Solved

Configuring a Netscreen 5gt to work with Comcast business class modem

Posted on 2012-03-20
Last Modified: 2012-03-22
Hi,
We are currently using cbeyond as a network supplier.  We have several fixed ips with them and we are using a 5gt firewall after their network device.  Several of the fixed ips are configured to go to different servers in the building using the 5gt firewall and mapped ips.

We have just signed up to use comcast's business class to get faster speeds.  We have another 5gt firewall that I want to put after the comcast firewall.  Their service also comes with several fixed ips and I want to setup the second 5gt similar to the original 5gt and configure the comcast ips to replace cbeyond ips.

I have a basic knowledge about these devices but this is over my head.  

How do I configure the comcast device to send the different ips to the 5gt firewall?  It has dhcp and dns stuff that can be turned off and I don't know if I should. I'm not sure if I need to map each of the incoming ips to the new firewall.  I am at a loss.  

I then am not sure how to go about setting up the 5gt.  Once I have the basics setup I don't have any trouble with setting policies and mapping the ips.

Another question is can these two incoming lines be part of the same network?  I would like to keep the original 5gt setup for emergencies since we aren't getting rid of the cbeyond network.

Thanks, I hope some one can help.
Question by:kareed80

Expert Comment
by:Sanga Collins
What you want to do is configure the first Comcast IP on the untrust interface of the 5GT. Then set up the default route to point to the gateway IP of the block from Comcast. Finally you can then edit the untrust interface and in the section for MIP (mapped IPs) you can then map any of the additional IPs from Comcast to private IPs of your servers. You will want to create policies to then allow traffic on the MIPs.

From untrust to trust. Destination = MIP, service = http, dns, or services of your choosing. Action = permit, logging = on

Hope this helps
Author Comment
by:kareed80
I'm not sure what you mean by this comment "The set up the default route to point to the gateway ip of the block from Comcast."

Comcast gave me gateway number of xxx.xxx.xxx.54 and a range of xxx.xxx.xxx.241-xxx.xxx.xxx.253
I'm not sure what the gateway number would be used for.  It sounds like I should setup the xxx.xxx.xxx.241 to the untrust of the 5gt.  

One thing I am wondering about is the DHCP of the modem.  Do I just let the modem handle DHCP automatically between the modem and the 5GT and ignore it?  I wasn't sure if this is something I should worry about.

I am no longer at work so I will try it tomorrow.
Thanks
Expert Comment
by:Sanga Collins
If you wish to use your static IP addresses, you will need to configure the first one on the untrust interface. You do not have to disable DHCP on the modem. I in fact leave my DHCP enabled and connect other equipment like a VOIP server to the modem.

After configuring a static IP, unlike DHCP, the default gateway is not configured for you on the Juniper. You will need to go into Networking > Routing > Destination and add a new route as follows:

IP/Netmask = 0.0.0.0/0
gateway = x.x.x.54
interface = untrust interface

This will allow you to then route to the internet from inside your network.
Author Comment
by:kareed80
Sorry for being slow.

Here is where I am confused.  Comcast gave me a gateway of x.x.x.54 and behind the Comcast firewall, the firewall sets the IP range to be 10.1.10.x.  The gateway to the Comcast firewall becomes 10.1.10.1.  If I go to the 5GT and look at the routes, it has a route of:

IP/Netmask = 0.0.0.0/0
gateway = 10.1.10.1
interface = untrust interface

Do I do anything with the outside gateway of x.x.x.54? Do I add it as another route?

When I go and look at the interfaces I see one that is:
Name = untrust
Ip/Network =  10.1.10.11/24
Zone = untrust

Do I add the first Comcast static IP to the list as another interface?

Most of what is throwing me is the interaction between the Comcast firewall and the 5GT and the 10.1.10.0 IPs.

Thanks, your help is greatly appreciated.
Expert Comment
by:Sanga Collins
What you are seeing is normal. Comcast modems are configured with a DHCP server handing out 10.1.10.x/24; if you plug in a computer or router using DHCP to the Comcast modem, you will get an IP of 10.1.10.23, for example, with a gateway of 10.1.10.1.

But to use the static IP address, you have to turn off DHCP on the untrust interface (on the NetScreen, not the Comcast) and configure your static IP that was provided by Comcast. Once the static IP is configured it needs a gateway to route to the internet. This gateway is the x.x.x.54.
If you go to (in the NetScreen) Network > Routing > Destination, configure a new gateway with the following:

IP/Netmask = 0.0.0.0/0
gateway = x.x.x.54
interface = untrust interface

You will then be able to route to the internet using the public IP address and gateway. If you see the old route (the one from DHCP), check if it has a '*' on the left side. '*' marks an active route. If you see the '*', power cycle the NetScreen to clear it.
It should clear automatically once untrust is configured as static, but depending on your firmware version the NetScreen could sometimes take 10 to 15 minutes to clear the route it obtained from DHCP.

Hope I cleared things up. It may look confusing at first until you actually see it working. Once you do it will all make sense :)
Author Comment
by:kareed80
I am looking forward to this making sense.  Maybe a hammer.

Ok this is what I did.
Under Interfaces > Basic I put in the following:
Static IP
IP Address/Netmask = x.x.x.241 (the lowest IP Comcast supplied for the fixed IPs)
Manage IP = x.x.x.54
WebAuth = x.x.x.253

Under Network > Routing > Destination I put the following:

IP/Netmask = 0.0.0.0/0
gateway = x.x.x.54
interface = untrust interface


At this point I still can't get access to the internet.  I am wondering if I am missing the gateway address of the Comcast firewall, 10.1.10.1, somewhere.

Thanks again.
Expert Comment
by:Sanga Collins
Under interfaces you can erase the manage IP and let it configure the default manage IP (x.x.x.241); this is the IP address that you can connect to from the outside to load the WebUI or telnet to the console. Also erase the WebAuth IP, since that is used for configuring the NetScreen to authenticate a user before they use a specific policy (configured with WebAuth).

With those items cleaned out, go into the policy section and make sure you have a policy allowing traffic from trust to untrust. Without this policy even if everything is setup correctly you will not be able to get to the internet since the default action for a firewall is to deny all traffic.

Are you able to ping the gateway IP x.x.x.54 from a workstation?
Author Comment
by:kareed80
Actually I want to use the web authentication.  I use it to open ports to the servers that I want to work on from the outside without leaving them exposed to hackers.  I will look at the policy and see what I need to do.
Thanks
Expert Comment
by:Sanga Collins
That won't be a problem; the only reason I suggest taking it off is so you can get the basic setup working. Then, with that, you will be able to build the config to incorporate all the features you need.
Author Comment
by:kareed80
Under policies there is an entry:
source = any
destination = any
service = any
Action is a green check
and it is enabled

To me it looks good
Author Comment
by:kareed80
Pinging x.x.x.54 didn't work.
Author Comment
by:kareed80
I decided to give something a try.  I changed the IP address of the Comcast firewall to the same as the gateway address Comcast gave me.  This changed the IP address range behind the firewall so that it would include my static IPs from Comcast.  The DHCP range does not include the static IPs.

I then added a static IP on the 5GT and set it to x.x.x.141, the lowest value of the static IPs.

I then went in and added a gateway under Routing > Destination and made it the same as the gateway that I was supplied from Comcast, x.x.x.54.

I'm sure there is something wrong with doing it this way, but now I do have internet access, and the web authentication address of x.x.x.253 shows the authentication page.

What is your opinion of this solution?
Accepted Solution
by:Sanga Collins (earned 500 total points)
Oh My! That is exactly how it is supposed to be. A gateway IP is basically the IP address of the next device on the way to the internet. I did not realize you did not have the IP x.x.x.54 configured on the Comcast modem. Normally this is set up by Comcast and you shouldn't have to change it at all.

So basically, assume your NetScreen LAN is 192.168.1.1; any device that has to use the NetScreen to get to the internet will have 192.168.1.1 as its gateway.

The same applies (like a chain) for the NetScreen external IP to connect to the internet. The Comcast modem has IP x.x.x.54, so the NetScreen uses this as the gateway to get through to the internet via Comcast.

Hope this clears things up more. You should be able to configure MIPs now to connect public IPs to internal servers.
Author Closing Comment
by:kareed80
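The whole procedure from the expert's answers (static untrust IP, default route to the modem, a MIP, and the policies) as ScreenOS CLI, added here as an example and not taken from the thread or from Juniper's documentation. The addresses are constructed placeholders (203.0.113.x stands in for the Comcast x.x.x block, 192.168.1.0/24 for the LAN), the /24 netmask is an assumption (use the mask Comcast supplies), and lines starting with `#` are explanatory notes rather than CLI input.

```screenos
# Added example, not from the thread. Constructed addresses: 203.0.113.x = Comcast block,
# 192.168.1.0/24 = LAN. The /24 mask is an assumption; use the mask Comcast gives you.

# 1. Stop the untrust interface taking a 10.1.10.x lease from the modem's DHCP server,
#    then give it the first static address from the block (WebUI: Interfaces > Basic).
unset interface untrust dhcp client enable
set interface untrust ip 203.0.113.241/24
# The manage IP defaults to the interface IP; enable only the management services you need
# on the public side (ssl for the WebUI over HTTPS, ping for the reachability test below).
set interface untrust manage ping
set interface untrust manage ssl

# 2. Default route: the modem's address is the next hop (WebUI: Network > Routing > Destination).
set route 0.0.0.0/0 interface untrust gateway 203.0.113.54

# 3. Map a second public address to an internal server as a MIP on the untrust interface.
set interface untrust mip 203.0.113.242 host 192.168.1.10 netmask 255.255.255.255 vr trust-vr

# 4. Policies. Outbound: let the LAN out. Inbound: only the MIP, only HTTP, with logging,
#    so the rest of the mapped host stays closed even though a MIP is a 1:1 translation.
set policy from trust to untrust any any any permit
set policy from untrust to trust any mip(203.0.113.242) http permit log

save

# Verify: the static default route should show as active ('*') and the DHCP-learned
# 10.1.10.1 route should be gone (if it lingers, see the power-cycle advice above).
get route
get interface untrust
get mip
```

From a LAN workstation, ping 203.0.113.54 (the modem) before testing the internet; if that fails, the untrust IP, mask or default route is wrong, not the policies.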
Thanks for all the help, I really appreciate it; your help was great.
Expert Comment
by:Sanga Collins
Any time! Please feel free to post new questions whenever you run into issues. We have quite a few Juniper NetScreen experts always ready to help.