Netscreen 5GT unable to forward ports 161 and 1723

I have a client with a Netscreen 5GT Router. All I need to do is forward ports 161 and 1723. When I try to do it using a Virtual IP it gives me an error saying those ports aren't available for Virtual IP. I know I have the command syntax right because I tried it with port 80 and it worked.

It seems excessively lame that a $600 dollar router would not be able to do something as simple as forwarding ports so I am assuming there must be another way to do it with MIP or something.    

It must be done from the CLI because the web interface is not enabled for some reason. If there is a way to enable the web interface from the CLI WITHOUT resetting to factory default that would be great as well.


You tried http://ns.setup ?
zreismanAuthor Commented:
Yes.  The only way I can get in is through hyperterminal via console port.
You should be able to enable management from the command line by doing

set interface <interface name, ie untrust, trust, or in the case of a firewall in a different port mode, eth1-eth4> manage web

if your firewall is in untrust-trust mode the command is

set int untrust manage web
(you can also do manage ping to turn on ping, manage telnet to enable telnet, etc)

I would try that and see if you can get in over the web. If it still isn't working, post again and we can try other things.

What you will need to do is set up the VIP stuff under the interface; it's easier to do using the web interface. Go to network->interfaces and click edit on the untrust interface, go to the VIP tab and look at the configuration. Select "Add modify a VIP" and use the radio button to select use the IP of the untrusted interface.

Then we need to create the Services we will use. Go to the "Objects" tab in the firewall, then select "Services" and then select "Custom". Go there and build a new service by clicking the "New" button.

Name the service whatever you want, make the source ports 0-65535 and the destination port whatever port you need (161 and 1723) and you will need to select the radio button if the port is TCP or UDP. If you need both TCP and UDP you will have to make one entry (source ports 0 through 65535, destination port 161 through 161, click TCP, and another with the same numbers, but the radio button for UDP selected).

You should make one custom service for each port, for purposes of using it for a VIP. So make one custom called TCP/UDP_161 and one called TCP/UDP_1723.

Then go back to the Untrust interface, select VIP and then click "New VIP Service" and type the port number in the field, then find your custom service on the drop down and then map it to the internal IP you want to forward the port to.

The last step is to go to Policies and select "From Untrust to Trust" and click "New" and then for source IP address select "Any" (Unless you want to lock this down to a specific source IP block, then do that instead) and for the Destination select "VIP(Interface)" and then click okay.

It should work from there! Post again if you need any other help :)

zreismanAuthor Commented:
I did

set int trust manage web

it accepted the command but I still can't get in on the web interface.
What IP address are you connecting from, and what IP address are you connecting to? Can you possibly show a get int from the device? I don't need to see the untrusted IP, but the trusted IP and your PC IP would help. There is also a way to lock down what subnets can connect to the firewall, so your subnet may need to be allowed to connect to the firewall. We can do a "get config | (pipe) include manager-ip" to see if any of those have been set up.

In fact, if you want to do a "get config" and then paste it in here, stripping out your IP addresses and passwords, I could take a look at that as well.
zreismanAuthor Commented:
Here is the result of "get config". I also tried a "get config | include manager-ip" and nothing came up.
I noticed the admin port set to 32000 so I tried to connect on that from inside and outside the network with no luck. For some reason I cannot get "set int untrust manage web" to show up in the config. I am connecting from a server which is connected to the device via console. Server's IP is  

I will also include get int in the next comment.

770-fw-01-> get config
Total Config size 3588:
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set clock ntp
set clock "timezone" -5
set admin format dos
set admin name "netscreen"
set admin password
set admin port 32000
set admin auth timeout 10
set admin auth server "Local"
set service "RDP" group "other" tcp  src 0-65535 dst 3389-3389
set service "RDP" + udp  src 0-65535 dst 3389-3389
set service "IPMON" protocol tcp src-port 0-0 dst-port 161-161 group "other"
set vrouter trust-vr sharable
unset vrouter "trust-vr" auto-route-export
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "MGT" tcp-rst
set zone Untrust screen tear-drop
set zone Untrust screen syn-flood
set zone Untrust screen ping-death
set zone Untrust screen ip-filter-src
set zone Untrust screen land
set zone V1-Untrust screen tear-drop
set zone V1-Untrust screen syn-flood
set zone V1-Untrust screen ping-death
set zone V1-Untrust screen ip-filter-src
set zone V1-Untrust screen land
set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust"
unset interface vlan1 ip
set interface trust ip
set interface trust nat
set interface untrust ip x.x.x.x/20
set interface untrust route
set interface untrust gateway x.x.x.x
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface vlan1 ip manageable
set interface trust ip manageable
set interface untrust ip manageable
set interface untrust manage ping
set interface untrust manage scs
set interface untrust manage telnet
set interface untrust manage snmp
set interface untrust manage global-pro
set interface untrust manage ssl
set interface untrust manage web
set interface untrust vip untrust 3389 RDP
set interface untrust dhcp-client enable
set flow tcp-mss
set domain
set hostname 770-fw-01
set ntp server
set address "Trust" "" "Created by vpn
set snmp name "770-fw-01"
set user "jgoldberg" uid 1
set user "jgoldberg" ike-id u-fqdn "jgoldberg" share-limit 1
set user "jgoldberg" type  ike
set user "jgoldberg" "enable"
set ike gateway "Gateway for jgoldberg" dialup "jgoldberg" Aggr outgoing-interface "untrust" preshare "" sec-level standard
set ike gateway "Gateway for jgoldberg" nat-traversal udp-checksum
set ike gateway "Gateway for jgoldberg" nat-traversal keepalive-frequency 5
set ike policy-checking
set ike respond-bad-spi 1
set vpn "Tunnel for jgoldberg" id 1 gateway "Gateway for jgoldberg" no-replay tunnel idletime 0 sec-level standard
set ike id-mode subnet
set xauth lifetime 480
set xauth default auth server Local
set policy id 2 name "RDP Inbound Policy" from "Untrust" to "Trust"  "Any" "VIP::1" "RDP" Permit
set policy id 1 from "Untrust" to "Trust"  "Dial-Up VPN" "" "ANY" Tunnel vpn "Tunnel for jgoldberg" id 2
set policy id 0 from "Trust" to "Untrust"  "Any" "Any" "ANY" Permit log
set global-pro policy-manager primary outgoing-interface untrust
set global-pro policy-manager secondary outgoing-interface untrust
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns1
set dns host dns2
set vrouter "untrust-vr"
set vrouter "trust-vr"
unset add-default-route
zreismanAuthor Commented:
A - Active, I - Inactive, U - Up, D - Down, R - Ready

Interfaces in vsys Root:
Name         IP Address         Zone        MAC            VLAN State VSD
trust   Trust       0010.db4c.f6e0    -   U   -
untrust      x.x.x.x/20  Untrust     0010.db4c.f6e1    -   U   -
vlan1          MGT         0010.db4c.f6ef    1   D   -
zreismanAuthor Commented:
Service (port=161) not supported for this vip x.x.x.x

and this is what it says when I try to forward it.
I'm sorry for the late reply, work has been nasty the last day.

I was assuming you were connecting on the untrust interface over the internet. But your server is on the same subnet as the trust. So you need to:

set int trust manage web

I would unset the admin port 32000 and you should be able to connect via http in a browser. If you leave that port in you would need to http://xx.xx.xx.xx:32000 to get it to come up.

I will log into a netscreen real quick and set up your config and then paste the config into the next message... coming in a minute.
Okay... so, I am seeing the problem. It sounds like you're trying to forward TCP 1723 (remote access) and UDP 161 (SNMP) am I correct?

So here is the stuff for 1723..

set service "TCP_1723" protocol tcp src-port 0-65535 dst-port 1723-1723
set interface untrust vip untrust 1723 "TCP_1723"
set policy id 5 from "Untrust" to "Trust"  "Any" "VIP(ethernet3)" "TCP_1723" permit

The problem we have is SNMP is UDP port 161 which the Netscreen also uses for SNMP monitoring of itself. I spent several ways trying to forward it, and it appears the device simply won't let you port forward it. It looks like it will only let you poll it for SNMP, not port forward those polls to another device.

If you have more than one public IP address, we could easily use a MIP and forward the requisite ports to your server. But if you're using a VIP it seems unlikely you have extra IP addresses to use.

I do not think there is another workaround, unless you can find a way to do status polls on a different port, and then forward that port to your local server instead.

Good luck.. let me know if you have other questions...
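As an added example (not from this thread and not Juniper's code), here is a small Python audit that parses config lines in the "get config" style shown in this thread and flags any VIP port that collides with a management service enabled on the same interface, which is the situation described above for UDP 161 and is also worth running after the VIP setup steps given earlier in the thread. The management-service-to-port table and the assumption that "manage web" listens on the "set admin port" value are assumptions, and the config lines below are constructed for the example.

```python
import re

# Constructed sample in the style of the "get config" output in this thread.
SAMPLE_CONFIG = """\
set admin port 32000
set service "RDP" group "other" tcp  src 0-65535 dst 3389-3389
set service "IPMON" protocol tcp src-port 0-0 dst-port 161-161 group "other"
set service "TCP_1723" protocol tcp src-port 0-65535 dst-port 1723-1723
set interface untrust manage telnet
set interface untrust manage snmp
set interface untrust manage web
set interface untrust vip untrust 3389 RDP
set interface untrust vip untrust 1723 "TCP_1723"
set interface untrust vip untrust 161 "IPMON"
"""

# Port the firewall itself listens on when a management service is enabled
# (assumption: standard port per service; "web" follows "set admin port").
MANAGE_PORTS = {"telnet": 23, "scs": 22, "ssl": 443, "snmp": 161, "web": 80}


def parse_config(text):
    """Return (admin_port, manage_by_interface, vips) from ScreenOS-style lines."""
    admin_port = MANAGE_PORTS["web"]
    manage = {}   # interface -> set of enabled management services
    vips = []     # (interface, vip_port, service_name)
    for line in text.splitlines():
        m = re.match(r"set admin port (\d+)", line)
        if m:
            admin_port = int(m.group(1))
            continue
        m = re.match(r"set interface (\S+) manage (\S+)", line)
        if m:
            manage.setdefault(m.group(1), set()).add(m.group(2))
            continue
        m = re.match(r'set interface (\S+) vip \S+ (\d+) "?([^"]+)"?', line)
        if m:
            vips.append((m.group(1), int(m.group(2)), m.group(3)))
    return admin_port, manage, vips


def vip_conflicts(text):
    """List (interface, port, service, mgmt) where a VIP port is also a management port."""
    admin_port, manage, vips = parse_config(text)
    conflicts = []
    for iface, port, svc in vips:
        for mgmt in sorted(manage.get(iface, ())):
            listen = admin_port if mgmt == "web" else MANAGE_PORTS.get(mgmt)
            if listen == port:
                conflicts.append((iface, port, svc, mgmt))
    return conflicts


if __name__ == "__main__":
    for iface, port, svc, mgmt in vip_conflicts(SAMPLE_CONFIG):
        print(f"VIP {svc} on {iface} port {port} collides with 'manage {mgmt}'")
```

Running it on the sample reports only the port 161 VIP; 3389 and 1723 pass because no enabled management service on untrust listens there once the admin port has been moved to 32000.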

