Need Advice on NetScreen 5xP - Network


Thread: Need Advice on NetScreen 5xP

  1. Need Advice on NetScreen 5xP

    I'm using a NetScreen 5xP with a WIN2000 Pro Server with cable internet
    access. Been having some issues with loss of signal and cable company today
    came out and re-strung a new line to the building and a replacement modem.

    Could NOT get data flow after the new modem was installed. I could connect
    the new modem directly to a laptop and connection was possible. Put that
    same modem on the router no connection. I finally wound up putting the
    'original' modem back on line and had immediate connectivity. The
    router/firewall is apparently tied into the MAC (?) on modem A? How do I
    change this?
    My config settings are:
    Remote Management Console
    login: administrator
    password:
    ns5xp-> get config
    Total Config size 3416:
    set clock timezone -5
    set vrouter trust-vr sharable
    unset vrouter "trust-vr" auto-route-export
    set service "ICA" protocol tcp src-port 1024-65535 dst-port 1494-1494
    set service "ICA Browser" protocol udp src-port 1024-65535 dst-port 1604-1604
    set service "RDP" protocol tcp src-port 1024-65535 dst-port 3389-3389
    set auth-server "Local" id 0
    set auth-server "Local" server-name "Local"
    set auth-server "DefL2TPAuthServer" id 1
    set auth-server "DefL2TPAuthServer" account-type l2tp
    set auth default auth server "Local"
    set admin name "administrator"
    set admin password "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
    set admin mail alert
    set admin mail server-name "mail.cpcaa.net"
    set admin mail mail-addr1 "xxxxxxxxxx.net"
    set admin mail mail-addr2 "xxxxxxxxx.net"
    set admin mail traffic-log
    set admin auth timeout 10
    set admin auth server "Local"
    set admin format dos
    --- more ---
    set zone "Trust" vrouter "trust-vr"
    set zone "Untrust" vrouter "trust-vr"
    set zone "VLAN" vrouter "trust-vr"
    set zone "Trust" tcp-rst
    set zone "Untrust" block
    unset zone "Untrust" tcp-rst
    set zone "MGT" block
    set zone "VLAN" block
    set zone "VLAN" tcp-rst
    set zone "Untrust" screen tear-drop
    set zone "Untrust" screen syn-flood
    set zone "Untrust" screen ip-spoofing
    set zone "Untrust" screen ping-death
    set zone "Untrust" screen ip-filter-src
    set zone "Untrust" screen land
    set zone "V1-Untrust" screen tear-drop
    set zone "V1-Untrust" screen syn-flood
    set zone "V1-Untrust" screen ip-spoofing
    set zone "V1-Untrust" screen ping-death
    set zone "V1-Untrust" screen ip-filter-src
    set zone "V1-Untrust" screen land
    set zone "Untrust" screen ip-sweep threshold 30000
    --- more ---
    set zone "V1-Untrust" screen ip-sweep threshold 30000
    set interface "trust" zone "Trust"
    set interface "untrust" zone "Untrust"
    unset interface vlan1 ip
    set interface trust ip 192.168.0.1/24
    set interface trust nat
    set interface untrust ip xxx.xxx.xxx.xxx/xx
    set interface untrust route
    set interface untrust gateway xxx.xxx.xxx.xxx
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip
    set interface trust ip manageable
    set interface untrust ip manageable
    set interface untrust manage ping
    set interface untrust manage telnet
    set interface untrust manage web
    set interface untrust vip untrust 1494 "ICA" 192.168.0.20
    set interface untrust vip untrust 3389 "RDP" 192.168.0.10
    set interface trust dhcp server service
    set interface trust dhcp server auto
    set interface trust dhcp server option gateway 192.168.1.1
    set interface trust dhcp server option netmask 255.255.255.0
    --- more ---
    set interface trust dhcp server ip 192.168.1.33 to 192.168.1.126
    set flow tcp-mss
    set hostname ns5xp
    set address "Trust" "XXXXX Network" 192.168.0.0 255.255.255.0
    set ike respond-bad-spi 1
    set pki authority default scep mode "auto"
    set pki x509 default cert-path partial
    set policy id 0 from "Trust" to "Untrust" "Any" "Any" "ANY" permit log count
    set policy id 1 from "Untrust" to "Trust" "Any" "VIP::1" "ICA" permit log count
    set policy id 3 from "Untrust" to "Trust" "Any" "VIP::1" "ICA Browser" permit log count
    set policy id 4 from "Untrust" to "Trust" "Any" "VIP::1" "RDP" permit log count
    set ssh version v2
    set config lock timeout 5
    set snmp name "ns5xp"
    set snmp port listen 161
    set snmp port trap 162
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset add-default-route
    exit
    ns5xp->



  2. Re: Need Advice on NetScreen 5xP


    "vanHelsing" wrote in message
    news:10i78hil2874741@corp.supernews.com...
    > I'm using a NetScreen 5xP with a WIN2000 Pro Server with cable internet
    > access. Been having some issues with loss of signal and cable company today
    > came out and re-strung a new line to the building and a replacement modem.
    >
    > Could NOT get data flow after the new modem was installed. I could connect
    > the new modem directly to a laptop and connection was possible. Put that
    > same modem on the router no connection. I finally wound up putting the
    > 'original' modem back on line and had immediate connectivity. The
    > router/firewall is apparently tied into the MAC (?) on modem A? How do I
    > change this?


    There is no way to permanently tell the NS about a specific MAC on the
    modem. But if you didn't power cycle the unit it could still have an arp
    entry for that IP at the other modem MAC. So when you plug in the new
    modem, do a "get arp" at the command line and you'll see the entry. If it's
    not the right MAC, do a "clear arp" and it will relearn it with the new one
    as soon as data tries to flow. Since you appear to have a static untrusted
    IP config, the bad arp entry could cause your issue, whereas if you had PPPoE
    that couldn't happen.

    -Russ.




  3. Re: Need Advice on NetScreen 5xP

    thank you....I did power cycle the unit and the modem....a couple of times
    each....but I will try command line process


    "Somebody" wrote in message
    news:A92Vc.51615$vO1.266383@nnrp1.uunet.ca...
    >
    > "vanHelsing" wrote in message
    > news:10i78hil2874741@corp.supernews.com...
    > > I'm using a NetScreen 5xP with a WIN2000 Pro Server with cable internet
    > > access. Been having some issues with loss of signal and cable company today
    > > came out and re-strung a new line to the building and a replacement modem.
    > >
    > > Could NOT get data flow after the new modem was installed. I could connect
    > > the new modem directly to a laptop and connection was possible. Put that
    > > same modem on the router no connection. I finally wound up putting the
    > > 'original' modem back on line and had immediate connectivity. The
    > > router/firewall is apparently tied into the MAC (?) on modem A? How do I
    > > change this?
    >
    > There is no way to permanently tell the NS about a specific MAC on the
    > modem. But if you didn't power cycle the unit it could still have an arp
    > entry for that IP at the other modem MAC. So when you plug in the new
    > modem, do a "get arp" at the command line and you'll see the entry. If it's
    > not the right MAC, do a "clear arp" and it will relearn it with the new one
    > as soon as data tries to flow. Since you appear to have a static untrusted
    > IP config, the bad arp entry could cause your issue, whereas if you had PPPoE
    > that couldn't happen.
    >
    > -Russ.





  4. Re: Need Advice on NetScreen 5xP


    "vanHelsing" wrote in message
    news:10ijmujhiq39jfc@corp.supernews.com...
    > thank you....I did power cycle the unit and the modem....a couple of times
    > each....but I will try command line process


    If you power cycled it, it won't help to flush arps.

    When your PC connects through the modem, observe the network parameters.
    Then connect your pc to the old modem and observe the network parameters.
    Now try each on the NS and check out the untrust interface properties for
    each. Look for discrepancies between how the pc talks to the new modem and
    how the NS talks to the new modem. I suspect a different network or DHCP
    setup on the new modem vs a static setup on the NS that works for the old
    but not the new. Guessing still given limited info, but that's a start.

    -Russ.
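
The comparison suggested in the last reply, as an added example that is not part of the original thread: it reads the static untrust settings from `set interface` lines like those in the posted config and checks them against the address, mask and gateway a PC obtained when plugged straight into a modem. All addresses are constructed (the thread masks the real ones), and the finding codes are names chosen for this example.

```python
import ipaddress
import re

# Constructed sample: the thread masks the real untrust values (xxx.xxx.xxx.xxx),
# so RFC 5737 documentation addresses stand in for them.
NS_CONFIG = """\
set interface untrust ip 192.0.2.10/24
set interface untrust route
set interface untrust gateway 192.0.2.1
set interface untrust ip manageable
"""


def parse_untrust(config):
    """Return (interface, gateway) from the static 'set interface untrust' lines."""
    ip = re.search(r"^\s*set interface untrust ip (\S+/\d+)\s*$", config, re.M)
    gw = re.search(r"^\s*set interface untrust gateway (\S+)\s*$", config, re.M)
    if not ip or not gw:
        raise ValueError("no static untrust ip/gateway found in config")
    return ipaddress.ip_interface(ip.group(1)), ipaddress.ip_address(gw.group(1))


def compare(config, pc_ip, pc_mask, pc_gw):
    """Compare the firewall's static untrust setup with what a PC obtained
    from a modem. Returns a list of (code, detail) discrepancies."""
    iface, gw = parse_untrust(config)
    pc = ipaddress.ip_interface(f"{pc_ip}/{pc_mask}")
    pc_gateway = ipaddress.ip_address(pc_gw)
    findings = []
    if gw not in iface.network:
        findings.append(("gateway-off-link", f"{gw} is outside {iface.network}"))
    if iface.network != pc.network:
        findings.append(("subnet-mismatch",
                         f"firewall is on {iface.network}, modem serves {pc.network}"))
    if gw != pc_gateway:
        findings.append(("gateway-mismatch",
                         f"firewall uses {gw}, modem hands out {pc_gateway}"))
    return findings


if __name__ == "__main__":
    # Constructed lease values observed on the PC behind each modem.
    leases = {"old modem": ("192.0.2.50", "255.255.255.0", "192.0.2.1"),
              "new modem": ("192.168.100.10", "255.255.255.0", "192.168.100.1")}
    for name, lease in leases.items():
        print(name, compare(NS_CONFIG, *lease) or "no discrepancies")
```

An empty result for the old modem and subnet or gateway findings for the new one would point to the static untrust configuration no longer matching what the replacement modem serves.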


