Solved

Netscreen 5GT Web UI Access

Posted on 2009-04-07
4
3,316 Views
Last Modified: 2012-05-06
I have a netscreen 5GT that has been reset to the factory defaults.  I've set it up termporarily between two private sub net using CLI.  It routes traffic from the trust to the untrust interface fine, but I cannot ping it or access the web UI from the trust interface.  I'm new to netscreen, but not routers.  How can I get web UI access back?

Here is the output of get config:

Total Config size 3228:
set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "VLAN" block
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust"
unset interface vlan1 ip
set interface trust ip 192.168.1.1/24
set interface trust nat
set interface untrust ip 10.0.0.152/24
set interface untrust route
set interface untrust route
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface trust ip manageable
set interface untrust ip manageable
set interface untrust dhcp client enable
set interface trust dhcp server service
set interface trust dhcp server auto
set interface trust dhcp server option gateway 192.168.1.1
set interface trust dhcp server option netmask 255.255.255.0
set interface trust dhcp server option domainname acraaerospace.com
set interface trust dhcp server option dns1 10.0.0.67
set interface trust dhcp server option dns2 10.0.0.64
set interface trust dhcp server ip 192.168.1.33 to 192.168.1.126
unset interface trust dhcp server config next-server-ip
set flow tcp-mss
unset flow no-tcp-seq-check
set flow tcp-syn-check
set domain acraaerospace.com
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set url protocol websense
exit
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
set policy id 1
exit
set nsmgmt bulkcli reboot-timeout 60
set nsmgmt bulkcli reboot-wait 0
set ssh version v2
set config lock timeout 5
set modem speed 115200
set modem retry 3
set modem interval 10
set modem idle-time 10
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit

Here's the output of get system:

Product Name: NetScreen-NS5GT
Serial Number: , Control Number: 00000000
Hardware Version: 1010(0)-(00), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0)
Software Version: 5.4.0r10.0, Type: Firewall+VPN
Feature: AV-K
Compiled by build_master at: Tue May 13 03:52:08 PDT 2008
File Name: ns5gt.5.4.0r10.0, Checksum: 602d20c1


Date 04/07/2009 12:46:58, Daylight Saving Time enabled
The Network Time Protocol is Disabled
Up 0 hours 46 minutes 56 seconds Since 07Apr2009:12:00:02
Total Device Resets: 5, Last Device Reset at: 04/07/2009 11:58:16

Box in trust-untrust mode

System in NAT/route mode.

Use interface IP, Config Port: 80
0
Comment
Question by:jarrodlbell
  • 2
  • 2
4 Comments
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 24091475
from the serial console

# set interface trust ip manageable
# set admin manager-ip 192.168.1.1 255.255.255.0

this will allow you to manage from the lan both telnet and webui
0
 

Author Comment

by:jarrodlbell
ID: 24091607
Thanks for the quick reply.

I ran those commands on the console and still can't ping 192.168.1.1 or connect via the web UI.

Why can't I ping the trust interface?  I can ping though it to the untrust interface just fine.

Here's the output of get admin after the changes:

Total Config size 3276:
set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"
set admin manager-ip 192.168.1.1 255.255.255.0
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"

set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "VLAN" block
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust"
unset interface vlan1 ip
set interface trust ip 192.168.1.1/24
set interface trust nat
set interface untrust ip 10.0.0.152/24

set interface untrust route
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface trust ip manageable
set interface untrust ip manageable
set interface untrust dhcp client enable
set interface trust dhcp server service
set interface trust dhcp server auto
set interface trust dhcp server option gateway 192.168.1.1
set interface trust dhcp server option netmask 255.255.255.0
set interface trust dhcp server option domainname acraaerospace.com
set interface trust dhcp server option dns1 10.0.0.67
set interface trust dhcp server option dns2 10.0.0.64
set interface trust dhcp server ip 192.168.1.33 to 192.168.1.126
unset interface trust dhcp server config next-server-ip
set flow tcp-mss
unset flow no-tcp-seq-check
set flow tcp-syn-check
set domain acraaerospace.com
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set ike respond-bad-spi 1

unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set url protocol websense
exit
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
set policy id 1
exit
set nsmgmt bulkcli reboot-timeout 60
set nsmgmt bulkcli reboot-wait 0
set ssh version v2
set config lock timeout 5
set modem speed 115200
set modem retry 3
set modem interval 10
set modem idle-time 10
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit

0
 

Author Comment

by:jarrodlbell
ID: 24091890
Hooked up another laptop and it works fine.

Must be something wrong with my laptop I guess.

Thanks for the help.
0
 
LVL 18

Accepted Solution

by:
Sanga Collins earned 500 total points
ID: 24091976
lol, not a problem ... in my experience its always the little things.

ps the juniper website has a good knowledge base that will help tremendoulsy when you run into problems

http://kb.juniper.net/index?page=home
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
VMware vSwitch design best practice for ESXi hosts with 8x NIC ports 9 192
forward schedule of change 1 65
Home Router DHCP query 9 45
asset tags - importance 3 31
#Citrix #Citrix Netscaler #HTTP Compression #Load Balance
Outsource Your Fax Infrastructure to the Cloud (And come out looking like an IT Hero!) Relative to the many demands on today’s IT teams, spending capital, time and resources to maintain physical fax servers and infrastructure is not a high priority.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

820 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question