Screen OS

This is a legacy community with limited Juniper monitoring.

Port Forwarding - seemed too easy

  • 1.  Port Forwarding - seemed too easy

    Posted 11-24-2010 15:19

    Greetings - on a NetScreen NS-5GT with firmware 5.3.0r4.0 we have a policy that lets anyone on untrust access a server in the trusted zone via port forwarding.

    I have the policy created with a source address of any and a destination of a public IP that was given by the ISP. They gave us a handful of IPs; one of them I assigned to the firewall's untrust interface, and then I took another IP and set up the mentioned policy.

    The destination is a public IP and provides the services I wish to have access to. I clicked the Advanced button, then checked "Destination Translation", and in the "Translate to IP" field I entered 192.168.2.10 (the IP of the internal server).

    Worked like a champ for about 2 years. Then the location decided to switch ISPs. I simply edited that policy to reflect the new public IPs.

    Now I cannot ping that public IP to access the internal server as mentioned above..

    Any hints or tips to resolve? This seemed straightforward.



  • 2.  RE: Port Forwarding - seemed too easy

    Posted 11-24-2010 16:25

    You should be able to just change the relevant addresses on the interfaces and policies for the change to take effect.

     

    I can think of two possibilities.

     

    1 - Did you install the new default route and remove the old one from routing?

    2 - Your full assignment may not be properly configured on the ISP side. I have run into situations before, especially on DSL lines with static accounts, where the public IP range is not correctly delivered to the site.

     

    • You can test this by removing the firewall and putting your inbound isp cable into a laptop. 
    • Then manually configure all of your public ip addresses one at a time as the static ip of the computer. 
    • Then confirm that you can access the internet.

     



  • 3.  RE: Port Forwarding - seemed too easy

    Posted 11-24-2010 16:32

    DOHH! I think it's number 1.

     

    Can you/anyone provide a refresher on step by step for that?

     

     



  • 4.  RE: Port Forwarding - seemed too easy

    Posted 11-24-2010 16:43

    I don't use version 5 so I'm not sure where they have it in the menu.

     

    In version 6 the path is

     

    Network - Routing - Destination

     

    Just remove the old 0.0.0.0/0 route to the old gateway and install the new one.



  • 5.  RE: Port Forwarding - seemed too easy

    Posted 11-24-2010 16:49

    That was too easy.. yes, it was located in the same spot. I added that route and it's active, but still no reply from a ping; yes, the ICMP-ANY service is also added.. 😞 Seems so close but yet so far away.

     



  • 6.  RE: Port Forwarding - seemed too easy

    Posted 11-24-2010 17:47

    Is internet access working from the trust side connections?



  • 7.  RE: Port Forwarding - seemed too easy

    Posted 11-24-2010 17:50

    Yes, internet is working fine from the trust side of the network, and so are the site-to-site VPNs, which are also policy based.

    This seems so simple.. Gosh, it has to be something silly.. I appreciate your replies.



  • 8.  RE: Port Forwarding - seemed too easy

    Posted 11-24-2010 18:15

    Are your public IP assignments all from the same subnet, and in the same subnet as the default route?

    Was this also the case on the original setup?

    If you have one public IP for the interface and a separate range assigned for the servers, the setup is different than if a single range is used for both.

    In other words, is the IP assignment of your new ISP in the same "format" as the original one you are using as the template?



  • 9.  RE: Port Forwarding - seemed too easy

    Posted 11-24-2010 18:21

    If I understand you correctly - yes.

    The client went from DSL managed by AT&T to Time Warner Cable. The address scheme is something like this, for example:

    Example:

    75.70.71.75 - 75.70.71.80

    I gave one public IP to the firewall, let's say .76, and used .77 to perform some forwarding to a server in the trust zone which has an IP of 192.168.2.17/24.

    The new public IPs are like (EXAMPLE) 96.10.113.114 - 96.19.113.126 (they gave them a lot of IPs).

    I put the firewall on 96.10.113.115 (example) and used .116 to port forward to the server mentioned above.

    I also added the static routes, but still nothing.



  • 10.  RE: Port Forwarding - seemed too easy

    Posted 11-24-2010 23:49

    Hi,

     

    Create a single-IP DIP pool containing the IP that is used for the server access. The old provider was routing your public net to the FW's IP; the new one does not. The DIP will enable ARP responding for the given IP, and the CPE router will be able to forward packets to the FW.

     



  • 11.  RE: Port Forwarding - seemed too easy

    Posted 11-25-2010 05:59

    Pardon the ignorant question, but what is a DIP pool and where/how do I create it?



  • 12.  RE: Port Forwarding - seemed too easy

    Posted 11-25-2010 07:56

    Hi,

     

    DIP (Dynamic IP) should be configured on the Untrust interface, like MIPs and VIPs are configured. If you are using the Web UI you'll easily find it. You should select a number to reference the DIP and type the IP both as the start IP and the end one. The rest should be left unchanged. Normally DIPs are used for policy-based src-NAT. If you select "Use interface IP" for the src-NAT you also use a DIP; this is a predefined DIP, number 3, that cannot be changed.

    The DIPs are also used to enable the ARP responses. For instance, if the interface IP is x.x.x.1 the FW will send ARP responses for this IP but not for x.x.x.2, .3, etc. But as soon as DIPs for these IPs are configured, the FW starts to respond with its MAC address and the hosts in the attached segment can "see" x.x.x.2, x.x.x.3, etc. There are other ways to enable ARP responding, but the method with DIPs is simpler.

     



  • 13.  RE: Port Forwarding - seemed too easy

    Posted 11-25-2010 08:03

    OK, on the untrust interface I select Edit. I select DIP. There is a check box there next to "Incoming NAT". Does that need to be checked?

    Anyhow, clicking New:

    ID 4 is there by default. Address range.. (what addresses go there, the internal IPs or the public?)

    Does port translation need to be checked? There are also more details on the screen.. the "help", at least to me, just seems to confuse it more.



  • 14.  RE: Port Forwarding - seemed too easy

    Posted 11-25-2010 08:12

    Hi,

     

    Do not check "incoming NAT" box. This is a special option for VoIP. ID 4 is OK. This is the first free number. Address range should contain the public IP, both as start and end IP.  That's it. Do not change other settings. Click "OK" and test.



  • 15.  RE: Port Forwarding - seemed too easy

    Posted 11-25-2010 08:18

    I tried.. I get "###invalid DIP parameter"

     

     



  • 16.  RE: Port Forwarding - seemed too easy

    Posted 11-25-2010 11:10

    Since this setup was working before the change in public ip, the association of your forwarding on the untrust interface was probably lost when the interface settings were edited.

     

    You likely need to recreate those again. And remove any residual configuration from the old isp.

     

    MIP

    If you are forwarding a single external ip address to a single internal server address then the function to use is the mip.  You create these on the untrust interface and map the outside address to the inside one.

     

    After this is created you need to use that mip as the destination in your policy that allows the traffic to come in to your server and include all the services that you need to allow.

     

    VIP

    If a single ip address is being shared to multiple servers the vip allows certain services only to be forwarded to different internal servers. This allows the same external address to go to a web server for http and the mail server for smtp. These are configured also on the untrust interface and you specify both the service and the ip addresses.

     

    Again you configure the policy that allows the traffic using the vip object.
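
The steps scattered across posts 2, 4 and 16 (new untrust address, default-route swap, a MIP or a VIP, then the policy that references it), written out as ScreenOS CLI commands. This is an added example, not configuration posted by anyone in the thread. The addresses 96.10.113.115, 96.10.113.116 and 192.168.2.17 are the thread's own example values; the /28 mask, the gateways 75.70.71.74 and 96.10.113.113, the second host 192.168.2.20 and the policy IDs 10 and 11 are assumed placeholders. ScreenOS has no comment syntax, so the `##` lines are annotations to drop before pasting.

```screenos
## Added example (not from the thread): ScreenOS CLI for moving a port-forwarded
## server behind an NS-5GT to a new ISP. Public and private addresses are the
## thread's examples; gateways, mask, second host and policy IDs are assumed.

## 1. The untrust interface takes the new ISP address (post 2)
set interface untrust ip 96.10.113.115/28

## 2. Swap the default route: remove the old gateway, add the new one (post 4)
unset route 0.0.0.0/0 interface untrust gateway 75.70.71.74
set route 0.0.0.0/0 interface untrust gateway 96.10.113.113

## 3. MIP: one public address mapped 1:1 to one internal host (post 16, MIP).
##    The firewall answers ARP for a MIP address on its own subnet, so the ISP's
##    CPE can deliver packets for .116 even though it no longer routes the block
##    to the firewall (the cause identified in post 10).
set interface untrust mip 96.10.113.116 host 192.168.2.17 netmask 255.255.255.255 vr trust-vr

## 4. Inbound policy with the MIP as destination. Permit only the services the
##    server must expose and log the hits; a service of ANY would open every port.
set policy id 10 from untrust to trust any mip(96.10.113.116) HTTP permit log
set policy id 10
set service PING
exit

## 5. Alternative to steps 3-4 when one public address must serve several
##    servers (post 16, VIP): forward per port. Do not configure the same
##    address as both a MIP and a VIP; pick one.
set interface untrust vip 96.10.113.116 80 HTTP 192.168.2.17
set interface untrust vip 96.10.113.116 25 SMTP 192.168.2.20
set policy id 11 from untrust to trust any vip(96.10.113.116) HTTP permit log
set policy id 11
set service SMTP
exit

## 6. Checks: the new default route is the only 0.0.0.0/0 entry, the MIP or VIP
##    exists on untrust, and the policy lists just the intended services.
get route
get mip
get vip
get policy id 10
save
```

The reason the original policy-based "Destination Translation" stopped working is in post 10: the old ISP routed the whole block to the firewall, the new one delivers it to a CPE on the shared segment, so the firewall must answer ARP for each forwarded address itself. A MIP does that without a separate DIP. PING is used above only so the reachability test in post 5 works; once the server is confirmed reachable, leaving only the application services in the policy keeps the exposed surface to what the server actually needs.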



  • 17.  RE: Port Forwarding - seemed too easy
    Best Answer

    Posted 11-25-2010 11:17

    Thank you spuluka for taking the time regarding my plight with this very simple solution. I am not certain why it worked before with the method I had used prior to the new ISP, but I found myself with this interesting challenge.

    I tried the VIP method, but this was not ideal for me as it was hard for me to get several services to work for one IP. Perhaps there was a way, but it just did not work for me. Another gentleman on here wanted me to try DIP and that seemed straightforward but did not work for me.

    MIP was the winner! It was so-ooooo darn easy! I entered the required information into my NS 5GT, adjusted the policy accordingly from the drop down to select (MIP)ip.address, clicked OK and I was in business!!!

    Thanks for the summary and time you put into this solution..

     

    have a great holiday!