Posted by Shabam on February 27, 2005, 2:56 am
I have a Netscreen 5GT, and it has ABSOLUTELY the worst documentation I've ever seen...
I'm trying to figure out how to make it do transparent firewalling, for some web servers I have at a data center. I don't need any NAT as all servers have public IPs.
I read this post:
http://groups-beta.google.com/group/comp.security.firewalls/browse_thread/thread/ea119ba2b2a29bc1/d3acf156d7f9069d?q=netscreen+5gt+transparent&_done=%2Fgroups%3Fq%3Dnetscreen+5gt+transparent%26hl%3Den%26lr%3Dlang_en%26c2coff%3D1%26safe%3Doff%26rls%3DGGLD,GGLD:2003-52,GGLD:en%26sa%3DN%26tab%3Dwg%26&_doneTitle=Back+to+Search&&d#d3acf156d7f9069d
Which says:
You need to install your NetScreen in Transparent L2 mode.
1. set int vlan1 ip x.x.x.x/yy (use a spare address on your LAN; this is the address you will manage the firewall with)
2. unset int trust ip
3. set int trust zone v1-trust
4. set int untrust zone v1-untrust
5. setup policies allowing traffic, e.g. set policy from v1-trust to v1-untrust any any any permit.
6. setup a default route if you need one: set route 0.0.0.0/0 int vlan1 gate x.x.x.x
7. save the config from RAM to Flash: "SAVE"
However I'm stuck here because after doing step 5, I rebooted the firewall and now I can't manage it via the web interface anymore. I did set the vlan1's IP to 192.168.0.10/24, but still I can't get to it. It was working prior to the reboot. Any ideas how to enable it again?
Also, I tried connecting the incoming data cable to the untrust interface, and trust 1 to my internal switch (which the web servers are attached to). However nothing passes through and traffic isn't routed. I didn't do step #6 because I didn't know what that was for. Help?
Posted by Munpe Q on February 27, 2005, 10:56 am
Step 6 is so that your vlan1 management interface knows how to route traffic for management only. You set the vlan1 management IP to 192.168.0.10, but if your servers have public addresses and if they don't know how to get to 192.168.0.10 (using static routes or other means), it will never reach your firewall for management (review RFC 1918). I believe, based on your description, that you have a simple configuration problem by not applying a routable address to your firewall (same subnet as your webservers) or your servers don't know how to get to it. Also check your admin settings (get admin), checking for management IPs, UI port assignments, etc. If you don't plan on managing the firewall remotely (unlikely) then #6 isn't required, but you will have to do that once you fix your IP problem.
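The reachability reasoning in the reply above (is the vlan1 management address on the same subnet as the hosts that must reach it, is it an RFC 1918 address while the servers are public, and does the step-6 default route have an on-link gateway) can be written down as a pre-flight check. This is an added example, not code from either poster or from ScreenOS; the server and gateway addresses below are constructed from documentation ranges, and the function name check_management_plan is an assumption of this example.

```python
import ipaddress

# RFC 1918 private ranges, which the reply above points the original poster to.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    """True if the address falls inside one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(str(ip))
    return any(addr in net for net in RFC1918)


def check_management_plan(vlan1_cidr, server_ips, gateway=None):
    """Check whether hosts can reach a transparent-mode firewall's vlan1 management address.

    vlan1_cidr: the address assigned with 'set int vlan1 ip x.x.x.x/yy' (step 1).
    server_ips: hosts that must reach the management address.
    gateway:    the 'gate x.x.x.x' of the step-6 default route, or None if no route was set.

    Returns a dict of findings; 'ok' is True only when no issue was found.
    """
    mgmt = ipaddress.ip_interface(vlan1_cidr)
    findings = {"on_link": [], "needs_route": [], "issues": []}

    # A private vlan1 address cannot be reached back from hosts on a public subnet
    # unless something routes the private range, which is the poster's situation.
    if is_rfc1918(mgmt.ip) and any(not is_rfc1918(s) for s in server_ips):
        findings["issues"].append(
            "vlan1 address is RFC 1918 but servers use public addresses; "
            "replies to management traffic have no return path")

    # Hosts inside the vlan1 subnet talk to the firewall directly (ARP, no route needed);
    # everything else must go through the default route of step 6.
    for s in server_ips:
        if ipaddress.ip_address(s) in mgmt.network:
            findings["on_link"].append(s)
        else:
            findings["needs_route"].append(s)

    if gateway is None:
        if findings["needs_route"]:
            findings["issues"].append(
                "off-link hosts present but no default route on vlan1 (step 6 skipped)")
    else:
        gw = ipaddress.ip_address(gateway)
        # 'set route 0.0.0.0/0 int vlan1 gate x.x.x.x' only works if the gateway
        # is itself reachable on the vlan1 subnet.
        if gw not in mgmt.network:
            findings["issues"].append(
                f"default-route gateway {gateway} is not on the vlan1 subnet {mgmt.network}")

    findings["ok"] = not findings["issues"]
    return findings


if __name__ == "__main__":
    # Constructed addresses: the poster's 192.168.0.10/24 against public web servers.
    print(check_management_plan("192.168.0.10/24", ["203.0.113.10", "203.0.113.11"]))
    # The fix the reply suggests: a spare address on the servers' own subnet plus an on-link gateway.
    print(check_management_plan("203.0.113.2/24", ["203.0.113.10"], gateway="203.0.113.1"))
```

The first call reproduces the thread's failure (private management address, no step-6 route); the second shows the configuration the reply recommends passing cleanly.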