How to access an Optional network from a Watchguard to a Netscreen

Hi, I have the following scenario:

Watchguard  Firebox Edge X55e
              May 19 2008
              build 178688

This is the main Router/Firewall. It is configured with the the Subnet of It handles are T1 and all the LAN access. Now attached to the Optional port on this router is our VoIP system, which is just a private network from our location in Burbank to our location in Mexico. The devices on that network use the IP's of, 101, 200, 201. There was no device on that network that did any routing whatsoever. We have a RAD RIC E1/T1 Converter one on each end of the Point-toPoint T1. There is Also a Quintum Tenor DX boxes on each end. Now what I want to do is very simple. I just want to be able to Telnet from anywhere to the Quintum box located at

Now I worked with Watchguard and they told me it will not work since the side does not have a Router. The Watchguard is able to see the devices in the ARP table but not ping them. So I a hooked up our old Juniper Networks NS5GT, and basically dumbed it down. I configured it with an IP of and plugged a switch up to it and then plugged in the VoIP devices to it. I also added routes to the network.

So right now I have a rule on the Watchguard to allow port 23 incoming to Optional network IP Right now the only thing I can ping from the network is the Netscreen box located at

I'm quite sure I'm doing something wrong, maybe even trying something that cannot be done, I'm not to sure. My only other thought why it doesn't work is because I need to configure the "WAN" port on the netscreen with the Private IP side....not sure...

Please help.

Steve MarinIT ConsultantAsked:
Who is Participating?
Steve MarinConnect With a Mentor IT ConsultantAuthor Commented:
This never worked. I had to just create a PPTP connection to the Watchguard and access it that way.
As I understand the setup is:
Internet------FB--------Optional--------------------------Netscreen [Untrust]--------------Trust[??]
                    |                       192.168.0.x/24
               Trusted (
There is no need to add a route for 192.168.0.x network as it is defined on a physical interface of the FB. Also, if you would always send traffic originating from Trusted to Optional then there is no need for a policy; however, if traffic originates from optional bound to trusted then policy would be needed.

Reading the post, you can access Netscreen untrust interface from 10.0.1.x machines.

Few questions:
Is netscreen in L3 or L2 mode?
I am not fully understanding the need for putting Netscreen in the first place.
What is the subnet on the Trust interface on Netscreen, also, have you created policies on netscreen to accept incoming traffic from untrust to trust.

Please advice.

Thank you.
Steve MarinIT ConsultantAuthor Commented:
I'm not using the Untrust on the netscreen. I'm just using the Trust side which is I believe it is L3 right now. I was told by watchguard that since there was no router on the side with the VoIP equipment was the reason I could not telnet to it. That they did not have a way to route packets back to the side.

Worried about phishing attacks?

90% of attacks start with a phish. It’s critical that IT admins and MSSPs have the right security in place to protect their end users from these phishing attacks. Check out our latest feature brief for tips and tricks to keep your employees off a hackers line!

If the Quintum box has IP as with default gateway; then optional interface should be able to send traffic and receive back too.
Router would be required if behind Quintum there is some another subnet say, 172,168.x.y and FB needs to send traffic to that subnet and receive traffic too. Still in this case if Quintum box can support this routing then that would be it.
IF the setup is:
Internet------FB--------Optional---------------------Quintum----------------------Mexico Box []
                    |         [with default GW:]
               Trusted (
Then there is no need for any router; the traffic between the two Quintum boxes is not going through FB any which way.
If needed we can add route on FB optional interface for all traffic for to be sent to
For any traffic from trusted interface to go to Quintums you can configure policies [this is allowed by default policy Outgoing though]; also for incoming traffic originated from Quintum's you can create another policy [if a requirement].

I think this should work without any router's in place.

Thank you.
Steve MarinIT ConsultantAuthor Commented:
Problem with the Quintum box is you cannot set the default gateway to the FB optional GW.
If the Quintum box does not talk on any other subnet other than 192.168.0.x then we dont need default gateway.

If you cannot set DG I dont think that even netscreen would be of much help here.

Thank you.
Thank you for the update; good to know the problem is resolved.
Steve MarinIT ConsultantAuthor Commented:
This just fixed itself, I have a feeling that BIS had something going on that day.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.