07-13-2010 02:54 AM
I'm not familiair with netscreen products and have some problems getting portforward working on an 5XP.
I've read different manuals/guides and used google but with no luck.
So, I hope someone here can help me.
A (new) customer of mine has a 5XP firewall. Since last month he changed from ISP with new public ip, new modem, etc.
The problem is that I can't seem to get the portforwarding working. The setup is as following:
ISP --> ZyXEL DSL Modem --> NetScreen 5XP --> NIC on SBS2003
ZyXEL Modem does NAT, the internal IP is 192.168.0.1
Zyxel WAN: public IP
Zyxel LAN : 192.168.0.1
5XP Untrusted IP: 192.168.0.100
5XP Trusted IP: 192.168.18.1
NIC SBS2003: 192.168.18.2
On the Zyxel, I forwarded all ports to the 5XP IP but I can't seem to get the right settings in the 5XP to portforward these to IP 192.168.18.2. (SMTP, HTTP and HTTPS)
I'm also confused about using MIP or VIP. Do I need to create VIP services or do I use the Incoming Policy (or a combination of both)?.
Internet (Trust --> Untrust) seems to work perfectly.
For testing purposes I replaced the 5XP for a router which I setup with the same IP-adreses en portforward.
This works fine, so the misconfiguration must be in the 5XP.
Does anyone have a tutorial or can tell me which steps to take?
07-13-2010 04:09 AM
Your best bet is to get the modem into bridge mode and put the public ip onto the untrust interface of the firewall. You essentially have a firewall behind a firewall here. As a result the forwarding and nat gets pretty complicated.
I prefer to get bridge only modems when we order static ip on a dsl line. It tends to be more reliable and the modem can never be reset. All of the major carriers I've dealt with have a model for that on request.
But if you call the carrier tech support they can walk you through or send the instructions for bridge mode on your modem. Some don't support this and may need to be replaced. But if this is a new setup your carrier should be willing to help get it worked out.
Senior IP Engineer - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
JNCIA-Junos JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCDA JNCDS-DC JNCDS-SEC
ACE PanOS 6 ACE PanOS 7
07-15-2010 06:07 AM
With VIP you can define 1 IP. Within that IP you can create ports that forward to an internal IP for example.
If you just need your Windows Machine accessable you can try the following:
1. Create a MIP on the Untrust on the 5XT for example 192.168.0.101 to 192.168.18.2 255.255.255.255
2. Create a Policy from Untrust to Trust from src ANY to Destination MIP(192.168.0.101)
3. On the Zyxel, don't forward to 192.168.0.100 but to the MIP 192.168.0.101
That should work as well