Netscreen 5GT on AT&T PPPoE connection

Posted on 2009-05-14
Last Modified: 2013-11-16
I have a remote location that is already connected via frame to our HQ here, and currently all internet traffic comes back to HQ. We would like to send only the internet traffic out a Netscreen 5GT connected to an AT&T PPPoE DSL connection and have all other traffic (email, ERP etc.) come back to HQ through the frame router. I have a Cisco 2821 in place at the remote location. I have put the ATT modem in "bridge" mode and configured the Netscreen for the PPPoE connection. Both the trust and the untrust interfaces show "up". When I change the route on the Cisco to route out the Netscreen, I can't trace route past the Netscreen trusted address. I'm pretty sure I have the ATT modem configured correctly, but I could be wrong. I know how to change the Cisco router to route out the traffic; I need help with the Netscreen. I will paste the config of the Netscreen below. Please let me know if you need any other information.
set clock timezone -9
set vrouter trust-vr sharable
set vrouter "trust-vr" auto-route-export
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set admin name "username"
set admin password "password"
set admin auth timeout 10
set admin auth server "Local"
set admin privilege read-write
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Trust" tcp-rst
unset zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "VLAN" block
set zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust"
unset interface vlan1 ip
set interface trust ip
set interface trust nat
set interface untrust ip x.x.x.72/29
set interface untrust route
set interface untrust bandwidth 1500
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface trust manage-ip
set interface trust ip manageable
set interface untrust ip manageable
unset interface trust manage snmp
unset interface trust manage ssl
set interface untrust manage ping
set interface untrust manage telnet
set interface untrust manage ssl
set interface untrust manage web
set zone V1-Untrust manage ping
set zone V1-Untrust manage ssh
set zone V1-Untrust manage telnet
set zone V1-Untrust manage snmp
set zone V1-Untrust manage web
set flow tcp-mss 1392
set flow all-tcp-mss 1304
set domain
set hostname LIVFW01
set dns host dns1
set dns host dns2
set dns host schedule 06:28
set ike respond-bad-spi 1
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set policy id 6 from "Untrust" to "Trust"  "Any" "Any" "ANY" permit
set policy id 4 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
set pppoe name "ATT connection"
set pppoe name "ATT connection" username "" password "dVf6KsUcN9kUejs0z6Ce3NeBXZnM1s3odg=="
set pppoe name "ATT connection" idle 0
set pppoe name "ATT connection" static-ip
set pppoe name "ATT connection" interface untrust
unset pppoe name "ATT connection" update-dhcpserver
set pppoe name "ATT connection" auto-connect 20
set global-pro policy-manager primary outgoing-interface untrust
set global-pro policy-manager secondary outgoing-interface untrust
set ssh version v2
set config lock timeout 5
set ntp server ""
set ntp server backup1 ""
set ntp server backup2 ""
set modem speed 115200
set modem retry 3
set modem interval 10
set modem idle-time 10
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
set preference ebgp 250
set preference ibgp 40

set vrouter "trust-vr"
set preference ebgp 250
set preference ibgp 40
unset add-default-route



Question by:gzitlaw

Accepted Solution

Sanga Collins earned 500 total points
ID: 24387339
Looks like you have a static ip from AT&T

Since the IP in your config ends with 72, and it's a 29-bit mask, you may have assigned the gateway IP to the Netscreen instead of one of your usable IP addresses, i.e.:

set interface untrust ip x.x.x.73/29 (usable are 73 - 78)

If it is static, make sure there is a default route in the destination route table (Network > Routing > Destination ...)

set route 0.0.0.0/0 interface untrust gateway x.x.x.72

Connecting a laptop to the Juniper and working on the config helps. once you can surf.

One more thing:

The policy from untrust to trust will not be required unless the destination is a MIP or VIP. I believe you can use that policy when the Juniper is configured as a layer 2 device.

post if you have more questions :)
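
An added example, not part of the original answer and not Juniper tooling: a small Python check over ScreenOS-style set lines that flags the two points raised in this thread (an interface address that is the network or broadcast address of its subnet, and no static default route) plus two exposure items visible in the posted config (management services enabled on the untrust interface, and an Untrust-to-Trust any/any permit policy). The sample lines are constructed, with the documentation range 203.0.113.0/24 standing in for the redacted x.x.x prefix; the finding codes are names chosen for this example.

```python
import ipaddress
import re

# Constructed sample in the style of the posted config; the redacted x.x.x
# prefix is replaced with the documentation range 203.0.113.0/24 (assumption).
SAMPLE = """\
set interface untrust ip 203.0.113.72/29
set interface untrust manage ping
set interface untrust manage telnet
set interface untrust manage web
set policy id 6 from "Untrust" to "Trust"  "Any" "Any" "ANY" permit
set policy id 4 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
"""

IFACE_IP = re.compile(r'set interface (\S+) ip (\d+\.\d+\.\d+\.\d+/\d+)$')
MGMT = re.compile(r'set interface untrust manage (\S+)$')
OPEN_IN = re.compile(
    r'set policy id (\d+) from "Untrust" to "Trust"\s+"Any"\s+"Any"\s+"ANY"\s+permit$')
DEFAULT = re.compile(r'set route 0\.0\.0\.0/0 ')


def audit(config):
    """Return (code, detail) findings for a ScreenOS-style config dump."""
    findings, has_default = [], False
    for line in (raw.strip() for raw in config.splitlines()):
        if m := IFACE_IP.match(line):
            iface = ipaddress.ip_interface(m.group(2))
            net = iface.network
            # In a /30 or larger subnet the first and last addresses are the
            # network and broadcast addresses and cannot be given to a host.
            if net.prefixlen <= 30 and iface.ip in (net.network_address,
                                                    net.broadcast_address):
                hosts = list(net.hosts())
                findings.append(("BAD_IFACE_IP",
                                 f"{m.group(1)} {iface.ip} not usable in {net}; "
                                 f"hosts are {hosts[0]}-{hosts[-1]}"))
        elif m := MGMT.match(line):
            if m.group(1) != "ping":  # any login-capable service facing the ISP
                findings.append(("UNTRUST_MGMT", m.group(1)))
        elif m := OPEN_IN.match(line):
            findings.append(("UNTRUST_TO_TRUST_ANY", f"policy id {m.group(1)}"))
        elif DEFAULT.match(line):
            has_default = True
    if not has_default:
        findings.append(("NO_STATIC_DEFAULT_ROUTE", "no 'set route 0.0.0.0/0 ...' line"))
    return findings


if __name__ == "__main__":
    for code, detail in audit(SAMPLE):
        print(f"{code}: {detail}")
```

A missing static default route is only a prompt to check the destination route table, since the route may be supplied another way.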

Author Comment

ID: 24387447
Thanks Sangamc. I will have to look at this later tonight; I'm on EST and the remote site is PST. I did look at the IP ranges and I have .78 as the gateway and .79 as the broadcast so I should be able to use .72-.77, but I will definitely try what you suggested. Thanks for the help and I will let you know what happened tomorrow.

Author Comment

ID: 24412805
Sangamc.  I haven't had time to check on this.  I should be able to check it next week as I will be out on Wed.  Thanks for the help.  

Expert Comment

by:Sanga Collins
ID: 24412859
Oh, not a problem, take your time. EE isn't going anywhere soon :)

Author Comment

ID: 24720344
Sorry it has taken me so long to get back to this question. I have not solved this yet but have other "fish to fry" as they say in the south. I am going to award you the points since I'm not sure when I'm going to get to this. Thanks again for all the help and for being a part of this awesome community.

Author Closing Comment

ID: 31581491
The reason this took so long to close was my fault. Our company could not make their minds up as to what they want to do. As always I appreciate the awesome help and advice I get from this site.
