Juniper Netscreen 25 problem?

I have a Netscreen 25 in my company and you can see all the details

The problem is I connect a PC from LAN 1
PC details:
IP   172.16.2.32
GW  172.16.2.2

when I ping

172.16.2.2 (OK) Reply
172.15.5.2 (OK) Reply
172.15.5.1 (OK) Reply
172.31.106.206 (NO) Request timed out.
172.31.106.205 (NO) Request timed out.
172.31.106.129 (NO) Request timed out.
172.31.106.130 (NO) Request timed out.
172.28.1.1 (NO) Request timed out.
172.28.1.3 (NO) Request timed out.

then I tracert 172.15.5.1

C:\>tracert 172.15.5.1
Tracing route to 172.15.5.1 over a maximum of 30 hops
  1    <1 ms    <1 ms    <1 ms  172.16.2.2
  2     1 ms    <1 ms    <1 ms  172.15.5.1
Trace complete.



then I tracert 172.31.106.206

C:\>tracert 172.31.106.206
Tracing route to 172.31.106.206 over a maximum of 30 hops
  1    <1 ms    <1 ms    <1 ms  172.16.2.2
  2     1 ms     1 ms     1 ms  211.73.192.XX
  3    66 ms   102 ms    40 ms  192.168.129.215
  4    50 ms     *        *     122.903.23.33
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.


AymanDasa Asked:

Sanga Collins (Systems Admin) Commented:
do you have route statements in the juniper pointing to the other destination networks? from what it looks like, you are trying to reach private networks (not sure where they are without more details) but you do not have a route to those networks. since no route exists, traffic is routed out of the default gateway (which points to the WAN) hence the traceroute going to 211.73.192.xx

AymanDasa (Author) Commented:
Mr sangamc
Thanks for your fast reply

do you have route statements in the juniper pointing to the other destination networks?
I don't know... how can I know that?

I'm sorry, I forgot to post this image  :P
STC.png

Sanga Collins (Systems Admin) Commented:
i believe a destination based route statement in the ns25 pointing to the interface 172.15.5.2/16 ip address should resolve this. i don't have any cisco devices so i can't tell you how the routing through those devices will work. but try this and let us know your results.

set route ip 172.28.1.0/16 (ip address of LAN 2)
gateway 172.15.5.2
interface <the interface the above ip is configure on>

AymanDasa (Author) Commented:
Dear sangamc

I connect R1 to my laptop direct and I try to ping


172.15.5.3 (OK) Reply  "Laptop IP"
172.15.5.1 (OK) Reply
172.31.106.206 (OK) Reply
172.31.106.205 (OK) Reply
172.31.106.129 (OK) Reply
172.31.106.130 (OK) Reply
172.28.1.1 (OK) Reply
172.28.1.3 (OK) Reply "LAN2 PC"

so the link is 100% OK, but the problem is when I move the cable from my laptop to firewall interface 2

Sanga Collins (Systems Admin) Commented:
Yes that is the way it is supposed to work. Your laptop has only one outgoing interface so all traffic will go out to R1 by default. But the ns25 has more than one interface so traffic is compared with the routing table to determine its destination. Since the modem is the default route, and there are no route statements matching subnets in R1 or R2, traffic that does not have the destination specified will have no choice but to go out through the default route

Sanga Collins (Systems Admin) Commented:
Try typing 'get route' from a telnet session or view the routing table from the web interface under network>routing>destination and post the results for us so I can explain more

AymanDasa (Author) Commented:

IPv4 Dest-Routes for <untrust-vr> (0 entries)
--------------------------------------------------------------------------------
H: Host C: Connected S: Static A: Auto-Exported
I: Imported R: RIP P: Permanent D: Auto-Discovered
 
 
IPv4 Dest-Routes for <trust-vr> (7 entries)
--------------------------------------------------------------------------------
   ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
--------------------------------------------------------------------------------
*  16          0.0.0.0/0           eth3  212.93.195.113   S   20      1     Root
*   3  211.73.192.12/28            eth3         0.0.0.0   C    0      0     Root
*   4  211.73.192.24/32            eth3         0.0.0.0   H    0      0     Root
*   6      172.15.0.0/16           eth2         0.0.0.0   C    0      0     Root
*   7      172.15.5.2/32           eth2         0.0.0.0   H    0      0     Root
*   1      172.16.0.0/16           eth1         0.0.0.0   C    0      0     Root
*   2      172.16.2.2/32           eth1         0.0.0.0   H    0      0     Root


AymanDasa (Author) Commented:
sorry ignore last post

IPv4 Dest-Routes for <untrust-vr> (0 entries)
--------------------------------------------------------------------------------
H: Host C: Connected S: Static A: Auto-Exported
I: Imported R: RIP P: Permanent D: Auto-Discovered
 
 
IPv4 Dest-Routes for <trust-vr> (7 entries)
--------------------------------------------------------------------------------
   ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
--------------------------------------------------------------------------------
*  16          0.0.0.0/0           eth3   211.73.192.13   S   20      1     Root
*   3  211.73.192.12/28            eth3         0.0.0.0   C    0      0     Root
*   4  211.73.192.24/32            eth3         0.0.0.0   H    0      0     Root
*   6      172.15.0.0/16           eth2         0.0.0.0   C    0      0     Root
*   7      172.15.5.2/32           eth2         0.0.0.0   H    0      0     Root
*   1      172.16.0.0/16           eth1         0.0.0.0   C    0      0     Root
*   2      172.16.2.2/32           eth1         0.0.0.0   H    0      0     Root


Sanga Collins (Systems Admin) Commented:
ok from this route table you have

a route to 172.15.0.0/16 going through eth2
a route to 172.16.0.0/16 going through eth1
you also have your default route 0.0.0.0/0 going through eth3

the networks listed below do not have any specific routes defined so the juniper will send all traffic destined for these networks out through the default gateway which is eth3. these networks are not reachable through eth3 because that goes out to the internet and not out of eth2 to R1.

172.31.106.205
172.31.106.129
172.28.1.1

so for the 1st one you would need

ID: automatically generated
ip-prefix: 172.31.106.205/30
interface eth2 (the interface that R1 is connected to)
gateway 0.0.0.0
P: automatically generated
Preff: use the default
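
The lookup described in this answer, as an added example that is not part of the original thread: it parses the `get route` rows posted above and applies longest-prefix match before and after static routes are added on eth2. The second and third static prefixes are assumed by analogy with the first, and the function names are illustrative.

```python
import ipaddress

# Active rows copied from the 'get route' output in this thread (trust-vr, before the fix).
GET_ROUTE = """\
*  16          0.0.0.0/0           eth3   211.73.192.13   S   20      1     Root
*   3  211.73.192.12/28            eth3         0.0.0.0   C    0      0     Root
*   4  211.73.192.24/32            eth3         0.0.0.0   H    0      0     Root
*   6      172.15.0.0/16           eth2         0.0.0.0   C    0      0     Root
*   7      172.15.5.2/32           eth2         0.0.0.0   H    0      0     Root
*   1      172.16.0.0/16           eth1         0.0.0.0   C    0      0     Root
*   2      172.16.2.2/32           eth1         0.0.0.0   H    0      0     Root
"""

def parse_routes(text):
    """Return [(network, interface)] for every active ('*') row."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0] == "*":
            # strict=False clears host bits, so .205/30 becomes .204/30
            routes.append((ipaddress.ip_network(f[2], strict=False), f[3]))
    return routes

def add_static(routes, prefix, iface):
    """Model one added static route; returns a new table."""
    return routes + [(ipaddress.ip_network(prefix, strict=False), iface)]

def lookup(routes, dest):
    """Longest-prefix match: the most specific route containing dest wins."""
    ip = ipaddress.ip_address(dest)
    matches = [r for r in routes if ip in r[0]]
    if not matches:
        return None  # no route at all (cannot happen while 0.0.0.0/0 exists)
    net, iface = max(matches, key=lambda r: r[0].prefixlen)
    return str(net), iface

before = parse_routes(GET_ROUTE)
after = before
# First prefix is from the answer; the other two are assumed analogous.
for prefix in ("172.31.106.205/30", "172.31.106.129/30", "172.28.1.1/16"):
    after = add_static(after, prefix, "eth2")

if __name__ == "__main__":
    for dest in ("172.15.5.1", "172.31.106.206", "172.31.106.130", "172.28.1.3"):
        print(dest, "before:", lookup(before, dest), "after:", lookup(after, dest))
```

Before the static routes exist, every 172.31.106.x and 172.28.x.x destination matches only 0.0.0.0/0 and leaves through eth3, which is the WAN hop seen in the tracert.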


AymanDasa (Author) Commented:
Dear sangamc

I understand you very well but in the end I can not

I did not get you in these lines

so for the 1st one you would need

ID: automatically generated
ip-prefix: 172.31.106.205/30
interface eth2 (the interface that R1 is connected to)
gateway 0.0.0.0
P: automatically generated
Preff: use the default
what is the command for that ?

I will post FW> get    tec



Juniper-get-Tec.txt

Sanga Collins (Systems Admin) Commented:
"so for the 1st one you would need

ID: automatically generated
ip-prefix: 172.31.106.205/30
interface eth2 (the interface that R1 is connected to)
gateway 0.0.0.0
P: automatically generated
Preff: use the default"

these are the settings to use when configuring a route statement in the juniper from the webui. You can do this by going to network> routing> destination. then selecting new route (trust-vr) and creating a new route statement with the above information. i will also post the command line to create said route when i get to my office.

AymanDasa (Author) Commented:
THANKS MAN

172.16.2.32 (OK) Reply
172.16.2.2  (OK) Reply
172.15.5.2 (OK) Reply
172.15.5.1 (OK) Reply
172.31.106.206 (OK) Reply
172.31.106.205 (OK) Reply
172.31.106.129 (OK) Reply
172.31.106.130 (OK) Reply
172.28.1.1 (NO)
Reply from 172.31.106.205: Destination host unreachable.
Reply from 172.31.106.205: Destination host unreachable.
Reply from 172.31.106.205: Destination host unreachable.

I don't know why that is, so I will post another question


IPv4 Dest-Routes for <untrust-vr> (0 entries)
--------------------------------------------------------------------------------
H: Host C: Connected S: Static A: Auto-Exported
I: Imported R: RIP P: Permanent D: Auto-Discovered
 
 
IPv4 Dest-Routes for <trust-vr> (10 entries)
--------------------------------------------------------------------------------
   ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
--------------------------------------------------------------------------------
*  16          0.0.0.0/0           eth3   211.73.192.13   S   20      1     Root
*  17  172.31.106.204/30           eth2         0.0.0.0   S   20      1     Root
*   3   211.73.192.12/28           eth3         0.0.0.0   C    0      0     Root
*   4   211.73.192.24/32           eth3         0.0.0.0   H    0      0     Root
*  18  172.31.106.128/30           eth2         0.0.0.0   S   20      1     Root
*   6      172.15.0.0/16           eth2         0.0.0.0   C    0      0     Root
*   7      172.15.5.2/32           eth2         0.0.0.0   H    0      0     Root
*  19      172.28.0.0/16           eth2         0.0.0.0   S   20      1     Root
*   1      172.16.0.0/16           eth1         0.0.0.0   C    0      0     Root
*   2      172.16.2.2/32           eth1         0.0.0.0   H    0      0     Root


Sanga Collins (Systems Admin) Commented:
yes you may want to split your post into two questions. because you will need to make sure the cisco routers (R1 & R2) are configured to recognize the path to LAN1. and that the juniper device is also configured to recognize the path to R1, R2 and LAN 2

AymanDasa (Author) Commented:
500 not  fair for you

you should take 50000000 point only


THANKS MR sangamc