Solved

Netscreen 5GT on AT&T PPPoE connection

Posted on 2009-05-14
Last Modified: 2013-11-16
I have a remote location that is already connected via frame to our HQ here, and currently all internet traffic comes back to HQ.  We would like to send only the internet traffic out a Netscreen 5GT connected to an AT&T PPPoE DSL connection and have all other traffic (email, ERP etc.) come back to HQ through the frame router.  I have a Cisco 2821 in place at the remote location.  I have put the AT&T modem in "bridge" mode and configured the Netscreen for the PPPoE connection.  Both the trust and the untrust interfaces show "up".  When I change the route on the Cisco to route out the Netscreen I can't traceroute past the Netscreen trusted address.  I'm pretty sure I have the AT&T modem configured correctly, but I could be wrong.  I know how to change the Cisco router to route out the traffic; I need help with the Netscreen.  I will paste the config of the Netscreen below.  Please let me know if you need any other information.
set clock timezone -9
set vrouter trust-vr sharable
set vrouter "trust-vr" auto-route-export
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set admin name "username"
set admin password "password"
set admin auth timeout 10
set admin auth server "Local"
set admin privilege read-write
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Trust" tcp-rst 
unset zone "Untrust" block 
unset zone "Untrust" tcp-rst 
set zone "MGT" block 
set zone "VLAN" block 
set zone "VLAN" tcp-rst 
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust"
unset interface vlan1 ip
set interface trust ip 10.2.0.5/16
set interface trust nat
set interface untrust ip x.x.x.72/29
set interface untrust route
set interface untrust bandwidth 1500
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface trust manage-ip 10.2.0.6
set interface trust ip manageable
set interface untrust ip manageable
unset interface trust manage snmp
unset interface trust manage ssl
set interface untrust manage ping
set interface untrust manage telnet
set interface untrust manage ssl
set interface untrust manage web
set zone V1-Untrust manage ping
set zone V1-Untrust manage ssh
set zone V1-Untrust manage telnet
set zone V1-Untrust manage snmp
set zone V1-Untrust manage web
set flow tcp-mss 1392
set flow all-tcp-mss 1304
set domain redacted.com
set hostname LIVFW01
set dns host dns1 68.94.156.1
set dns host dns2 10.1.1.17
set dns host schedule 06:28
set ike respond-bad-spi 1
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set policy id 6 from "Untrust" to "Trust"  "Any" "Any" "ANY" permit 
set policy id 4 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit 
set pppoe name "ATT connection"
set pppoe name "ATT connection" username "blabbermouth@att.net" password "dVf6KsUcN9kUejs0z6Ce3NeBXZnM1s3odg=="
set pppoe name "ATT connection" idle 0
set pppoe name "ATT connection" static-ip
set pppoe name "ATT connection" interface untrust
unset pppoe name "ATT connection" update-dhcpserver
set pppoe name "ATT connection" auto-connect 20
set global-pro policy-manager primary outgoing-interface untrust
set global-pro policy-manager secondary outgoing-interface untrust
set ssh version v2
set config lock timeout 5
set ntp server "0.0.0.0"
set ntp server backup1 "0.0.0.0"
set ntp server backup2 "0.0.0.0"
set modem speed 115200
set modem retry 3
set modem interval 10
set modem idle-time 10
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
set preference ebgp 250
set preference ibgp 40
exit
set vrouter "trust-vr"
set preference ebgp 250
set preference ibgp 40
unset add-default-route
exit

Question by:gzitlaw
6 Comments
 
LVL 18

Accepted Solution

by:
Sanga Collins earned 500 total points
ID: 24387339
Looks like you have a static IP from AT&T.

Since the IP in your config ends with 72, and it's a 29-bit mask, you may have assigned the gateway IP to the Netscreen instead of one of your usable IP addresses, i.e.:

set interface untrust ip x.x.x.73/29 (usable are 73 - 78)

If it's static, make sure there is a default route in the destination route table (Network > Routing > Destination ...):

set route 0.0.0.0/0 interface untrust gateway x.x.x.72

Connecting a laptop to the Juniper and working on the config helps once you can surf.

One more thing:

The policy from untrust to trust will not be required unless the destination is a MIP or VIP. I believe you can use that policy when the Juniper is configured as a layer 2 device.

Post if you have more questions :)
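Added worked example (not from the thread): it computes the layout of a /29 static block like the one in the config and checks whether the untrust interface address and the default-route gateway from the answer above are sane. The block 203.0.113.72/29 and gateway 203.0.113.78 are constructed stand-ins for the redacted x.x.x.72/29 and the .78 gateway the asker mentions.

```python
import ipaddress

# Constructed stand-in for the thread's redacted x.x.x.72/29 block (RFC 5737 TEST-NET-3).
SAMPLE_CIDR = "203.0.113.72/29"
SAMPLE_GATEWAY = "203.0.113.78"   # the asker reports the ISP gateway is .78 (assumed here)


def block_layout(cidr, gateway=None):
    """Describe a small static block: network, broadcast, usable hosts, and whether
    the interface address in `cidr` is actually one of the usable hosts."""
    iface = ipaddress.ip_interface(cidr)
    net = iface.network
    hosts = list(net.hosts())                # excludes network and broadcast addresses
    gw = ipaddress.ip_address(gateway) if gateway else None
    usable = [h for h in hosts if h != gw]   # the ISP gateway is not yours to assign
    return {
        "address": str(iface.ip),
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "usable_first": str(usable[0]),
        "usable_last": str(usable[-1]),
        "address_is_usable": iface.ip in usable,
    }


def check_default_route(cidr, gateway):
    """Return the problems with 'set route 0.0.0.0/0 interface untrust gateway <gateway>'
    given the untrust interface address `cidr`; an empty list means it looks sane."""
    iface = ipaddress.ip_interface(cidr)
    gw = ipaddress.ip_address(gateway)
    problems = []
    if gw not in iface.network:
        problems.append("gateway is outside the untrust subnet")
    elif gw in (iface.network.network_address, iface.network.broadcast_address):
        problems.append("gateway is the network or broadcast address")
    if gw == iface.ip:
        problems.append("gateway equals the interface's own address")
    return problems


if __name__ == "__main__":
    for cidr in (SAMPLE_CIDR, "203.0.113.73/29"):
        info = block_layout(cidr, SAMPLE_GATEWAY)
        state = "usable" if info["address_is_usable"] else "NOT usable"
        print(f"{cidr}: {state}; hosts {info['usable_first']}-{info['usable_last']}")
    print(check_default_route("203.0.113.73/29", SAMPLE_GATEWAY))   # []
```

Run it with the real block substituted for the sample values; an interface address flagged as NOT usable, or a non-empty problem list for the route, is the kind of mismatch that leaves both interfaces "up" while nothing passes the untrust side.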

Author Comment

by:gzitlaw
ID: 24387447
Thanks Sangamc.  I will have to look at this later tonight; I'm on EST and the remote site is PST.  I did look at the IP ranges and I have .78 as the gateway and .79 as the broadcast, so I should be able to use .72-.77, but I will definitely try what you suggested.  Thanks for the help and I will let you know what happened tomorrow.

Author Comment

by:gzitlaw
ID: 24412805
Sangamc, I haven't had time to check on this.  I should be able to check it next week, as I will be out on Wed.  Thanks for the help.
LVL 18

Expert Comment

by:Sanga Collins
ID: 24412859
Oh, not a problem, take your time. EE isn't going anywhere soon :)

Author Comment

by:gzitlaw
ID: 24720344
Sangamc,
Sorry it has taken me so long to get back to this question.  I have not solved this yet but have other "fish to fry", as they say in the South.  I am going to award you the points since I'm not sure when I'm going to get to this.  Thanks again for all the help and for being a part of this awesome community.

Author Closing Comment

by:gzitlaw
ID: 31581491
The reason this took so long to close was my fault.  Our company could not make their minds up as to what they want to do.  As always, I appreciate the awesome help and advice I get from this site.