Ken,

for admin access through all interfaces, the manage sys-ip should indeed
be 0.0.0.0. Besides the "manage sys-ip" there is also a "manager-ip".
The manager-ip value tells the NS box which source IPs can
make a connection through http, telnet, ssh ... to the box.

In your CLI this should be:

set admin sys-ip 0.0.0.0
set admin manager-ip x.x.x.x x.x.x.x

I think the IP range of your trusted network is in there by default and
you will need to add the external IP from where you need to access the box.
I am not sure if 0.0.0.0 0.0.0.0 should work as a manager-ip and I would not
advise it anyway. Only allow access from fixed (known) IPs.
Of course you will also need to specify which type of remote control you
want on which interface.
Hope this can help you.

Regards,

David
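An added example, not part of David's message or of any NetScreen tooling: a small audit that reads the two admin settings discussed above out of ScreenOS-style "set" lines and flags the weak choices (an any-source manager-ip, clear-text management exposed on the untrusted interface). The config fragments are constructed; "manage web" and "manage telnet" are assumed keyword names, since the thread only mentions "manage scs".

```python
import re
from ipaddress import ip_network

# Constructed ScreenOS-style fragments. "set admin sys-ip", "set admin
# manager-ip" and "set interface untrust manage scs" come from the thread;
# "manage web" / "manage telnet" are assumed keyword names for clear-text
# management and are not confirmed by the thread.
WEAK_CONFIG = """\
set admin sys-ip 0.0.0.0
set admin manager-ip 0.0.0.0 0.0.0.0
set interface untrust manage web
set interface untrust manage scs
"""
HARDENED_CONFIG = """\
set admin sys-ip 0.0.0.0
set admin manager-ip 192.0.2.10 255.255.255.255
set admin manager-ip 10.0.0.0 255.255.255.0
set interface untrust manage scs
"""

MANAGER_RE = re.compile(r"^set admin manager-ip (\S+) (\S+)$")
MANAGE_RE = re.compile(r"^set interface (\S+) manage (\S+)$")
CLEAR_TEXT = {"web", "telnet"}  # assumed names of the unencrypted services


def parse_config(text):
    """Return (list of manager-ip networks, {interface: set(services)})."""
    managers, manage = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := MANAGER_RE.match(line):
            # address + netmask, as in "set admin manager-ip x.x.x.x x.x.x.x"
            managers.append(ip_network(f"{m[1]}/{m[2]}", strict=False))
        elif m := MANAGE_RE.match(line):
            manage.setdefault(m[1], set()).add(m[2])
    return managers, manage


def audit(text):
    """Findings implied by the advice above: any-source manager-ip, and
    clear-text management enabled on the untrusted interface."""
    managers, manage = parse_config(text)
    findings = []
    if any(net.prefixlen == 0 for net in managers):
        findings.append("manager-ip 0.0.0.0 0.0.0.0 admits any source; list known IPs instead")
    for ifname, services in manage.items():
        clear = services & CLEAR_TEXT
        if ifname.startswith("untrust") and clear:
            findings.append(f"{ifname}: clear-text management ({', '.join(sorted(clear))}) enabled; prefer scs")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["ok"])
```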


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of FW-List
Sent: Wednesday, February 13, 2002 15:15
To: 'Firewalls'
Subject: RE: NetScreen 5xp configuration


Unfortunately, due to tight schedules, I had to pass the system on for
installation so, follow up with Netscreen tech support will take place
today.

However, I would love access to further information on Netscreen
configurations.  This is the first one we have purchased (influenced by many
of the recommendations on this list and the need for low cost on this
installation).  So far, my main impression is that the available
documentation needs a lot of help.  The installation guide only covers
topics that are rather self-explanatory, the reference guide doesn't offer
anything more than a two-word definition for a one-word configuration entry,
and their knowledge base is extremely limited.  My prior firewall
recommendations have been Cisco and Checkpoint so I guess I am jaded by the
information available through Phoneboy and TAC.

I am hopeful that their telephone support will be as good as has been
indicated here so that today's installation will be successful, but I am still
annoyed at the lack of readily available configuration information. Live
and learn: grab all the available documents before making a recommendation
for hardware.

Andy - the manage IP is set to 0.0.0.0 but the appliance still drops SSH
connections to the external interface.  As an experiment, I moved it to a
10.x.x.x block and set the untrusted interface to 10.0.0.1 and the manage IP to
10.0.0.2 - works fine.  Set the manage IP back to 0.0.0.0 - NFG.

Regards

Ken

-----Original Message-----
From: Clark, Steve [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 12, 2002 7:20 PM
To: 'FW-List'
Subject: RE: NetScreen 5xp configuration


Have you gotten your issues with the Netscreen resolved - if not, I have a
hack doc on how to configure that you might be interested in.

Steve Clark
Clark Systems Support, LLC
AVIEN Charter Member
"Who's watching your network?"
www.clarksupport.com
        301-610-9584 voice
        240-465-0323 Efax


-----Original Message-----
From: FW-List [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 12, 2002 6:53 PM
To: '[EMAIL PROTECTED]'
Subject: RE: NetScreen 5xp configuration

A little further info - with further logging enabled, I can see the
connections being refused to the external interface.  However, there doesn't
appear to be a method to set a policy for the Firewall itself.

-----Original Message-----
From: FW-List [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 12, 2002 6:02 PM
To: [EMAIL PROTECTED]
Subject: RE: NetScreen 5xp configuration


Hi Andy,

Yes, that's what all the documentation seems to indicate; unfortunately, it
isn't working.  I have even reset back to the factory settings, completed
only the basic configuration, and enabled scs...

Admin-Settings-enable SCS
Interface-Untrusted-Edit-check off SCS

...to no avail.  It still refuses access on the external interface while
allowing it from the trusted side.  Further, through the CLI, the "get
interface" command shows the trust IP address as both the IP address and the
Manage IP.  However, the untrust interface lists the proper IP address and
0.0.0.0 under Manage IP.  If I attempt to set the Manage IP to the untrust
interface address, an error message specifies that it is not allowed.

Very frustrating!

Thanks for your input anyway.

Ken

-----Original Message-----
From: Andy Condliffe [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 12, 2002 5:28 PM
To: FW-List
Subject: Re: NetScreen 5xp configuration


Hi,

You shouldn't need to specify another address; if you tick the "Web-UI" on
the untrusted interface page through the GUI then it will allow management via
the outside interface.  This is all done in clear text (unless you have
configured SSL).  A better option is to use ssh if you must access from the
outside and configure it from the command line.  Again you will need to either
tick the SCS box or issue the command from the command line
(set interface untrust manage scs).

As far as inbound services go, you will need to define services before you
can use them if they are non-standard, though I have done much of this.

Hope this helps.

Andy

FW-List wrote:

> > Hi All,
> >
> > I have a new Netscreen 5xp and could use a little configuration guidance
> > while waiting for a response to my online registration - I haven't been
> > able to find anything definitive in the Installer's guide, through Google
> > searches nor on the Netscreen web site.
> >
> > When installed, the fw will have a static address for the untrusted
> > interface but, only one (that's all the ISP provides).  My first problem
> > is how to enable remote administration?  With the software version
> > installed - 2.6.0r1.4 - the interface demands that the manage ip on the
> > untrusted interface be different than the Static IP (of course I only
> > have the one).  I have verified that using a different address for that
> > value will allow remote management but, is there no way to access that
> > feature with a single external IP?
> >
> > I can upgrade the OS and access Netscreen technical support tomorrow,
> > unfortunately that is when the system is supposed to be installed.  If
> > anyone has a suggestion on how this can be done, I would be very
> > appreciative.
> >
> > Also, any tips on port forwarding non-standard services (i.e. SMTP works
> > but, port 3200 doesn't) to an internal IP address would be helpful.
> > However, as long as I can get remote access, the other configuration
> > issues can be worked through with Netscreen tech support.
> >
> > Thanks in advance
> >
> > Ken Rode
> > [EMAIL PROTECTED]
> >
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls