Unable to get port forwarding working on NetScreen 5XP

I'm not familiar with NetScreen products and have some problems getting port forwarding working on a 5XP.

I've read different manuals/guides and used Google, but with no luck.


So, I hope someone here can help me.


A (new) customer of mine has a 5XP firewall. Last month he changed ISP, with a new public IP, new modem, etc.

The problem is that I can't seem to get the port forwarding working. The setup is as follows:


ISP --> ZyXEL DSL Modem --> NetScreen 5XP --> NIC on SBS2003


ZyXEL Modem does NAT, the internal IP is


Zyxel WAN: public IP

Zyxel LAN :

5XP Untrusted IP:

5XP Trusted IP:

NIC SBS2003:


On the Zyxel, I forwarded all ports to the 5XP IP, but I can't seem to get the right settings in the 5XP to port forward these to IP (SMTP, HTTP and HTTPS).

I'm also confused about using MIP or VIP. Do I need to create VIP services, or do I use the Incoming Policy (or a combination of both)?

Internet (Trust --> Untrust) seems to work perfectly.


For testing purposes I replaced the 5XP with a router which I set up with the same IP addresses and port forwards.

This works fine, so the misconfiguration must be in the 5XP.


Does anyone have a tutorial or can tell me which steps to take?






Your best bet is to get the modem into bridge mode and put the public IP onto the untrust interface of the firewall. You essentially have a firewall behind a firewall here. As a result the forwarding and NAT get pretty complicated.


I prefer to get bridge-only modems when we order a static IP on a DSL line. It tends to be more reliable and the modem can never be reset. All of the major carriers I've dealt with have a model for that on request.


But if you call the carrier tech support they can walk you through or send the instructions for bridge mode on your modem. Some don't support this and may need to be replaced. But if this is a new setup your carrier should be willing to help get it worked out.

With VIP you can define 1 IP. Within that IP you can create ports that forward to an internal IP for example.

If you just need your Windows machine accessible you can try the following:


1. Create a MIP on the Untrust on the 5XT for example to

2. Create a Policy from Untrust to Trust from src ANY to Destination MIP(

3. On the Zyxel, don't forward to but to the MIP


That should work as well.
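The three MIP steps above, written out as ScreenOS CLI, with the VIP alternative the same answer mentions. This is an added example, not configuration posted by anyone in the thread or taken from the customer's device. Every IP address in it is an assumed placeholder (the thread's real addresses are not shown); the 5XP untrust IP and the MIP address are assumed to sit on the ZyXEL LAN subnet, and option B assumes the VIP may share the untrust interface's own IP.

```screenos
# Added example (not from the thread). Addresses are assumed placeholders:
#   ZyXEL LAN side / 5XP untrust IP : 192.168.1.2    (assumed)
#   MIP address on untrust          : 192.168.1.3    (assumed, otherwise unused)
#   SBS2003 NIC on trust            : 192.168.10.10  (assumed)
# Lines starting with # are explanation only; ScreenOS has no comment syntax,
# so paste just the set/get/save lines.

# --- Option A: MIP (one-to-one NAT of a whole address) ---------------------
# Step 1: bind the MIP to the untrust interface. The 5XP answers ARP for
# 192.168.1.3 on the ZyXEL LAN and rewrites it to the SBS host.
set interface untrust mip 192.168.1.3 host 192.168.10.10 netmask 255.255.255.255 vr trust-vr

# Step 2: untrust -> trust policy to the MIP, limited to the three services
# the question needs. MAIL is ScreenOS's predefined name for SMTP/25;
# HTTP and HTTPS are predefined too. Narrow "any" to known sources if you can.
set group service "sbs-inbound" add MAIL
set group service "sbs-inbound" add HTTP
set group service "sbs-inbound" add HTTPS
set policy id 10 from untrust to trust any mip(192.168.1.3) "sbs-inbound" permit log

# Step 3 is on the ZyXEL: forward 25/80/443 to 192.168.1.3 (the MIP),
# not to the SBS address, which the ZyXEL cannot reach through the 5XP.

# --- Option B: VIP (per-port forwarding on one address) ---------------------
# Use instead of the MIP when only specific ports should be mapped. Here the
# VIP reuses the 5XP untrust IP (assumed to be allowed), so the ZyXEL keeps
# forwarding to 192.168.1.2. If the device rejects the interface IP, use a
# spare address on the ZyXEL LAN and point the ZyXEL at that instead.
set interface untrust vip 192.168.1.2 25 MAIL 192.168.10.10
set interface untrust vip 192.168.1.2 80 HTTP 192.168.10.10
set interface untrust vip 192.168.1.2 443 HTTPS 192.168.10.10
set policy id 11 from untrust to trust any vip(192.168.1.2) "sbs-inbound" permit log

# In both options the policy is mandatory: a MIP or VIP without a matching
# untrust-to-trust policy translates nothing, and a policy without a MIP/VIP
# destination has nothing to translate to. Verify, then persist:
get mip
get vip
get policy from untrust to trust
save
```

Pick one option, not both, for the same ports. The `get policy` output is also where to confirm that no broad `any any permit` policy from untrust to trust exists alongside the forwarding rule, since that would expose more of the trust side than the three services the question asks for.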

Thank you both for your answer, I'll try this as soon as possible.