Hi all
I hope someone can help. I have 2 problems that I hope someone can
point me in the right direction with. I will try and outline the way
the network is set up and what I am trying to achieve.
The Netscreen is configured as a transparent firewall.
Networks on the LAN - 192.168.100.0/24 (Server subnet) &
192.168.26.0/24 (Client subnet)
Current setup:
Internet --> Public IP (Static) on a Dialer i/f --> ROUTER (Cisco 837)
--> 837 Ethernet0 192.168.100.7 (NAT'd) --> Netscreen25 --> Cisco 3750
LAN

I have a default route on the 3750 that points to 192.168.100.37, which
is a Cisco PIX 515e.
For redundancy I want to be able to change this default route to
192.168.100.7, which would then redirect all internet traffic out the
alternate / backup Internet link as shown above.
From my 192.168.100.0 subnet I have no problems pinging the ethernet
interface of the router through the Netscreen.
I cannot ping this though from the 192.168.26.0 subnet; of course I can
ping everything else in the 192.168.200.0 subnet!
On my 3750 I have set a static route for some obscure website, and from
the 192.168.100.0 subnet I can access it, so I know that it basically
works. This doesn't work however from the 192.168.26.0 subnet; of
course if I can't even ping it I wouldn't expect it to work.

Another problem I have seen, and I am unsure if this is a result of
adding static routes on the Netscreen to the 192.168.26.0 subnet, is
that one server in particular became inaccessible.
I could ping it from VLAN26 on the 3750 but not from workstations on
the 192.168.26.0 subnet.
It seems to create either a routing loop or somehow poisons the ARP
cache.

Here is the 837 Config
Current configuration : 2080 bytes
!
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log uptime
service password-encryption
no service dhcp
!
hostname aff_837
!
logging queue-limit 100
logging buffered 4096 debugging
enable password 7 105C061616031719
!
clock timezone AEST 8
ip subnet-zero
no ip source-route
ip domain name affoods.com.au
ip name-server 203.161.127.1
ip name-server 203.153.224.42
!
no ip bootp server
ip audit notify log
ip audit po max-events 100
vpdn enable
!
no ftp-server write-enable
!
interface Null0
no ip unreachables
!
interface Ethernet0
ip address 192.168.100.7 255.255.255.0
ip nat inside
ip tcp adjust-mss 1452
hold-queue 100 out
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
pppoe-client dial-pool-number 1
!
dsl operating-mode auto
!
interface Dialer1
description Amcom VPN
mtu 1492
ip address negotiated
no ip unreachables
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname xxxxx
ppp chap password xxxxx
!
ip nat inside source list 23 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
access-list 2 remark vty access list
access-list 2 permit asubnet
access-list 2 permit asubnet
access-list 2 permit asubnet
access-list 5 permit any
access-list 23 permit 192.168.100.0 0.0.0.255
access-list 23 permit 192.168.26.0 0.0.0.255
dialer-list 1 protocol ip permit
route-map clear-df permit 10
match ip address 5
set ip df 0
!
snmp-server community public RW
snmp-server community private RO
snmp-server location AFF Balcatta
snmp-server contact AFF IT Dept
snmp-server system-shutdown
snmp-server enable traps tty
!
line con 0
exec-timeout 60 0
no modem enable
stopbits 1
line aux 0
stopbits 1
line vty 0 4
access-class 2 in
exec-timeout 120 0
login local
length 0
!
scheduler max-task-time 5000
!
end

Netscreen Config

Total Config size 3118:
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set clock "timezone" 8
set admin format dos
set admin name "admin"
set admin password passwd
set admin auth timeout 10
set admin auth server "Local"
set log module system level emergency destination console
set log module system level alert destination console
set log module system level critical destination console
set log module system level error destination console
set log module system level warning destination console
unset log module system level emergency destination onesecure
unset log module system level alert destination onesecure
unset log module system level critical destination onesecure
unset log module system level error destination onesecure
unset log module system level warning destination onesecure
unset log module system level notification destination onesecure
unset log module system level information destination onesecure
unset log module system level debugging destination onesecure
set vrouter trust-vr sharable
unset vrouter "trust-vr" auto-route-export
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "DMZ" tcp-rst
set zone "MGT" block
set zone "MGT" tcp-rst
set zone Untrust screen tear-drop
set zone Untrust screen syn-flood
set zone Untrust screen ping-death
set zone Untrust screen ip-filter-src
set zone Untrust screen land
set zone V1-Untrust screen tear-drop
set zone V1-Untrust screen syn-flood
set zone V1-Untrust screen ping-death
set zone V1-Untrust screen ip-filter-src
set zone V1-Untrust screen land
set interface "ethernet1" zone "V1-Trust"
set interface "ethernet2" zone "V1-DMZ"
set interface "ethernet3" zone "V1-Untrust"
set interface vlan1 ip 192.168.100.5/24
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface vlan1 ip manageable
unset interface ethernet1 manage ping
unset interface ethernet1 manage scs
unset interface ethernet1 manage telnet
unset interface ethernet1 manage snmp
unset interface ethernet1 manage global-pro
unset interface ethernet1 manage ssl
unset interface ethernet1 manage web
set interface v1-untrust manage ping
set domain affoods.com.au
set hostname aff_ns25
set ntp server 192.168.100.10
set ntp interval 60
set snmp name "aff_ns25"
set ike policy-checking
set ike respond-bad-spi 1
set ike id-mode subnet
set xauth lifetime 480
set xauth default auth server Local
set policy id 0 name "Created by policy wizard" from "V1-Trust" to "V1-Untrust" "Any" "Any" "ANY" Permit
unset global-pro policy-manager primary outgoing-interface
unset global-pro policy-manager secondary outgoing-interface
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns1 192.168.100.10
set dns host dns2 192.168.100.11
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
exit

Any suggestions on how I can improve this and / or access the
Netscreen from the 192.168.26.0 subnet would be welcome.

If you require any further info, post it or email me
scootyjthompson@gmail.com

Kind regards
Scott
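As an added example (my code, not from the post or from either vendor), here is a small Python audit of the 837 config above. It reads the connected and static routes, the NAT inside ACL and the SNMP communities out of an IOS running-config and checks two things a reviewer would look at: whether every subnet that ACL 23 translates has a route back from the router other than the default (in the posted config 192.168.26.0/24 has none, so the router's own replies to that subnet follow the default route out Dialer1 instead of heading back toward the 3750), and whether any SNMP community is a well-known string or grants RW access. The config text is a constructed excerpt of the post's 837 config containing only the lines the checks need.

```python
import ipaddress
import re

# Constructed excerpt of the Cisco 837 config from the post: only the lines the checks read.
IOS_CONFIG = """\
interface Ethernet0
 ip address 192.168.100.7 255.255.255.0
 ip nat inside
interface Dialer1
 ip address negotiated
 ip nat outside
ip nat inside source list 23 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
access-list 23 permit 192.168.100.0 0.0.0.255
access-list 23 permit 192.168.26.0 0.0.0.255
snmp-server community public RW
snmp-server community private RO
"""

# Community strings every scanner tries first; any RW community is flagged as well.
WELL_KNOWN_COMMUNITIES = {"public", "private"}


def wildcard_to_network(addr, wildcard):
    """IOS ACLs use inverted masks (0.0.0.255 means /24); flip the bits to get a netmask."""
    mask_int = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(mask_int)}", strict=False)


def parse_config(text):
    """Pull routes, NAT ACL membership and SNMP communities out of an IOS running-config."""
    cfg = {"connected": [], "statics": [], "default_route": None,
           "nat_acl": None, "acls": {}, "snmp": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"ip address (\S+) (\S+)", line):
            # Interface with a fixed address: its subnet is a connected route.
            cfg["connected"].append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
        elif m := re.match(r"ip nat inside source list (\S+) ", line):
            cfg["nat_acl"] = m[1]
        elif m := re.match(r"ip route (\S+) (\S+) (\S+)", line):
            net = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
            if net.prefixlen == 0:
                cfg["default_route"] = m[3]
            else:
                cfg["statics"].append(net)
        elif m := re.fullmatch(r"access-list (\S+) permit (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)", line):
            cfg["acls"].setdefault(m[1], []).append(wildcard_to_network(m[2], m[3]))
        elif m := re.match(r"snmp-server community (\S+) (RO|RW)", line):
            cfg["snmp"].append((m[1], m[2]))
    return cfg


def nat_subnets_without_return_route(cfg):
    """Subnets the NAT ACL translates that the router can only reach via its default route.

    Packets from such a subnet are translated and forwarded fine, but the router's own
    replies to it (and anything it must send back) follow the default route out the WAN
    instead of back into the LAN, so pings to the router's inside address fail.
    """
    known = cfg["connected"] + cfg["statics"]
    return [str(net) for net in cfg["acls"].get(cfg["nat_acl"], [])
            if not any(net.subnet_of(k) for k in known)]


def risky_snmp_communities(cfg):
    """Communities that are guessable defaults or grant write access to the device."""
    return [(c, mode) for c, mode in cfg["snmp"]
            if c in WELL_KNOWN_COMMUNITIES or mode == "RW"]


if __name__ == "__main__":
    parsed = parse_config(IOS_CONFIG)
    for net in nat_subnets_without_return_route(parsed):
        print(f"no return route for NAT inside subnet {net} (only default via {parsed['default_route']})")
    for community, mode in risky_snmp_communities(parsed):
        print(f"SNMP community {community!r} is {mode}: well-known string and/or write access")
```

If the first check reports a subnet, the router-side fix is a static route for it pointing at the 3750's address on 192.168.100.0/24, which the post does not give, so it is a placeholder here: `ip route 192.168.26.0 255.255.255.0 <3750-address>`. The SNMP finding is independent of the routing question: a `public` community with RW lets any host that can reach the router over SNMP rewrite its configuration, so it should be removed or replaced with a non-default RO community restricted by an access list.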