AymanDasa

asked on

Basic setup of Juniper NetScreen routing and NAT?

I have a NetScreen 5XT and I connected it as shown in the attachment.
If I telnet to the Juniper I can ping yahoo.com, and I can ping my server 172.16.0.23,

but from my server I can't ping 80.50.160.102,
and I also can't ping yahoo.com,
so I don't have Internet access on any PC or the server.

Thanks in advance to all experts.

set clock timezone 2
set vrouter trust-vr sharable
unset vrouter "trust-vr" auto-route-export
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set admin name "admin"
set admin password "#########"
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "VLAN" block
set zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust"
unset interface vlan1 ip
set interface trust ip 172.16.0.2/16
set interface trust route
set interface untrust ip 80.50.160.102/30
set interface untrust route
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface trust ip manageable
set interface untrust ip manageable
set interface untrust manage ping
set interface untrust manage ssh
set interface untrust manage telnet
set interface untrust manage snmp
set interface untrust manage ssl
set interface untrust manage web
set interface untrust manage ident-reset
set flow tcp-mss
set hostname FWOKIS
set dns host dns1 80.50.50.17
set dns host dns2 80.50.50.18
set address "Trust" "Server1" 172.16.0.23 255.255.255.255
set ike respond-bad-spi 1
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set policy id 4 from "Untrust" to "Trust"  "Any" "Any" "ANY" permit
set policy id 5 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
set ssh version v2
set config lock timeout 5
set ntp server "0.0.0.0"
set ntp server backup1 "0.0.0.0"
set ntp server backup2 "0.0.0.0"
set modem speed 115200
set modem retry 3
set modem interval 10
set modem idle-time 10
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route  0.0.0.0/0 interface untrust gateway 86.51.160.101
exit

j.png
ASKER CERTIFIED SOLUTION
Sanga Collins

mindwise

Sangam is basically correct.

Personally, I am not a fan of interface-based NAT.
I'd turn on NAT in the policy (edit the Trust-to-Untrust policy, go to the Advanced page and just tick "NAT source", leaving "use interface IP" as is).

Since your Juniper is a stateful firewall, you don't need a policy back for return traffic to internal hosts; I'd remove the "Untrust to Trust" policy unless you are absolutely sure you need it.

That you cannot ping the external IP address of the firewall is normal, since ping is not "enabled" on it by default.
You can change that (set interface untrust manage ping).

Rgds,
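The steps in the reply above, written out as an added ScreenOS configuration example (not from the original thread, from Juniper, or from either poster): the asker's posted policies beside a corrected pair with policy-based source NAT. It assumes the 5XT CLI and policy ids 4 and 5 from the posted config; lines starting with "##" are explanatory comments, not commands, and the note on the default route is an observation about the posted addresses, not a step from the reply.

```screenos
## Added example: the posted Trust/Untrust setup beside a corrected one.
## Assumes the ScreenOS CLI on the asker's 5XT; policy ids 4 and 5 are
## taken from the config posted in the question.

## -- As posted: trust interface in route mode (no address translation),
## -- plus an any/any/ANY inbound permit that exposes 172.16.0.0/16
## -- to the Untrust zone.
set interface trust route
set policy id 4 from "Untrust" to "Trust" "Any" "Any" "ANY" permit
set policy id 5 from "Trust" to "Untrust" "Any" "Any" "ANY" permit

## -- Corrected: drop the inbound any/any policy. The firewall is
## -- stateful, so return traffic for outbound sessions is allowed
## -- without it.
unset policy id 4

## -- Replace the outbound policy with one that does policy-based source
## -- NAT. "nat src" with no DIP pool translates to the egress (untrust)
## -- interface address, which is the "use interface IP" option in the
## -- reply above. "log" records each session so the traffic can be audited.
unset policy id 5
set policy id 5 from "Trust" to "Untrust" "Any" "Any" "ANY" nat src permit log

## -- Keep the management surface on the public interface small: ping
## -- only if you need it for reachability tests; telnet and web on the
## -- untrust side are cleartext and are better left off.
set interface untrust manage ping
unset interface untrust manage telnet
unset interface untrust manage web

## -- Verify the default route. With untrust at 80.50.160.102/30 the only
## -- other usable address in that subnet is 80.50.160.101; the posted
## -- gateway 86.51.160.101 is outside it, so confirm the provider's
## -- gateway address before relying on this route.
get route
get interface untrust
get policy id 5
get session
```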
AymanDasa

ASKER

OK