Basic home configuration setup with wireless router behind NetScreen FW



  • I have a home network with a Linksys wireless router and NAS (Network storage) behind it. My service provider is Comcast cable.
I also have a NetScreen HSC (much like the NetScreen 5GT, but with a few limitations) which I would like to put behind it for VPN termination (unless I can get Dynamic DNS running on the HSC). (Unless anyone here can really tell me that I can assume that my front-facing router address will really seldom change, and I should be putting the HSC in front.)  I'd actually kind-of-prefer to have my firewall device come first.

    The HSC has worked fine with its limited web interface, and full functionality seems to be pretty much available via telnet / ssh.  I haven’t had it on a network yet, just plugged into a hub and connected to it to check that it works.

    I would like to place the NetScreen HSC behind my linksys router, and configure it to allow basic VPN operation. 
    I would appreciate basic configuration advice, which will greatly reduce the amount of playing-around I may have to do to fix any basic mistakes.  Even better - is there a canned script / configuration anyone has that will do the job for me?

    • I know I will have to pass the appropriate port/s through from the router to the NetScreen for the VPN connection.
    • The HSC would rely upon the Linksys router for DHCP
    • The router will need proper route setting data to pass data to / from the HSC
    • The HSC will need proper routing config. to send data to / from the linksys.  I will also want to be able to access the network storage / other systems hanging off the back of the linksys via the VPN.
    • I will still want normal, local linksys wireless clients to connect as they have.

    I figure the best way to go would be for the device right after the cable modem (presumably the Linksys) to have an inside address of 192.168.1.1, and the outside address of the HSC would be 192.168.2.1.  Unless there is a better way for me to do this using the HSC in transparent mode (which I understand may not be an actual option - I understand the HSC may not support transparent mode).

    General advice on the approach and options would be appreciated.  I would also like eventually to set up another low-end NetScreen device at another location and establish a tunnel to this device, making for one effective network that I could connect into. I’m not planning to do this all now, but would like a “growable” approach.  I’m also doing all this on a budget, so if I need another firewall, I’d like to go with a used 5XT or similar off-of-ebay.

    Thank you-

    Sam

    Sam Nitzberg



  • hi there,

    I’m coming in late for the party sorry :mrgreen:!  Did you guys get this setup working?
    I have almost identical setup and I plan on setting it up sometime soon.
    My setup very similar below:

    CM <> FW <> Dlink WR <> Switch <> PCs
    I plan to have FW 5GT hand out DHCP and turn it off the Dlink’s side.



  • Thanks for the help.  I have made some progress, and my configuration file is below.

    With this configuration file, I can plug my firewall behind my cable modem, and plug a computer into the firewall, and establish connectivity to the Internet.
    Now, I need to perform the next step:
    Plug the firewall into the cable modem, and connect my Linksys wireless router to the Trusted side.
    Then, my local systems can plug into the wireless router, or connect wirelessly.

    My goal is to have this type of configuration:

    ISP
    ----
    NS-HSC: Untrusted side: DHCP to acquire address / DNS info
    NS-HSC: Trusted side: IP address = 192.168.2.2

    Linksys: WAN interface: IP = 192.168.2.1, Gateway = 192.168.2.2
    Linksys: Mode set to Router Mode (as opposed to Gateway Mode)
    DNS: Set to point to 192.168.2.2;  DHCP Server: ON

    Cable: Linksys WAN side interface to NS-HSC Trusted Interface (Standard cable - Not crossover)

    I hooked this up, and clients behind the Linksys router weren't acquiring DHCP / IP addresses.  I may have made a small mistake, but would appreciate input based on what appears so far.

    On the NS-HSC, I’m pretty sure that this line is no good:
    set interface trust dhcp server option gateway 192.168.2.1
    I think that I should set it to 192.168.2.2 – so that if I plug any gear into the NS-HSC, it can acquire a 192.168.2.x address.

    I’m not presently concerned with commands related to the Antivirus, X.509 certificates, or modem settings… I will happily add detail or try to clarify any of this.

    Any advice would be appreciated…

    Thank you,

    Sam
    Sam Nitzberg


    nshsc-> get config
    Total Config size 3409:
    unset hardware wdt-reset
    set clock timezone 0
    set vrouter trust-vr sharable
    unset vrouter "trust-vr" auto-route-export
    set auth-server "Local" id 0
    set auth-server "Local" server-name "Local"
    set auth default auth server "Local"
    set admin name "netscreen"
    set admin password "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"
    set admin auth timeout 10
    set admin auth server "Local"
    set admin format dos
    set zone "Trust" vrouter "trust-vr"
    set zone "Untrust" vrouter "trust-vr"
    set zone "VLAN" vrouter "trust-vr"
    set zone "Trust" tcp-rst
    set zone "Untrust" block
    unset zone "Untrust" tcp-rst
    set zone "MGT" block
    set zone "VLAN" block
    set zone "VLAN" tcp-rst
    set zone "Untrust" screen tear-drop
    set zone "Untrust" screen syn-flood
    set zone "Untrust" screen ping-death
    set zone "Untrust" screen ip-filter-src
    set zone "Untrust" screen land
    set zone "V1-Untrust" screen tear-drop
    set zone "V1-Untrust" screen syn-flood
    set zone "V1-Untrust" screen ping-death
    set zone "V1-Untrust" screen ip-filter-src
    set zone "V1-Untrust" screen land
    set interface "trust" zone "Trust"
    set interface "untrust" zone "Untrust"
    unset interface vlan1 ip
    set interface trust ip 192.168.2.1/24
    set interface trust nat
    set interface untrust ip 68.38.170.126/22
    set interface untrust route
    set interface untrust gateway 68.38.168.1
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip
    set interface trust ip manageable
    set interface untrust ip manageable
    set interface untrust manage ssh
    set interface untrust manage telnet
    set interface trust dhcp server service
    set interface trust dhcp server auto
    set interface trust dhcp server option gateway 192.168.2.1
    set interface trust dhcp server option netmask 255.255.255.0
    set interface trust dhcp server option domainname hsd1.nj.comcast.net.
    set interface trust dhcp server option dns1 68.87.64.146
    set interface trust dhcp server option dns2 68.87.75.194
    set interface trust dhcp server ip 192.168.2.100 to 192.168.2.199
    set interface untrust dhcp-client enable
    set flow tcp-mss
    set domain hsd1.nj.comcast.net.
    set hostname nshsc
    set dns host dns1 68.87.64.146
    set dns host dns2 68.87.75.194
    set ike respond-bad-spi 1
    set pki authority default scep mode "auto"
    set pki x509 default cert-path partial
    set av scan-mgr pattern-update-url http://5gt-t.activeupdate.trendmicro.com:80/activeupdate/server.ini interval 0
    set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
    set nsmgmt report proto-dist enable
    set nsmgmt report statistics ethernet enable
    set nsmgmt report statistics attack enable
    set nsmgmt report statistics flow enable
    set nsmgmt report statistics policy enable
    set nsmgmt report alarm traffic enable
    set nsmgmt report alarm attack enable
    set nsmgmt report alarm other enable
    set nsmgmt report alarm di enable
    set nsmgmt report log config enable
    set nsmgmt report log info enable
    set nsmgmt report log self enable
    set nsmgmt report log traffic enable
    set global-pro policy-manager primary outgoing-interface untrust
    set global-pro policy-manager secondary outgoing-interface untrust
    set ssh version v2
    set config lock timeout 5
    set modem speed 115200
    set modem retry 3
    set modem interval 10
    set modem idle-time 10
    set snmp port listen 161
    set snmp port trap 162
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset add-default-route
    exit
    nshsc->
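A small sanity check for a dump like the one above, added here as an example and not part of the thread: it parses ScreenOS `get config` lines and flags a DHCP gateway option that differs from the trust interface's own address (the mistake Sam suspects), a DHCP pool outside the interface subnet, and management services enabled on an Untrust-zone interface. The sample input is constructed from the posted config with the trust address moved to the planned 192.168.2.2; `lint_screenos` is a hypothetical helper name.

```python
import ipaddress
import re
# Constructed sample, not the poster's verbatim dump: trust moved to 192.168.2.2
# as planned, while the DHCP gateway option still hands out 192.168.2.1.
SAMPLE_CONFIG = """\
set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust"
set interface trust ip 192.168.2.2/24
set interface untrust ip 68.38.170.126/22
set interface untrust manage ssh
set interface untrust manage telnet
set interface trust dhcp server option gateway 192.168.2.1
set interface trust dhcp server ip 192.168.2.100 to 192.168.2.199
"""
# One pattern per statement the lint reads; get-config quotes some names, not all.
RE_ZONE = re.compile(r'^set interface "?(\w+)"? zone "?([\w-]+)"?$')
RE_IP = re.compile(r'^set interface "?(\w+)"? ip (\S+/\d+)$')
RE_GW = re.compile(r'^set interface "?(\w+)"? dhcp server option gateway (\S+)$')
RE_POOL = re.compile(r'^set interface "?(\w+)"? dhcp server ip (\S+) to (\S+)$')
RE_MANAGE = re.compile(r'^set interface "?(\w+)"? manage (\w+)$')

def lint_screenos(config: str) -> list[str]:
    """Return findings for a ScreenOS get-config dump (empty list = clean)."""
    zone, addr, gateway, pool, manage = {}, {}, {}, {}, []
    for line in config.splitlines():
        line = line.strip()
        if m := RE_ZONE.match(line):
            zone[m[1]] = m[2]
        elif m := RE_IP.match(line):
            addr[m[1]] = ipaddress.ip_interface(m[2])
        elif m := RE_GW.match(line):
            gateway[m[1]] = ipaddress.ip_address(m[2])
        elif m := RE_POOL.match(line):
            pool[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := RE_MANAGE.match(line):
            manage.append((m[1], m[2]))
    findings = []
    # DHCP clients should default-route to the firewall's own address on that interface.
    for iface, gw in gateway.items():
        if iface in addr and gw != addr[iface].ip:
            findings.append(f"{iface}: dhcp gateway {gw} != interface address {addr[iface].ip}")
    # The handed-out pool must lie inside the interface's subnet.
    for iface, (lo, hi) in pool.items():
        if iface in addr and (lo not in addr[iface].network or hi not in addr[iface].network):
            findings.append(f"{iface}: dhcp pool {lo}-{hi} outside {addr[iface].network}")
    # Management services on an Untrust-zone interface are reachable from the ISP side.
    for iface, svc in manage:
        if zone.get(iface) == "Untrust":
            findings.append(f"{iface}: management service {svc} enabled in Untrust zone")
    return findings
```

Run `lint_screenos(SAMPLE_CONFIG)` to get the three findings; feed it the real dump (pasted from the terminal) to check a live box the same way.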



  • Thank you !

    I'll let you know how it goes… probably about a week before I post again.

    Thanks–

    Sam



  • Hello,

    The last HSC I set up was via the CLI.  What version of code are you running?  I simply downloaded the HSC Admin Guide and entered some commands to set up the box.  In your scenario, I would set up the HSC at the perimeter and configure your Untrust interface for DHCP.  This should allow your HSC to pick up an IP from your Comcast cable modem.  I would then set up your Trust IP with a 192.168.2.1 address.  What I did at home was configure my Linksys wireless router behind my 5GT and disabled the firewall.  You might want to do the same.  You can then set the WAN IP on the Linksys to 192.168.2.2 and an internal address of 192.168.1.1 (DHCP 192.168.1.5 - 10).

    If you need help with the CLI, just let me know.  Hope this helps.

