Solved

Netscreen 5GT unable to forward ports 161 and 1723

Posted on 2007-04-02
951 Views
Last Modified: 2008-03-06
I have a client with a Netscreen 5GT Router.  All I need to do is forward ports 161 and 1723.   When I try to do it using a Virtual IP it gives me an error saying those ports aren't available for Virtual IP.  I know I have the command syntax right because I tried it with port 80 and it worked.  

It seems excessively lame that a $600 router would not be able to do something as simple as forwarding ports, so I am assuming there must be another way to do it with MIP or something.    

It must be done from the CLI because the web interface is not enabled for some reason.    If there is a way to enable the web interface from the CLI WITHOUT resetting to factory default that would be great as well.

Question by:zreisman
10 Comments
 
LVL 2

Expert Comment

by:flscott
You tried http://ns.setup ?
LVL 1

Author Comment

by:zreisman
Yes.  The only way I can get in is through hyperterminal via console port.
LVL 4

Expert Comment

by:AndrewCink
You should be able to enable management from the command line by doing

set interface <interface name, ie untrust, trust, or in the case of a firewall in a different port mode, eth1-eth4> manage web

if your firewall is in untrust-trust mode the command is

set int untrust manage web
(you can also do manage ping to turn on ping, manage telnet to enable telnet, etc)

I would try that and see if you can get in over the web. If it still isn't working, post again and we can try other things.

What you will need to do, is set up the VIP stuff under the interface, it's easier to do using the web interface. Go to network->interfaces and click edit on the untrust interface, go the VIP tab and look at the configuration. Select "Add modify a VIP" and use the radio button to select use the IP of the untrusted interface.

Then we need to create the Services we will use. Go to the "Objects" tab in the firewall, then select "Services" and then select "Custom". Go there and build a new service by clicking the "New" button.

Name the service whatever you want, make the source ports 0-65535 and the destination port whatever port you need (161 and 1723), and you will need to select the radio button for whether the port is TCP or UDP. If you need both TCP and UDP you will have to make one entry (source ports 0 through 65535, destination port 161 through 161, click TCP) and another with the same numbers but the radio button for UDP selected.

You should make one custom service for each port, for purposes of using it for a VIP. So make one custom called TCP/UDP_161 and one called TCP/UDP_1723.

Then go back to the Untrust interface, select VIP and then click "New VIP Service" and type the port number in the field, then find your custom service on the drop down and then map it to the internal IP you want to forward the port to.

The last step is to go to Policies and select "From Untrust to Trust" and click "New" and then for source IP address select "Any" (Unless you want to lock this down to a specific source IP block, then do that instead) and for the Destination select "VIP(Interface)" and then click okay.

It should work from there! Post again if you need any other help :)
LVL 1

Author Comment

by:zreisman
I did

set int trust manage web

It accepted the command, but I still can't get in on the web interface.
LVL 4

Expert Comment

by:AndrewCink
What IP address are you connecting from, and what IP address are you connecting to? Can you possibly show a get int from the device? I don't need to see the untrusted IP, but the trusted IP and your PC IP would help. There is also a way to lock down what subnets can connect to the firewall, so your subnet may need to be allowed to connect to the firewall. We can do a "get config | (pipe) include manager-ip" to see if any of those have been set up.

In fact, if you want to do a "get config" and then paste it in here, stripping out your IP addresses and passwords, I could take a look at that as well.
LVL 1

Author Comment

by:zreisman
Here is the result of "get config"   I also tried a "get config | include manager-ip" and nothing came up.
I noticed the admin port set to 32000 so I tried to connect on that from inside and outside the network with no luck.  For some reason I cannot get "set int untrust manage web" to show up in the config.    I am connecting from a server which is connected to the device via console.  The server's IP is 192.168.168.5.  

I will also include get int in the next comment.

770-fw-01-> get config
Total Config size 3588:
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set clock ntp
set clock "timezone" -5
set admin format dos
set admin name "netscreen"
set admin password
set admin port 32000
set admin auth timeout 10
set admin auth server "Local"
set service "RDP" group "other" tcp  src 0-65535 dst 3389-3389
set service "RDP" + udp  src 0-65535 dst 3389-3389
set service "IPMON" protocol tcp src-port 0-0 dst-port 161-161 group "other"
set vrouter trust-vr sharable
unset vrouter "trust-vr" auto-route-export
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "MGT" tcp-rst
set zone Untrust screen tear-drop
set zone Untrust screen syn-flood
set zone Untrust screen ping-death
set zone Untrust screen ip-filter-src
set zone Untrust screen land
set zone V1-Untrust screen tear-drop
set zone V1-Untrust screen syn-flood
set zone V1-Untrust screen ping-death
set zone V1-Untrust screen ip-filter-src
set zone V1-Untrust screen land
set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust"
unset interface vlan1 ip
set interface trust ip 192.168.168.1/24
set interface trust nat
set interface untrust ip x.x.x.x/20
set interface untrust route
set interface untrust gateway x.x.x.x
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface vlan1 ip manageable
set interface trust ip manageable
set interface untrust ip manageable
set interface untrust manage ping
set interface untrust manage scs
set interface untrust manage telnet
set interface untrust manage snmp
set interface untrust manage global-pro
set interface untrust manage ssl
set interface untrust manage web
set interface untrust vip untrust 3389 RDP 192.168.168.2
set interface untrust dhcp-client enable
set flow tcp-mss
set domain
set hostname 770-fw-01
set ntp server 192.168.168.3
set address "Trust" "192.168.168.0" 192.168.168.0 255.255.255.0 "Created by vpn wizard"
set snmp name "770-fw-01"
set user "jgoldberg" uid 1
set user "jgoldberg" ike-id u-fqdn "jgoldberg" share-limit 1
set user "jgoldberg" type  ike
set user "jgoldberg" "enable"
set ike gateway "Gateway for jgoldberg" dialup "jgoldberg" Aggr outgoing-interface "untrust" preshare "" sec-level standard
set ike gateway "Gateway for jgoldberg" nat-traversal udp-checksum
set ike gateway "Gateway for jgoldberg" nat-traversal keepalive-frequency 5
set ike policy-checking
set ike respond-bad-spi 1
set vpn "Tunnel for jgoldberg" id 1 gateway "Gateway for jgoldberg" no-replay tunnel idletime 0 sec-level standard
set ike id-mode subnet
set xauth lifetime 480
set xauth default auth server Local
set policy id 2 name "RDP Inbound Policy" from "Untrust" to "Trust"  "Any" "VIP::1" "RDP" Permit
set policy id 1 from "Untrust" to "Trust"  "Dial-Up VPN" "192.168.168.0" "ANY" Tunnel vpn "Tunnel for jgoldberg" id 2
set policy id 0 from "Trust" to "Untrust"  "Any" "Any" "ANY" Permit log
set global-pro policy-manager primary outgoing-interface untrust
set global-pro policy-manager secondary outgoing-interface untrust
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns1 167.206.3.203
set dns host dns2 167.206.3.137
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
exit
LVL 1

Author Comment

by:zreisman
A - Active, I - Inactive, U - Up, D - Down, R - Ready

Interfaces in vsys Root:
Name         IP Address         Zone        MAC            VLAN State VSD
trust        192.168.168.1/24   Trust       0010.db4c.f6e0    -   U   -
untrust      x.x.x.x/20  Untrust     0010.db4c.f6e1    -   U   -
vlan1        0.0.0.0/0          MGT         0010.db4c.f6ef    1   D   -
LVL 1

Author Comment

by:zreisman
Service (port=161) not supported for this vip x.x.x.x

This is what it says when I try to forward it.
LVL 4

Expert Comment

by:AndrewCink
I'm sorry for the late reply, work has been nasty the last day.

I was assuming you were connecting on the untrust interface over the internet, but your server is on the same subnet as the trust interface. So you need to:

set int trust manage web

I would unset the admin port 32000 and you should be able to connect via http in a browser. If you leave that port in you would need to http://xx.xx.xx.xx:32000 to get it to come up.

I will log into a netscreen real quick and set up your config and then paste the config into the next message... coming in a minute.
LVL 4

Accepted Solution

by:
AndrewCink earned 500 total points
Okay... so, I am seeing the problem. It sounds like you're trying to forward TCP 1723 (remote access) and UDP 161 (SNMP) am I correct?

So here is the stuff for 1723..

set service "TCP_1723" protocol tcp src-port 0-65535 dst-port 1723-1723
set interface untrust vip untrust 1723 "TCP_1723" 192.168.168.2
set policy id 5 from "Untrust" to "Trust"  "Any" "VIP(ethernet3)" "TCP_1723" permit

The problem we have is that SNMP is UDP port 161, which the Netscreen also uses for SNMP monitoring of itself. I tried several ways of forwarding it, and it appears the device simply won't let you port forward it. It looks like it will only let you poll it for SNMP, not port forward those polls to another device.

If you have more than one public IP address, we could easily use a MIP and forward the requisite ports to your server. But if you're using a VIP it seems unlikely you have extra IP addresses to use.

I do not think there is another workaround, unless you can find a way to do status polls on a different port, and then forward that port to your local server instead.

Good luck.. let me know if you have other questions...


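Added example, not code from the thread or from Juniper: a way to confirm from the outside which device is actually answering UDP/161, since the accepted answer's finding is that the NetScreen keeps that port for its own agent rather than passing it to the VIP host. It builds an SNMPv1 GetRequest for sysName.0 by hand, sends it to the public address, and compares the reply with the name in the posted config ("set snmp name "770-fw-01""). Assumptions: SNMPv1 with community "public" (the posted config shows no community string, so substitute the real one), that the firewall's agent reports that configured name as sysName, and that the inside host has a different sysName; the 770-fw-01 value and the sample reply are constructed for the offline demonstration. Python is used because the point is the probe, not the ScreenOS configuration.

```python
"""Tell whether UDP/161 at an address is answered by the NetScreen itself or by
the host behind a VIP.  Added example, not from the thread; assumes SNMPv1 and
a community of "public" (the posted config shows no community string)."""
import socket

SYSNAME_OID = "1.3.6.1.2.1.1.5.0"   # SNMPv2-MIB::sysName.0
FIREWALL_SNMP_NAME = "770-fw-01"     # from the posted 'set snmp name' line (assumed sysName)

def ber_len(n):
    """BER length octets: short form below 128, long form above."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body

def encode_int(v):
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def encode_oid(dotted):
    """Dotted OID -> BER: first two arcs merged, the rest base-128 big-endian."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return bytes(out)

def read_tlv(buf, pos):
    """Return (tag, contents, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def snmpv1_message(community, pdu_tag, request_id, oid, value_tlv):
    """SNMPv1 message with one varbind; pdu_tag 0xA0 = GetRequest, 0xA2 = GetResponse."""
    varbind = tlv(0x30, tlv(0x06, encode_oid(oid)) + value_tlv)
    pdu = tlv(pdu_tag, encode_int(request_id) + encode_int(0) + encode_int(0)
              + tlv(0x30, varbind))
    return tlv(0x30, encode_int(0) + tlv(0x04, community.encode()) + pdu)

def build_get_request(community, oid, request_id=1):
    return snmpv1_message(community, 0xA0, request_id, oid, tlv(0x05, b""))

def build_get_response(community, oid, octets, request_id=1):
    """Constructed reply for the offline demo (what an agent would send back)."""
    return snmpv1_message(community, 0xA2, request_id, oid, tlv(0x04, octets))

def parse_response(packet):
    """Walk the BER tree; return (request_id, error_status, oid_bytes, value_tag, value)."""
    tag, msg, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, _version, p = read_tlv(msg, 0)
    _, _community, p = read_tlv(msg, p)
    pdu_tag, pdu, _ = read_tlv(msg, p)
    if pdu_tag != 0xA2:
        raise ValueError("not a GetResponse PDU")
    _, rid, p = read_tlv(pdu, 0)
    _, err, p = read_tlv(pdu, p)
    _, _index, p = read_tlv(pdu, p)
    _, varbinds, _ = read_tlv(pdu, p)
    _, varbind, _ = read_tlv(varbinds, 0)
    _, oid, p = read_tlv(varbind, 0)
    value_tag, value, _ = read_tlv(varbind, p)
    return (int.from_bytes(rid, "big", signed=True),
            int.from_bytes(err, "big", signed=True), oid, value_tag, value)

def classify(sysname, firewall_name=FIREWALL_SNMP_NAME):
    """Only meaningful when the inside host's sysName differs from the firewall's."""
    if sysname is None:
        return "no-answer"
    return "firewall" if sysname == firewall_name else "forwarded"

def probe(host, community="public", port=161, timeout=2.0, request_id=1):
    """Send one GetRequest for sysName.0; None on timeout, error-status or wrong id/OID."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_get_request(community, SYSNAME_OID, request_id), (host, port))
        try:
            data, _ = sock.recvfrom(1500)
        except socket.timeout:
            return None
    rid, err, oid, value_tag, value = parse_response(data)
    if rid != request_id or err != 0 or value_tag != 0x04 or oid != encode_oid(SYSNAME_OID):
        return None
    return value.decode("ascii", "replace")

if __name__ == "__main__":
    import sys
    print(classify(probe(sys.argv[1])) if len(sys.argv) > 1 else "usage: probe.py <public-ip>")
```

Run it as `python3 probe.py <public-ip>` from a host outside the firewall. A "firewall" result means the NetScreen's own agent answered, "forwarded" means a host with a different sysName answered, and "no-answer" covers timeouts, error-status replies and a wrong community string. SNMPv1 carries the community in clear text, so send the probe only from a machine you control.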