zreisman asked:
Netscreen 5GT unable to forward ports 161 and 1723

I have a client with a Netscreen 5GT router. All I need to do is forward ports 161 and 1723. When I try to do it using a Virtual IP it gives me an error saying those ports aren't available for Virtual IP. I know I have the command syntax right because I tried it with port 80 and it worked.

It seems excessively lame that a $600 router would not be able to do something as simple as forwarding ports, so I am assuming there must be another way to do it with MIP or something.

It must be done from the CLI because the web interface is not enabled for some reason. If there is a way to enable the web interface from the CLI WITHOUT resetting to factory default, that would be great as well.

flscott

You tried http://ns.setup ?
zreisman (ASKER)

Yes.  The only way I can get in is through hyperterminal via console port.
You should be able to enable management from the command line by doing

set interface <interface name, ie untrust, trust, or in the case of a firewall in a different port mode, eth1-eth4> manage web

if your firewall is in untrust-trust mode the command is

set int untrust manage web
(you can also do manage ping to turn on ping, manage telnet to enable telnet, etc)

I would try that and see if you can get in over the web. If it still isn't working, post again and we can try other things.

What you will need to do is set up the VIP stuff under the interface; it's easier to do using the web interface. Go to Network -> Interfaces and click Edit on the untrust interface, go to the VIP tab and look at the configuration. Select "Add/modify a VIP" and use the radio button to select "use the IP of the untrusted interface".

Then we need to create the Services we will use. Go to the "Objects" tab in the firewall, then select "Services" and then select "Custom". Go there and build a new service by clicking the "New" button.

Name the service whatever you want, make the source ports 0-65535 and the destination port whatever port you need (161 and 1723), and you will need to select the radio button for whether the port is TCP or UDP. If you need both TCP and UDP you will have to make one entry (source ports 0 through 65535, destination port 161 through 161, click TCP) and another with the same numbers but the radio button for UDP selected.

You should make one custom service for each port, for purposes of using it for a VIP. So make one custom called TCP/UDP_161 and one called TCP/UDP_1723.

Then go back to the Untrust interface, select VIP and then click "New VIP Service" and type the port number in the field, then find your custom service on the drop down and then map it to the internal IP you want to forward the port to.

The last step is to go to Policies and select "From Untrust to Trust" and click "New" and then for source IP address select "Any" (Unless you want to lock this down to a specific source IP block, then do that instead) and for the Destination select "VIP(Interface)" and then click okay.

It should work from there! Post again if you need any other help :)
I did

set int trust manage web

It accepted the command, but I still can't get in on the web interface.
What IP address are you connecting from, and what IP address are you connecting to? Can you possibly show a get int from the device? I don't need to see the untrusted IP, but the trusted IP and your PC IP would help. There is also a way to lock down what subnets can connect to the firewall, so your subnet may need to be allowed to connect to the firewall. We can do a "get config | (pipe) include manager-ip" to see if any of those have been set up.

In fact, if you want to do a "get config" and then paste it in here, stripping out your IP addresses and passwords, I could take a look at that as well.
Here is the result of "get config". I also tried a "get config | include manager-ip" and nothing came up.
I noticed the admin port set to 32000, so I tried to connect on that from inside and outside the network with no luck. For some reason I cannot get "set int untrust manage web" to show up in the config. I am connecting from a server which is connected to the device via console. The server's IP is 192.168.168.5.

I will also include get int in the next comment.

770-fw-01-> get config
Total Config size 3588:
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set clock ntp
set clock "timezone" -5
set admin format dos
set admin name "netscreen"
set admin password
set admin port 32000
set admin auth timeout 10
set admin auth server "Local"
set service "RDP" group "other" tcp  src 0-65535 dst 3389-3389
set service "RDP" + udp  src 0-65535 dst 3389-3389
set service "IPMON" protocol tcp src-port 0-0 dst-port 161-161 group "other"
set vrouter trust-vr sharable
unset vrouter "trust-vr" auto-route-export
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "MGT" tcp-rst
set zone Untrust screen tear-drop
set zone Untrust screen syn-flood
set zone Untrust screen ping-death
set zone Untrust screen ip-filter-src
set zone Untrust screen land
set zone V1-Untrust screen tear-drop
set zone V1-Untrust screen syn-flood
set zone V1-Untrust screen ping-death
set zone V1-Untrust screen ip-filter-src
set zone V1-Untrust screen land
set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust"
unset interface vlan1 ip
set interface trust ip 192.168.168.1/24
set interface trust nat
set interface untrust ip x.x.x.x/20
set interface untrust route
set interface untrust gateway x.x.x.x
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface vlan1 ip manageable
set interface trust ip manageable
set interface untrust ip manageable
set interface untrust manage ping
set interface untrust manage scs
set interface untrust manage telnet
set interface untrust manage snmp
set interface untrust manage global-pro
set interface untrust manage ssl
set interface untrust manage web
set interface untrust vip untrust 3389 RDP 192.168.168.2
set interface untrust dhcp-client enable
set flow tcp-mss
set domain
set hostname 770-fw-01
set ntp server 192.168.168.3
set address "Trust" "192.168.168.0" 192.168.168.0 255.255.255.0 "Created by vpn wizard"
set snmp name "770-fw-01"
set user "jgoldberg" uid 1
set user "jgoldberg" ike-id u-fqdn "jgoldberg" share-limit 1
set user "jgoldberg" type  ike
set user "jgoldberg" "enable"
set ike gateway "Gateway for jgoldberg" dialup "jgoldberg" Aggr outgoing-interface "untrust" preshare "" sec-level standard
set ike gateway "Gateway for jgoldberg" nat-traversal udp-checksum
set ike gateway "Gateway for jgoldberg" nat-traversal keepalive-frequency 5
set ike policy-checking
set ike respond-bad-spi 1
set vpn "Tunnel for jgoldberg" id 1 gateway "Gateway for jgoldberg" no-replay tunnel idletime 0 sec-level standard
set ike id-mode subnet
set xauth lifetime 480
set xauth default auth server Local
set policy id 2 name "RDP Inbound Policy" from "Untrust" to "Trust"  "Any" "VIP::1" "RDP" Permit
set policy id 1 from "Untrust" to "Trust"  "Dial-Up VPN" "192.168.168.0" "ANY" Tunnel vpn "Tunnel for jgoldberg" id 2
set policy id 0 from "Trust" to "Untrust"  "Any" "Any" "ANY" Permit log
set global-pro policy-manager primary outgoing-interface untrust
set global-pro policy-manager secondary outgoing-interface untrust
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns1 167.206.3.203
set dns host dns2 167.206.3.137
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
exit
A - Active, I - Inactive, U - Up, D - Down, R - Ready

Interfaces in vsys Root:
Name         IP Address         Zone        MAC            VLAN State VSD
trust        192.168.168.1/24   Trust       0010.db4c.f6e0    -   U   -
untrust      x.x.x.x/20  Untrust     0010.db4c.f6e1    -   U   -
vlan1        0.0.0.0/0          MGT         0010.db4c.f6ef    1   D   -
Service (port=161) not supported for this vip x.x.x.x

and this is what it says when I try to forward it.
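As an added example (not from any poster in this thread), the following Python script parses a ScreenOS "get config" dump like the one above and reports the things the replies are hunting for by hand: which management services each interface has, whether the VIP-plus-policy pairing the procedure above describes is complete, and whether trust has "manage web" at all. The sample input is constructed from lines of the posted config; the risk labels are my own.

```python
"""Audit a ScreenOS `get config` dump: management exposure, VIPs and their policies."""
import re

# Constructed sample: lines copied from the get config output posted in the thread
# (the poster had already masked the public addresses as x.x.x.x).
SAMPLE_CONFIG = """\
set admin port 32000
set service "RDP" group "other" tcp  src 0-65535 dst 3389-3389
set interface trust ip 192.168.168.1/24
set interface untrust ip x.x.x.x/20
set interface untrust manage ping
set interface untrust manage telnet
set interface untrust manage web
set interface untrust vip untrust 3389 RDP 192.168.168.2
set policy id 2 name "RDP Inbound Policy" from "Untrust" to "Trust"  "Any" "VIP::1" "RDP" Permit
"""

MANAGE_RE = re.compile(r'^set interface (\S+) manage (\S+)$')
# set interface <iface> vip <vip-addr|iface> <port> <service> <internal-ip>
VIP_RE = re.compile(r'^set interface (\S+) vip \S+ (\d+) (\S+) (\S+)$')
# set policy id N [name "..."] from "Zone" to "Zone" "src" "dst" "service" Action ...
POLICY_RE = re.compile(r'^set policy id (\d+).*?from "(\w+)" to "(\w+)"\s+"([^"]+)" "([^"]+)" "([^"]+)" (\w+)')

def parse_config(text):
    manage, vips, policies = {}, [], []
    for line in text.splitlines():
        if m := MANAGE_RE.match(line):
            manage.setdefault(m[1], set()).add(m[2])
        elif m := VIP_RE.match(line):
            vips.append({"iface": m[1], "port": int(m[2]), "service": m[3], "target": m[4]})
        elif m := POLICY_RE.match(line):
            policies.append({"id": int(m[1]), "from": m[2], "to": m[3], "src": m[4],
                             "dst": m[5], "svc": m[6], "action": m[7]})
    return manage, vips, policies

def findings(text):
    manage, vips, policies = parse_config(text)
    out = []
    # Clear-text (telnet) or browser (web) management reachable on the Internet-facing side.
    for svc in ("telnet", "web"):
        if svc in manage.get("untrust", set()):
            out.append(f"untrust: management service '{svc}' enabled on the Internet-facing interface")
    # A VIP only forwards traffic if an Untrust->Trust policy permits its service (last step of the how-to).
    for v in vips:
        if not any(p["to"] == "Trust" and p["dst"].startswith("VIP") and p["svc"] == v["service"]
                   and p["action"] == "Permit" for p in policies):
            out.append(f"vip {v['port']} -> {v['target']}: no permit policy references it")
    if "web" not in manage.get("trust", set()):
        out.append("trust: web management not enabled (why http://192.168.168.1 fails from the LAN)")
    return out

if __name__ == "__main__":
    print("\n".join(findings(SAMPLE_CONFIG)))
```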
I'm sorry for the late reply, work has been nasty the last day.

I was assuming you were connecting on the untrust interface over the internet. But your server is on the same subnet as the trust. So you need to:

set int trust manage web

I would unset the admin port 32000 and you should be able to connect via http in a browser. If you leave that port in you would need to http://xx.xx.xx.xx:32000 to get it to come up.

I will log into a netscreen real quick and set up your config and then paste the config into the next message... coming in a minute.
ASKER CERTIFIED SOLUTION
AndrewCink