Screen OS

i was recently given a netscreen 204 and after using the hardware reset to restore it to stock settings it refuses to route any packets.

 

i have tried both dhcp and static ip's on the untrust connection, both route and NAT settings.

 

if i use the stock setup wizard with my laptop plugged into eth1, and eth3 plugged into my existing network i have no data connection outside of the netscreen for the laptop

 

im attaching my cfg dump

im really stumped here, to my understanding it should automatically route between eth1 and eth3 after using the setup wizard

 

You don't seem to have a policy defined that allows traffic from eth1 (Trust zone) to eth3 (Untrust zone).

it was to my understanding that it should automatically do this if restored to stock settings.

 

how would i go about doing this?

 

set policy from zone trust to zone untrust any any any nat src permit log

 

or

 

set a policy from trust to untrust in the gui.

 

 

thanks!!! this advice worked perfectly!! 

 

im now trying to get ports forwarded for a couple services im using on my server and im pretty sure the policies are right but its still not allowing the traffic, any advice on how to fix that??

 

attached an updated cfg

 

thanks again for all the help!

To forward ports, edit the eth3 interface (Untrust) and define one of more VIP addresses with all the services you need forwarded and where they need to forward to.

Then, in your Untrust-to-Trust policies, set the destination address to the VIP address (should be defined address automatically, I think) instead of the private IPs, and don't specify any NAT (VIP service definition will take care of that).

i dont think i can use MIP or VIP i dont have a static ip from my isp, or is there a workaround for this?

A VIP should work on a dynamic IP address. It does on my NetScreen 5GT.

 

I suggest making sure you're running ScreenOS 5.4