Strange issue when trying to connect to Web Admin



  • Hello,

    I have this very strange issue.

    I have configured my Netscreen 25 as a default setup and I can connect to the Web Admin locally at 192.168.1.1. I am just setting up the NS 25 on my home LAN in a test environment (LAN only), but my actual Internet router is a cheap Linksys. I forward the Linksys port 80 and port 443 to the Netscreen's private IP, but I cannot connect externally. The strange thing is I think this worked before, but I cannot seem to get it working at all anymore. I have tested the Linksys port forwarding, and if I put any other device at that same IP behind the Linksys, then it works. The Netscreen's trust port is set for admin and the trust port is hooked directly to one of the Linksys firewall's extra switch ports. It almost seems that the Netscreen is for some reason blocking traffic for the admin interface to 192.168.1.1 when it is coming from another subnet (port forwarded from Linksys NAT), although I wouldn't think that it should even be able to recognize that it originated from an external IP, since the Linksys already translated NAT before it sent the data there.

    Any ideas?

    I already reset both devices to factory defaults.
    I have the latest OS version as of the date of this post.

    My config is below:

    set clock timezone 0
    set vrouter trust-vr sharable
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset auto-route-export
    exit
    set auth-server "Local" id 0
    set auth-server "Local" server-name "Local"
    set auth default auth server "Local"
    set auth radius accounting port 1646
    set admin name "ns"
    set admin password "nG+HE6ruGY6AcxQN/sDFCqItAMEMyn"
    set admin http redirect
    set admin auth timeout 10
    set admin auth server "Local"
    set admin format dos
    set zone "Trust" vrouter "trust-vr"
    set zone "Untrust" vrouter "trust-vr"
    set zone "DMZ" vrouter "trust-vr"
    set zone "VLAN" vrouter "trust-vr"
    set zone "Untrust-Tun" vrouter "trust-vr"
    set zone "Trust" tcp-rst
    set zone "Untrust" block
    unset zone "Untrust" tcp-rst
    set zone "MGT" block
    set zone "DMZ" tcp-rst
    set zone "VLAN" block
    unset zone "VLAN" tcp-rst
    set zone "Untrust" screen tear-drop
    set zone "Untrust" screen syn-flood
    set zone "Untrust" screen ping-death
    set zone "Untrust" screen ip-filter-src
    set zone "Untrust" screen land
    set zone "V1-Untrust" screen tear-drop
    set zone "V1-Untrust" screen syn-flood
    set zone "V1-Untrust" screen ping-death
    set zone "V1-Untrust" screen ip-filter-src
    set zone "V1-Untrust" screen land
    set interface "ethernet1" zone "Trust"
    set interface "ethernet2" zone "DMZ"
    set interface "ethernet3" zone "Untrust"
    unset interface vlan1 ip
    set interface ethernet1 ip 192.168.1.1/24
    set interface ethernet1 route
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip
    set interface ethernet1 ip manageable
    set interface ethernet1 manage mtrace
    set interface ethernet3 manage web
    set interface vlan1 manage mtrace
    set interface ethernet3 dhcp client enable
    unset flow no-tcp-seq-check
    set flow tcp-syn-check
    set hostname ns25
    set pki authority default scep mode "auto"
    set pki x509 default cert-path partial
    set ike respond-bad-spi 1
    unset ipsec access-session enable
    set ipsec access-session maximum 5000
    set ipsec access-session upper-threshold 0
    set ipsec access-session lower-threshold 0
    set ipsec access-session dead-p2-sa-timeout 0
    unset ipsec access-session log-error
    unset ipsec access-session info-exch-connected
    unset ipsec access-session use-error-log
    set url protocol sc-cpa
    exit
    set policy id 1 from "Untrust" to "Trust" "Any" "Any" "ANY" permit
    set policy id 1
    exit
    set policy id 2 from "Trust" to "Trust" "Any" "Any" "ANY" permit
    set policy id 2
    exit
    set policy id 3 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
    set policy id 3
    exit
    set nsmgmt bulkcli reboot-timeout 60
    set ssh version v2
    set config lock timeout 5
    set snmp port listen 161
    set snmp port trap 162
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset add-default-route
    exit
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit



  • For starters, try disabling HTTPS redirect. See if you can connect via port 80. If that fails, then the issue is likely on the Linksys. If that works, then perhaps there is an issue with HTTPS redirect. Try running debug flow basic, debug ssl basic and debug admin all. Those may give a clue as to why it fails.
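  An added example, not from either poster, of how the checks suggested in the reply can be run on the ScreenOS CLI so that the debug buffer only captures the forwarded admin connection. The external source address is a placeholder; the interface and zone names are taken from the posted config.

```screenos
# --- added example (not part of the thread) ---
# 1. Confirm what management is allowed on the trust interface and
#    whether HTTPS redirect is on.
get interface ethernet1
get admin

# 2. Per the reply: turn off the HTTP-to-HTTPS redirect and test port 80 first.
unset admin http redirect

# 3. Limit debugging to the forwarded admin session. 203.0.113.10 is a
#    placeholder for the public address the test is run from; it is what
#    the Netscreen sees as the source after the Linksys forwards the port.
set ffilter src-ip 203.0.113.10 dst-ip 192.168.1.1 dst-port 80
clear dbuf
debug flow basic
debug admin all

# ... attempt the connection from outside now ...

# 4. Stop debugging and read the captured buffer. Look for the packet
#    arriving on ethernet1, whether it is handed to the admin process, and
#    which interface the reply is routed out of.
undebug all
get dbuf stream

# 5. Check which route the reply to the external address would take; the
#    posted config has unset add-default-route on trust-vr and runs the
#    DHCP client on ethernet3, so the return path may not be ethernet1.
get route

# 6. Clean up the filter when done.
unset ffilter
```

  If the buffer shows the request reaching the device but the reply leaving via a different interface, the route table and the tcp-syn-check setting are the next things to compare against a host that does work behind the Linksys.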
