

Netscreen 5GT unable to forward ports 161 and 1723

Posted on 2007-04-02
Medium Priority
Last Modified: 2008-03-06
I have a client with a Netscreen 5GT Router.  All I need to do is forward ports 161 and 1723.   When I try to do it using a Virtual IP it gives me an error saying those ports aren't available for Virtual IP.  I know I have the command syntax right because I tried it with port 80 and it worked.  

It seems excessively lame that a $600 router would not be able to do something as simple as forwarding ports so I am assuming there must be another way to do it with MIP or something.    

It must be done from the CLI because the web interface is not enabled for some reason.    If there is a way to enable the web interface from the CLI WITHOUT resetting to factory default that would be great as well.

Question by:zreisman

Expert Comment

ID: 18839737
You tried http://ns.setup ?

Author Comment

ID: 18840178
Yes.  The only way I can get in is through hyperterminal via console port.

Expert Comment

ID: 18848144
You should be able to enable management from the command line by doing

set interface <interface name, ie untrust, trust, or in the case of a firewall in a different port mode, eth1-eth4> manage web

if your firewall is in untrust-trust mode the command is

set int untrust manage web
(you can also do manage ping to turn on ping, manage telnet to enable telnet, etc)

I would try that and see if you can get in over the web. If it still isn't working, post again and we can try other things.

What you will need to do, is set up the VIP stuff under the interface, it's easier to do using the web interface. Go to network->interfaces and click edit on the untrust interface, go the VIP tab and look at the configuration. Select "Add modify a VIP" and use the radio button to select use the IP of the untrusted interface.

Then we need to create the Services we will use. Go to the "Objects" tab in the firewall, then select "Services" and then select "Custom". Go there and build a new service by clicking the "New" button.

Name the service whatever you want, make the source ports 0-65535 and the destination port whatever port you need (161 and 1723) and you will need to select the radio button if the port is TCP or UDP. IF you need both TCP and UDP you will have to make one entry (source ports 0 through 65535, destination port 161 through 161, click TCP, and another with the same numbers, but the radio button for UDP selected)

You should make one custom service for each port, for purposes of using it for a VIP. So make one custom called TCP/UDP_161 and one called TCP/UDP_1723.

Then go back to the Untrust interface, select VIP and then click "New VIP Service" and type the port number in the field, then find your custom service on the drop down and then map it to the internal IP you want to forward the port to.

The last step is to go to Policies and select "From Untrust to Trust" and click "New" and then for source IP address select "Any" (Unless you want to lock this down to a specific source IP block, then do that instead) and for the Destination select "VIP(Interface)" and then click okay.

It should work from there! Post again if you need any other help :)

Author Comment

ID: 18850291
I did

set int trust manage web

it accepted the command but I still can't get in on the web interface.

Expert Comment

ID: 18853146
What IP address are you connecting from, and what IP address are you connecting to? Can you possibly show a get int from the device? I don't need to see the untrusted IP, but the trusted IP and your PC IP would help. There is also a way to lock down what subnets can connect to the firewall, so your subnet may need to be allowed to connect to the firewall. We can do a "get config | (pipe) include manager-ip" to see if any of those have been set up.

In fact, if you want to do a "get config" and then paste it in here, stripping out your IP addresses and passwords, I could take a look at that as well.

Author Comment

ID: 18854825
Here is the result of "get config".   I also tried a "get config | include manager-ip" and nothing came up.
I noticed the admin port set to 32000 so I tried to connect on that from inside and outside the network with no luck.  For some reason I cannot get "set int untrust manage web" to show up in the config.    I am connecting from a server which is connected to the device via console.  Server's IP is  

I will also include get int in the next comment.

770-fw-01-> get config
Total Config size 3588:
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set clock ntp
set clock "timezone" -5
set admin format dos
set admin name "netscreen"
set admin password
set admin port 32000
set admin auth timeout 10
set admin auth server "Local"
set service "RDP" group "other" tcp  src 0-65535 dst 3389-3389
set service "RDP" + udp  src 0-65535 dst 3389-3389
set service "IPMON" protocol tcp src-port 0-0 dst-port 161-161 group "other"
set vrouter trust-vr sharable
unset vrouter "trust-vr" auto-route-export
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
--- more ---
set zone "MGT" block
set zone "MGT" tcp-rst
set zone Untrust screen tear-drop
set zone Untrust screen syn-flood
set zone Untrust screen ping-death
set zone Untrust screen ip-filter-src
set zone Untrust screen land
set zone V1-Untrust screen tear-drop
set zone V1-Untrust screen syn-flood
set zone V1-Untrust screen ping-death
set zone V1-Untrust screen ip-filter-src
set zone V1-Untrust screen land
set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust"
unset interface vlan1 ip
set interface trust ip
set interface trust nat
set interface untrust ip x.x.x.x/20
set interface untrust route
set interface untrust gateway x.x.x.x
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
--- more ---
set interface vlan1 ip manageable
set interface trust ip manageable
set interface untrust ip manageable
set interface untrust manage ping
set interface untrust manage scs
set interface untrust manage telnet
set interface untrust manage snmp
set interface untrust manage global-pro
set interface untrust manage ssl
set interface untrust manage web
set interface untrust vip untrust 3389 RDP
set interface untrust dhcp-client enable
set flow tcp-mss
set domain
set hostname 770-fw-01
set ntp server
set address "Trust" "" "Created by vpn
set snmp name "770-fw-01"
set user "jgoldberg" uid 1
set user "jgoldberg" ike-id u-fqdn "jgoldberg" share-limit 1
set user "jgoldberg" type  ike
set user "jgoldberg" "enable"
--- more ---
set ike gateway "Gateway for jgoldberg" dialup "jgoldberg" Aggr outgoing-interface "untrust" preshare "" sec-level standard
set ike gateway "Gateway for jgoldberg" nat-traversal udp-checksum
set ike gateway "Gateway for jgoldberg" nat-traversal keepalive-frequency 5
set ike policy-checking
set ike respond-bad-spi 1
set vpn "Tunnel for jgoldberg" id 1 gateway "Gateway for jgoldberg" no-replay tunnel idletime 0 sec-level standard
set ike id-mode subnet
set xauth lifetime 480
set xauth default auth server Local
set policy id 2 name "RDP Inbound Policy" from "Untrust" to "Trust"  "Any" "VIP::1" "RDP" Permit
set policy id 1 from "Untrust" to "Trust"  "Dial-Up VPN" "" "ANY" Tunnel vpn "Tunnel for jgoldberg" id 2
set policy id 0 from "Trust" to "Untrust"  "Any" "Any" "ANY" Permit log
set global-pro policy-manager primary outgoing-interface untrust
set global-pro policy-manager secondary outgoing-interface untrust
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns1
set dns host dns2
set vrouter "untrust-vr"
set vrouter "trust-vr"
unset add-default-route
--- more ---

Author Comment

ID: 18854838
A - Active, I - Inactive, U - Up, D - Down, R - Ready

Interfaces in vsys Root:
Name         IP Address         Zone        MAC            VLAN State VSD
trust   Trust       0010.db4c.f6e0    -   U   -
untrust      x.x.x.x/20  Untrust     0010.db4c.f6e1    -   U   -
vlan1          MGT         0010.db4c.f6ef    1   D   -

Author Comment

ID: 18854868
Service (port=161) not supported for this vip x.x.x.x

and this is what it says when I try to forward it.

Expert Comment

ID: 18862545
I'm sorry for the late reply, work has been nasty the last day.

I was assuming you were connecting on the untrust interface over the internet. But your server is on the same subnet as the trust.. So you need to:

set int trust manage web

I would unset the admin port 32000 and you should be able to connect via http in a browser. If you leave that port in you would need to http://xx.xx.xx.xx:32000 to get it to come up.

I will log into a netscreen real quick and set up your config and then paste the config into the next message... coming in a minute.

Accepted Solution

AndrewCink earned 2000 total points
ID: 18862583
Okay... so, I am seeing the problem. It sounds like you're trying to forward TCP 1723 (remote access) and UDP 161 (SNMP) am I correct?

So here is the stuff for 1723..

set service "TCP_1723" protocol tcp src-port 0-65535 dst-port 1723-1723
set interface untrust vip untrust 1723 "TCP_1723"
set policy id 5 from "Untrust" to "Trust"  "Any" "VIP(ethernet3)" "TCP_1723" permit

The problem we have is SNMP is UDP port 161 which the Netscreen also uses for SNMP monitoring of itself. I spent several ways trying to forward it, and it appears the device simply won't let you port forward it. It looks like it will only let you poll it for SNMP, not port forward those polls to another device.

If you have more than one public IP address, we could easily use a MIP and forward the requisite ports to your server. But if you're using a VIP it seems unlikely you have extra IP addresses to use.

I do not think there is another workaround, unless you can find a way to do status polls on a different port, and then forward that port to your local server instead.

Good luck.. let me know if you have other questions...
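The two things this thread turns on, which interface actually accepts management (and on which admin port), and whether a VIP has a matching Untrust-to-Trust policy, can both be read straight out of a `get config` dump. The script below is an added example, not code from this thread or from Juniper: it parses the `set` lines in the syntax seen in the pasted config, reports management services enabled on the untrust interface (the admin plane of the firewall exposed to the Internet, as in the poster's config), flags a missing `manage web` on trust and a non-default admin port, lists each VIP with the protocols its custom service covers and the policies that permit it, and emits the three CLI lines for a new forward in the shape the accepted answer used. SAMPLE_CONFIG is constructed; 192.0.2.10 is an RFC 5737 documentation address, not the poster's server. The policy destination `VIP(untrust)` assumes a 5GT in trust-untrust mode (the accepted answer showed `VIP(ethernet3)` from a different model), and the refusal of port 161 simply mirrors the error the poster saw.

```python
"""ScreenOS config audit: management exposure and VIP forwards.
Added example, not code from the thread or from Juniper. SAMPLE_CONFIG is
constructed; 192.0.2.10 is an RFC 5737 documentation address."""
import re
from collections import defaultdict

# Management services that, when enabled on the Internet-facing interface,
# expose the firewall's own admin plane rather than the hosts behind it.
RISKY_ON_UNTRUST = {"web", "ssl", "telnet", "scs", "snmp", "ping", "global-pro"}

SAMPLE_CONFIG = """\
set admin port 32000
set service "RDP" group "other" tcp  src 0-65535 dst 3389-3389
set service "RDP" + udp  src 0-65535 dst 3389-3389
set service "TCP_1723" protocol tcp src-port 0-65535 dst-port 1723-1723
set interface untrust manage ping
set interface untrust manage telnet
set interface untrust manage snmp
set interface untrust manage web
set interface untrust vip untrust 3389 RDP
set interface untrust vip untrust 1723 "TCP_1723" 192.0.2.10
--- more ---
set policy id 2 name "RDP Inbound Policy" from "Untrust" to "Trust"  "Any" "VIP::1" "RDP" Permit
"""

MANAGE_RE = re.compile(r'^set interface "?([\w-]+)"? manage ([\w-]+)$')
ADMIN_PORT_RE = re.compile(r"^set admin port (\d+)$")
SERVICE_RE = re.compile(r'^set service "([^"]+)" (?:\+ |protocol |group "[^"]*" )?(tcp|udp)\s+'
                        r"(?:src|src-port) \d+-\d+\s+(?:dst|dst-port) (\d+)-(\d+)")
VIP_RE = re.compile(r'^set interface "?([\w-]+)"? vip (\S+) (\d+) (?:"([^"]+)"|(\S+))(?: (\S+))?$')
POLICY_RE = re.compile(r'^set policy id (\d+) (?:name "[^"]*" )?from "(\w+)" to "(\w+)"\s+'
                       r'"([^"]*)" "([^"]*)" "([^"]*)" (\w+)')


def parse_config(text):
    """Turn the relevant ``set`` lines of a get-config dump into a dict."""
    cfg = {"manage": defaultdict(set), "admin_port": 80,
           "services": defaultdict(list), "vips": [], "policies": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "--- more ---":      # blank lines and pager prompts
            continue
        if m := MANAGE_RE.match(line):
            cfg["manage"][m.group(1)].add(m.group(2))
        elif m := ADMIN_PORT_RE.match(line):
            cfg["admin_port"] = int(m.group(1))
        elif m := SERVICE_RE.match(line):
            name, proto, lo, hi = m.groups()
            cfg["services"][name].append((proto, int(lo), int(hi)))
        elif m := VIP_RE.match(line):
            iface, vip_ip, port, quoted, bare, internal = m.groups()
            cfg["vips"].append({"iface": iface, "vip": vip_ip, "port": int(port),
                                "service": quoted or bare, "internal": internal})
        elif m := POLICY_RE.match(line):
            pid, src_zone, dst_zone, src, dst, svc, action = m.groups()
            cfg["policies"].append({"id": int(pid), "from": src_zone, "to": dst_zone, "src": src,
                                    "dst": dst, "service": svc, "action": action.lower()})
    return cfg


def management_exposure(cfg):
    """Interface -> sorted list of management services it accepts."""
    return {i: sorted(s) for i, s in cfg["manage"].items() if s}


def forwards(cfg):
    """Each VIP with the protocols its service covers and the policies that permit it."""
    out = []
    for vip in cfg["vips"]:
        entries = cfg["services"].get(vip["service"], [])
        pols = [p["id"] for p in cfg["policies"]
                if p["from"] == "Untrust" and p["dst"].startswith("VIP")
                and p["service"] == vip["service"] and p["action"] == "permit"]
        out.append({"port": vip["port"], "service": vip["service"],
                    "protocols": sorted({e[0] for e in entries}),
                    "internal": vip["internal"] or "(not shown)", "policies": pols})
    return out


def audit(cfg):
    """Human-readable findings, in the order a reviewer would check them."""
    findings = []
    exposed = sorted(cfg["manage"].get("untrust", set()) & RISKY_ON_UNTRUST)
    if exposed:
        findings.append("untrust accepts management via " + ", ".join(exposed)
                        + "; the admin plane is reachable from the Internet")
    if "web" not in cfg["manage"].get("trust", set()):
        findings.append("trust lacks 'manage web', so the WebUI is unreachable from the LAN")
    if cfg["admin_port"] != 80:
        findings.append(f"admin port is {cfg['admin_port']}: the WebUI is at http://<trust-ip>:{cfg['admin_port']}")
    for fw in forwards(cfg):
        if not fw["policies"]:
            findings.append(f"VIP {fw['port']} ({fw['service']}) has no Untrust->Trust permit policy")
    return findings


def plan_forward(port, proto, internal_ip, policy_id):
    """CLI lines for one VIP forward in the shape the accepted answer used.
    VIP(untrust) assumes a 5GT in trust-untrust mode (an assumption)."""
    if port == 161:   # the poster's 5GT answered "Service (port=161) not supported for this vip"
        raise ValueError("the 5GT refuses a VIP on 161; it keeps that port for its own SNMP agent")
    name = f"{proto.upper()}_{port}"
    return [f'set service "{name}" protocol {proto} src-port 0-65535 dst-port {port}-{port}',
            f'set interface untrust vip untrust {port} "{name}" {internal_ip}',
            f'set policy id {policy_id} from "Untrust" to "Trust" "Any" "VIP(untrust)" "{name}" permit']
```

Run `audit(parse_config(open("config.txt").read()))` on a real dump after stripping addresses and passwords, as the expert asked the poster to do. The "--- more ---" filter exists because pasted console output keeps the pager prompts; the VIP regex accepts both the unquoted service name and the trailing internal address that the poster's stripped config no longer shows.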


