Solved

Netscreen 5GT on AT&T PPPoE connection

Posted on 2009-05-14
Last Modified: 2013-11-16
I have a remote location that is already connected via frame to our HQ here, and currently all internet traffic comes back to HQ.  We would like to send only the internet traffic out a Netscreen 5GT connected to an AT&T PPPoE DSL connection and have all other traffic (email, ERP, etc.) come back to HQ through the frame router.  I have a Cisco 2821 in place at the remote location.  I have put the AT&T modem in "bridge" mode and configured the Netscreen for the PPPoE connection.  Both the trust and the untrust interfaces show "up".  When I change the route on the Cisco to route out the Netscreen, I can't trace route past the Netscreen trusted address.  I'm pretty sure I have the AT&T modem configured correctly, but I could be wrong.  I know how to change the Cisco router to route out the traffic; I need help with the Netscreen.  I will paste the config of the Netscreen below.  Please let me know if you need any other information.
set clock timezone -9
set vrouter trust-vr sharable
set vrouter "trust-vr" auto-route-export
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set admin name "username"
set admin password "password"
set admin auth timeout 10
set admin auth server "Local"
set admin privilege read-write
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Trust" tcp-rst 
unset zone "Untrust" block 
unset zone "Untrust" tcp-rst 
set zone "MGT" block 
set zone "VLAN" block 
set zone "VLAN" tcp-rst 
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust"
unset interface vlan1 ip
set interface trust ip 10.2.0.5/16
set interface trust nat
set interface untrust ip x.x.x.72/29
set interface untrust route
set interface untrust bandwidth 1500
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface trust manage-ip 10.2.0.6
set interface trust ip manageable
set interface untrust ip manageable
unset interface trust manage snmp
unset interface trust manage ssl
set interface untrust manage ping
set interface untrust manage telnet
set interface untrust manage ssl
set interface untrust manage web
set zone V1-Untrust manage ping
set zone V1-Untrust manage ssh
set zone V1-Untrust manage telnet
set zone V1-Untrust manage snmp
set zone V1-Untrust manage web
set flow tcp-mss 1392
set flow all-tcp-mss 1304
set domain redacted.com
set hostname LIVFW01
set dns host dns1 68.94.156.1
set dns host dns2 10.1.1.17
set dns host schedule 06:28
set ike respond-bad-spi 1
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set policy id 6 from "Untrust" to "Trust"  "Any" "Any" "ANY" permit 
set policy id 4 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit 
set pppoe name "ATT connection"
set pppoe name "ATT connection" username "blabbermouth@att.net" password "dVf6KsUcN9kUejs0z6Ce3NeBXZnM1s3odg=="
set pppoe name "ATT connection" idle 0
set pppoe name "ATT connection" static-ip
set pppoe name "ATT connection" interface untrust
unset pppoe name "ATT connection" update-dhcpserver
set pppoe name "ATT connection" auto-connect 20
set global-pro policy-manager primary outgoing-interface untrust
set global-pro policy-manager secondary outgoing-interface untrust
set ssh version v2
set config lock timeout 5
set ntp server "0.0.0.0"
set ntp server backup1 "0.0.0.0"
set ntp server backup2 "0.0.0.0"
set modem speed 115200
set modem retry 3
set modem interval 10
set modem idle-time 10
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
set preference ebgp 250
set preference ibgp 40
exit
set vrouter "trust-vr"
set preference ebgp 250
set preference ibgp 40
unset add-default-route
exit


Question by:gzitlaw
6 Comments
 

Accepted Solution

by:
Sanga Collins earned 500 total points
ID: 24387339
Looks like you have a static IP from AT&T.

Since the IP in your config ends with 72 and it's a 29-bit mask, you may have assigned the gateway IP to the Netscreen instead of one of your usable IP addresses, i.e.:

set interface untrust ip x.x.x.73/29 (usable are 73 - 78)

If it's static, make sure there is a default route in the destination route table (Network > Routing > Destination ...):

set route 0.0.0.0/0 interface untrust gateway x.x.x.72

Connecting a laptop to the Juniper and working on the config helps, once you can surf.

One more thing:

The policy from Untrust to Trust will not be required unless the destination is a MIP or VIP. I believe you can use that policy when the Juniper is configured as a layer 2 device.

Post if you have more questions :)
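The two checks the accepted answer asks for (is the untrust address a usable host in the /29 rather than the network address or the ISP gateway, and is there a default route via untrust), as an added example that is not part of the original thread. The 203.0.113.x addresses are constructed stand-ins for the redacted x.x.x.72/29, and `subnet_facts` / `lint_untrust` are hypothetical helpers for reading a ScreenOS-style config dump, not ScreenOS commands.

```python
import ipaddress
import re

# Constructed sample: the page redacts the untrust address as x.x.x.72/29, so a
# documentation-range address stands in for it; the lines mirror the posted config.
SAMPLE_CONFIG = """\
set interface trust ip 10.2.0.5/16
set interface untrust ip 203.0.113.72/29
set interface untrust route
unset add-default-route
"""
IP_RE = re.compile(r"^set interface (\S+) ip (\d+\.\d+\.\d+\.\d+/\d+)$")
ROUTE_RE = re.compile(r"^set route 0\.0\.0\.0/0 interface (\S+) gateway (\S+)$")


def subnet_facts(cidr):
    """Network, usable host range, and whether the given address is itself a usable host."""
    iface = ipaddress.ip_interface(cidr)
    net = iface.network
    first, last = net.network_address + 1, net.broadcast_address - 1
    return {"address": iface.ip, "network": net, "first_usable": first,
            "last_usable": last, "usable": first <= iface.ip <= last}


def lint_untrust(config, gateway=None):
    """Findings: untrust ip not a usable host, ip equal to the ISP gateway, or a
    missing/mismatched default route via untrust (the checks in the accepted answer)."""
    untrust_cidr = route = None
    for raw in config.splitlines():
        line = raw.strip()
        m = IP_RE.match(line)
        if m and m.group(1) == "untrust":
            untrust_cidr = m.group(2)
        m = ROUTE_RE.match(line)
        if m and m.group(1) == "untrust":
            route = m.group(2)
    if untrust_cidr is None:
        return ["no ip configured on untrust"]
    f, findings = subnet_facts(untrust_cidr), []
    gw = ipaddress.ip_address(gateway) if gateway else None
    if not f["usable"]:
        findings.append(f"untrust ip {f['address']} is the network or broadcast address of "
                        f"{f['network']}; usable hosts are {f['first_usable']}-{f['last_usable']}")
    elif gw is not None and gw == f["address"]:
        findings.append(f"untrust ip {gw} is the ISP gateway; pick another usable host")
    if route is None:
        findings.append("no default route: add 'set route 0.0.0.0/0 interface untrust gateway <gw>'")
    elif gw is not None and ipaddress.ip_address(route) != gw:
        findings.append(f"default route gateway {route} does not match ISP gateway {gw}")
    return findings
```

Run against the sample it reports that .72 is the network address of the /29 (usable hosts .73-.78) and that no default route is configured; after moving the interface to a usable host and adding the route, it reports nothing.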
 

Author Comment

by:gzitlaw
ID: 24387447
Thanks Sangamc.  I will have to look at this later tonight; I'm on EST and the remote site is PST.  I did look at the IP ranges and I have .78 as the gateway and .79 as the broadcast, so I should be able to use .72-.77, but I will definitely try what you suggested.  Thanks for the help and I will let you know what happened tomorrow.
 

Author Comment

by:gzitlaw
ID: 24412805
Sangamc.  I haven't had time to check on this.  I should be able to check it next week, as I will be out on Wed.  Thanks for the help.


Expert Comment

by:Sanga Collins
ID: 24412859
Oh, not a problem, take your time. EE isn't going anywhere soon :)
 

Author Comment

by:gzitlaw
ID: 24720344
Sangamc,
Sorry it has taken me so long to get back to this question.  I have not solved this yet but have other "fish to fry", as they say in the South.  I am going to award you the points since I'm not sure when I'm going to get to this.  Thanks again for all the help and for being a part of this awesome community.
 

Author Closing Comment

by:gzitlaw
ID: 31581491
The reason this took so long to close was my fault.  Our company could not make their minds up as to what they want to do.  As always, I appreciate the awesome help and advice I get from this site.
