Netscreen 5GT on AT&T PPPoE connection

Posted on 2009-05-14
Last Modified: 2013-11-16
I have a remote location that is already connected via frame to our HQ here, and currently all internet traffic comes back to HQ. We would like to send only the internet traffic out a Netscreen 5GT connected to an AT&T PPPoE DSL connection and have all other traffic (email, ERP etc.) come back to HQ through the frame router. I have a Cisco 2821 in place at the remote location. I have put the ATT modem in "bridge" mode and configured the Netscreen for the PPPoE connection. Both the trust and the untrust interfaces show "up". When I change the route on the Cisco to route out the Netscreen, I can't trace route past the Netscreen trusted address. I'm pretty sure I have the ATT modem configured correctly but I could be wrong. I know how to change the Cisco router to route out the traffic; I need help with the Netscreen. I will paste the config of the Netscreen below. Please let me know if you need any other information.

set clock timezone -9
set vrouter trust-vr sharable
set vrouter "trust-vr" auto-route-export
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set admin name "username"
set admin password "password"
set admin auth timeout 10
set admin auth server "Local"
set admin privilege read-write
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Trust" tcp-rst
unset zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "VLAN" block
set zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust"
unset interface vlan1 ip
set interface trust ip
set interface trust nat
set interface untrust ip x.x.x.72/29
set interface untrust route
set interface untrust bandwidth 1500
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface trust manage-ip
set interface trust ip manageable
set interface untrust ip manageable
unset interface trust manage snmp
unset interface trust manage ssl
set interface untrust manage ping
set interface untrust manage telnet
set interface untrust manage ssl
set interface untrust manage web
set zone V1-Untrust manage ping
set zone V1-Untrust manage ssh
set zone V1-Untrust manage telnet
set zone V1-Untrust manage snmp
set zone V1-Untrust manage web
set flow tcp-mss 1392
set flow all-tcp-mss 1304
set domain
set hostname LIVFW01
set dns host dns1
set dns host dns2
set dns host schedule 06:28
set ike respond-bad-spi 1
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set policy id 6 from "Untrust" to "Trust"  "Any" "Any" "ANY" permit
set policy id 4 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
set pppoe name "ATT connection"
set pppoe name "ATT connection" username "" password "dVf6KsUcN9kUejs0z6Ce3NeBXZnM1s3odg=="
set pppoe name "ATT connection" idle 0
set pppoe name "ATT connection" static-ip
set pppoe name "ATT connection" interface untrust
unset pppoe name "ATT connection" update-dhcpserver
set pppoe name "ATT connection" auto-connect 20
set global-pro policy-manager primary outgoing-interface untrust
set global-pro policy-manager secondary outgoing-interface untrust
set ssh version v2
set config lock timeout 5
set ntp server ""
set ntp server backup1 ""
set ntp server backup2 ""
set modem speed 115200
set modem retry 3
set modem interval 10
set modem idle-time 10
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
set preference ebgp 250
set preference ibgp 40

set vrouter "trust-vr"
set preference ebgp 250
set preference ibgp 40
unset add-default-route


Question by:gzitlaw

Accepted Solution

Sanga Collins earned 500 total points
ID: 24387339
Looks like you have a static ip from AT&T

since the ip in your config ends with 72, and it's a 29 bit mask, you may have assigned the gateway ip to the netscreen instead of one of your usable ip addresses. ie:

set interface untrust ip x.x.x.73/29 (usable are 73 - 78)

if it is static, make sure there is a default route in the destination route table (network>routing>destination ..)

set route 0.0.0.0/0 interface untrust gateway x.x.x.72

connecting a laptop to the juniper and working on the config helps. once you can surf.

one more thing

the policy from untrust to trust will not be required unless the destination is a MIP or VIP. I believe you can use that policy when the juniper is configured as a layer2 device.

post if you have more questions :)
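
The checks raised in this answer (an interface address that is not a usable host in its /29, a missing default route, an Untrust-to-Trust permit that is not needed), plus the cleartext telnet/web management the posted config enables on untrust, as an added Python example that is not part of the original thread. The function names and the 203.0.113.0/24 sample prefix standing in for the redacted x.x.x are assumptions.

```python
import ipaddress
import re

# Constructed sample: lines from the posted config, with the redacted x.x.x
# prefix replaced by the documentation range 203.0.113.0/24 (an assumption).
SAMPLE_CONFIG = """\
set interface untrust ip 203.0.113.72/29
set interface untrust manage telnet
set interface untrust manage web
set policy id 6 from "Untrust" to "Trust"  "Any" "Any" "ANY" permit
set policy id 4 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
"""

IFACE_IP = re.compile(r"set interface (\S+) ip (\d+\.\d+\.\d+\.\d+/\d+)$")
DEFAULT_ROUTE = re.compile(r"set (?:vrouter \S+ )?route 0\.0\.0\.0/0\s")
CLEARTEXT_MGMT = re.compile(r"set interface untrust manage (telnet|web)$")
INBOUND_ANY = re.compile(
    r'set policy id (\d+) from "Untrust" to "Trust"\s+"Any"\s+"Any"\s+"ANY"\s+permit')


def usable_hosts(cidr):
    """Return (first, last) assignable host addresses of the subnet holding cidr."""
    hosts = list(ipaddress.ip_interface(cidr).network.hosts())
    return str(hosts[0]), str(hosts[-1])


def audit(config):
    """Return findings for the checks raised in the thread (hypothetical helper)."""
    findings, has_default = [], False
    for line in (raw.strip() for raw in config.splitlines()):
        if m := IFACE_IP.match(line):
            iface = ipaddress.ip_interface(m.group(2))
            net = iface.network
            # /31 and /32 have no separate network/broadcast address to avoid.
            if net.prefixlen < 31 and iface.ip in (net.network_address,
                                                   net.broadcast_address):
                first, last = usable_hosts(m.group(2))
                findings.append(f"{m.group(1)}: {iface.ip} is the network or broadcast "
                                f"address of {net}; usable hosts are {first}-{last}")
        elif DEFAULT_ROUTE.match(line):
            has_default = True
        elif m := CLEARTEXT_MGMT.match(line):
            findings.append(f"untrust: cleartext {m.group(1)} management enabled")
        elif m := INBOUND_ANY.match(line):
            findings.append(f"policy {m.group(1)}: permits any service from Untrust to Trust")
    if not has_default:
        # Informational: a PPPoE session may supply the default route instead.
        findings.append("no static default route (0.0.0.0/0) configured")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```
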

Author Comment

ID: 24387447
Thanks Sangamc.  I will have to look at this later tonight; I'm on EST and the remote site is PST.  I did look at the IP ranges and I have .78 as the gateway and .79 as the broadcast so I should be able to use .72-.77, but I will definitely try what you suggested.  Thanks for the help and I will let you know what happened tomorrow.

Author Comment

ID: 24412805
Sangamc.  I haven't had time to check on this.  I should be able to check it next week as I will be out on Wed.  Thanks for the help.  

Expert Comment

by:Sanga Collins
ID: 24412859
oh not a problem, take your time. EE isn't going anywhere soon :)

Author Comment

ID: 24720344
Sorry it has taken me so long to get back to this question.  I have not solved this yet but have other "fish to fry" as they say in the south.  I am going to award you the points since I'm not sure when I'm going to get to this.  Thanks again for all the help and for being a part of this awesome community.

Author Closing Comment

ID: 31581491
The reason this took so long to close was my fault.  Our company could not make their minds up as to what they want to do.  As always I appreciate the awesome help and advice I get from this site.
