kareed80

Configuring a Netscreen 5gt to work with Comcast business class modem

Hi,
We are currently using Cbeyond as a network supplier.  We have several fixed IPs with them and we are using a 5gt firewall after their network device.  Several of the fixed IPs are configured to go to different servers in the building using the 5gt firewall and mapped IPs.

We have just signed up to use Comcast's business class to get faster speeds.  We have another 5gt firewall that I want to put after the Comcast firewall.  Their service also comes with several fixed IPs and I want to set up the second 5gt similar to the original 5gt and configure the Comcast IPs to replace the Cbeyond IPs.

I have a basic knowledge about these devices but this is over my head.  

How do I configure the Comcast device to send the different IPs to the 5gt firewall?  It has DHCP and DNS stuff that can be turned off and I don't know if I should. I'm not sure if I need to map each of the incoming IPs to the new firewall.  I am at a loss.

I then am not sure how to go about setting up the 5gt.  Once I have the basics set up I don't have any trouble with setting policies and mapping the IPs.

Another question is: can these two incoming lines be part of the same network?  I would like to keep the original 5gt setup for emergencies since we aren't getting rid of the Cbeyond network.

Thanks, I hope someone can help.
Sanga Collins

What you want to do is configure the first Comcast IP on the untrust interface of the 5gt. Then set up the default route to point to the gateway IP of the block from Comcast. Finally you can then edit the untrust interface and in the section for MIP (mapped IPs) you can map any of the additional IPs from Comcast to private IPs of your servers. You will want to create policies to then allow traffic on the MIPs.

From untrust to trust. Destination = MIP, service = http, dns, or services of your choosing. Action = permit, logging = on

Hope this helps
kareed80

I'm not sure what you mean by this comment "The set up the default route to point to the gateway ip of the block from Comcast."

Comcast gave me a gateway number of xxx.xxx.xxx.54 and a range of xxx.xxx.xxx.241-xxx.xxx.xxx.253.
I'm not sure what the gateway number would be used for.  It sounds like I should set up the xxx.xxx.xxx.241 on the untrust of the 5gt.

One thing I am wondering about is the DHCP of the modem.  Do I just let the modem handle DHCP automatically between the modem and the 5gt and ignore it?  I wasn't sure if this is something I should worry about.

I am no longer at work so I will try it tomorrow.
Thanks
If you wish to use your static IP addresses, you will need to configure the first one on the untrust interface. You do not have to disable DHCP on the modem. I in fact leave my DHCP enabled and connect other equipment like a VOIP server to the modem.

After configuring a static IP, unlike DHCP, the default gateway is not configured for you on the Juniper. You will need to go into Networking > Routing > Destination and add a new route as follows:

IP/Netmask = 0.0.0.0/0
gateway = x.x.x.54
interface = untrust interface

This will allow you to then route to the internet from inside your network.
Sorry for being slow.

Here is where I am confused.  Comcast gave me a gateway of x.x.x.54 and behind the Comcast firewall, the firewall sets the IP range to be 10.1.10.x. The gateway to the Comcast firewall becomes 10.1.10.1.  If I go to the 5gt and look at the routes it has a route of

IP/Netmask = 0.0.0.0/0
gateway = 10.1.10.1
interface = untrust interface

Do I do anything with the outside gateway of x.x.x.54? Do I add it as another route?

When I go and look at the interfaces I see one that is
Name = untrust
Ip/Network = 10.1.10.11/24
Zone = untrust

Do I add the first Comcast static IP to the list as another interface?

Most of what is throwing me is the interaction between the Comcast firewall and the 5gt and the 10.1.10.0 IPs.

Thanks, your help is greatly appreciated.
What you are seeing is normal. Comcast modems are configured with a DHCP server handing out 10.1.10.x/24. If you plug in a computer or router using DHCP to the Comcast modem, you will get an IP of 10.1.10.23, for example, with a gateway of 10.1.10.1.

But to use the static IP address, you have to turn off DHCP on the untrust interface (on the NetScreen, not the Comcast) and configure your static IP that was provided by Comcast. Once the static IP is configured it needs a gateway to route to the internet. This gateway is the x.x.x.54.
If you go (in the NetScreen) to Network > Routing > Destination, configure a new gateway with the following:

IP/Netmask = 0.0.0.0/0
gateway = x.x.x.54
interface = untrust interface

You will then be able to route to the internet using the public IP address and gateway. If you see the old route (the one from DHCP), check if it has a '*' on the left side. The '*' marks the active route. If you see the '*', power cycle the NetScreen to clear it.
It should clear automatically once untrust is configured as static, but depending on your firmware version sometimes the NetScreen could take 10 to 15 minutes to clear that route it obtained from DHCP.

Hope I cleared things up. It may look confusing at first until you actually see it working. Once you do it will all make sense :)
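As an added example (not from the thread, nor the asker's or the expert's actual config), here are the same steps expressed in the ScreenOS CLI the 5gt runs: the static untrust address and default route from this post, plus the MIP and policy steps from the first answer above. Addresses are constructed placeholders from the 203.0.113.0/24 documentation range, and the real netmask, gateway, public block and internal server address have to be substituted; lines starting with '#' are reader notes, not CLI input.

```screenos
# Constructed placeholders (RFC 5737 documentation range):
#   Comcast gateway ........ 203.0.113.54
#   usable static block .... 203.0.113.241 - 203.0.113.253
#   internal web server .... 192.168.1.10 (trust side)
# The untrust netmask must be the one Comcast assigns for the block.

# 1. Stop the untrust interface taking a 10.1.10.x lease from the modem,
#    then give it the first public address of the block.
unset interface untrust dhcp client enable
set interface untrust ip 203.0.113.241/24

# 2. A static address brings no default route with it: add 0.0.0.0/0
#    via the Comcast gateway, out of the untrust interface.
set route 0.0.0.0/0 interface untrust gateway 203.0.113.54

# 3. Outbound: without an explicit trust -> untrust policy the firewall
#    denies everything, so nothing inside can reach the internet.
set policy from trust to untrust any any any permit log

# 4. Inbound: map a second public address to one private server (MIP).
set interface untrust mip 203.0.113.242 host 192.168.1.10 netmask 255.255.255.255 vrouter trust-vr

# 5. Open only the needed services to that MIP, with logging on,
#    rather than permitting 'any' from untrust.
set policy from untrust to trust any MIP(203.0.113.242) http permit log
set policy from untrust to trust any MIP(203.0.113.242) https permit log

# Checks (read-only):
get interface untrust   # static IP shown, no DHCP lease
get route               # '*' marks the active 0.0.0.0/0 route
get mip                 # 203.0.113.242 -> 192.168.1.10 listed
get policy              # both directions present
```

If `get route` still shows the old 10.1.10.1 default marked with '*', that is the stale DHCP route the post above describes.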
I am looking forward to this making sense.  Maybe a hammer.

Ok this is what I did.
Under Interfaces > Basic I put in the following:
Static IP
IP Address/Netmask  x.x.x.241  //the lowest IP Comcast supplied for the fixed IPs
Manage IP  x.x.x.54

WebAuth   x.x.x.253

Under Network > Routing > Destination I put the following:

IP/Netmask = 0.0.0.0/0
gateway = x.x.x.54
interface = untrust interface

At this point I still can't get access to the internet.  I am wondering if I am missing the gateway address of the Comcast firewall 10.1.10.1 somewhere.

Thanks again.
Under Interfaces you can erase the Manage IP and let it configure the default manage IP (x.x.x.241); this is the IP address that you can connect to from the outside to load the WebUI or telnet to the console. Also erase the WebAuth IP, since that is used for configuring the NetScreen to authenticate a user before they use a specific policy (configured with WebAuth).

With those items cleaned out, go into the policy section and make sure you have a policy allowing traffic from trust to untrust. Without this policy, even if everything is set up correctly you will not be able to get to the internet, since the default action for a firewall is to deny all traffic.

Are you able to ping the gateway IP x.x.x.54 from a workstation?
Actually I want to use the web authentication.  I use it to open ports to the servers that I want to work on from the outside without leaving them exposed to hackers.  I will look at the policy and see what I need to do.
Thanks
That won't be a problem; the only reason I suggest taking it off is so you can get the basic setup working. Then with that you will be able to build the config to incorporate all the features you need.
Under policies there is an entry:
source = any
destination = any
service = any
Action is a green check
and it is enabled

To me it looks good.
Pinging x.x.x.54 didn't work.
I decided to give something a try.  I changed the IP address of the Comcast firewall to the same as the gateway address Comcast gave me.  This made the IP address range after the firewall include my static IPs from Comcast.  The DHCP range does not include the static IPs.

I then added a static IP on the 5gt and set it to x.x.x.141, the lowest value of the static IPs.

I then went in and added a gateway under Routing > Destination and I made it the same as the gateway that I was supplied from Comcast, x.x.x.54.

I'm sure there is something wrong with doing it this way, but now that I did this I do have internet access, and the web authentication address of x.x.x.253 shows the authentication page.

What is your opinion of this solution?
ASKER CERTIFIED SOLUTION
Sanga Collins

This solution is only available to members.
Thanks for all the help, I really appreciate it; your help was great.
Any time! Please feel free to post new questions whenever you run into issues. We have quite a few Juniper NetScreen experts always ready to help.