09-03-2008 03:26 PM
I've been using my 5GTs and NS25 connected to each other with VPN tunnels over DSL for years.
Now I've been mandated to switch over to a Metro Ethernet setup instead of DSL. Now instead of having a direct internet connection everywhere, the 5GT will connect to the NS25 over the Metro Ethernet and then out to the internet from there.
I could really use some help in getting it configured though.
My biggest confusion is on the remote, 5GT side. Should my Metro Ethernet be plugged into the Untrust port? I feel like it's no longer untrusted because it's no longer on the internet, but I can't change the port to Trusted either. Do I have to setup a VLAN to get them to talk to each other?
I could use all the advice someone has to offer.
09-03-2008 03:42 PM
You can use the untrust interface, it is just a name. As it is on a network that you trust now you can have a rule from untrust to trust any any any permit to allow all traffic into the 5GT site from the metro network. If you want you can still use the policies to have some control which might be of benefit.
Put an IP address on the untrust interface that you need to use for the metro network and then a default route to the next hop router.
Do you still need to be doing NAT on the firewall? If not then change the trust interface into route mode, you will need to make sure that everything else in the metro network can route to the 5gt untrust interface for the network at the 5gt site.
Let me know if this isn't what you are trying to achieve. Might be helpful to post a diagram of setup and ip addressing you are trying to achieve.
09-03-2008 04:36 PM - edited 09-03-2008 04:39 PM
Andy, thanks for the quick response.
I have limited access to my drawing tools, so I'm a little embarrassed to even post this... but see attached for a quick diagram.
I added the default route to the 5GT remote side.
I've only used the NAT mode before, so I'm not sure all of what would be involved in switching to the Route mode.
Does my diagram jive with what you were thinking?
09-03-2008 04:49 PM
No problem with the diagram, if it can get the info across then it's all good
So you would want to set the untrust ip for the 5gt with the address of 192.168.179.3 and a default route to the NS25 ip of 192.168.179.2.
Change the trust interface on the 5gt to Route mode 'set int trust route' or via the Webui under the interface settings
On the NS25 you will need to create a route for 10.56.151.0 network via eth2 gate 192.168.179.3.
Create a policy on the NS25 that allows traffic from the metro ethernet network to the internet. If the eth2 is in a custom zone you will need to turn NAT-Src on, on the policy; to do this go into the Advanced section of the policy and select NAT-src with egress ip.
You will need to add routes on each firewall for all the other networks in the metro ethernet network, if you have a lot of networks you might want to look at running something like ospf to learn all the networks dynamically.
Give that a go and see if you have any luck.
09-03-2008 05:46 PM
Still no luck. Here are (what I think are) the relevant config lines from each side. See anything missing?
set interface "untrust" zone "Untrust"
set interface untrust ip 192.168.179.3/28
set interface untrust route
set interface untrust gateway 192.168.179.2
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set policy id 2 from "Untrust" to "Trust" "Any" "Any" "ANY" permit
set route 192.168.101.0/24 interface untrust preference 20
set interface "ethernet2" zone "Trust"
set interface ethernet2 ip 192.168.179.2/28
set interface ethernet2 route
set route 10.56.151.0/24 interface ethernet2 gateway 192.168.179.3 preference 20
09-03-2008 05:58 PM
1) are you missing the gateway IP address of the NS25 for this route entry on the 5GT?
set route 192.168.101.0/24 interface untrust preference 20
2) If you ping from the NS25 is it able to ping untrust interface of the 5GT??? make sure you have ping turned on for that interface on the 5GT
3) If you ping from the NS25 can you ping the trust interface of the 5GT???
4) Can the 5gt ping the ip address of the NS25 use the command 'ping 192.168.179.2 from trust' ???
If we can get connectivity working between the networks working fine then we can get the internet working.
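The checks Andy is walking through (do the policy zones exist, does every static route have a next hop, is the gateway on the same subnet as the interface) can be run mechanically over a pasted ScreenOS fragment before touching the box. The small checker below is an added example, not code from the thread or from Juniper; it parses only the `set interface`, `set policy` and `set route` forms that appear in the posted configs, and the set of predefined zones and the sample text (the 5GT fragment with the "Unrust" typo left in) are constructed assumptions.

```python
import ipaddress
import shlex

# Constructed sample: the 5GT fragment as posted, typo included, so the checker flags it.
SAMPLE_5GT = """
set interface "untrust" zone "Untrust"
set interface untrust ip 192.168.179.3/28
set interface untrust route
set interface untrust gateway 192.168.179.2
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set policy id 2 from "Unrust" to "Trust" "Any" "Any" "ANY" permit
set route 192.168.101.0/24 interface untrust preference 20
"""

BUILTIN_ZONES = {"Trust", "Untrust", "DMZ", "Global"}  # assumed predefined zones

def lint_screenos(config):
    """Return findings on zone/route/gateway consistency for a ScreenOS 'set' fragment."""
    zones = set(BUILTIN_ZONES)
    iface_ip = {}   # interface -> ipaddress.ip_interface (address + mask)
    iface_gw = {}   # interface -> default gateway address
    findings = []
    lines = [shlex.split(l) for l in config.splitlines() if l.strip()]
    # Pass 1: collect interfaces, zones, addresses and per-interface gateways.
    for tok in lines:
        if tok[:2] != ["set", "interface"]:
            continue
        if "zone" in tok:
            zones.add(tok[tok.index("zone") + 1])
        elif "ip" in tok:
            iface_ip[tok[2]] = ipaddress.ip_interface(tok[tok.index("ip") + 1])
        elif "gateway" in tok:
            iface_gw[tok[2]] = ipaddress.ip_address(tok[tok.index("gateway") + 1])
    # Pass 2: policies must reference known zones; routes need an explicit gateway
    # or an interface that carries a default gateway.
    for tok in lines:
        if tok[:2] == ["set", "policy"]:
            for z in (tok[tok.index("from") + 1], tok[tok.index("to") + 1]):
                if z not in zones:
                    findings.append(f"policy id {tok[3]}: unknown zone '{z}'")
        elif tok[:2] == ["set", "route"]:
            iface = tok[tok.index("interface") + 1] if "interface" in tok else None
            if "gateway" not in tok and iface not in iface_gw:
                findings.append(f"route {tok[2]}: no gateway and interface {iface} has no default gateway")
    # The interface's gateway must sit inside the interface's own subnet.
    for iface, gw in iface_gw.items():
        if iface in iface_ip and gw not in iface_ip[iface].network:
            findings.append(f"interface {iface}: gateway {gw} not in {iface_ip[iface].network}")
    return findings
```

Run against the posted 5GT fragment it reports only the policy zone typo; the interface-level default gateway satisfies the route check, which matches what the WebUI showed.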
09-03-2008 06:28 PM
1. It won't let you specify the 192.168.179.2 address as the default route because it's the same as the untrust interface IP. However, in the WebUI it shows 192.168.179.2 as the gateway for that route nonetheless.
2&3. Ping is turned on, but the NS25 can't get to either trust or untrust IPs of the 5GT
4. The 5GT can't ping any of the other NS25 side either.
I'm beginning to think it's now configured correctly, but something is wrong with the provider's side. They're supposed to be calling me back soon...
09-03-2008 06:37 PM
Get the connectivity checked, you can also do a debug on the firewall to see if the traffic is getting to the firewall from the other firewall.
To find out how to do a debug, have a look at my post at the top of the Firewall Topic section.
09-03-2008 06:44 PM
The only thing I will toss in here is to check with your provider to see if they require the hard coding of the duplex and speed on the interface. I have a metro ethernet Internet connection in our Australia office and we had issues getting it connected until we matched the speed and duplex settings. They deployed it by dropping a fiber connection, and then they handed off copper with a media converter. We have Metro Ethernet going into a SSG20 and it works just fine.
**If this worked for you please flag my post as an Accepted Solution so others can benefit.**
09-03-2008 09:43 PM
Shadow, thanks for the advice, I checked into that as well.
However, there were some provider issues in the mix it seems. Now that they are corrected I have full connectivity between the two LANs.
Andy, your advice was invaluable. Here's what I took from you to get it working:
1. Add the default route to the 5GT
2. Add the route with the default gateway to the NS25
3. Change the policy on the NS25 to NAT Source Translation
Thanks again for all your help.