Hi Devon,

Don't set the system ip address to be on the public/untrusted interface.
Routing will be easier the way you have it. 

The reason you can't connect from the untrusted network to the trusted
interface is because you have a firewall policy that is preventing you (no
mip) - and that is a good thing.  If you need web admin access from the
public/untrusted side short-term - just set telnet and/or web access on the
untrusted interface (check boxes in the gui - interface page) or via cli.
As a long-term solution I would only use ssh to the untrusted side, or
create a vpn tunnel (with nsremote, or another ipsec client) and come in to
the trusted interface.

Hope that helps.  Let me know if you still are having trouble.

cheers.byron

-----Original Message-----
From: Devon True [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 19, 2001 5:32 PM
To: [EMAIL PROTECTED]
Subject: Netscreen 5: Access to System IP with NAT Mode from untrusted side


All:

We have a Netscreen 5 in NAT mode. The untrusted interface is 10.10.10.1 
(changed to protect the innocent) and the trusted interface is 
192.168.1.254. The system IP is also 192.168.1.254.

If I am on the trusted side, I can web/telnet to 192.168.1.254. However, if 
I am on the untrusted side, I cannot browse to 192.168.1.254 due to it not 
being in the routing table. I could go to any 10.10.10.0/24 addresses since 
that is in the routing table.

Is it possible for me to map the 10.10.10.1 address to 192.168.1.254 so that 
I can configure the Netscreen from the untrusted side? I have tried several 
things, but everything fails.

Another question is, what are the constraints on the system IP address? Does 
it have to exist in the trusted interface's IP network? Or can it be an IP 
from the untrusted interface's network?

Thanks for your help!

Devon

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls