Using netscreen to route only public address

  • Hi,

    We just got a NetScreen 5GT from an auction website.

    After some testing I realized that untrust and trust cannot be in the same subnet; is it absolutely mandatory?

    Here's the situation: we have a range of 64 addresses and I'd like to be able to tell all addresses that the router is now the NetScreen, but if I put any IP that's in the same range as the untrust interface it tells me that there's a collision. Changing the trusted interface to any other subnet (like 192.168…) works fine.

    Am I wrong? How can I set up the interfaces so that I can use IPs that are public and in the same subnet as the NetScreen device?

    Thanks for your answers,

    Disco :mrgreen:

  • Global Moderator

    Sure you can do it, but you'll miss a lot of things you have in layer 3 mode!

    If you want to try it:

    Clear your config.
    Place interfaces in V1 zones.
    Set an IP on the vlan1 interface for management.
    Set management options on V1 zones.
    Set policies to and from V1 zones.

    Remember you can't do anything on layer 3 on the interfaces.

  • Hi, after some searching I just fell upon this article:

    Do you think I could set up the firewall in 'transparent' mode? Is it worth trying?

  • Global Moderator

    I think I'm missing something. You have only public addresses. We just split them up into a small and a big part, but all addresses are routable. So what's the NATting for?? I'm really trying to understand what your problem is but I'm missing it. Maybe somebody else can contribute in other words? MaxPipeline, for example, writes clearly ….

  • If someone could help me it would be nice!

  • Okay, finally got it 'almost' working.

    Here's the setup:
    untrust: x.x.x.132/26 (MIP for x.x.x.161 to x.x.x.161 interface trust, .162 to .161 etc.)
    trust: x.x.x.161/27 (NAT mode)

    I had to set up 'nat' rules in the policies.

    It's working, but first it's not 'elegant', and secondly I'm not able to use addresses that are in the .128 -> .160 range.

    You suggest subnetting untrust to '/30', which makes 1 usable address (.129 is the router); that's the untrust interface, thus not being able to use the 'webui'. After this I don't know how to subnet the trust interface in order not to lose 32 IPs.

    Can I set up untrust to /30 (x.x.x.130/30) and trust to /26 (x.x.x.131/26)? In this case .129 remains the gateway for both interfaces, but then I cannot 'MIP' since anything higher than .130 is not in the subnet of the untrust interface.

    This is such a headache …

    Thanks for your help!

  • Global Moderator

    You're right, I calculated in the wrong subnet, but the idea is clear I think?
    Define a /30 within your /27 range. Make sure not to use the broadcast address of your /30 net and things will be routed!! Make sure policy allows out. If necessary, test with any any any permit in both directions; that way you're sure no policies deny traffic. Then set up the real policy. If things still don't work, do a debug and post the output.

  • Switched to 'home-work' mode to use e? interfaces.

    You're suggesting putting the same IP address on both interfaces?

    set int e? ip

    On the other interface you set (int in DMZ zone?)
    set int e? ip

    If I set up the second interface to .160/27 in route mode I'm not able to go in/out from e2 (untrust if).

  • Global Moderator

    You start with set vrouter trust-vr ignore-subnet-conflict
    On int1 you set

    -> set int e? ip  (int in untrust zone)

    You're missing 4 IPs to use two, but eh?

    On the other interface you set (int in DMZ zone?)

    set int e? ip

    Your host IP can be between and

    Add your default route:

    set route gateway

    Set your interface in route mode:

    set int e? route

    and set your policy.

    Should work like this.

    If not you could drop me a personal message with the real config and IPs and I can take a look at it. Also include a "get route" output in that case please.

  • Thx screenie, tried and it didn't work …

    So, let's take a concrete example:

    Let's say we have: available IPs. is the gateway.

    Now can you tell me exactly what to set up to be able to route between the trust and untrust interfaces?

  • Global Moderator

    When you want to split up one public range into smaller ranges on two interfaces you could do the following:

    set vr trust-vr ignore-subnet-conflict

    Then configure the whole range on one interface and a partial range within the whole range on the other interface.

    It shouldn't be a big problem to route through the NetScreen!
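
As an added illustration of the subnet arithmetic behind this post and the earlier "define a /30 within your range" advice (example code written for this page, not from the thread, the moderator, or Juniper), the following Python script uses the standard ipaddress module to show why two interfaces inside one /26 collide, to carve the /30 untrust plus /27 trust split, to count the addresses that split strands, and to check which public addresses a MIP on the untrust interface can cover. The addresses are constructed from TEST-NET-3 (203.0.113.0/24) in place of the thread's x.x.x.128/26, and the function names are hypothetical.

```python
"""Subnet planning for one public block shared by two firewall interfaces.

Added example, not from the thread: it checks the overlap the NetScreen
reports as a collision, carves the /30 + /27 split the moderator describes,
and checks which public addresses a MIP on the untrust interface can cover.
"""
import ipaddress

# Constructed stand-in for the thread's 64-address block and ISP gateway
# (TEST-NET-3 from RFC 5737 instead of x.x.x.128/26).
PUBLIC_BLOCK = ipaddress.ip_network("203.0.113.128/26")
ISP_GATEWAY = ipaddress.ip_address("203.0.113.129")


def interfaces_conflict(iface_a: str, iface_b: str) -> bool:
    """True when two interface subnets overlap. Two such interfaces in one
    virtual router are what ScreenOS rejects as a collision unless
    ignore-subnet-conflict is set on that vrouter."""
    net_a = ipaddress.ip_interface(iface_a).network
    net_b = ipaddress.ip_interface(iface_b).network
    return net_a.overlaps(net_b)


def other_addresses(iface: str) -> list[str]:
    """Addresses in the interface's subnet other than the interface's own.
    Network and broadcast addresses are excluded, which is the moderator's
    warning about the broadcast address of the /30."""
    itf = ipaddress.ip_interface(iface)
    return [str(h) for h in itf.network.hosts() if h != itf.ip]


def mip_fits_untrust(untrust_iface: str, public_ip: str) -> bool:
    """A MIP address has to lie inside the untrust interface's subnet,
    the constraint the original poster ran into with a /30 untrust."""
    untrust_net = ipaddress.ip_interface(untrust_iface).network
    return ipaddress.ip_address(public_ip) in untrust_net


def plan_split(block: ipaddress.IPv4Network, gateway: ipaddress.IPv4Address,
               untrust_prefix: int = 30, trust_prefix: int = 27) -> dict:
    """Carve the block into an untrust subnet containing the ISP gateway and
    a trust subnet that does not overlap it. The firewall takes the first
    free host address in each subnet (hypothetical planning policy)."""
    untrust_net = next(n for n in block.subnets(new_prefix=untrust_prefix)
                       if gateway in n)
    untrust_ip = next(h for h in untrust_net.hosts() if h != gateway)
    trust_net = next(n for n in block.subnets(new_prefix=trust_prefix)
                     if not n.overlaps(untrust_net))
    trust_ip = next(iter(trust_net.hosts()))
    untrust = f"{untrust_ip}/{untrust_prefix}"
    trust = f"{trust_ip}/{trust_prefix}"
    return {
        "untrust": untrust,
        "trust": trust,
        "trust_hosts": other_addresses(trust),
        # Addresses of the block that land in neither subnet cannot be used
        # by either side; this is the range the poster complains of losing.
        "stranded": (block.num_addresses
                     - untrust_net.num_addresses - trust_net.num_addresses),
        "conflict": interfaces_conflict(untrust, trust),
    }


if __name__ == "__main__":
    # The poster's first attempt: both interfaces inside the same /26.
    print("132/26 vs 161/27 overlap:",
          interfaces_conflict("203.0.113.132/26", "203.0.113.161/27"))
    plan = plan_split(PUBLIC_BLOCK, ISP_GATEWAY)
    for key, value in plan.items():
        print(f"{key}: {value}")
    print("MIP .161 on a /30 untrust:",
          mip_fits_untrust(plan["untrust"], "203.0.113.161"))
```

Running it shows the trade-off the thread circles around: the /30 untrust and /27 trust no longer overlap, so no ignore-subnet-conflict is needed, but 28 of the 64 addresses are stranded between the two subnets, and a MIP for .161 is not possible on the /30 untrust because .161 lies outside it.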

  • I can't MIP two public addresses? Otherwise what's the point of NATting public IPs?

    I enabled debug for NAT and here's the error:

    ## 2008-01-09 12:02:18 : search gate for if Untrust:x.x.x.129->,1,1,89
    ## 2008-01-09 12:02:18 : in nat_search_hole, no gate found

  • Did you enable ping in the interface section (Network | Interfaces | Trust | Edit)?

    I'm going to backtrack and recommend using a MIP instead - it'll take about 10 seconds and is much easier. Just map one outside IP to one inside IP and you're done. Much cleaner.
    Network | Interfaces | Trust | MIP | New | put in the outside & inside IPs. Done.

    Debug is a whole other subject; here's the short version…

    "debug ?" shows all the possibilities.
    "debug flow basic" and "debug ike detail" (for VPN) are really useful.
    "undebug all" - to turn off debug.
    Best to set a flow filter to focus on the traffic you want (and minimize the performance hit).
    "set ffilter ?" gives the options.
    Flow filters use an OR algorithm if you set multiple filters.
    Debug info is sent to the debug buffer.
    "get db stream" gets the buffer (can be redirected).
    "clear db stream" clears the buffer.
    "get ff" gets current flow filters.
    "clear ff" clears flow filters. Repeat as needed.

    For you…
    "clear db s"
    set up a filter
    "debug flow basic"
    generate traffic
    "get db s"

  • Of course, I'd be just 'sooo' happy if it worked with that simple 'all permitting' config; I'll do security later (that server is not even in production, just testing labs).

    Now, right, changed to:

    set interface trust ip x.x.x.161/27
    set interface trust nat
    set interface untrust ip x.x.x.132/27
    set interface untrust route
    set interface untrust gateway x.x.x.129
    set vrouter "untrust-vr"
    set route x.x.x.162/32 interface trust
    set vrouter "trust-vr"
    unset add-default-route

    Host is set up to:

    iface x.x.x.162/27
    gateway x.x.x.161

    and still … not working…

    Note: pinging .161 from the Internet doesn't work either.

    Isn't there any verbose debugging mode to see what's happening behind the scenes?

  • You need to create real policies.
    From trust, only allow what is needed outbound. Why expose Windows shares?
    From untrust, only allow what is needed inbound, e.g. DNS, SMTP, HTTP, and lock it down to a destination IP.

    Set untrust to route, trust to NAT.
    Use a host route for the server, not a network route, and use an interface…
    set route A.B.C.129/32 interface trust

  • Right, policy is set to:

    permit any to any from trust to untrust
    permit any to any from untrust to trust

    That should work, right?

    Trust is set to 'nat' mode (if I set it to 'route', the host on the trust side can't go out).
    Untrust is set to 'route' mode.

    I set up a route on untrust:

    set vrouter "untrust-vr"
    set route x.x.x.160/27 vrouter "trust-vr" preference 20 metric 1

    but guess what … still not able to reach the host from the cold outside world  😞

  • All you need is policy and a route to the inside IP, no MIP req'd.

  • Thanks for the reply, but I don't want to use private addresses but public addresses on both sides of the firewall; is that possible?

    As suggested, by splitting the 64 pool into two of 32, one on each side of the interface (first 32 to untrust, last 32 to trust), and then routing traffic between them.

    That's my point  🙂

  • Great, your config looks fine. Put it back in route/NAT mode - this is the easiest.

    If you are using real IPs for the external (not 192.168.x.x) then a MIP would work fine.
    There are various tradeoffs with VIPs, DIPs, and MIPs - it just depends what you're doing.

    Just set a MIP to one of your external addresses and map it to an internal address, then create a policy to allow some service to the MIP. Here are a few lines from my config.

    set interface "ethernet0/0" mip host netmask vr "trust-vr"
    set policy id 3 from "Untrust" to "Trust" "Any" "MIP(" "DNS" permit

    You want to get rid of that ANY/ANY from the Untrust to the Trust - that exposes your whole network to the Internet.

    Two MIPs are no big deal, again, depends what you’re doing. A VIP might work for you too.

  • Got something working out (this firewall is still a dark mystery to me):

    trust x.x.x.161/27 (nat)
    untrust x.x.x.132/27 (route) (default route to the ISP's gw)

    Policies to permit anything from untrust to trust, and trust to untrust.

    I'm able to 'go out' from trust to the outside world but not back from the outside world to the host.

    • Setting both to (route) mode doesn't work.

    Should I add a MIP? MIPping two public addresses seems stupid to me.