Basic setup: Juniper NetScreen routing and NAT?

I have a NetScreen 5XT and I connected it as shown in the attachment.
If I telnet to the Juniper I can ping yahoo.com, and I can ping my server 172.16.0.23,

but from my server I can't ping 80.50.160.102
and I also can't ping yahoo.com,
so I don't have Internet access on any PC or on the server.

Thanks in advance to all experts.

set clock timezone 2
set vrouter trust-vr sharable
unset vrouter "trust-vr" auto-route-export
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set admin name "admin"
set admin password "#########"
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "VLAN" block
set zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust"
unset interface vlan1 ip
set interface trust ip 172.16.0.2/16
set interface trust route
set interface untrust ip 80.50.160.102/30
set interface untrust route
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface trust ip manageable
set interface untrust ip manageable
set interface untrust manage ping
set interface untrust manage ssh
set interface untrust manage telnet
set interface untrust manage snmp
set interface untrust manage ssl
set interface untrust manage web
set interface untrust manage ident-reset
set flow tcp-mss
set hostname FWOKIS
set dns host dns1 80.50.50.17
set dns host dns2 80.50.50.18
set address "Trust" "Server1" 172.16.0.23 255.255.255.255
set ike respond-bad-spi 1
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set policy id 4 from "Untrust" to "Trust"  "Any" "Any" "ANY" permit
set policy id 5 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
set ssh version v2
set config lock timeout 5
set ntp server "0.0.0.0"
set ntp server backup1 "0.0.0.0"
set ntp server backup2 "0.0.0.0"
set modem speed 115200
set modem retry 3
set modem interval 10
set modem idle-time 10
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route  0.0.0.0/0 interface untrust gateway 86.51.160.101
exit


Attachment: j.png
AymanDasa Asked:

Sanga Collins, Systems Admin, Commented:
OK, the first thing you want to do is set the trust interface to NAT mode instead of route.

The second step is to choose the correct gateway for the default route (the one starting with 0.0.0.0). Basically, the gateway should be the IP address of the next piece of equipment in the network path on the way to the internet. In this case it is the modem that is the Juniper's gateway to the internet, so the route statement should be

set route  0.0.0.0/0 interface untrust gateway 80.50.160.101

As an example, look at your laptops. One has an IP of 173.16.0.33; the IP address of the next piece of equipment on the path to the internet is 172.16.0.2, which is configured as the default gateway on the laptops :)

Hope this gets you going!
mindwise Commented:
sangam is basically correct.

Personally I am not a fan of interface-based NAT.
I'd turn on NAT in the policy (edit the trust to untrust policy, go to the advanced page and just tick "nat source" and leave the "use interface ip" as is).

Since your Juniper is a stateful firewall, you don't need a policy back for return traffic to internal hosts. I'd remove the "untrust to trust" policy unless you are absolutely sure you need it.

That you cannot ping the external IP address of the firewall is normal, since ping is not "enabled" on it (by default).
You can change that (set interface untrust manage ping).

Rgds,
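The three points raised in the answers above (default-route next hop, missing source NAT, and the Untrust-to-Trust any/any policy) can be checked mechanically against a saved configuration. The following is an added example, not part of the original thread or of any Juniper tool: the `audit` function and its finding codes are hypothetical, and it assumes that the CLI form of the policy NAT tick box is `nat src` before `permit`.

```python
import ipaddress

# Constructed sample: the relevant lines of the configuration posted in the question.
SAMPLE = """\
set interface trust ip 172.16.0.2/16
set interface trust route
set interface untrust ip 80.50.160.102/30
set interface untrust route
set interface trust ip manageable
set policy id 4 from "Untrust" to "Trust"  "Any" "Any" "ANY" permit
set policy id 5 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
set route  0.0.0.0/0 interface untrust gateway 86.51.160.101
"""

def audit(config):
    """Return finding codes for the three issues raised in the answers."""
    nets, modes, policies, default = {}, {}, [], None
    for line in config.splitlines():
        tok = line.replace('"', "").split()
        if tok[:2] == ["set", "interface"] and len(tok) >= 4:
            if tok[3] == "ip" and len(tok) > 4 and "/" in tok[4]:
                nets[tok[2]] = ipaddress.ip_interface(tok[4])
            elif tok[3] in ("route", "nat"):
                modes[tok[2]] = tok[3]
        elif tok[:3] == ["set", "policy", "id"] and "from" in tok:
            i = tok.index("from")
            rest = [t.lower() for t in tok[i + 4:]]
            policies.append((tok[3], tok[i + 1].lower(), tok[i + 3].lower(), rest))
        elif tok[:4] == ["set", "route", "0.0.0.0/0", "interface"] and "gateway" in tok:
            default = (tok[4], ipaddress.ip_address(tok[tok.index("gateway") + 1]))
    findings = []
    # 1. The next hop must sit on the subnet of the interface the route leaves by.
    if default and default[0] in nets and default[1] not in nets[default[0]].network:
        findings.append("default-gateway-off-subnet")
    # 2. Private sources need source NAT: interface NAT mode or "nat src" in a policy.
    policy_nat = any("nat" in rest and "src" in rest for _, _, _, rest in policies)
    for name, iface in nets.items():
        if iface.ip.is_private and modes.get(name) == "route" and not policy_nat:
            findings.append("no-source-nat:" + name)
    # 3. A stateful firewall needs no inbound any/any rule for return traffic.
    for pid, src, dst, rest in policies:
        if (src, dst) == ("untrust", "trust") and rest[:3] == ["any"] * 3 and "permit" in rest:
            findings.append("untrust-to-trust-any-any:" + pid)
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```
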
AymanDasa (Author) Commented:
OK