Netscreen 5xp



  • Hi,

    I have an old Netscreen 5xp that I can't get to access the internet.

    FYI - I'm not a network admin.

    If anyone has a working config that they could post, that would be great!!

    This is what the wizard set up….

    set zone "Trust" vrouter "trust-vr"
    set zone "Untrust" vrouter "trust-vr"
    set zone "VLAN" vrouter "trust-vr"
    set zone "Trust" tcp-rst
    set zone "Untrust" block
    unset zone "Untrust" tcp-rst
    set zone "MGT" block
    set zone "VLAN" block
    set zone "VLAN" tcp-rst
    set zone "Untrust" screen tear-drop
    set zone "Untrust" screen syn-flood
    set zone "Untrust" screen ping-death
    set zone "Untrust" screen ip-filter-src
    set zone "Untrust" screen land
    set zone "V1-Untrust" screen tear-drop
    set zone "V1-Untrust" screen syn-flood
    set zone "V1-Untrust" screen ping-death
    set zone "V1-Untrust" screen ip-filter-src
    set zone "V1-Untrust" screen land
    set interface "trust" zone "Trust"
    set interface "untrust" zone "Untrust"
    unset interface vlan1 ip
    set interface trust ip 192.168.2.1/24
    set interface trust nat
    set interface untrust ip 67.170.189.130/22
    set interface untrust route
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip
    set interface trust ip manageable
    set interface untrust ip manageable
    set interface trust dhcp server service
    set interface trust dhcp server enable
    set interface trust dhcp server option gateway 192.168.2.1
    set interface trust dhcp server option netmask 255.255.255.0
    set interface trust dhcp server option domainname hsd1.wa.comcast.net.
    set interface trust dhcp server option dns1 68.87.69.150
    set interface trust dhcp server option dns2 68.87.85.102
    set interface trust dhcp server ip 192.168.2.10 to 192.168.2.126
    set interface untrust dhcp-client enable
    set interface trust dip 4 192.168.2.10 192.168.2.100
    set flow tcp-mss
    set domain hsd1.wa.comcast.net.
    set hostname ns5xp
    set dns host dns1 68.87.69.150
    set dns host dns2 68.87.85.102
    set ike respond-bad-spi 1
    set pki authority default scep mode "auto"
    set pki x509 default cert-path partial
    set policy id 3 from "Untrust" to "Trust" "Any" "Any" "ANY" nat src dip-id 4 permit
    set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" nat src dip-id 4 permit traffic gbw 10000 priority 7 mbw 10000
    set ssh version v2
    set config lock timeout 5
    set snmp port listen 161
    set snmp port trap 162
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset add-default-route
    exit



  • Well, you sorted it already, good stuff……
    some (late) notes 🙂

    @carthman:

    I suspect the "set zone Untrust block" in the config is what caused the issue.

    If you do a "get zone untrust" you should be able to see if it is still enabled or not.

    The untrust zone has the 'block' option on by default, and since he's going from trust to untrust, it's irrelevant (or should be :))

    The dip id used in policy ID 1 cannot be correct, since the egress interface for that policy is the untrust one and the dip is on the trust interface. -> remove that dip from the policy and replace it with "none, use interface ip" (or something that sounds similar).

    Also, your guaranteed and max bandwidth are equal; I'd start off by removing those settings too.
    Let's get internet working first, you can always break it by adding fancy stuff later 🙂

    ============

    @marty:

    you can't ping a hostname from the NS.

    (hostname = fqdn in this case (www.google.com)).

    ?
    Sure you can……
    www-> ping www.google.com count 20 from eth2
    Type escape sequence to abort

    Sending 20, 100-byte ICMP Echos to www.google.com [66.102.13.99], timeout is 1 seconds from ethernet2
    !!!

    However, timeshadowrider was pinging from a cmd box, not from a telnet session to the netscreen 🙂



  • I suspect the “set zone Untrust block” in the config is what caused the issue.

    If you do a “get zone untrust” you should be able to see if it is still enabled or not.



  • Ok, good to know it works now… but strangely enough we do not know what made it work… hope there was not a cabling issue or some issue on your ISP's side.



  • Don't know what I did, but I got it working.



  • I purchased a console cable and I was able to ping from the device. I pinged 4.2.2.1 and it came back 100%, so if I have internet on the untrust side, how do I get it to the trust connection…

    Is there a sample config that I can use? I have been trying the setup guide, but it does not match the GUI.



  • I did remove the NAT and it's still not letting me connect.



  • You pinged the hostname; try pinging an IP from the NetScreen. Instead of google.com, try pinging the IP address from the NS: you can't ping a hostname from the NS.

    Also, did you try removing the NAT Src from the trust to untrust policy?



  • It's like I have no gateway:

    IP/Netmask      Gateway   Interface  Protocol  Metric  Vsys  Configure
    192.168.2.0/24  0.0.0.0   trust      C         0       Root  -
    10.0.0.0/24     0.0.0.0   untrust    C         0       Root  -
    0.0.0.0/0       10.0.0.1  untrust    C         1       Root  -


  • Just did a tracert and the response is the same for the most part:

    unable to resolve target system name www.google.com



  • I just did a ping test from the cmd line in windows and the response is:

    ping request could not find host www.google.com



  • I don't know about the ping, I can check that later today, but with IE google will not load and MSN Messenger does not log in automatically. I would not think it would be a DNS issue since in the GUI it's pulling the DNS from Comcast. I was thinking that it's not routing from Trust to Untrust.



  • Your trust interface is already in NAT mode, so why are you doing a NAT Src again in the Trust to Untrust policy?

    From the device, are you able to ping any IP on the internet?

    Hope the routing is fine on the device.
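    As an added example (not code from this thread, nor Juniper's own tooling), the script below reads a ScreenOS-style config pasted like the wizard output above and checks the two policy points the replies raise: a DIP pool referenced by a policy must belong to an interface in that policy's egress zone, and policy-based "nat src" is redundant when the ingress interface is already in NAT mode. It also flags the Untrust-to-Trust Any/Any/ANY permit that the wizard config contains, which nobody in the thread comments on, and parses a pasted route table to confirm a default route exists. The config and route table embedded in it are constructed samples modelled on the thread's paste (curly quotes straightened), and the parser only understands the few "set interface" and "set policy" forms shown there.

```python
import re

# Constructed sample, modelled on the wizard-generated ScreenOS config in the thread.
SAMPLE_CONFIG = """\
set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust"
set interface trust ip 192.168.2.1/24
set interface trust nat
set interface untrust ip 67.170.189.130/22
set interface untrust route
set interface trust dip 4 192.168.2.10 192.168.2.100
set policy id 3 from "Untrust" to "Trust" "Any" "Any" "ANY" nat src dip-id 4 permit
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" nat src dip-id 4 permit traffic gbw 10000 priority 7 mbw 10000
"""

# Constructed route table in the column layout of the "get route" paste in the thread.
SAMPLE_ROUTES = """\
IP/Netmask      Gateway   Interface  Protocol  Metric  Vsys
192.168.2.0/24  0.0.0.0   trust      C         0       Root
10.0.0.0/24     0.0.0.0   untrust    C         0       Root
0.0.0.0/0       10.0.0.1  untrust    C         1       Root
"""


def parse_config(text):
    """Extract interface zones, interface modes, DIP pool owners and policies."""
    zone_of = {}    # interface -> zone
    mode_of = {}    # interface -> "nat" | "route"
    dip_iface = {}  # dip id -> interface that owns the pool
    policies = []
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'set interface "?([\w-]+)"? zone "?([\w-]+)"?$', line)
        if m:
            zone_of[m.group(1)] = m.group(2)
            continue
        m = re.match(r'set interface ([\w-]+) (nat|route)$', line)
        if m:
            mode_of[m.group(1)] = m.group(2)
            continue
        m = re.match(r'set interface ([\w-]+) dip (\d+) ', line)
        if m:
            dip_iface[int(m.group(2))] = m.group(1)
            continue
        m = re.match(r'set policy id (\d+) from\s+"?([\w-]+)"?\s+to\s+"?([\w-]+)"?'
                     r'\s+"?([\w-]+)"?\s+"?([\w-]+)"?\s+"?([\w-]+)"?', line)
        if m:
            dip = re.search(r'dip-id (\d+)', line)
            policies.append({
                "id": int(m.group(1)),
                "from": m.group(2), "to": m.group(3),
                "src": m.group(4), "dst": m.group(5), "svc": m.group(6),
                "nat_src": " nat src" in line,
                "dip": int(dip.group(1)) if dip else None,
                "permit": " permit" in line,
            })
    return zone_of, mode_of, dip_iface, policies


def check_policies(text):
    """Return a list of (policy id, issue) tuples for the checks described above."""
    zone_of, mode_of, dip_iface, policies = parse_config(text)
    ifaces_in = {}
    for iface, zone in zone_of.items():
        ifaces_in.setdefault(zone, set()).add(iface)
    findings = []
    for p in policies:
        # A DIP pool belongs to one interface; it is only usable when that
        # interface is the egress, i.e. sits in the policy's "to" zone.
        if p["dip"] is not None:
            owner = dip_iface.get(p["dip"])
            if owner is None or owner not in ifaces_in.get(p["to"], set()):
                findings.append((p["id"], "dip-not-on-egress"))
        # Interface NAT mode on the ingress already translates the source,
        # so policy-based "nat src" on top of it is redundant.
        if p["nat_src"] and any(mode_of.get(i) == "nat" for i in ifaces_in.get(p["from"], set())):
            findings.append((p["id"], "nat-src-redundant"))
        # Additional check: an unrestricted inbound permit from the untrusted side.
        if (p["permit"] and p["from"] == "Untrust" and p["to"] == "Trust"
                and (p["src"], p["dst"], p["svc"]) == ("Any", "Any", "ANY")):
            findings.append((p["id"], "inbound-permit-any"))
    return findings


def default_route(text):
    """Return (gateway, interface) of the 0.0.0.0/0 entry, or None if there is none."""
    for line in text.splitlines():
        cols = line.split()
        if len(cols) >= 3 and cols[0] == "0.0.0.0/0" and cols[1] != "0.0.0.0":
            return cols[1], cols[2]
    return None


if __name__ == "__main__":
    for pid, issue in check_policies(SAMPLE_CONFIG):
        print(f"policy {pid}: {issue}")
    print("default route:", default_route(SAMPLE_ROUTES))
```

    Run against the sample, policy 1 is reported for both the misplaced DIP and the redundant source NAT, policy 3 for the open inbound permit, and the route table shows a default route via 10.0.0.1 on untrust, which is why "it's like I have no gateway" is a DNS symptom rather than a routing one.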

