  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1059

Juniper, Netscreen, 5GT

I am trying to set up a permanent site to site VPN using two Netscreen 5GT boxes. We don't have a support contract as these were given to us. I have never used a Netscreen 5GT, and as such have no idea, beyond telnetting into them, how to set them up for a site to site VPN. The first 5GT will be attached to our office network; our server assigns DHCP. The second will be attached in our northern office, which doesn't have a server. Any help would be gratefully received. Many thanks.
Asked by: P_Evans
 
ccreamer_22 commented:
No problem. You should use the WebUI for it. Juniper has a basic guide you can use without having a log-in.

http://kb.juniper.net/kb/documents/public/resolution_path/J_FW_VPN_Config_or_Trblsh.htm
 
P_Evans (Author) commented:
Thanks for your help! I was away on holiday, so apologies for not responding quicker. I reset the Netscreen to default, plugged in a Cat5 and got the start-up wizard. I filled in all the info, rebooted the Netscreen as per its instructions, and logged on with the trust IP address. I checked the policies and made sure it said that all network traffic was allowed (I understand this is the default). However, I cannot connect to the internet at all; any pointers to where I am going wrong would be appreciated. Thanks.
 
ccreamer_22 commented:
For your Trust to Untrust policy, turn on source translation in the advanced settings.
dpk_wal commented:
By default NAT is enabled; please make sure that your machines have the Netscreen trusted IP as their default gateway; also, it would be a good idea to give your firewall a static internal IP.

Make sure you have a policy from Untrust to Trust which allows traffic and you should be good. One more point to note is that your DNS settings need to be correct, otherwise you would be able to reach hosts by IP and not by name.

Thank you.
 
P_Evans (Author) commented:
Thanks both of you! I have now got an internet connection. I have to get the other box set up. The other part I am wondering about is how do I set up the VPN to allow our main server to issue IP addresses to our remote office, via the VPN.
 
dpk_wal commented:
If I understand correctly you want your DHCP traffic to be routed over the VPN; there is no problem doing so, but this is not an elegant situation. Further, with a VPN you cannot have the same IP subnet on both ends, and if you configure a different scope to give out DHCP addresses then it makes no sense routing DHCP traffic over a VPN tunnel.
If you wish you can have the 5GT act as a DHCP server on the internal network.

To configure the VPN, you need to add a gateway, a tunnel and a policy and you would be done. Please log on to the WebUI and then configure all three. Please read the article below for help on configuration:
http://kb.juniper.net/KB4757

Please implement and update.

Thank you.
 
P_Evans (Author) commented:
Thanks for the prompt response. Just to clarify the whole situation: we would like a permanent site to site VPN, using the Juniper boxes. We have a remote site that needs to have two or more telephones plugged into the Juniper at this remote site, and these telephones need to get, via the VPN, IP addresses from our main server. We have two broadband lines, one which is our main internet connection, the other we plan to use for our VPN connection. Our main server is SBS 2003 and is a DHCP server. This was set up by an IT company previously for us, so I know it is possible; however, as you may have noticed, I am clueless on how to implement this. Your patience and understanding is appreciated.
 
Rodney Barnhardt (Server Administrator) commented:
I am kind of jumping in on this, but I think you need to configure the remote office with DHCP relaying. To do this, its interfaces must be in routed mode. I have never done this myself. Here is what I think you need to do. You must configure a policy from one zone to the other on the remote device. Basically a policy with the allowed service being DHCP relay agent.
 
dpk_wal commented:
I agree with rbarnhardt, you would need to configure relay on the remote site for the DHCP to flow across the VPN tunnel. But before that make sure that the VPN tunnel is up and running.
Did you utilize the link I sent for configuring the VPN tunnel? Are you able to get the tunnel up, or what are the event logs showing?

Please advise.

Thank you.
 
ccreamer_22 commented:
First I would check the remote site and see if you can communicate with static IP addresses before setting up the DHCP relay. A lot of clients that I assist have their phone system on separate VLANs that may not be routable from the internet or the firewall. I would check to see if you can ping your phone and phone server from the local firewall, then from the remote firewall. Then configure the DHCP relay.
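Pulling the thread's advice together as ScreenOS CLI for both 5GTs (an added illustration, not configuration posted by anyone in this thread): the Trust-to-Untrust source NAT policy ccreamer_22 mentions, the IKE gateway, VPN tunnel and policies dpk_wal lists, and the DHCP relay rbarnhardt describes on the remote box. All addresses, object names and the pre-shared key are constructed placeholders, and the `dhcp relay vpn` keyword is assumed to be the ScreenOS syntax for forwarding relayed DHCP through the tunnel.

```screenos
# Main office 5GT: Trust 10.1.1.0/24, SBS 2003 DHCP server at 10.1.1.10, public IP 198.51.100.1
# (all values constructed; replace with your own)
set interface trust ip 10.1.1.1/24
set interface untrust ip 198.51.100.1/24
set address trust "lan-main" 10.1.1.0/24
set address untrust "lan-remote" 10.2.2.0/24
# Phase 1: IKE gateway to the remote box, main mode with a pre-shared key
set ike gateway "gw-remote" address 203.0.113.1 main outgoing-interface untrust preshare "CHANGE-ME" sec-level standard
# Phase 2: the VPN tunnel bound to that gateway
set vpn "vpn-remote" gateway "gw-remote" sec-level standard
# Policy-based tunnel in both directions; the two LAN subnets must differ
set policy from trust to untrust "lan-main" "lan-remote" "ANY" tunnel vpn "vpn-remote"
set policy from untrust to trust "lan-remote" "lan-main" "ANY" tunnel vpn "vpn-remote"
# Internet access with source NAT, added last so it does not match VPN traffic first
set policy from trust to untrust "Any" "Any" "ANY" nat src permit

# Remote office 5GT: Trust 10.2.2.0/24, public IP 203.0.113.1 (mirror image plus DHCP relay)
set interface trust ip 10.2.2.1/24
set interface untrust ip 203.0.113.1/24
set address trust "lan-remote" 10.2.2.0/24
set address untrust "lan-main" 10.1.1.0/24
set ike gateway "gw-main" address 198.51.100.1 main outgoing-interface untrust preshare "CHANGE-ME" sec-level standard
set vpn "vpn-main" gateway "gw-main" sec-level standard
set policy from trust to untrust "lan-remote" "lan-main" "ANY" tunnel vpn "vpn-main"
set policy from untrust to trust "lan-main" "lan-remote" "ANY" tunnel vpn "vpn-main"
set policy from trust to untrust "Any" "Any" "ANY" nat src permit
# Relay the phones' DHCP requests through the tunnel to the SBS server;
# its scope must hand out 10.2.2.0/24 addresses, not the main-office subnet
set interface trust dhcp relay server-name 10.1.1.10
set interface trust dhcp relay vpn
set interface trust dhcp relay service
```

Confirm the tunnel is up (ping a static host across it, as ccreamer_22 suggests) before enabling the relay, since relayed DHCP only works once the policy-based tunnel carries traffic in both directions.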
 
P_Evans (Author) commented:
Thanks all, I was swept up in other projects, so once again sorry for the delay in replying. I have set up both boxes and they are going to be tested today. I'll keep you posted.
 
dpk_wal commented:
Solutions were offered, but it is not clear which solution worked; also, as per the last update the user had configured the boxes, but the outcome is not known.
IMHO a point split for all experts who participated would be fair for the effort put in.

Thank you.