kareed80
asked on
Configuring a Netscreen 5gt to work with Comcast business class modem
Hi,
We are currently using Cbeyond as a network supplier. We have several fixed IPs with them and we are using a 5GT firewall after their network device. Several of the fixed IPs are configured to go to different servers in the building using the 5GT firewall and mapped IPs.
We have just signed up to use Comcast's business class to get faster speeds. We have another 5GT firewall that I want to put after the Comcast firewall. Their service also comes with several fixed IPs and I want to set up the second 5GT similar to the original 5GT and configure the Comcast IPs to replace the Cbeyond IPs.
I have a basic knowledge about these devices but this is over my head.
How do I configure the Comcast device to send the different IPs to the 5GT firewall? It has DHCP and DNS stuff that can be turned off and I don't know if I should. I'm not sure if I need to map each of the incoming IPs to the new firewall. I am at a loss.
I then am not sure how to go about setting up the 5GT. Once I have the basics set up I don't have any trouble with setting policies and mapping the IPs.
Another question is: can these two incoming lines be part of the same network? I would like to keep the original 5GT setup for emergencies since we aren't getting rid of the Cbeyond network.
Thanks, I hope someone can help.
ASKER
I'm not sure what you mean by this comment "The set up the default route to point to the gateway ip of the block from Comcast."
Comcast gave me a gateway number of xxx.xxx.xxx.54 and a range of xxx.xxx.xxx.241-xxx.xxx.xxx.253.
I'm not sure what the gateway number would be used for. It sounds like I should set up the xxx.xxx.xxx.241 on the untrust of the 5GT.
One thing I am wondering about is the DHCP of the modem. Do I just let the modem handle DHCP automatically between the modem and the 5GT and ignore it? I wasn't sure if this is something I should worry about.
I am no longer at work so I will try it tomorrow.
Thanks
If you wish to use your static IP addresses, you will need to configure the first one on the untrust interface. You do not have to disable DHCP on the modem. In fact I leave my DHCP enabled and connect other equipment like a VoIP server to the modem.
After configuring a static IP, unlike with DHCP, the default gateway is not configured for you on the Juniper. You will need to go into Networking > Routing > Destination and add a new route as follows:
IP/Netmask = 0.0.0.0/0
gateway = x.x.x.54
interface = untrust interface
This will allow you to then route to the internet from inside your network.
ASKER
Sorry for being slow.
Here is where I am confused. Comcast gave me a gateway of x.x.x.54, and behind the Comcast firewall, the firewall sets the IP range to be 10.1.10.x. The gateway to the Comcast firewall becomes 10.1.10.1. If I go to the 5GT and look at the routes it has a route of
IP/Netmask = 0.0.0.0/0
gateway = 10.1.10.1
interface = untrust interface
Do I do anything with the outside gateway of x.x.x.54? Do I add it as another route?
When I go and look at the interfaces I see one that is
Name = untrust
Ip/Network = 10.1.10.11/24
Zone = untrust
Do I add the first Comcast static IP to the list as another interface?
Most of what is throwing me is the interaction between the Comcast firewall, the 5GT and the 10.1.10.0 IPs.
Thanks, your help is greatly appreciated.
What you are seeing is normal. Comcast modems are configured with a DHCP server handing out 10.1.10.x/24. If you plug a computer or router using DHCP into the Comcast modem, you will get an IP of 10.1.10.23, for example, with a gateway of 10.1.10.1.
But to use the static IP address, you have to turn off DHCP on the untrust interface (on the NetScreen, not the Comcast) and configure your static IP that was provided by Comcast. Once the static IP is configured it needs a gateway to route to the internet. This gateway is the x.x.x.54.
If you go to (in the NetScreen) Network > Routing > Destination, configure a new gateway with the following:
IP/Netmask = 0.0.0.0/0
gateway = x.x.x.54
interface = untrust interface
You will then be able to route to the internet using the public IP address and gateway. If you see the old route (the one from DHCP), check if it has a '*' on the left side. '*' symbolizes an active route. If you see the '*', power-cycle the NetScreen to clear it.
It should clear automatically once untrust is configured as static, but depending on your firmware version the NetScreen could sometimes take 10 to 15 minutes to clear the route it obtained from DHCP.
Hope I cleared things up. It may look confusing at first until you actually see it working. Once you do it will all make sense :)
ASKER
I am looking forward to this making sense. Maybe a hammer.
OK, this is what I did.
Under Interfaces > Basic I put in the following:
Static IP
IP Address/Netmask x.x.x.241 // the lowest IP Comcast supplied for the fixed IPs
Manage IP x.x.x.54
WebAuth x.x.x.253
Under Network > Routing > Destination I put the following:
IP/Netmask = 0.0.0.0/0
gateway = x.x.x.54
interface = untrust interface
At this point I still can't get access to the internet. I am wondering if I am missing the gateway address of the Comcast firewall, 10.1.10.1, somewhere.
Thanks again.
Under Interfaces you can erase the Manage IP and let it configure the default manage IP (x.x.x.241); this is the IP address that you can connect to from the outside to load the WebUI or telnet to the console. Also erase the WebAuth IP, since that is used for configuring the NetScreen to authenticate a user before they use a specific policy (configured with WebAuth).
With those items cleaned out, go into the Policy section and make sure you have a policy allowing traffic from trust to untrust. Without this policy, even if everything is set up correctly you will not be able to get to the internet, since the default action for a firewall is to deny all traffic.
Are you able to ping the gateway IP x.x.x.54 from a workstation?
ASKER
Actually I want to use the web authentication. I use it to open ports to the servers that I want to work on from the outside without leaving them exposed to hackers. I will look at the policy and see what I need to do.
Thanks
That won't be a problem; the only reason I suggest taking it off is so you can get the basic setup working. Then, with that, you will be able to build the config to incorporate all the features you need.
ASKER
Under Policies there is an entry:
source = any
destination = any
service = any
Action is a green check
and it is enabled
To me it looks good
ASKER
Pinging x.x.x.54 didn't work.
ASKER
I decided to give something a try. I changed the IP address of the Comcast firewall to the same as the gateway address Comcast gave me. This made the IP address range after the firewall include my static IPs from Comcast. The DHCP range does not include the static IPs.
I then added a static IP on the 5GT and set it to x.x.x.141, the lowest value of the static IPs.
I then went in and added a gateway under Routing > Destination and I made it the same as the gateway that I was supplied from Comcast, x.x.x.54.
I'm sure there is something wrong with doing it this way, but now I do have internet access, and the web authentication address of x.x.x.253 shows the authentication page.
What is your opinion of this solution?
ASKER CERTIFIED SOLUTION
ASKER
Thanks for all the help, I really appreciate it, your help was great
Any time! Please feel free to post new questions whenever you run into issues. We have quite a few Juniper NetScreen experts always ready to help.
From untrust to trust. Destination = MIP, service = HTTP, DNS, or services of your choosing. Action = permit, logging = on.
Hope this helps
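The WebUI steps given across the replies above (static untrust IP instead of the modem's 10.1.10.x lease, a 0.0.0.0/0 route to the Comcast gateway, the trust-to-untrust policy, and the untrust-to-trust MIP policy from the last reply), collected as the equivalent ScreenOS CLI for a 5GT. This is an added example, not posted by anyone in the thread; x.x.x.241 and x.x.x.54 are the values from the thread, while the /28 netmask, the MIP address x.x.x.242 and the internal server 192.168.1.10 are assumptions, and the `#` lines are annotations rather than ScreenOS syntax.

```screenos
# Untrust interface: stop using the 10.1.10.x DHCP lease from the Comcast
# modem and assign the first Comcast static instead. The /28 netmask is an
# assumption; use the mask Comcast supplied. ScreenOS only installs the
# default route if the gateway falls inside this interface's subnet.
unset interface untrust dhcp client
set interface untrust ip x.x.x.241/28
# Leave manage-ip unset so it defaults to the interface address (x.x.x.241),
# as suggested above, until the basic setup works.

# Default route: a static address does not bring a gateway with it, so point
# 0.0.0.0/0 at the Comcast gateway out of the untrust interface.
set route 0.0.0.0/0 interface untrust gateway x.x.x.54

# Outbound: without an explicit trust -> untrust permit the default deny
# drops everything, even when addressing and routing are correct.
set policy from trust to untrust any any any permit

# Inbound to one server: map a second public static (x.x.x.242, assumed) to
# an internal host (192.168.1.10, assumed) and permit only the services that
# host actually offers, with logging on.
set interface untrust mip x.x.x.242 host 192.168.1.10 netmask 255.255.255.255 vr trust-vr
set policy from untrust to trust any MIP(x.x.x.242) HTTP permit log

save

# Checks after applying:
get route               # the 0.0.0.0/0 entry via x.x.x.54 should carry the '*'
                        # (active) marker; the old 10.1.10.1 route should be gone,
                        # or clear after a power cycle as described above
get interface untrust   # confirms the static address and that DHCP client is off
ping x.x.x.54           # gateway reachability from the firewall itself
```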