Trouble with NS 5GT and a simple DSL modem



  • Hi there, I really hope someone here can help me.

    I have to deploy some NS 5GT in this configuration:

    Local LAN–(172.200.xx.yy)–>5GT–(public IP or 192.168.2.0/24 if PPPoE is down)–>DSL Modem–>Internet

    Here’s my problem:

    When the modem connects to the internet, it gets the public IP and gives it through its integrated DHCP server to the untrust interface of my 5GT. All fine to this point.

    But I cannot connect to the internet.

    Policy:
    Trust (any) -> Untrust (any) -> Service (any)-> NAT using interface IP

    Routes:
    0.0.0.0/0 int untrust gw PublicIP
    172.200.xx.yy/16 int trust gw 0.0.0.0

    Even if I try to ping a server on the internet, from the Console, I get nothing.

    I’ve tried the same configuration with a DSL router and it works great. But I need it to work with a DSL modem.

    Any ideas?



  • Hi, in general a router always needs a real default gateway to get anywhere. Your PC isn’t a router so behaves differently when using the DSL modem - it’s basically spitting all data not intended for itself onto the LAN, which the modem is forwarding. The Netscreen won’t do this.

    Try putting in a default gateway (as you discovered before) by hand and see if it works:

    ‘set interface untrust gateway <ip>’

    Ideally ask your ISP what the default gateway should be being supplied with the DHCP parameters - you would normally expect to get a specific IP.

    I need to set this up for myself soon (using one of my modems in bridge mode) and will see what I get.



  • Yes but the ISP gateway changes for each new IP my ISP supplies. (I have dynamic IPs) When I get 80.200.229.89 then the gateway is 80.200.229.1 (a.b.c.d -> gw a.b.c.1). My modem doesn’t serve the ISP gw as a DHCP parameter.

    For example:

    If I connect the modem to a PC (WinXP SP2 w/ firewall disabled), I get these IP parameters:

    IP: 80.200.229.89
    Mask:255.255.255.255
    Gw:80.200.229.89 (myself)
    DNS1:195.238.2.22
    DNS2:195.238.2.23

    There’s no place giving the ISP GW (not even in the windows routing table). I had to tracert an IP to get it.

    And it works fine. I can surf through this connection.

    If I connect the modem to the 5GT, the 5GT gets these parameters and it doesn’t work.



  • Hi, the gateway should not be your own Untrust IP - it’s usually the one supplied by your ISP.

    Connect using the DSL router and see what default gateway it gets assigned.



  • Here’s what I get:

    ns5gt->get int untrust
    Interface untrust:
      number 1, if_info 88, if_index 0, mode route
      link up, phy-link up/full-duplex
      vsys Root, zone Untrust, vr trust-vr
      dhcp client enabled
      PPPoE disabled
      admin mtu 1500
      *ip 80.200.239.85/32   mac 0012.1eb8.e0f1
      gateway 80.200.239.85
      *manage ip 80.200.239.85, mac 0012.1eb8.e0f1
      route-deny disable
      ping enabled, telnet disabled, SSH enabled, SNMP disabled
      web disabled, ident-reset enabled, SSL enabled
      DNS Proxy disabled, webauth disabled, webauth-ip 0.0.0.0
      OSPF disabled  BGP disabled  RIP disabled  mtrace disabled
      PIM: not configured  IGMP not configured
      bandwidth: physical 100000kbps, configured 0kbps, current 0kbps
                 total configured gbw 0kbps, total allocated gbw 0kbps
      DHCP-Relay disabled
      DHCP-server disabled

    I really don’t understand what’s wrong.

    Edit: I can’t ping from console (I tried one of the Google IPs, tested on another network).
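As an added example (not from the thread or the poster's device), a small Python check that parses `get interface untrust` output like the one above and flags the two conditions the thread discusses: a gateway equal to the interface's own IP and a /32 mask. It then builds the `set interface untrust gateway` command using the a.b.c.d -> a.b.c.1 pattern the poster observed; that candidate is a hypothetical guess to confirm with the ISP.

```python
import ipaddress
import re

# Constructed sample modelled on the 'get interface untrust' output posted in
# the thread (example data, not a capture from the poster's device).
SAMPLE_GET_INT = """Interface untrust:
  number 1, if_info 88, if_index 0, mode route
  link up, phy-link up/full-duplex
  dhcp client enabled
  PPPoE disabled
  *ip 80.200.239.85/32   mac 0012.1eb8.e0f1
  gateway 80.200.239.85
"""


def parse_untrust(text):
    """Return (interface, gateway) parsed from ScreenOS 'get interface' output.

    gateway is None when no 'gateway' line is present."""
    ip_m = re.search(r"^\s*\*ip\s+(\S+)", text, re.M)
    gw_m = re.search(r"^\s*gateway\s+(\S+)", text, re.M)
    if not ip_m:
        raise ValueError("no '*ip' line in output")
    iface = ipaddress.ip_interface(ip_m.group(1))
    gateway = ipaddress.ip_address(gw_m.group(1)) if gw_m else None
    return iface, gateway


def diagnose(text):
    """List the conditions from the thread that leave the box with no next hop."""
    iface, gateway = parse_untrust(text)
    findings = []
    if gateway is None or gateway == iface.ip:
        findings.append("gateway missing or equal to the interface's own IP: "
                        "0.0.0.0/0 has no usable next hop")
    if iface.network.prefixlen == 32:
        findings.append("/32 mask from DHCP: no on-link subnet, so the "
                        "default gateway must be set explicitly")
    return findings


def suggested_command(text):
    """Build the 'set interface untrust gateway <ip>' line from the thread.

    The candidate next hop uses the poster's observed a.b.c.d -> a.b.c.1
    heuristic; it is a guess to confirm with the ISP, not a derived fact."""
    iface, _ = parse_untrust(text)
    candidate = ipaddress.ip_network(f"{iface.ip}/24", strict=False)[1]
    return f"set interface untrust gateway {candidate}"
```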



  • Umm, sob.

    I run all my Netscreens this way, meaning if that is failing then something else is messing things up.

    So, if you do as I suggest (NAT on Trust) and ensure there is no NAT on the policy for sure (or elsewhere) it fails?

    If it does then you need to login and PING out to see where it’s failing. Generally the only reason that this fails (if the box has a valid real IP on the Untrust, which you say it does) is that you haven’t set the default gateway - is this being correctly set?

    So, set with Trust interface as NAT and see what parameters have been passed to the 5gt from the modem. Ensure you see the gateway setting in:

    ‘get interface untrust’

    I run my firewalls behind modems with static real IPs so I can’t check exactly if my setup differs. Post the result of the above command.



  • I’ve tried it this way but it doesn’t work.  😢



  • Hi,

    It’s usual to set the Trust interface to NAT mode rather than the Untrust:

    set interface trust ip 192.168.1.1/24
    set interface trust route
    set interface untrust ip 80.200.239.85/32
    set interface untrust nat

    … reverse these so Untrust is Route and Trust is NAT.



  • Here’s my get conf:

    set clock timezone -1
    set vrouter trust-vr sharable
    unset vrouter "trust-vr" auto-route-export
    set auth-server "Local" id 0
    set auth-server "Local" server-name "Local"
    set auth default auth server "Local"
    set auth radius accounting port 1646
    set admin name "remote"
    set admin password "nPe6PRrdLmpDcIBKzsNEOCAtBzPOpn"
    set admin manager-ip 193.190.113.116 255.255.255.255
    set admin manager-ip 192.168.18.3 255.255.255.255
    set admin manager-ip 172.17.13.59 255.255.255.255
    set admin manager-ip 172.200.0.0 255.255.0.0
    set admin manager-ip 192.168.1.0 255.255.255.0
    set admin http redirect
    set admin auth timeout 0
    set admin auth server "Local"
    set admin format dos
    set zone "Trust" vrouter "trust-vr"
    set zone "Untrust" vrouter "trust-vr"
    set zone "VLAN" vrouter "trust-vr"
    set zone id 100 "vpnzone"
    set zone "Trust" block
    set zone "Trust" tcp-rst
    set zone "Untrust" block
    unset zone "Untrust" tcp-rst
    set zone "MGT" block
    set zone "VLAN" block
    set zone "VLAN" tcp-rst
    set zone "vpnzone" block
    set zone "vpnzone" tcp-rst
    set zone "Untrust" screen icmp-flood
    set zone "Untrust" screen udp-flood
    set zone "Untrust" screen winnuke
    set zone "Untrust" screen port-scan
    set zone "Untrust" screen ip-sweep
    set zone "Untrust" screen tear-drop
    set zone "Untrust" screen syn-flood
    set zone "Untrust" screen ip-spoofing
    set zone "Untrust" screen ping-death
    set zone "Untrust" screen ip-filter-src
    set zone "Untrust" screen land
    set zone "Untrust" screen syn-frag
    set zone "Untrust" screen tcp-no-flag
    set zone "Untrust" screen unknown-protocol
    set zone "Untrust" screen ip-bad-option
    set zone "Untrust" screen ip-record-route
    set zone "Untrust" screen ip-timestamp-opt
    set zone "Untrust" screen ip-security-opt
    set zone "Untrust" screen ip-loose-src-route
    set zone "Untrust" screen ip-strict-src-route
    set zone "Untrust" screen ip-stream-opt
    set zone "Untrust" screen icmp-fragment
    set zone "Untrust" screen icmp-large
    set zone "Untrust" screen syn-fin
    set zone "Untrust" screen fin-no-ack
    set zone "Untrust" screen mal-url code-red
    set zone "Untrust" screen limit-session source-ip-based
    set zone "Untrust" screen syn-ack-ack-proxy
    set zone "Untrust" screen block-frag
    set zone "Untrust" screen limit-session destination-ip-based
    set zone "V1-Untrust" screen tear-drop
    set zone "V1-Untrust" screen syn-flood
    set zone "V1-Untrust" screen ping-death
    set zone "V1-Untrust" screen ip-filter-src
    set zone "V1-Untrust" screen land
    set interface "trust" zone "Trust"
    set interface "untrust" zone "Untrust"
    unset interface vlan1 ip
    set interface trust ip 192.168.1.1/24
    set interface trust route
    set interface untrust ip 80.200.239.85/32
    set interface untrust nat
    set interface untrust mtu 1500
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip
    set interface trust ip manageable
    set interface untrust ip manageable
    unset interface trust manage snmp
    set interface untrust manage ssh
    unset interface vlan1 manage ping
    unset interface vlan1 manage ssh
    unset interface vlan1 manage telnet
    unset interface vlan1 manage snmp
    unset interface vlan1 manage ssl
    unset interface vlan1 manage web
    set interface trust dhcp server service
    set interface trust dhcp server enable
    set interface trust dhcp server option lease 1500
    set interface trust dhcp server option dns1 195.238.2.22
    set interface trust dhcp server ip 192.168.1.10 to 192.168.1.30
    set interface untrust dhcp-client enable
    set flow path-mtu
    set flow tcp-syn-check
    set hostname ns5gt
    set dns host dns1 195.238.2.22
    set dns proxy
    set dns proxy enable
    set ike respond-bad-spi 1
    set pki authority default scep mode "auto"
    set pki x509 default cert-path partial
    set traffic-shaping mode off
    set url protocol sc-cpa
    exit
    set policy id 5 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
    set policy id 5
    exit
    set nsmgmt report alarm traffic enable
    set nsmgmt report alarm attack enable
    set nsmgmt report alarm other enable
    set nsmgmt report alarm di enable
    set nsmgmt report log config enable
    set nsmgmt report log info enable
    set nsmgmt report log self enable
    set nsmgmt report log traffic enable
    set global-pro policy-manager primary outgoing-interface untrust
    set global-pro policy-manager secondary outgoing-interface untrust
    set nsmgmt init id 05D431BAA0F103AE0278EE85CBDB797648DBEE2200
    set nsmgmt server primary 193.190.113.116 port 7800
    set nsmgmt bulkcli reboot-timeout 60
    set nsmgmt hb-interval 20
    set nsmgmt hb-threshold 5
    set nsmgmt enable
    set ssh version v2
    set ssh enable
    set scp enable
    set config lock timeout 5
    set dl-buf size 7340032
    set ssl encrypt 3des sha-1
    set modem speed 115200
    set modem retry 3
    set modem interval 10
    set modem idle-time 10
    set snmp port listen 161
    set snmp port trap 162
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset add-default-route
    exit
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit

    I set up the untrust interface in NAT mode.

    The 192.168.2.0/24 DHCP (if PPPoE is down) is probably for administration purposes on the ethernet DSL modem, because once I get the public IP, I cannot access the modem anymore (I have to disconnect the phone line to get a local LAN IP or switch my DHCP client to a static IP).

    Notice that I have an NSM server, but while the 5GT cannot connect to the internet, it cannot talk to the NSM.
    I also have to create a VPN to my company’s Netscreen 208 once I’ve connected to the internet. No matter with that, the NSM will do it fine, but I have to fine-tune my MTU settings for the VPN.



  • Hi, it may be worth cutting and pasting the config script (from Configuration/Update/Config file) here so we can see what’s what.

    Is the Netscreen set to perform NAT on the internal (trust) interface (as is usual)? If the policy is doing it (from what you say) rather than the interface, that should run too - but I tend to set NAT on the interface and not the policy (it saves setting this on every outbound policy when you have a long list).

    Not sure what you mean by having the Untrust (ADSL) interface assigned an internal IP when the link is down - why is that?

