Archived from groups: comp.security.firewalls (More info?)
Hi all
Can any one of your router gurus tell me how to set up my router so
it NATs everything from the outside world (untrusted) on port 80 to an
IP address in a trusted zone, like 192.168.1.x?
Could you please tell it in a way that I can understand it (30 years old
but thinks like a 3 year old)? I have read all the manuals that I
could find, but it only made me more confused :-)
Thanks
/Johan
"Johan" <johan@utel.dk> wrote in message
news:cba31edf.0406100625.52c0f5de@posting.google.com...
> Hi all
> Can any one of your router gurus tell me how to set up my router so
> it NATs everything from the outside world (untrusted) on port 80 to an
> IP address in a trusted zone, like 192.168.1.x?
> Could you please tell it in a way that I can understand it (30 years old
> but thinks like a 3 year old)? I have read all the manuals that I
> could find, but it only made me more confused :-)
> Thanks
> /Johan
First, do you have NAT working on the Trust side? You can do this in two
ways, in one you place the interface into "NAT" mode, and in the other you
have it perform "policy based NAT" where you turn it on via policy
configuration. Let's just go with the interface version. These instructions
are for ScreenOS 5.0, but should be close for prior versions as well. Click
on Network | Interfaces and then Edit for the Trust interface. In the middle
of Basic properties page, you should see "Interface Mode", select NAT and
hit OK. Now all of your trust to untrust traffic should get NAT'ed as it
goes out.
Now, we have to configure the 5GT so that the incoming port 80 traffic goes
to a specific machine. I will assume that you have only one public IP that
you are receiving incoming traffic on. Click on Network | Interfaces and
Edit for the Untrust interface. You will want to create a Virtual IP (or
VIP) for the untrust interface, so now click on VIP at the top of the page
on the line headed Properties. On this page it should say something like
"Add / Modify VIP Entry". Underneath, click the "Same as untrusted interface
IP address" if the incoming port 80 traffic is going to just your single
public IP address (which should already be the IP assigned to your untrust
interface) or you could choose the other option and put in an IP address for
more complicated scenarios. Then click Add. Once you do that, the VIP
properties page should show an entry for your public IP address under the
VIP column, and nothing under the "VIP Services" column. So, now click on
the "New VIP Service" button at the top right of the page. Leave the Virtual
IP as it is, enter "80" as the Virtual Port, click on HTTP (80) as the "Map
to Service" and then enter your private IP (e.g., 192.168.1.x) on the "Map to
IP" line. You can enable or disable the "Server Auto Detection" feature as
you see fit. Click on OK.
Once you have a VIP, then you have to create a policy to allow it in. Click
on Policies. Select From | Untrust, To | Trust, and hit the New button.
Leave Source as Any, put Destination as Address Book Entry and find your new
VIP in the drop down list. Put Service as HTTP. And Action as Permit. Then
hit OK. You should now have a permit policy for HTTP traffic to your VIP.
Sorry for the length of the post. This is about as simple as I can make it.
There are gotchas along the way and there are certain things I have assumed.
But if you run into problems just post again. You will have to have a static
IP assigned to the untrust interface or else I don't even believe that the
device will let you configure a VIP on that address. It might, but then you
would have to worry about doing some sort of Dynamic DNS scenario. I do not
believe that the 5GT supports any sort of Dynamic DNS providers with a
built-in updater client, so DynDNS isn't really an option anyway.
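The answer above describes two independent steps: the VIP on the untrust interface translates the destination (public IP, port 80) to the private web server, and a separate from-Untrust-to-Trust policy must then permit that translated flow. The toy model below, added here as an illustration and not ScreenOS code or anything from the thread, makes that dependency explicit: with the VIP alone, inbound port 80 is still dropped, and ports with no VIP service never reach the trusted zone at all. All addresses, the address-book name "VIP(<ip>)" and the class names are constructed assumptions.

```python
"""Toy model of a VIP (destination NAT) followed by a zone policy lookup.
Constructed illustration; the addresses and names below are assumptions."""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample values (not from the thread).
PUBLIC_IP = "203.0.113.10"      # untrust interface address, also the VIP
WEB_SERVER = "192.168.1.10"     # trusted host that should receive port 80
TRUST_NET = ipaddress.ip_network("192.168.1.0/24")


@dataclass
class VipService:
    virtual_port: int        # port the outside world connects to
    map_to_service: str      # service name the policy must reference, e.g. "HTTP"
    map_to_ip: str           # private address in the trusted zone


@dataclass
class Policy:
    src_zone: str
    dst_zone: str
    dst: str                 # address-book entry, e.g. "VIP(203.0.113.10)"
    service: str             # "HTTP", "ANY", ...
    action: str              # "permit" or "deny"


@dataclass
class Firewall:
    vip_ip: str
    vip_services: dict = field(default_factory=dict)   # virtual port -> VipService
    policies: list = field(default_factory=list)

    def address_book_name(self) -> str:
        # Assumed naming: the VIP appears in the policy's destination drop-down.
        return f"VIP({self.vip_ip})"

    def add_vip_service(self, svc: VipService) -> None:
        if svc.virtual_port in self.vip_services:
            raise ValueError(f"virtual port {svc.virtual_port} already mapped")
        if ipaddress.ip_address(svc.map_to_ip) not in TRUST_NET:
            raise ValueError("map-to IP must be inside the trusted zone")
        self.vip_services[svc.virtual_port] = svc

    def handle_inbound(self, dst_ip: str, dst_port: int) -> tuple:
        """Evaluate a packet arriving from the untrust zone.

        Returns (final destination IP, final port, verdict)."""
        # Step 1: VIP translation. Anything without a VIP service entry is
        # addressed to the firewall itself and is not forwarded inward.
        if dst_ip != self.vip_ip or dst_port not in self.vip_services:
            return (dst_ip, dst_port, "drop: no VIP service")
        svc = self.vip_services[dst_port]
        # Step 2: policy lookup. The policy matches on the VIP address-book
        # entry and the mapped service name, not on the private IP.
        for p in self.policies:
            if (p.src_zone, p.dst_zone) != ("untrust", "trust"):
                continue
            if p.dst != self.address_book_name():
                continue
            if p.service not in (svc.map_to_service, "ANY"):
                continue
            return (svc.map_to_ip, dst_port, p.action)
        return (svc.map_to_ip, dst_port, "drop: no matching policy")


def build_example() -> Firewall:
    """Configure the VIP and the permit policy exactly as the answer lays out."""
    fw = Firewall(PUBLIC_IP)
    fw.add_vip_service(VipService(80, "HTTP", WEB_SERVER))
    fw.policies.append(Policy("untrust", "trust", fw.address_book_name(), "HTTP", "permit"))
    return fw


if __name__ == "__main__":
    fw = build_example()
    print(fw.handle_inbound(PUBLIC_IP, 80))   # reaches 192.168.1.10, permit
    print(fw.handle_inbound(PUBLIC_IP, 22))   # drop: no VIP service
```

Running the script shows the only exposed path is port 80 to the single mapped host; adding the VIP without the policy leaves the translated packet dropped, which is the usual reason a freshly created VIP "does not work".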
Thanks, that did the trick. If you are ever in
Copenhagen (Denmark, Europe) then I'll buy you a beer. Now I just have
to figure out how to set up the antivirus bit. /Johan
Perhaps port 80 is blocked by your ISP?
"chucky" <chucky.19rv90@mail.webservertalk.com> wrote in message
news:475d11a045ed8e38ca65021937fe7f75@news.thenewsgroups.com...
> I have a problem with this setup. While it is easy to set up and I
> understand it, I get a message when I try to set up the new service
> saying
>
> 'Service(port 80) is not available for this VIP' with the Untrusted
> interface IP
>
> Anyone able to help?
> --
> chucky