Solved

Juniper, Netscreen, 5GT

Posted on 2007-11-28
14
1,048 Views
Last Modified: 2009-05-18
I am trying to set up a permanent site to site VPN using two Netscreen 5GT boxes. We don't have a support contract as these were given to us. I have never used a Netscreen 5GT, and as such have no idea, beyond telnetting into them, how to set them up for a site to site VPN. The first 5GT will be attached to our office network; our server assigns DHCP. The second will be attached in our northern office, which doesn't have a server. Any help would be gratefully received. Many thanks.
Question by: P_Evans

14 Comments
LVL 5

Accepted Solution

by:
ccreamer_22 earned 250 total points
ID: 20370064
No problem. You should use the WebUI for it. Juniper has a basic guide you can use without having a log-in.

http://kb.juniper.net/kb/documents/public/resolution_path/J_FW_VPN_Config_or_Trblsh.htm


Author Comment

by:P_Evans
ID: 20401982
Thanks for your help! I was away on holiday so apologies for not responding quicker. I reset the Netscreen to default, plugged in a cat5 and got the start-up wizard. I filled in all the info, rebooted the Netscreen, as per its instructions, and logged on with the trust IP address. I checked the policies and made sure it said that all network traffic was allowed (I understand this is the default). However I cannot connect to the internet at all; any pointers to where I am going wrong would be appreciated. Thanks
LVL 5

Expert Comment

by:ccreamer_22
ID: 20404840
For your trust to untrust policy, turn on source translation in the advanced settings.
LVL 32

Assisted Solution

by:dpk_wal
dpk_wal earned 125 total points
ID: 20407210
By default NAT is enabled; please make sure that your machines have the Netscreen trusted IP as their default gateway; also, it would be a good idea to give your firewall a static internal IP.

Make sure you have a policy from Untrust to Trust which allows traffic and you should be good. One more point to note is that your DNS settings need to be correct, otherwise you would be able to reach by IP and not by name.

Thank you.

Author Comment

by:P_Evans
ID: 20499860
Thanks both of you! I have now got an internet connection. I have to get the other box set up. The other part I am wondering about is how do I set up the VPN to allow our main server to issue IP addresses to our remote office, via the VPN.
LVL 32

Expert Comment

by:dpk_wal
ID: 20499970
If I understand correctly, you want your DHCP traffic to be routed over the VPN; there is no problem doing so, but this is not an elegant situation. Further, with a VPN you cannot have the same IP subnet on both ends, and if you configure a different scope to give out DHCP addresses then it makes no sense routing DHCP traffic over a VPN tunnel.
If you wish you can have the 5GT act as a DHCP server on the internal network.

To configure the VPN, you need to add a gateway, a tunnel and a policy and you would be done. Please log on to the WebUI and then configure all three. Please read the article below for help on configuration:
http://kb.juniper.net/KB4757

Please implement and update.

Thank you.
Author Comment

by:P_Evans
ID: 20500263
Thanks for the prompt response. Just to clarify the whole situation: we would like a permanent site to site VPN, using the Juniper boxes. We have a remote site that needs to have two or more telephones plugged into the Juniper at this remote site, and these telephones need to get, via the VPN, IP addresses from our main server. We have two broadband lines, one which is our main internet connection, the other we plan to use for our VPN connection. Our main server is SBS 2003 and is a DHCP server. This was set up by an I.T. company previously for us, so I know it is possible; however, as you may have noticed, I am clueless on how to implement this. Your patience and understanding is appreciated.
LVL 32

Assisted Solution

by:Rodney Barnhardt
Rodney Barnhardt earned 125 total points
ID: 20500825
I am kind of jumping in on this, but I think you need to configure the remote office with DHCP relaying. To do this, its interfaces must be in route mode. I have never done this myself. Here is what I think you need to do: you must configure a policy from one zone to the other on the remote device, basically a policy with the allowed service being DHCP relay agent.
LVL 32

Expert Comment

by:dpk_wal
ID: 20504386
I agree with rbarnhardt; you would need to configure relay on the remote site for the DHCP to flow across the VPN tunnel. But before that, make sure that the VPN tunnel is up and running.
Did you utilize the link I sent for configuring the VPN tunnel? Are you able to get the tunnel up, or what are the event logs showing?

Please advise.

Thank you,
LVL 5

Assisted Solution

by:ccreamer_22
ccreamer_22 earned 250 total points
ID: 20578828
First I would check the remote site and see if you can communicate with static IP addresses before setting up the DHCP relay. A lot of clients that I assist have their phone system on separate VLANs that may not be routable from the internet or the firewall. I would check to see if you can ping your phone and phone server from the local firewall, then from the remote firewall. Then configure the DHCP relay.
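The three pieces the experts above describe (IKE gateway, VPN tunnel, tunnel policies) plus the DHCP relay on the remote box, written out as ScreenOS CLI for the remote-office 5GT. This is an added example, not configuration posted in the thread; all addresses are constructed (HQ LAN 192.168.1.0/24 with the SBS DHCP server at 192.168.1.10, remote LAN 192.168.2.0/24, public IPs from the documentation ranges), the names and the pre-shared key are placeholders, and the `dhcp relay` commands are recalled from the ScreenOS concepts guide and should be checked against the firmware on the box. Lines starting with `#` are notes, not ScreenOS commands.

```screenos
# --- interfaces (trust must be in route mode for DHCP relay to work) ---
set interface trust ip 192.168.2.1/24
set interface trust route
set interface untrust ip 198.51.100.2/24
set route 0.0.0.0/0 interface untrust gateway 198.51.100.1

# --- address book: local and remote LANs must be DIFFERENT subnets ---
set address trust "remote-lan" 192.168.2.0 255.255.255.0
set address untrust "hq-lan" 192.168.1.0 255.255.255.0

# --- phase 1: IKE gateway pointing at the HQ 5GT public address ---
# main mode with a long random pre-shared key; "standard" = 3DES/SHA-1 proposals
set ike gateway "gw-hq" address 203.0.113.2 main outgoing-interface untrust preshare "REPLACE-WITH-LONG-RANDOM-SECRET" sec-level standard

# --- phase 2: the VPN tunnel bound to that gateway ---
set vpn "vpn-hq" gateway "gw-hq" sec-level standard

# --- tunnel policies, one per direction; these must sit ABOVE the general
# internet policy because ScreenOS matches policies top-down ---
set policy id 10 from trust to untrust "remote-lan" "hq-lan" ANY tunnel vpn "vpn-hq" log
set policy id 11 from untrust to trust "hq-lan" "remote-lan" ANY tunnel vpn "vpn-hq" log

# --- general internet access with source NAT (the "source translation"
# ccreamer_22 mentioned), evaluated only after the tunnel policies ---
set policy id 20 from trust to untrust "remote-lan" any ANY nat src permit

# --- DHCP relay: forward the phones' DHCP requests to the SBS server
# through the tunnel instead of answering them locally ---
set interface trust dhcp relay server-name 192.168.1.10
set interface trust dhcp relay vpn
set interface trust dhcp relay service
save
```

The HQ 5GT gets the mirror image (its own LAN as "trust", 192.168.2.0/24 in the untrust address book, gateway address 198.51.100.2, same pre-shared key and sec-level) without the relay lines; if a phone still gets no lease, check `get event` on both boxes for the IKE negotiation before touching the relay, as ccreamer_22 and dpk_wal suggest.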

Author Comment

by:P_Evans
ID: 20626014
Thanks all, I was swept up in other projects, so once again sorry for the delay in replying. I have set up both boxes and they are going to be tested today. I'll keep you posted.
LVL 32

Expert Comment

by:dpk_wal
ID: 23311795
Solutions were offered, but it is not clear which solution worked; also, as per the last update the user had configured the boxes, but the outcome is not known.
IMHO a point split for all experts who participated would be fair for the effort put in.

Thank you.