lock timeout 5
set ssl port 4433
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
exit
gw->

How is that looking? I have it on another site for config and will check tonight.

LVL 3
Author Comment
by:norgan
OK, it works as per the above config. I am getting some misc errors on interfaces (like 500-1000 in 30 mins) and slow download results. Any ideas?

LVL 3
Author Comment
by:norgan
I keep getting disconnected and errors saying that VIP 192.168.100.x not available, then alive. Help, I need to get this stable. I'm getting heaps of interface errors.

LVL 32
Expert Comment
by:rsivanandan
Can we work with one service at a time? So what is happening: it keeps disconnecting, in a sense it doesn't work at all, but it comes up and goes down? Can you explain a little more.

For the interface part, the cabling is good, right?

Cheers,
Rajesh

LVL 9
Expert Comment
by:jabiii
http://kb.juniper.net/CUSTOMERSERVICE/index?page=kbdetail&record_id=0244022611e8310108012c3c1907110
http://kb.juniper.net/CUSTOMERSERVICE/index?page=kbdetail&record_id=0244022611e8310108012c3c1901e0b

set interface trust dhcp server disable

I'm with Raj, what do you see in the event log that could be explaining the misc errors?

if you don't see anything we may need to debug it.

LVL 9
Expert Comment
by:jabiii
Ya, you don't have any routes set up; could be one thing... i.e. default gateway.

LVL 9
Expert Comment
by:jabiii
set vrouter "untrust-vr"                          ---- enters editing your untrust vr
set route 255.255.255.255/32 vrouter "trust-vr" ---- the 255.255.255.255/32 IP address to your trust-vr (did you mean 0.0.0.0/0?)
exit --- exits untrust-vr
set vrouter "trust-vr"  -- editing your trust-vr
unset add-default-route -- no routing for trust-vr
exit

Sets all your interfaces to use the trust-vr.... but you don't know where to send it...
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"

LVL 3
Author Comment
by:norgan
I did think of that; do I need to specify a default route on the incoming network?

There is a default route going out on the trust interface.

The traffic is flowing in fine and web and DNS are all working, the same for outgoing. The errors appear on the out packets for the trust and untrust and are higher on the trust side.

How do I add the default route for the incoming untrust interface?

The only reason I have not investigated the possibility of the missing route is that traffic will flow; it just gets errors at a rate of approximately 20% on the trust side and 10% on the untrust side.

I am very new to NetScreens and do not have any real Cisco experience, so simple steps would be appreciated, as I have been trying to get my head around this all and it has been a rather steep learning curve.

Thanks guys.

LVL 9
Expert Comment
by:jabiii
Being that you are in route/NAT mode,
one, you already have all your statics defined, represented by the C under the P column.

All you need to have:

set vrouter trust-vr
set route 0.0.0.0/0 vrouter untrust-vr
exit
set vrouter untrust-vr
set route 0.0.0.0/0 int untrust gate x.x.x.x
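
As an added example (not code from this thread, Juniper or NetScreen), a small Python linter that reads a `get config` dump and flags the items Jim raised in the policy walkthrough and the routing posts above: `set policy default-permit-all`, permit policies without `log`, Untrust-to-Trust permits whose destination is not a VIP/MIP, the 255.255.255.255/32 route, and whether trust-vr's 0.0.0.0/0 actually resolves to a gateway in untrust-vr. The two sample configs are constructed from the dumps posted in the thread (abridged, with `log` added to policy 1 in the "after" sample); the finding codes are my own.

```python
"""Lint a ScreenOS 'get config' dump for the gaps raised in this thread (constructed example)."""
import re
import shlex

# Constructed sample modelled on the first config posted above (abridged).
SAMPLE_BEFORE = """\
set policy default-permit-all
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
set policy id 2 name "DNS Service" from "Untrust" to "Trust"  "Any" "Any" "DNS" permit log
set policy id 3 name "SMTP" from "Untrust" to "Trust"  "Any" "Any" "MAIL" permit
set policy id 3 application "SMTP"
set vrouter "untrust-vr"
set route 255.255.255.255/32 vrouter "trust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
exit
"""

# Constructed sample modelled on the final working config, with 'log' added to policy 1.
SAMPLE_AFTER = """\
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit log
set policy id 2 name "DNS Service" from "Untrust" to "Trust"  "Any" "VIP::1" "DNS" permit log count
set vrouter "untrust-vr"
set route  0.0.0.0/0 interface untrust gateway 203.55.231.88
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 vrouter "untrust-vr"
exit
"""

# A bare 'set vrouter "name"' opens a vrouter context; 'set vrouter trust-vr sharable' does not.
VROUTER_ENTER = re.compile(r'^set vrouter "?([\w-]+)"?$')


def parse(config_text):
    """Return (policies, routes_by_vrouter, default_permit_all) from a config dump."""
    policies, routes, vr, default_permit_all = [], {}, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("---"):   # skip blanks and '--- more ---' pager residue
            continue
        m = VROUTER_ENTER.match(line)
        if m:                                    # 'set vrouter "x"' ... 'exit'
            vr = m.group(1)
            routes.setdefault(vr, [])
            continue
        if line == "exit":
            vr = None
            continue
        tok = shlex.split(line)                  # honours quoted zone and policy names
        if tok[:3] == ["set", "policy", "default-permit-all"]:
            default_permit_all = True
        elif tok[:3] == ["set", "policy", "id"] and "from" in tok:
            i = tok.index("from")                # from Z1 to Z2 SRC DST SVC ACTION [log] [count]
            policies.append({"id": int(tok[3]), "from": tok[i + 1], "to": tok[i + 3],
                             "dst": tok[i + 5], "action": tok[i + 7], "log": "log" in tok[i + 8:]})
        elif tok[:2] == ["set", "route"] and vr is not None:
            for kind in ("vrouter", "gateway", "interface"):   # inter-vr, next-hop, interface-only
                if kind in tok:
                    routes[vr].append((tok[2], kind, tok[tok.index(kind) + 1]))
                    break
    return policies, routes, default_permit_all


def resolve_default(routes, vr="trust-vr"):
    """Follow 0.0.0.0/0 from vr across inter-vrouter hops; return the gateway/interface or None."""
    seen = set()
    while vr not in seen:                        # guard against a trust-vr <-> untrust-vr loop
        seen.add(vr)
        defaults = [r for r in routes.get(vr, []) if r[0] == "0.0.0.0/0"]
        if not defaults:
            return None
        _, kind, target = defaults[0]
        if kind != "vrouter":
            return target
        vr = target                              # zones are bound to trust-vr, so hop onward
    return None


def lint(config_text):
    """Return 'CODE detail' findings; an empty list means nothing was flagged."""
    policies, routes, default_permit_all = parse(config_text)
    findings = []
    if default_permit_all:
        findings.append("DEFAULT_PERMIT_ALL unmatched traffic is permitted; add a logged deny-all policy")
    for p in policies:
        if p["action"] == "permit" and not p["log"]:
            findings.append(f"UNLOGGED_PERMIT policy {p['id']} permits without 'log'")
        inbound = p["from"] == "Untrust" and p["to"] == "Trust" and p["action"] == "permit"
        if inbound and not p["dst"].startswith(("VIP", "MIP")):
            findings.append(f"INBOUND_NO_MAPPING policy {p['id']} destination {p['dst']} is not a VIP/MIP")
    for vr, entries in routes.items():
        for prefix, _, _ in entries:
            if prefix == "255.255.255.255/32":
                findings.append(f"HOST_ROUTE_TO_BROADCAST {vr} routes {prefix}; was 0.0.0.0/0 intended?")
    if resolve_default(routes) is None:
        findings.append("NO_DEFAULT_ROUTE trust-vr has no 0.0.0.0/0 that reaches a gateway")
    return findings
```

Run `lint(SAMPLE_BEFORE)` against the first dump to see all five findings; the working config produces none.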


LVL 9
Expert Comment
by:jabiii
Also, do you have the NS and the devices that hook directly to the NS at 100 Mb full? Auto sometimes gives you errors.

set int x phy full 100mb

LVL 9
Expert Comment
by:jabiii
I am leaving tomorrow and won't be able to help after say noon cst, but I'm sure Rajesh can finish you up :)

but if all else fails, will be back monday, and will load your config on one of my boxes and see what's  up.

LVL 3
Author Comment
by:norgan
Actually, I remembered that from another issue once, so I put the NS onto my 10M switch and used the 100Mb uplink ports to connect that switch to my 100M switches. I was still getting errors. I thought of this because both untrust and trust on the 5XP are 10M only, correct? The modem is 10M and now the switch is 10Mb; I think that may have made a difference but not sure.

I will add those routes. The x.x.x.x addy is my gateway addy being my public IP, right? And see how it goes tonight.

LVL 9
Accepted Solution
by:jabiii
jabiii earned 250 total points
set route 0.0.0.0/0 int untrust gate x.x.x.x - X is the router on the untrust side of the VPN, i.e. default gateway.

You may be right about the capability of the XP. I would console in and test it personally :)  If the interface goes down, you know it doesn't support 100Mb (if you have the other end at 100 too; if you have 1 at 10 and 1 at 100 it won't come up either).
http://kb.juniper.net/CUSTOMERSERVICE/index?page=kbdetail&record_id=0244022611e8310108031d1d8f007004

If you set both ends to auto, you can also see. I have seen where auto even works, rarely, but works; might try that too. But I think we're getting off topic a little :)

Found the users' guide for it ;P
https://www.juniper.net/customers/support/products/netscreen5xp.jsp

LVL 3
Author Comment
by:norgan
OK, I have added the routes; no more out errors!! Yes!

Problem though:

Hardware Counters for Interface trust
in bytes      9078312      out bytes      12559230      early frame      0
in packets      15692      out packets      31941      late frame      0
in no buffer      0      out no buffer      0      re xmt limit      0
in overrun      0      out underrun      0      drop vlan      0
in coll err      0      out coll err      0      out cs lost      967
in misc err      60      out misc err      967       
in dma err      0      out bs pak      0       
in crc err      26      out discard      0       
in align err      34      out defer      9       
in short frame      0

CRCs and in misc errors, and downloads have slowed to a crawl. Upload is OK and the link seems stable now at least. Here is the current config. I can taste success but am still frustrated:

get config
Total Config size 4908:
set clock timezone 9
set vrouter trust-vr sharable
unset vrouter "trust-vr" auto-route-export
set service "RDP" protocol tcp src-port 0-65535 dst-port 3389-3389
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set admin name "xxxx"
set admin password "xxxxxxxxxx"
set admin port 8080
set admin telnet port 2333
set admin ssh port 2222
set admin mail alert
set admin mail server-name "192.168.100.5"
set admin mail mail-addr1 "xx@xxxxx.net"
set admin mail traffic-log
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "VLAN" block
set zone "VLAN" tcp-rst
set zone "Untrust" screen icmp-flood
set zone "Untrust" screen udp-flood
set zone "Untrust" screen winnuke
set zone "Untrust" screen port-scan
set zone "Untrust" screen ip-sweep
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ip-spoofing
set zone "Untrust" screen ping-death
unset zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "Untrust" screen icmp-fragment
set zone "Untrust" screen icmp-large
set zone "Untrust" screen limit-session source-ip-based
set zone "Untrust" screen syn-ack-ack-proxy
set zone "Untrust" screen block-frag
set zone "Untrust" screen limit-session destination-ip-based
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface trust phy full
set interface untrust phy full
set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust"
unset interface vlan1 ip
set interface trust ip 192.168.100.254/24
set interface trust nat
set interface untrust ip 202.129.82.189/32
set interface untrust route
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface trust ip manageable
set interface untrust ip manageable
unset interface trust manage snmp
set interface untrust vip untrust 80 "HTTP" 192.168.100.1
set interface untrust vip untrust 21 "FTP" 192.168.100.1
set interface untrust vip untrust 25 "MAIL" 192.168.100.5
set interface untrust vip untrust 110 "POP3" 192.168.100.1
set interface untrust vip untrust 53 "DNS" 192.168.100.1
set interface untrust vip untrust 443 "HTTPS" 192.168.100.1
set interface untrust vip untrust 3389 "RDP" 192.168.100.1
set flow tcp-mss 1392
set flow all-tcp-mss 1304
set domain xxx.net
set hostname gw
set dns host dns1 203.0.178.191
set ike respond-bad-spi 1
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set pki x509 dn name "xxxxxxxxxxxxxx"
set pki x509 dn phone "04"
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
set policy id 2 name "DNS Service" from "Untrust" to "Trust"  "Any" "VIP::1" "DNS" permit log count
set policy id 2 application "DNS"
set policy id 3 name "Mail" from "Untrust" to "Trust"  "Any" "VIP::1" "MAIL" permit log count
set policy id 3 application "SMTP"
set policy id 4 name "POP" from "Untrust" to "Trust"  "Any" "VIP::1" "POP3" permit log count
set policy id 4 application "POP3"
set policy id 5 name "Secure Web Service" from "Untrust" to "Trust"  "Any" "VIP::1" "HTTPS" permit log count
set policy id 6 name "Web Service" from "Untrust" to "Trust"  "Any" "VIP::1" "HTTP" permit log count
set policy id 6 application "HTTP"
set policy id 7 name "FTP" from "Untrust" to "Trust"  "Any" "VIP::1" "FTP" permit log count
set policy id 7 application "FTP"
set pppoe name "iiNet"
set pppoe name "iiNet" username "xxxxx" password "xxxxxxxxxxxxxxxxxxxxxx"
set pppoe name "iiNet" interface untrust
set syslog config "192.168.100.5"
set syslog config "192.168.100.5" facilities local0 local0
set syslog config "192.168.100.5" port 1468
set syslog config "192.168.100.5" log traffic
set syslog config "192.168.100.5" transport tcp
set syslog src-interface trust
unset log module system level emergency destination snmp
unset log module system level alert destination snmp
unset log module system level critical destination snmp
set ssh version v2
set config lock timeout 5
set ssl port 4433
set ntp server "0.0.0.0"
set ntp server backup1 "0.0.0.0"
set ntp server backup2 "0.0.0.0"
set snmp name "gw"
unset snmp auth-trap enable
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
set route  0.0.0.0/0 interface untrust gateway 203.55.231.88
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 vrouter "untrust-vr"
exit
gw->

Help! I'm so close lol. I'd offer 1000 points to get this set, no make it one.....million dollars nwahahaha

LVL 32
Expert Comment
by:rsivanandan
Did you recheck the cable between the modem and ns ?

why don't you try swapping with another one ?

Cheers,
Rajesh

LVL 3
Author Comment
by:norgan
Just changed it, but I wasn't getting these errors before the last changes of those routes and the full-duplex setting.

LVL 3
Author Comment
by:norgan
Still getting errors, and download speed sucks. I have a 21/1M link and am getting 300k downloads with 700k up.

LVL 3
Author Comment
by:norgan
I think I have an extra route that's not needed here:

trust-vr
        IP/Netmask       Gateway       Interface       Protocol       Metric       Vsys       Configure
*      192.168.100.0/24      0.0.0.0      trust      C      0      Root       -
*      202.129.82.189/32      0.0.0.0      untrust      C      0      Root       -
       0.0.0.0/0      untrust-vr      -      S      0      Root       Remove (this shows as not active)
*      0.0.0.0/0      203.55.231.88      untrust      C      1      Root       -

LVL 3
Author Comment
by:norgan
OK, switch port was half duplex; changed to full duplex 10M. So far so good.

LVL 32
Expert Comment
by:rsivanandan
So now, you are not getting any of those? First thing I would suggest is to save the configuration file onto your computer.

Watch it and let's see if this continues to work okay!

Cheers,
Rajesh
0
 
LVL 3

Author Comment

by:norgan
yeah cool thanks for all your help. i will watch tonight and tomorrow, then if all is ok i will sign off the question. who wants the points? i feel i should split them between the two of you.
0
 
LVL 32

Expert Comment

by:rsivanandan
it is up to you.. you can split.

Cheers,
Rajesh
0
 
LVL 3

Author Comment

by:norgan
oh der i just saw the option haha thank you very much, both of you. not only did you get this working for me and save me a huge headache but i now feel confident on deploying one for a client.

I LOVE NETSCREENS haha

Token slab of beer for both of you. :-)
0
 
LVL 9

Expert Comment

by:jabiii
glad you got it working bud :)

trust-vr
   IP/Netmask          Gateway         Interface   Protocol   Metric   Vsys   Configure
*  192.168.100.0/24    0.0.0.0         trust       C          0        Root   -
*  202.129.82.189/32   0.0.0.0         untrust     C          0        Root   -
   0.0.0.0/0           untrust-vr      -           S          0        Root   Remove (this shows as not active) --- sends all traffic to the untrust-vr
*  0.0.0.0/0           203.55.231.88   untrust     C          1        Root   - sends all traffic to the

that's not what I wrote! :)

actually the system is correct. the 0.0.0.0/0 untrust-vr is not being used in this config :)

try this see if it works, if not we can always switch back
set vrouter untrust-vr
set route 0.0.0.0/0 interface untrust gateway 203.55.231.88
exit
set vrouter trust-vr
unset route 0.0.0.0/0 interface untrust
exit


if it doesn't work then just set it back.
in the current config just
set vrouter trust-vr
unset route 0.0.0.0/0 vrouter untrust-vr

Jim
0
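To make the route-selection point above concrete, here is a small model of how a ScreenOS box picks between the two 0.0.0.0/0 entries in trust-vr, and what Jim's "move the default into untrust-vr" commands change. This is an added example written for this thread, not code from the thread or from Juniper/NetScreen: the route rows are the ones posted above, the per-prefix selection by route preference then metric with connected = 0 and static = 20 is assumed to be the ScreenOS default, and 198.51.100.10 is a constructed destination.

```python
"""Model of ScreenOS route selection across the two virtual routers in this thread.

Added example; route preferences (connected 0, static 20) are assumed ScreenOS
defaults and the route entries are transcribed from the table posted above.
"""
import copy
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed ScreenOS default route preferences (lower wins); metric breaks ties.
PREFERENCE = {"C": 0, "S": 20}


@dataclass(frozen=True)
class Route:
    prefix: str                    # e.g. "0.0.0.0/0"
    gateway: str                   # next hop; "0.0.0.0" for a connected route
    interface: Optional[str]       # egress interface; None when handing off to another VR
    protocol: str                  # "C" connected, "S" static
    metric: int = 0
    vrouter: Optional[str] = None  # set for 'set route ... vrouter <name>' entries


class VRouter:
    def __init__(self, name: str):
        self.name = name
        self.routes = []

    def add(self, route: Route) -> None:
        self.routes.append(route)

    def remove(self, prefix: str, **match) -> None:
        """Equivalent of 'unset route <prefix> ...' on the entries matching the given fields."""
        self.routes = [r for r in self.routes
                       if not (r.prefix == prefix and
                               all(getattr(r, k) == v for k, v in match.items()))]

    def active(self) -> set:
        """Routes that carry the '*' flag: per prefix, the lowest (preference, metric)."""
        best = {}
        for r in self.routes:
            key = (PREFERENCE[r.protocol], r.metric)
            if r.prefix not in best or key < best[r.prefix][0]:
                best[r.prefix] = (key, r)
        return {r for _, r in best.values()}

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match, considering active routes only."""
        addr = ipaddress.ip_address(dst)
        cands = [r for r in self.active() if addr in ipaddress.ip_network(r.prefix)]
        if not cands:
            return None
        return max(cands, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen)


def resolve(vrouters: dict, start: str, dst: str, hops: int = 0):
    """Follow a lookup across virtual routers; returns (vrouter, interface, gateway)."""
    r = vrouters[start].lookup(dst)
    if r is None:
        return None
    if r.vrouter is not None:            # 'vrouter' route: redo the lookup in that VR
        if hops > 4:
            raise RuntimeError("virtual-router lookup loop")
        return resolve(vrouters, r.vrouter, dst, hops + 1)
    return (start, r.interface, r.gateway)


def build_thread_config() -> dict:
    """The trust-vr table posted above plus the untrust-vr default from the config dump."""
    trust, untrust = VRouter("trust-vr"), VRouter("untrust-vr")
    trust.add(Route("192.168.100.0/24", "0.0.0.0", "trust", "C"))
    trust.add(Route("202.129.82.189/32", "0.0.0.0", "untrust", "C"))
    # set route 0.0.0.0/0 vrouter "untrust-vr"   (the entry without a '*')
    trust.add(Route("0.0.0.0/0", "-", None, "S", 0, vrouter="untrust-vr"))
    # default the box learned on untrust, shown as protocol C with metric 1
    trust.add(Route("0.0.0.0/0", "203.55.231.88", "untrust", "C", 1))
    # set route 0.0.0.0/0 interface untrust gateway 203.55.231.88  (in untrust-vr)
    untrust.add(Route("0.0.0.0/0", "203.55.231.88", "untrust", "S"))
    return {"trust-vr": trust, "untrust-vr": untrust}


def shadowed(vr: VRouter) -> list:
    """Entries present in the table but not selected (no '*')."""
    act = vr.active()
    return [r for r in vr.routes if r not in act]


def apply_proposed_change(vrouters: dict) -> dict:
    """Jim's suggestion: drop the interface default from trust-vr so the VR hand-off is used."""
    vrs = copy.deepcopy(vrouters)
    vrs["trust-vr"].remove("0.0.0.0/0", interface="untrust")  # unset route 0.0.0.0/0 interface untrust
    return vrs


if __name__ == "__main__":
    vrs = build_thread_config()
    print("shadowed in trust-vr:", shadowed(vrs["trust-vr"]))
    print("198.51.100.10 before:", resolve(vrs, "trust-vr", "198.51.100.10"))
    print("198.51.100.10 after: ", resolve(apply_proposed_change(vrs), "trust-vr", "198.51.100.10"))
```

With the table as posted, the connected default (preference 0) beats the static hand-off to untrust-vr (preference 20) for the same prefix, so the hand-off never carries traffic; that is the "not active" entry. Once the interface default is removed from trust-vr, the hand-off becomes the selected default and the lookup completes in untrust-vr. Note that a lookup started in untrust-vr for an internal address also hits that VR's default and would be sent out untrust, which is why the inter-VR route should only be relied on once nothing better-preferred covers the prefix.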
 
LVL 9

Expert Comment

by:jabiii
Tx bud, glad it's all working for ya :)

NS is the bomb! and if there are ever any Q's Rajesh and I can h00k j00 up! *hi5 Raj*
0
 
LVL 32

Expert Comment

by:rsivanandan
Hey, cool. It is really not all that different from Cisco but the terminologies and the way it is configured are quite confusing... :-0

Jim,

  A big thanks to you too, I'm learning at work as well as here from you... One great thing I learned last week is that you put the trust interface in NAT if you want your outgoing traffic to be patted using the outside int ip. In fact, the untrust interface NAT option is not entertained at all. I'm gonna file a bug for that :-)

Cheers,
Rajesh
0
 
LVL 9

Expert Comment

by:jabiii
dude, you don't want to know how many bugs I've found :) I have the direct phone #'s for Dave and Eric, head of LVL 2 and 3 respectively. That and a couple engineers  lol :)
A few of the bugs I found were basically stuff the developers left in because they forgot about it hehe

do you have access to closed cases? if so check this one out :) its just funny.  2006-0508-0459

I learn a lot from you too!, Also Keith, and lrmoore, the 3 of you are my EE mentors :) Especially with that cisco *stuff* hehe
0
 
LVL 32

Expert Comment

by:rsivanandan
I will check this out tomorrow, the first thing when I get to the office :-) It's funny, I know.. Learning that it's funny...

Cheers,
Rajesh
0
 
LVL 32

Expert Comment

by:rsivanandan
Looked at it, it is really crazy :-) I discussed it with one of my buds in JTAC to get it. I'm not sure if there is any improvement in 5.3

Cheers,
Rajesh

By the way, I got to know your full name :-)
0
