Posted by on June 1, 2005, 9:15 am
Hi,
I'm trying to help a friend configure a Netscreen 50 in his small
office LAN. The way they want the setup to work:

Router ---- Netscreen 50 ----- Internal networks
            [transparent]      10.0.1.0/24
            [l2 mode   ]       10.0.12.0/24
                               10.0.10.0/24

The router is set up in transparent mode because no renumbering can take
place:
Name   IP Address     Zone        MAC             VLAN  State  VSD
eth1   0.0.0.0/0      Null        0010.dbff.2000  -     D      0
eth2   0.0.0.0/0      V1-Trust    0010.db92.b385  -     U      -
eth3   0.0.0.0/0      V1-Untrust  0010.dbff.2060  -     U      0
eth4   0.0.0.0/0      HA          0010.db92.b387  -     U      -
vlan1  10.0.12.70/24  VLAN        0010.dbff.20f0  1     U      0
Devices on the internal network 10.0.12.0 can see the firewall, but
devices on the other subnets cannot (although they are on the same physical
network). The netscreen can only see devices on 10.0.12.0/24:
===
juns01(M)-> ping 10.0.12.183
Type escape sequence to abort
Sending 5, 100-byte ICMP Echos to 10.0.12.183, timeout is 2 seconds
!!!!!
Success Rate is 100 percent (5/5), round-trip time min/avg/max=1/2/4 ms
juns01(M)-> ping 10.0.1.4
Type escape sequence to abort
Sending 5, 100-byte ICMP Echos to 10.0.1.4, timeout is 2 seconds
......
Success Rate is 0 percent (0/5),
===
... despite the fact that they are on the same bit of wire. I can
ping the management IP from both networks (both are set up to be able to
in 'set admin manager-ip', and the V1-Trust zone and vlan1 both have
'ping' enabled as a management option).
What's wrong here, please? I have tried to set up the routing table to
show that these subnets are on the same network (to no avail):
juns01(M)-> get route
untrust-vr (0 entries)
--------------------------------------------------------------------------------
C - Connected, S - Static, A - Auto-Exported, I - Imported, R - RIP
iB - IBGP, eB - EBGP, O - OSPF, E1 - OSPF external type 1
E2 - OSPF external type 2
trust-vr (4 entries)
--------------------------------------------------------------------------------
   ID IP-Prefix      Interface  Gateway    P  Pref  Mtr  Vsys
--------------------------------------------------------------------------------
*   7 10.0.1.0/24    vlan1      0.0.0.0    S    20    1  Root
*   2 10.0.0.0/8     vlan1      10.0.1.1   S    20    1  Root
*   3 10.0.12.0/24   vlan1      0.0.0.0    C     0    0  Root
*   8 10.0.10.0/24   vlan1      0.0.0.0    S    20    1  Root
In the Cisco world, I would add the other subnets as 'secondary'
addresses on these interfaces, but this does not seem to be an option.
Please help,
BR
AS
Posted by Sintec on June 9, 2005, 12:00 pm
The diagram is slightly confusing. Firstly, the firewall's vlan1
interface has been given a /24 subnet, so unless you specify a
downstream gateway address on the 10.0.12.x network the netscreen will
never be able to ping these addresses.
I.e. route number 2 states a gateway of 10.0.1.1, but the netscreen only
understands 10.0.12.x/24, so it can never reach this gateway.
You could change the netmask on the firewall's vlan1 interface to /16 so
it covers all 10.0.x.x networks.
Delete all the routes you added, as they are incorrect.
Dave Sinclair
http://www.sintecuk.co.uk NetScreen/Juniper Authorised Instructor
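As an added illustration (not part of this thread, and not ScreenOS code), the next-hop check Dave describes can be modelled in a few lines of Python. The model is a deliberate simplification and an assumption of this example: a destination or gateway is treated as deliverable only if it falls inside the subnet configured on the vlan1 interface itself, and policies and the 'ping' management option are assumed to be already in place. The static routes are copied from the 'get route' output above; the sample hosts 10.0.10.5 and 192.168.1.1 are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Simplified model (an assumption for this example): the firewall can only
# ARP for, and therefore deliver to, addresses inside the subnet configured
# on its own vlan1 interface. A route whose next hop lies outside that
# subnet is therefore unusable, which is the point made in the reply above.


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None models 0.0.0.0 (deliver directly)


def route(prefix: str, gateway: str) -> Route:
    """Build a Route; '0.0.0.0' means 'no gateway', as shown by 'get route'."""
    gw = None if gateway == "0.0.0.0" else ipaddress.ip_address(gateway)
    return Route(ipaddress.ip_network(prefix), gw)


# The three static routes from the thread's 'get route' output. The connected
# route for vlan1 is derived from the interface address in reachable().
THREAD_STATIC_ROUTES = [
    route("10.0.1.0/24", "0.0.0.0"),
    route("10.0.0.0/8", "10.0.1.1"),
    route("10.0.10.0/24", "0.0.0.0"),
]


def reachable(vlan1: str, static_routes: List[Route], dst: str) -> Tuple[bool, str]:
    """Return (reachable, reason) for dst given the vlan1 address/mask and static routes."""
    connected = ipaddress.ip_interface(vlan1).network   # e.g. 10.0.12.70/24 -> 10.0.12.0/24
    dst_ip = ipaddress.ip_address(dst)
    table = list(static_routes) + [Route(connected, None)]

    candidates = [r for r in table if dst_ip in r.prefix]
    if not candidates:
        return False, f"{dst}: no route"
    best = max(candidates, key=lambda r: r.prefix.prefixlen)   # longest-prefix match
    next_hop = best.gateway if best.gateway is not None else dst_ip
    if next_hop in connected:
        return True, f"{dst}: via {best.prefix}, next hop {next_hop} is on-link ({connected})"
    return False, f"{dst}: via {best.prefix}, next hop {next_hop} is outside {connected}"


if __name__ == "__main__":
    # As posted: vlan1 is 10.0.12.70/24 plus the three static routes.
    for host in ("10.0.12.183", "10.0.1.4", "10.0.10.5"):
        print(reachable("10.0.12.70/24", THREAD_STATIC_ROUTES, host)[1])
    # The suggested fix: widen the mask to /16 and delete the static routes.
    for host in ("10.0.12.183", "10.0.1.4", "10.0.10.5"):
        print(reachable("10.0.12.70/16", [], host)[1])
```

With the posted configuration only 10.0.12.183 comes back reachable: 10.0.1.4 matches route 7 but is not inside 10.0.12.0/24, and the /8 route's gateway 10.0.1.1 fails the same check. With vlan1 widened to /16 and the static routes removed, the connected route alone covers all three subnets.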