Solved

Netscreen 5GT on AT&T PPPoE connection

Posted on 2009-05-14
Last Modified: 2013-11-16
I have a remote location that is already connected via frame to our HQ here, and currently all internet traffic comes back to HQ. We would like to send only the internet traffic out a Netscreen 5GT connected to an AT&T PPPoE DSL connection and have all other traffic (email, ERP, etc.) come back to HQ through the frame router. I have a Cisco 2821 in place at the remote location. I have put the AT&T modem in "bridge" mode and configured the Netscreen for the PPPoE connection. Both the trust and the untrust interfaces show "up". When I change the route on the Cisco to route out the Netscreen, I can't traceroute past the Netscreen trusted address. I'm pretty sure I have the AT&T modem configured correctly, but I could be wrong. I know how to change the Cisco router to route out the traffic; I need help with the Netscreen. I will paste the config of the Netscreen below. Please let me know if you need any other information.
set clock timezone -9
set vrouter trust-vr sharable
set vrouter "trust-vr" auto-route-export
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set admin name "username"
set admin password "password"
set admin auth timeout 10
set admin auth server "Local"
set admin privilege read-write
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Trust" tcp-rst 
unset zone "Untrust" block 
unset zone "Untrust" tcp-rst 
set zone "MGT" block 
set zone "VLAN" block 
set zone "VLAN" tcp-rst 
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust"
unset interface vlan1 ip
set interface trust ip 10.2.0.5/16
set interface trust nat
set interface untrust ip x.x.x.72/29
set interface untrust route
set interface untrust bandwidth 1500
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface trust manage-ip 10.2.0.6
set interface trust ip manageable
set interface untrust ip manageable
unset interface trust manage snmp
unset interface trust manage ssl
set interface untrust manage ping
set interface untrust manage telnet
set interface untrust manage ssl
set interface untrust manage web
set zone V1-Untrust manage ping
set zone V1-Untrust manage ssh
set zone V1-Untrust manage telnet
set zone V1-Untrust manage snmp
set zone V1-Untrust manage web
set flow tcp-mss 1392
set flow all-tcp-mss 1304
set domain redacted.com
set hostname LIVFW01
set dns host dns1 68.94.156.1
set dns host dns2 10.1.1.17
set dns host schedule 06:28
set ike respond-bad-spi 1
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set policy id 6 from "Untrust" to "Trust"  "Any" "Any" "ANY" permit 
set policy id 4 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit 
set pppoe name "ATT connection"
set pppoe name "ATT connection" username "blabbermouth@att.net" password "dVf6KsUcN9kUejs0z6Ce3NeBXZnM1s3odg=="
set pppoe name "ATT connection" idle 0
set pppoe name "ATT connection" static-ip
set pppoe name "ATT connection" interface untrust
unset pppoe name "ATT connection" update-dhcpserver
set pppoe name "ATT connection" auto-connect 20
set global-pro policy-manager primary outgoing-interface untrust
set global-pro policy-manager secondary outgoing-interface untrust
set ssh version v2
set config lock timeout 5
set ntp server "0.0.0.0"
set ntp server backup1 "0.0.0.0"
set ntp server backup2 "0.0.0.0"
set modem speed 115200
set modem retry 3
set modem interval 10
set modem idle-time 10
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
set preference ebgp 250
set preference ibgp 40
exit
set vrouter "trust-vr"
set preference ebgp 250
set preference ibgp 40
unset add-default-route
exit


Question by:gzitlaw
LVL 18

Accepted Solution

by:
Sanga Collins earned 500 total points
ID: 24387339
Looks like you have a static IP from AT&T.

Since the IP in your config ends with 72, and it's a 29-bit mask, you may have assigned the gateway IP to the Netscreen instead of one of your usable IP addresses, i.e.:

set interface untrust ip x.x.x.73/29 (usable are 73 - 78)

If it is static, make sure there is a default route in the destination route table (Network > Routing > Destination ...):

set route 0.0.0.0/0 interface untrust gateway x.x.x.72

Connecting a laptop to the Juniper and working on the config helps, once you can surf.

One more thing:

The policy from Untrust to Trust will not be required unless the destination is a MIP or VIP. I believe you can use that policy when the Juniper is configured as a layer 2 device.

Post if you have more questions :)
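The thread turns on which addresses in the /29 block are actually usable hosts and whether the untrust address or the gateway lands on one of them. The following check is added here as an illustration and is not from the original thread or from ScreenOS; the redacted x.x.x prefix is replaced with the documentation range 192.0.2.0/24 as a constructed placeholder.

```python
import ipaddress


def check_interface_address(cidr: str, gateway: str) -> dict:
    """Classify an interface assignment written the ScreenOS way (a.b.c.d/N).

    Returns the enclosing network, the list of usable host addresses and a
    list of problems: an interface address on the network or broadcast
    address, a gateway that is not a usable host in the same subnet, or an
    interface address that collides with the gateway.
    """
    iface = ipaddress.ip_interface(cidr)
    net = iface.network
    gw = ipaddress.ip_address(gateway)
    usable = [str(h) for h in net.hosts()]
    problems = []

    # The first address of the block is the network address, the last is
    # broadcast; neither can be assigned to an interface.
    if iface.ip == net.network_address:
        problems.append(f"interface address is the network address {net.network_address}")
    if iface.ip == net.broadcast_address:
        problems.append(f"interface address is the broadcast address {net.broadcast_address}")

    # The next hop must be a real host inside the interface's own subnet.
    if gw not in net or str(gw) not in usable:
        problems.append(f"gateway {gw} is not a usable host in {net}")
    elif gw == iface.ip:
        problems.append(f"interface address collides with the gateway {gw}")

    return {"network": str(net), "usable": usable, "problems": problems}


if __name__ == "__main__":
    # Constructed stand-in for "set interface untrust ip x.x.x.72/29" with
    # the gateway the poster reported at .78.
    for cidr in ("192.0.2.72/29", "192.0.2.73/29"):
        result = check_interface_address(cidr, "192.0.2.78")
        print(cidr, "->", result["problems"] or "ok")
```

For a /29 whose block starts at .72, the usable hosts are .73 through .78, so .72 is the network address regardless of which end of the block the gateway sits on.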
 

Author Comment

by:gzitlaw
ID: 24387447
Thanks Sangamc. I will have to look at this later tonight; I'm on EST and the remote site is PST. I did look at the IP ranges and I have .78 as the gateway and .79 as the broadcast, so I should be able to use .72-.77, but I will definitely try what you suggested. Thanks for the help and I will let you know what happened tomorrow.
 

Author Comment

by:gzitlaw
ID: 24412805
Sangamc, I haven't had time to check on this. I should be able to check it next week, as I will be out on Wed. Thanks for the help.
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 24412859
Oh, not a problem, take your time. EE isn't going anywhere soon :)
 

Author Comment

by:gzitlaw
ID: 24720344
Sangamc,
Sorry it has taken me so long to get back to this question. I have not solved this yet but have other "fish to fry", as they say in the south. I am going to award you the points since I'm not sure when I'm going to get to this. Thanks again for all the help and for being a part of this awesome community.
 

Author Closing Comment

by:gzitlaw
ID: 31581491
The reason this took so long to close was my fault. Our company could not make their minds up as to what they want to do. As always, I appreciate the awesome help and advice I get from this site.