Netscreen25 ScreenOS4 upgrade now DMZ isn't working

Chambers

IS-IT--Management
Jan 19, 2001
257
US
Hello guys, I upgraded the long overdue ScreenOS 3.0 to ScreenOS 4.0. Has anything changed in regard to how configs work? After the upgrade my DMZ isn't working. I am using the DMZ to run our Citrix Secure Gateway, so right now no one can access their Citrix application from the outside. Here's how I have it set up:

eth1 = trust 10.10.0.3/23
eth2 = DMZ 192.168.100.1/24
eth3 = untrust (public)

Alright, please keep in mind that everything worked fine and dandy in ScreenOS 3.0... now upgrading has made this stop.

I have the following policies in place:
from untrust to DMZ -> map external IP to 192.168.100.11 (our citrix secure gateway)
from untrust to DMZ -> Any to Any (just for testing)
from DMZ to untrust -> Any to Any (again just to test)


It doesn't work. I go to the Citrix server and I can access the internet just fine; I go to whatismyip.com and it tells me my external IP (the one I mapped). However, when I try to ping I get no response, none at all, and I can't access the IIS server on Citrix externally. Anyone have any ideas? Does ScreenOS 4.0 set something up by default for protection that I need to look at? Please help!! Thank you!
 
Have you tried doing debug flow basic? So you can see the packet flow. I don't know of any issue when upgrading from ScreenOS 3.0 to ScreenOS 4.0. It might help more if you can post your config too.

debug flow basic

clear db

then try to make a connection to your citrix server

undebug all

get dbuf stream

JNCIA/FWV,CCNP,CCNA,MCSE, MCP+I, A+
 
Some more info:

the DMZ is on the trust-vr

However (and I think once I get this working I can get the rest), I can't ping my DMZ address 192.168.100.1 through any of the other ports, eth1 or eth3. Could that be a problem?
 
On a brand new box, fresh from the factory, the trust-vr is shared by default. The Untrust, Trust, and DMZ zones are bound to trust-vr by default.
A box with a configuration from a previous release will have the trust-vr not shared. The Untrust and DMZ zones are bound to untrust-vr. The Trust zone is bound to trust-vr.

JNCIA/FWV,CCNP,CCNA,MCSE, MCP+I, A+
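The reply above describes two possible zone-to-virtual-router layouts after an upgrade (fresh box versus migrated config), and the earlier post asks why the DMZ interface does not answer pings from the other interfaces. As an added example, not code from this thread or from NetScreen/Juniper, the following Python script reads the `set zone ... vrouter`, `set interface ... zone` and `set`/`unset interface ... manage` lines of a ScreenOS 4.x `get config` dump, reports which zone pairs are bound to different virtual routers (traffic between those zones has to be routed across the VR boundary instead of staying inside one VR), and lists interfaces on which a given management option such as `ping` is not explicitly enabled. The two configs embedded in it are constructed to match the two layouts the reply describes; they are not the poster's configuration. The parser only sees what the dump prints explicitly, so ScreenOS defaults that `get config` omits are not modelled.

```python
"""Check zone-to-virtual-router bindings and per-interface management options
in a ScreenOS 4.x 'get config' dump.

Added example for this thread (not code from the original post or from
NetScreen/Juniper). It understands only the 'set zone ... vrouter',
'set interface ... zone' and 'set/unset interface ... manage' line forms
that appear in the posted configuration; everything else is ignored.
"""
import re
from collections import defaultdict

# Line forms as printed by 'get config'; names may or may not be quoted.
ZONE_VR_RE = re.compile(r'^set zone "?([\w-]+)"? vrouter "?([\w-]+)"?$')
IF_ZONE_RE = re.compile(r'^set interface "?([\w-]+)"? zone "?([\w-]+)"?$')
MANAGE_RE = re.compile(r'^(set|unset) interface "?([\w-]+)"? manage ([\w-]+)$')

# Constructed sample: the factory-default layout described in the reply
# (all three zones in trust-vr). Not the poster's real config.
FRESH_CONFIG = """
set vrouter trust-vr sharable
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set interface "ethernet1" zone "Trust"
set interface "ethernet2" zone "DMZ"
set interface "ethernet3" zone "Untrust"
set interface ethernet1 manage ping
set interface ethernet2 manage ping
set interface ethernet2 manage ssl
set interface ethernet3 manage ping
set interface ethernet3 manage telnet
set interface ethernet3 manage ssl
set interface ethernet3 manage web
unset interface ethernet1 manage global-pro
"""

# Constructed sample: the migrated layout described in the reply
# (Untrust and DMZ in untrust-vr, Trust in trust-vr). ethernet2 has no
# 'manage ping' line, so the DMZ interface would not answer pings.
MIGRATED_CONFIG = """
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "untrust-vr"
set zone "DMZ" vrouter "untrust-vr"
set interface "ethernet1" zone "Trust"
set interface "ethernet2" zone "DMZ"
set interface "ethernet3" zone "Untrust"
set interface ethernet1 manage ping
set interface ethernet2 manage ssl
set interface ethernet3 manage ping
"""


def parse_config(text):
    """Return (zone->vrouter, interface->zone, interface->set of manage services).

    Only explicitly configured manage options are recorded; defaults that
    'get config' does not print are not modelled.
    """
    zones, if_zone = {}, {}
    manage = defaultdict(set)
    for raw in text.splitlines():
        line = raw.strip()
        if m := ZONE_VR_RE.match(line):
            zones[m.group(1)] = m.group(2)
        elif m := IF_ZONE_RE.match(line):
            if_zone[m.group(1)] = m.group(2)
            manage[m.group(1)]  # register the interface even with no manage lines
        elif m := MANAGE_RE.match(line):
            verb, ifname, svc = m.groups()
            if verb == "set":
                manage[ifname].add(svc)
            else:
                manage[ifname].discard(svc)
    return zones, if_zone, dict(manage)


def cross_vr_zone_pairs(zones):
    """Zone pairs bound to different virtual routers, sorted by name.

    Traffic between two such zones must be routed across the VR boundary;
    a missing inter-VR route shows up as silently dropped packets.
    """
    names = sorted(zones)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if zones[a] != zones[b]]


def interfaces_without(manage, service):
    """Interfaces on which the given management service is not explicitly enabled."""
    return sorted(ifname for ifname, svcs in manage.items() if service not in svcs)


def report(label, text):
    zones, if_zone, manage = parse_config(text)
    print(f"== {label} ==")
    for ifname, zone in sorted(if_zone.items()):
        print(f"  {ifname}: zone {zone}, vrouter {zones.get(zone, '?')}, "
              f"manage {sorted(manage.get(ifname, ()))}")
    print("  zone pairs crossing a VR boundary:", cross_vr_zone_pairs(zones))
    print("  interfaces without 'manage ping':", interfaces_without(manage, "ping"))


if __name__ == "__main__":
    report("fresh box", FRESH_CONFIG)
    report("migrated config", MIGRATED_CONFIG)
```

Feed it the output of `get config` saved from the console; the two reports it prints for the constructed samples show the difference between the layouts the reply describes: the migrated sample yields cross-VR pairs for Trust against both Untrust and DMZ, while the fresh sample yields none.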
 
Well, the debug flow basic command from HyperTerminal completely froze my Netscreen25... heheh. So I just restarted it. Below is my config file, perhaps you can see what the heck I'm doing wrong:

Also, just want to thank you again for the quick response. I pretty much fell into these responsibilities and am trying to learn it as I go.

Original Config from 3.0
--------
set auth type 0
set auth timeout 10
set clock "timezone" -5
set admin format dos
set admin name "netscreen"
set admin password
privilege all
set admin manager-ip 152.160.24.81 255.255.255.255
set admin manager-ip 10.10.0.0 255.255.254.0
set admin sys-ip 0.0.0.0
set admin auth timeout 10
set admin auth type Local
set ip tftp retry 10
set ip tftp timeout 2
set interface trust ip 10.10.0.3 255.255.254.0
set interface untrust ip 64.108.190.120 255.255.255.240
set interface DMZ ip 192.168.100.1 255.255.255.0
set interface trust gateway 10.10.0.1
set interface untrust gateway 64.108.190.113
set interface trust manage ping
set interface trust manage scs
set interface trust manage telnet
set interface trust manage snmp
unset interface trust manage global-pro
set interface trust manage ssl
set interface trust manage web
unset interface trust ident-reset
set interface untrust manage ping
unset interface untrust manage scs
set interface untrust manage telnet
unset interface untrust manage snmp
unset interface untrust manage global-pro
set interface untrust manage ssl
set interface untrust manage web
unset interface untrust ident-reset
set interface DMZ manage ping
unset interface DMZ manage scs
unset interface DMZ manage telnet
unset interface DMZ manage snmp
unset interface DMZ manage global-pro
unset interface DMZ manage ssl
unset interface DMZ manage web
unset interface DMZ ident-reset
set interface untrust mip 64.108.190.116 host 10.10.0.11 netmask 255.255.255.255
set interface untrust mip 64.108.190.119 host 10.10.0.41 netmask 255.255.255.255
set interface untrust mip 64.108.190.124 host 192.168.100.11 netmask 255.255.255.255
set interface untrust mip 64.108.190.118 host 10.10.0.14 netmask 255.255.255.255
set interface untrust mip 64.108.190.115 host 10.10.0.9 netmask 255.255.255.255
set interface untrust mip 64.108.190.125 host 10.10.0.6 netmask 255.255.255.255
set interface untrust mip 64.108.190.126 host 10.10.0.16 netmask 255.255.255.255
set interface untrust mip 64.108.190.114 host 10.10.0.27 netmask 255.255.255.255
set interface untrust mip 64.108.190.123 host 10.10.0.42 netmask 255.255.255.255
set interface untrust mip 64.108.190.122 host 10.10.0.44 netmask 255.255.255.255
set interface DMZ dip 4 192.168.100.10 192.168.100.15
set flow no-tcp-seq-check
set flow mac-flooding
set flow check-session
unset console dbuf
set domain shoremortgage.com
set hostname Shore-GW
set address untrust "McDonald1" 209.49.254.224 255.255.255.240 "1st VPN Endpoint/NAT address"
set address untrust "McDonald1.1" 209.49.254.228 255.255.255.255 "2nd VPN NAT address"
set address untrust "McDonald2" 68.255.234.128 255.255.255.192 " 2nd VPN EndPoint/NAT address"
set address untrust "McDonald2.2" 68.255.234.128 255.255.255.255 " Secondary NAT address"
set address untrust "FW" 64.108.190.120 255.255.255.255 "for VPN "
set address untrust "HotBar" 65.121.237.200 255.255.255.255 "HotBar Spyware"
set address untrust "Appraisal1" 68.22.7.249 255.255.255.255 "First Appraisal IP"
set address untrust "Appraisal2" 68.22.7.250 255.255.255.255 "Second Appraisal IP"
set address untrust "Appraisal3" 68.22.7.251 255.255.255.255 "Third Appraisal IP"
set address untrust "Appraisal4" 68.22.7.252 255.255.255.255 "Fourth Appraisal IP"
set address untrust "Appraisal5" 68.22.7.253 255.255.255.255 "Fifth Appraisal IP"
set address untrust "Appraisal6" 68.22.7.254 255.255.255.255 "Sixth Appraisal IP"
set address untrust "Appraisal7" 68.248.33.191 255.255.255.255 "Appraisal Gateway"
set address untrust "Appraisal8" 64.68.82.169 255.255.255.255
set address trust "Shore_LAN" 10.10.0.0 255.255.254.0 "HQ LAN"
set address trust "Exchange_Server" 10.10.0.11 255.255.255.255 "Mail Server"
set address trust "GCS" 10.10.0.10 255.255.255.255
set address trust "MF1" 10.10.0.21 255.255.255.255
set address trust "MF3" 10.10.0.20 255.255.255.255
set address trust "ISA_Server" 10.10.0.14 255.255.255.255 "ISA Server Requests"
set address trust "ISA_Server_2" 10.10.0.15 255.255.255.255
set address trust "MF2" 10.10.0.22 255.255.255.255
set address trust "MF4" 10.10.0.23 255.255.255.255
set address trust "Thoms IP" 10.10.1.133 255.255.255.255 "Thoms PC"
set address trust "Coreys IP" 10.10.1.215 255.255.255.255 "Coreys PC"
set address trust "Kevins IP" 10.10.0.127 255.255.255.255 "Kevins PC"
set address trust "Thoms Laptop" 10.10.1.187 255.255.255.255 "Thoms Laptop Wired"
set address trust "MF5" 10.10.0.46 255.255.255.255
set address dmz "Secure Gateway Server" 192.168.100.11 255.255.255.255
set service "Secondary FTP" group "other" tcp src 2121-2121 dst 2121-2121
set service "Secondary FTP" + udp src 2121-2121 dst 2121-2121
set service "FTP - BulletProof" group "other" udp src 5500-5500 dst 5500-5500
set service "FTP - BulletProof" + tcp src 5500-5500 dst 5500-5500
set service "Test FTP" group "other" tcp src 5999-5999 dst 5999-5999
set service "Test FTP" + udp src 5999-5999 dst 5999-5999
set service "Custom FTP 2121" group "other" tcp src 2121-2121 dst 2121-2121
set service "Custom FTP 2121" + udp src 2121-2121 dst 2121-2121
set service "TELNET" timeout never
set service "Bridge" protocol tcp src-port 14000-14000 dst-port 14000-14000 group "other"
set service "Servicing Download" protocol tcp src-port 0-65535 dst-port 8000-8000 group "other"
set service "VNC - Web" protocol tcp src-port 0-65535 dst-port 5800-5810 group "other"
set service "VNC" protocol tcp src-port 0-65535 dst-port 5900-5910 group "other"
set service "CoreyCam" protocol tcp src-port 0-65535 dst-port 8088-8088 group "other"
set service "Test" protocol tcp src-port 5190-5190 dst-port 5190-5190 group "other"
set service "RDP" protocol tcp src-port 3389-3389 dst-port 3389-3389 group "other"
set service "SSL Port-444" protocol tcp src-port 0-65000 dst-port 444-444 group "other"
set service "HTTP - 8088" protocol tcp src-port 8088-8088 dst-port 8088-8088 group "other"
set service "HTTP - 81" protocol tcp src-port 81-81 dst-port 81-81 group "other"
set service "Irene_5/3_Bank" protocol tcp src-port 0-65535 dst-port 1996-1996 group "other"
set service "IM Test" protocol tcp src-port 0-65535 dst-port 5190-5190 group "other"
set syn-threshold 200
set firewall tear-drop
set firewall syn-flood
set firewall ip-spoofing
set firewall ping-of-death
set firewall src-route
set firewall land
unset firewall icmp-flood
set firewall udp-flood
set firewall winnuke
set firewall port-scan
set firewall ip-sweep
unset firewall applet
unset firewall bypass-others-ipsec
unset firewall bypass-non-ip
set firewall log-self
unset firewall session-threshold source-ip-based
set snmp name "Shore-GW"
set group address untrust "Appraisal IP Group" comment "Appraisal IP Group"
set group address untrust "Appraisal IP Group" add "Appraisal1"
set group address untrust "Appraisal IP Group" add "Appraisal2"
set group address untrust "Appraisal IP Group" add "Appraisal3"
set group address untrust "Appraisal IP Group" add "Appraisal4"
set group address untrust "Appraisal IP Group" add "Appraisal5"
set group address untrust "Appraisal IP Group" add "Appraisal6"
set group address untrust "Appraisal IP Group" add "Appraisal7"
set group address untrust "Appraisal IP Group" add "Appraisal8"
set group address trust "Metaframe" comment " "
set group address trust "Metaframe" add "MF1"
set group address trust "Metaframe" add "MF3"
set group address trust "Metaframe" add "GCS"
set group address trust "Metaframe" add "MF2"
set group address trust "Metaframe" add "MF4"
set group address trust "Metaframe" add "MF5"
set group address trust "ISA_Server_NICS" comment " "
set group address trust "ISA_Server_NICS" add "ISA_Server"
set group address trust "ISA_Server_NICS" add "ISA_Server_2"
set group address trust "IT Department" comment " "
set group address trust "IT Department" add "Thoms IP"
set group address trust "IT Department" add "Coreys IP"
set group address trust "IT Department" add "Kevins IP"
set group address trust "IT Department" add "Thoms Laptop"
set group service "Intranet_WEB" comment " "
set group service "Intranet_WEB" add "HTTP"
set group service "Intranet_WEB" add "HTTPS"
set group service "Intranet_WEB" add "PING"
set group service "Intranet_WEB" add "Bridge"
set group service "Intranet_WEB" add "Servicing Download"
set group service "Intranet_WEB" add "CoreyCam"
set group service "Intranet_WEB" add "MAIL"
set group service "Inbound_Mail" comment " "
set group service "Inbound_Mail" add "HTTP"
set group service "Inbound_Mail" add "MAIL"
set group service "Inbound_Mail" add "PING"
set group service "Inbound_Mail" add "POP3"
set group service "VPN to McD" comment " "
set group service "VPN to McD" add "TELNET"
set group service "VPN to McD" add "PING"
set group service "VPN to McD" add "MAIL"
set group service "VPN to McD" add "Servicing Download"
set group service "PCAny" comment " "
set group service "PCAny" add "PING"
set group service "PCAny" add "PC-Anywhere"
set group service "PCAny" add "RDP"
set group service "CSG Service" comment " "
set group service "CSG Service" add "HTTPS"
set group service "CSG Service" add "PING"
set group service "CSG Service" add "DNS"
set group service "CSG Service" add "HTTP"
set group service "CSG Service" add "WINFRAME"
set group service "WEB2" comment "Webserver 2"
set group service "WEB2" add "HTTP"
set group service "WEB2" add "HTTPS"
set group service "WEB2" add "SSL Port-444"
set group service "WEB2" add "HTTP - 8088"
set group service "WEB2" add "HTTP - 81"
set group service "WEB2" add "FTP"
set group service "WEB2" add "FTP-Get"
set group service "WEB2" add "FTP-Put"
set group service "Appraisers" comment " "
set group service "Appraisers" add "POP3"
set group service "Appraisers" add "HTTP"
set group service "Appraisers" add "MAIL"
set group service "Appraisers" add "HTTPS"
set group service "Appraisers" add "DNS"
set group service "Internet" comment "All Internet Traffic"
set group service "Internet" add "AOL"
set group service "Internet" add "BGP"
set group service "Internet" add "DHCP-Relay"
set group service "Internet" add "DNS"
set group service "Internet" add "FINGER"
set group service "Internet" add "FTP"
set group service "Internet" add "FTP-Get"
set group service "Internet" add "FTP-Put"
set group service "Internet" add "GOPHER"
set group service "Internet" add "H.323"
set group service "Internet" add "HTTP"
set group service "Internet" add "HTTPS"
set group service "Internet" add "IRC"
set group service "Internet" add "NetMeeting"
set group service "Internet" add "PING"
set group service "Internet" add "Real Media"
set group service "Internet" add "FTP - BulletProof"
set group service "Internet" add "Secondary FTP"
set group service "Internet" add "Irene_5/3_Bank"
set group service "Everything But Internet 1" comment " "
set group service "Everything But Internet 1" add "BGP"
set group service "Everything But Internet 1" add "DHCP-Relay"
set group service "Everything But Internet 1" add "DNS"
set group service "Everything But Internet 1" add "FINGER"
set group service "Everything But Internet 1" add "GOPHER"
set group service "Everything But Internet 1" add "ICMP-INFO"
set group service "Everything But Internet 1" add "ICMP-TIMESTAMP"
set group service "Everything But Internet 1" add "IKE"
set group service "Everything But Internet 1" add "IMAP"
set group service "Everything But Internet 1" add "Internet Locator Service"
set group service "Everything But Internet 1" add "L2TP"
set group service "Everything But Internet 1" add "MAIL"
set group service "Everything But Internet 1" add "NetMeeting"
set group service "Everything But Internet 1" add "LDAP"
set group service "Everything But Internet 1" add "NFS"
set group service "Everything But Internet 1" add "NNTP"
set group service "Everything But Internet 1" add "NS Global"
set group service "Everything But Internet 1" add "NS Global PRO"
set group service "Everything But Internet 1" add "NTP"
set group service "Everything But Internet 1" add "OSPF"
set group service "Everything But Internet 1" add "PC-Anywhere"
set group service "Everything But Internet 1" add "PING"
set group service "Everything But Internet 1" add "POP3"
set group service "Everything But Internet 1" add "PPTP"
set group service "Everything But Internet 1" add "RIP"
set group service "Everything But Internet 1" add "RLOGIN"
set group service "Everything But Internet 1" add "SNMP"
set group service "Everything But Internet 1" add "SSH"
set group service "Everything But Internet 1" add "SYSLOG"
set group service "Everything But Internet 1" add "AOL"
set group service "Everything But Internet 1" add "Custom FTP 2121"
set group service "Everything But Internet 2" comment " "
set group service "Everything But Internet 2" add "TALK"
set group service "Everything But Internet 2" add "TCP-ANY"
set group service "Everything But Internet 2" add "TELNET"
set group service "Everything But Internet 2" add "TFTP"
set group service "Everything But Internet 2" add "TRACEROUTE"
set group service "Everything But Internet 2" add "UDP-ANY"
set group service "Everything But Internet 2" add "UUCP"
set group service "Everything But Internet 2" add "VDO Live"
set group service "Everything But Internet 2" add "WAIS"
set group service "Everything But Internet 2" add "WINFRAME"
set group service "Everything But Internet 2" add "X-WINDOWS"
set group service "Everything But Internet 2" add "Bridge"
set group service "Everything But Internet 2" add "Servicing Download"
set group service "Everything But Internet 2" add "VNC - Web"
set group service "Everything But Internet 2" add "VNC"
set group service "Everything But Internet 2" add "CoreyCam"
set group service "Everything But Internet 2" add "Secondary FTP"
set group service "Everything But Internet 2" add "FTP - BulletProof"
set group service "Everything But Internet 2" add "Custom FTP 2121"
set group service "Inbound_Mail_CT" comment " "
set group service "Inbound_Mail_CT" add "HTTP"
set group service "Inbound_Mail_CT" add "HTTPS"
set group service "Inbound_Mail_CT" add "PING"
set group service "Inbound_Mail_CT" add "MAIL"
set group service "Inbound_Mail_CT" add "POP3"
set group service "WEB3" comment "Webserver 3 - Misc Web Services"
set group service "WEB3" add "HTTP"
set group service "WEB3" add "HTTPS"
set group service "WEB3" add "PING"
set group service "WEB3" add "FTP"
set group service "WEB3" add "FTP-Get"
set group service "WEB3" add "FTP-Put"
set firewall ip-sweep threshold 30000
set traffic-shaping ip_precedence 7 6 5 4 3 2 1 0
set ike p1-proposal "McDonald2" Preshare Group2 esp 3DES SHA second 3600
set ike p1-proposal "McDonald1" Preshare Group2 esp 3DES SHA second 3600
set ike p2-proposal "Mcdonald2" no-pfs ESP 3DES SHA second 700
set ike p2-proposal "McDonald1" no-pfs ESP 3DES SHA second 700
set ike gateway "McDonald2" ip 68.255.234.130 Main preshare "w731QmAB" proposal "McDonald2"
set ike gateway "McDonald1" ip 209.49.254.226 Main preshare "w731QmAB" proposal "McDonald1"
unset ike policy-checking
set ike respond-bad-spi 1
set vpn "McDonald2.1" id 20499 gateway "McDonald2" no-replay tunnel idletime 0 proposal "Mcdonald2"
set vpn "McDonald2.1" monitor
set vpn "McDonald1" id 20500 gateway "McDonald1" no-replay tunnel idletime 0 proposal "McDonald1"
set vpn "McDonald1" monitor
set ike id-mode subnet
set vpn-group id 2 vpn McDonald2.1 weight 9
set vpn-group id 2
set vpn-group id 1 vpn McDonald1 weight 10
set vpn-group id 1
set l2tp default auth local
set l2tp default dns1 10.10.0.10
set l2tp default dns2 10.10.0.10
set l2tp default ppp-auth chap
set l2tp default radius-port 1645
set route 10.10.10.62 255.255.255.255 interface trust gateway 10.10.0.1 metric 1
set policy id 18 name "McDonald1" outgoing "Inside Any" "McDonald1" "VPN to McD" nat Tunnel vpn-group 1 log traffic gbw 256 priority 0 mbw 256
set policy id 16 name "McD_VPN2" outgoing "Inside Any" "McDonald2" "VPN to McD" nat Tunnel vpn-group 2 log traffic gbw 256 priority 0 mbw 256
set policy id 0 name "Out" outgoing "Shore_LAN" "Outside Any" "ANY" nat Permit log
set policy id 0 disable
set policy id 49 name "IT Department Outbound" outgoing "IT Department" "Outside Any" "ANY" nat Permit log
set policy id 19 name "McDonald1" incoming "McDonald1" "Inside Any" "VPN to McD" Tunnel vpn-group 1 log traffic gbw 256 priority 0 mbw 256
set policy id 17 name "McD_VPN2" incoming "McDonald2" "Inside Any" "VPN to McD" Tunnel vpn-group 2 log traffic gbw 256 priority 0 mbw 256
set policy id 21 name "Appraisal IP Pop" incoming "Appraisal IP Group" "MIP(64.108.190.116)" "Appraisers" nat Permit log
set policy id 35 name "Web Mail" incoming "Outside Any" "MIP(64.108.190.116)" "Internet" nat Permit log
set policy id 6 name "Mail" incoming "Outside Any" "MIP(64.108.190.116)" "Inbound_Mail" Permit log
set policy id 27 name "HTTP Requests" outgoing "ISA_Server_NICS" "Outside Any" "Internet" nat Permit log
set policy id 33 outgoing "Shore_LAN" "Outside Any" "Internet" Permit log
set policy id 33 disable
set policy id 28 name "ShareLAN_1" outgoing "Shore_LAN" "Outside Any" "Everything But Internet 1" nat Permit log
set policy id 29 name "ShoreLAN_2" outgoing "Shore_LAN" "Outside Any" "Everything But Internet 2" nat Permit log
set policy id 31 name "Citrix Test" incoming "Outside Any" "MIP(64.108.190.118)" "Internet" nat Permit log
set policy id 38 todmz "Metaframe" "Secure Gateway Server" "CSG Service" nat Permit log
set policy id 39 name "CSG From DMZ" fromdmz "Secure Gateway Server" "Metaframe" "CSG Service" nat Permit log
set policy id 55 incoming "Outside Any" "MIP(64.108.190.124)" "CSG Service" nat Permit log
set policy id 26 name "WEB 2" incoming "Outside Any" "MIP(64.108.190.125)" "WEB2" nat Permit log count
set policy id 44 name "WEB3" incoming "Outside Any" "MIP(64.108.190.126)" "WEB3" nat Permit log count
set policy id 46 name "UWM" incoming "Outside Any" "MIP(64.108.190.115)" "Internet" nat Permit log count
set policy id 47 name "Shore Website" incoming "Outside Any" "MIP(64.108.190.119)" "Intranet_WEB" nat Permit log count
set policy id 48 name "web.shoremortgage.com" incoming "Outside Any" "MIP(64.108.190.114)" "Internet" nat Permit log count
set policy id 37 name "Shore Tax" incoming "Outside Any" "MIP(64.108.190.123)" "WEB2" nat Permit log count
set policy id 42 name "esource.shoremortgage.com" incoming "Outside Any" "MIP(64.108.190.122)" "Internet" nat Permit log count
set global-pro policy-manager primary outgoing-interface untrust
set global-pro policy-manager secondary outgoing-interface untrust
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns1 10.10.0.10
set dns host schedule 12:00

Updated log file from ScreenOS 4.0 (trying to clean it up)
--------------
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth-server "DefL2TPAuthServer" id 1
set auth-server "DefL2TPAuthServer" account-type l2tp
set auth default auth server "Local"
set clock "timezone" -5
set admin format dos
set admin name "netscreen"
set admin password nBZmNgr/JQsCcPNMssxFJ4HtC/F0Tn
set admin user "APS" password "nO+EEXrDNUMBckXOAsOL7PJtvCMZIn" privilege "all"
set admin manager-ip 152.160.24.81 255.255.255.255
set admin manager-ip 10.10.0.0 255.255.254.0
set admin auth timeout 10
set admin auth server "Local"
set service "Secondary FTP" group "other" tcp src 2121-2121 dst 2121-2121
set service "Secondary FTP" + udp src 2121-2121 dst 2121-2121
set service "FTP - BulletProof" group "other" udp src 5500-5500 dst 5500-5500
set service "FTP - BulletProof" + tcp src 5500-5500 dst 5500-5500
set service "Custom FTP 2121" group "other" tcp src 2121-2121 dst 2121-2121
set service "Custom FTP 2121" + udp src 2121-2121 dst 2121-2121
set service "TELNET" timeout never
set service "Bridge" protocol tcp src-port 14000-14000 dst-port 14000-14000 group "other"
set service "Servicing Download" protocol tcp src-port 0-65535 dst-port 8000-8000 group "other"
set service "SSL Port-444" protocol tcp src-port 0-65000 dst-port 444-444 group "other"
set service "HTTP - 8088" protocol tcp src-port 8088-8088 dst-port 8088-8088 group "other"
set service "HTTP - 81" protocol tcp src-port 81-81 dst-port 81-81 group "other"
set service "Irene_5/3_Bank" protocol tcp src-port 0-65535 dst-port 1996-1996 group "other"
set vrouter trust-vr sharable
unset vrouter "trust-vr" auto-route-export
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "DMZ" tcp-rst
set zone "MGT" block
set zone "MGT" tcp-rst
set zone Untrust screen udp-flood
set zone Untrust screen winnuke
set zone Untrust screen port-scan
set zone Untrust screen ip-sweep
set zone Untrust screen tear-drop
set zone Untrust screen syn-flood
set zone Untrust screen ip-spoofing
set zone Untrust screen ping-death
set zone Untrust screen ip-filter-src
set zone Untrust screen land
set zone V1-Untrust screen udp-flood
set zone V1-Untrust screen winnuke
set zone V1-Untrust screen port-scan
set zone V1-Untrust screen ip-sweep
set zone V1-Untrust screen tear-drop
set zone V1-Untrust screen syn-flood
set zone V1-Untrust screen ip-spoofing
set zone V1-Untrust screen ping-death
set zone V1-Untrust screen ip-filter-src
set zone V1-Untrust screen land
set zone Untrust screen ip-sweep threshold 30000
set zone V1-Untrust screen ip-sweep threshold 30000
set interface "ethernet1" zone "Trust"
set interface "ethernet2" zone "DMZ"
set interface "ethernet3" zone "Untrust"
unset interface vlan1 ip
set interface ethernet1 ip 10.10.0.3/23
set interface ethernet1 nat
set interface ethernet2 ip 192.168.100.1/24
set interface ethernet2 route
set interface ethernet3 ip 64.108.190.120/28
set interface ethernet3 route
set interface ethernet3 gateway 64.108.190.113
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface vlan1 ip manageable
set interface ethernet1 ip manageable
set interface ethernet2 ip manageable
set interface ethernet3 ip manageable
unset interface ethernet1 manage global-pro
set interface ethernet2 manage ssl
set interface ethernet3 manage ping
set interface ethernet3 manage telnet
set interface ethernet3 manage ssl
set interface ethernet3 manage web
set interface "ethernet3" mip 64.108.190.116 host 10.10.0.11 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet3" mip 64.108.190.119 host 10.10.0.41 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet3" mip 64.108.190.118 host 10.10.0.14 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet3" mip 64.108.190.115 host 10.10.0.9 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet3" mip 64.108.190.125 host 10.10.0.6 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet3" mip 64.108.190.126 host 10.10.0.16 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet3" mip 64.108.190.114 host 10.10.0.27 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet3" mip 64.108.190.123 host 10.10.0.42 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet3" mip 64.108.190.122 host 10.10.0.44 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet3" mip 64.108.190.124 host 192.168.100.11 netmask 255.255.255.255 vr "trust-vr"
set interface ethernet2 dip 4 192.168.100.9 192.168.100.15
unset console dbuf
set domain shoremortgage.com
set hostname Shore-GW
set address "Trust" "Exchange_Server" 10.10.0.11 255.255.255.255 "Mail Server"
set address "Trust" "ISA_Server" 10.10.0.14 255.255.255.255 "ISA Server Requests"
set address "Trust" "ISA_Server_2" 10.10.0.15 255.255.255.255
set address "Trust" "MF1" 10.10.0.21 255.255.255.255
set address "Trust" "MF2" 10.10.0.22 255.255.255.255
set address "Trust" "MF3" 10.10.0.20 255.255.255.255
set address "Trust" "MF4" 10.10.0.23 255.255.255.255
set address "Trust" "MF5" 10.10.0.46 255.255.255.255
set address "Trust" "Shore_LAN" 10.10.0.0 255.255.254.0 "HQ LAN"
set address "Untrust" "Appraisal1" 68.22.7.249 255.255.255.255 "First Appraisal IP"
set address "Untrust" "Appraisal2" 68.22.7.250 255.255.255.255 "Second Appraisal IP"
set address "Untrust" "Appraisal3" 68.22.7.251 255.255.255.255 "Third Appraisal IP"
set address "Untrust" "Appraisal4" 68.22.7.252 255.255.255.255 "Fourth Appraisal IP"
set address "Untrust" "Appraisal5" 68.22.7.253 255.255.255.255 "Fifth Appraisal IP"
set address "Untrust" "Appraisal6" 68.22.7.254 255.255.255.255 "Sixth Appraisal IP"
set address "Untrust" "Appraisal7" 68.248.33.191 255.255.255.255 "Appraisal Gateway"
set address "Untrust" "Appraisal8" 64.68.82.169 255.255.255.255
set address "Untrust" "HotBar" 65.121.237.200 255.255.255.255 "HotBar Spyware"
set address "Untrust" "McDonald1" 209.49.254.224 255.255.255.240 "1st VPN Endpoint/NAT address"
set address "Untrust" "McDonald2" 68.255.234.128 255.255.255.192 " 2nd VPN EndPoint/NAT address"
set firewall log-self
set snmp name "Shore-GW"
set group address "Trust" "ISA_Server_NICS" comment " "
set group address "Trust" "ISA_Server_NICS" add "ISA_Server"
set group address "Trust" "ISA_Server_NICS" add "ISA_Server_2"
set group address "Trust" "IT Department" comment " "
set group address "Untrust" "Appraisal IP Group" comment "Appraisal IP Group"
set group address "Untrust" "Appraisal IP Group" add "Appraisal1"
set group address "Untrust" "Appraisal IP Group" add "Appraisal2"
set group address "Untrust" "Appraisal IP Group" add "Appraisal3"
set group address "Untrust" "Appraisal IP Group" add "Appraisal4"
set group address "Untrust" "Appraisal IP Group" add "Appraisal5"
set group address "Untrust" "Appraisal IP Group" add "Appraisal6"
set group address "Untrust" "Appraisal IP Group" add "Appraisal7"
set group address "Untrust" "Appraisal IP Group" add "Appraisal8"
set group service "Intranet_WEB" comment " "
set group service "Intranet_WEB" add "HTTP"
set group service "Intranet_WEB" add "HTTPS"
set group service "Intranet_WEB" add "PING"
set group service "Intranet_WEB" add "Bridge"
set group service "Intranet_WEB" add "Servicing Download"
set group service "Intranet_WEB" add "MAIL"
set group service "Inbound_Mail" comment " "
set group service "Inbound_Mail" add "HTTP"
set group service "Inbound_Mail" add "MAIL"
set group service "Inbound_Mail" add "PING"
set group service "Inbound_Mail" add "POP3"
set group service "VPN to McD" comment " "
set group service "VPN to McD" add "TELNET"
set group service "VPN to McD" add "PING"
set group service "VPN to McD" add "MAIL"
set group service "VPN to McD" add "Servicing Download"
set group service "PCAny" comment " "
set group service "PCAny" add "PING"
set group service "PCAny" add "PC-Anywhere"
set group service "WEB2" comment "Webserver 2"
set group service "WEB2" add "HTTP"
set group service "WEB2" add "HTTPS"
set group service "WEB2" add "SSL Port-444"
set group service "WEB2" add "HTTP - 8088"
set group service "WEB2" add "HTTP - 81"
set group service "WEB2" add "FTP"
set group service "WEB2" add "FTP-Get"
set group service "WEB2" add "FTP-Put"
set group service "Appraisers" comment " "
set group service "Appraisers" add "POP3"
set group service "Appraisers" add "HTTP"
set group service "Appraisers" add "MAIL"
set group service "Appraisers" add "HTTPS"
set group service "Appraisers" add "DNS"
set group service "Internet" comment "All Internet Traffic"
set group service "Internet" add "AOL"
set group service "Internet" add "BGP"
set group service "Internet" add "DHCP-Relay"
set group service "Internet" add "DNS"
set group service "Internet" add "FINGER"
set group service "Internet" add "FTP"
set group service "Internet" add "FTP-Get"
set group service "Internet" add "FTP-Put"
set group service "Internet" add "GOPHER"
set group service "Internet" add "H.323"
set group service "Internet" add "HTTP"
set group service "Internet" add "HTTPS"
set group service "Internet" add "IRC"
set group service "Internet" add "NetMeeting"
set group service "Internet" add "PING"
set group service "Internet" add "Real Media"
set group service "Internet" add "FTP - BulletProof"
set group service "Internet" add "Secondary FTP"
set group service "Internet" add "Irene_5/3_Bank"
set group service "Everything But Internet 1" comment " "
set group service "Everything But Internet 1" add "BGP"
set group service "Everything But Internet 1" add "DHCP-Relay"
set group service "Everything But Internet 1" add "DNS"
set group service "Everything But Internet 1" add "FINGER"
set group service "Everything But Internet 1" add "GOPHER"
set group service "Everything But Internet 1" add "ICMP-INFO"
set group service "Everything But Internet 1" add "ICMP-TIMESTAMP"
set group service "Everything But Internet 1" add "IKE"
set group service "Everything But Internet 1" add "IMAP"
set group service "Everything But Internet 1" add "Internet Locator Service"
set group service "Everything But Internet 1" add "L2TP"
set group service "Everything But Internet 1" add "MAIL"
set group service "Everything But Internet 1" add "NetMeeting"
set group service "Everything But Internet 1" add "LDAP"
set group service "Everything But Internet 1" add "NFS"
set group service "Everything But Internet 1" add "NNTP"
set group service "Everything But Internet 1" add "NS Global"
set group service "Everything But Internet 1" add "NS Global PRO"
set group service "Everything But Internet 1" add "NTP"
set group service "Everything But Internet 1" add "OSPF"
set group service "Everything But Internet 1" add "PC-Anywhere"
set group service "Everything But Internet 1" add "PING"
set group service "Everything But Internet 1" add "POP3"
set group service "Everything But Internet 1" add "PPTP"
set group service "Everything But Internet 1" add "RIP"
set group service "Everything But Internet 1" add "RLOGIN"
set group service "Everything But Internet 1" add "SNMP"
set group service "Everything But Internet 1" add "SSH"
set group service "Everything But Internet 1" add "SYSLOG"
set group service "Everything But Internet 1" add "AOL"
set group service "Everything But Internet 1" add "Custom FTP 2121"
set group service "Everything But Internet 2" comment " "
set group service "Everything But Internet 2" add "TALK"
set group service "Everything But Internet 2" add "TCP-ANY"
set group service "Everything But Internet 2" add "TELNET"
set group service "Everything But Internet 2" add "TFTP"
set group service "Everything But Internet 2" add "TRACEROUTE"
set group service "Everything But Internet 2" add "UDP-ANY"
set group service "Everything But Internet 2" add "UUCP"
set group service "Everything But Internet 2" add "VDO Live"
set group service "Everything But Internet 2" add "WAIS"
set group service "Everything But Internet 2" add "WINFRAME"
set group service "Everything But Internet 2" add "X-WINDOWS"
set group service "Everything But Internet 2" add "Bridge"
set group service "Everything But Internet 2" add "Servicing Download"
set group service "Everything But Internet 2" add "Secondary FTP"
set group service "Everything But Internet 2" add "FTP - BulletProof"
set group service "Everything But Internet 2" add "Custom FTP 2121"
set group service "Inbound_Mail_CT" comment " "
set group service "Inbound_Mail_CT" add "HTTP"
set group service "Inbound_Mail_CT" add "HTTPS"
set group service "Inbound_Mail_CT" add "PING"
set group service "Inbound_Mail_CT" add "MAIL"
set group service "Inbound_Mail_CT" add "POP3"
set group service "WEB3" comment "Webserver 3 - Misc Web Services"
set group service "WEB3" add "HTTP"
set group service "WEB3" add "HTTPS"
set group service "WEB3" add "PING"
set group service "WEB3" add "FTP"
set group service "WEB3" add "FTP-Get"
set group service "WEB3" add "FTP-Put"
set group service "CSG Server" comment "Metaframe Secure Server"
set group service "CSG Server" add "HTTP"
set group service "CSG Server" add "HTTPS"
set group service "CSG Server" add "PING"
set group service "CSG Server" add "WINFRAME"
set group service "CSG Server" add "DNS"
set ike p1-proposal "McDonald2" Preshare Group2 esp 3DES SHA-1 second 3600
set ike p1-proposal "McDonald1" Preshare Group2 esp 3DES SHA-1 second 3600
set ike p2-proposal "Mcdonald2" no-pfs ESP 3DES SHA-1 second 700
set ike p2-proposal "McDonald1" no-pfs ESP 3DES SHA-1 second 700
set ike gateway "McDonald2" ip 68.255.234.130 Main outgoing-interface "ethernet3" preshare "w731QmAB" proposal "McDonald2"
set ike gateway "McDonald1" ip 209.49.254.226 Main outgoing-interface "ethernet3" preshare "w731QmAB" proposal "McDonald1"
unset ike policy-checking
set ike respond-bad-spi 1
set vpn "McDonald2.1" id 20499 gateway "McDonald2" no-replay tunnel idletime 0 proposal "Mcdonald2"
set vpn "McDonald2.1" monitor
set vpn "McDonald1" id 20500 gateway "McDonald1" no-replay tunnel idletime 0 proposal "McDonald1"
set vpn "McDonald1" monitor
set ike id-mode subnet
set xauth lifetime 480
set xauth default auth server Local
set vpn-group id 2 vpn "McDonald2.1" weight 9
set vpn-group id 1 vpn "McDonald1" weight 10
set l2tp default dns1 10.10.0.10
set l2tp default dns2 10.10.0.10
set l2tp default ppp-auth chap
set policy id 18 name "McDonald1" from "Trust" to "Untrust" "Any" "McDonald1" "VPN to McD" nat dip-id 2 Tunnel vpn-group 1 log traffic gbw 256 priority 0 mbw 256
set policy id 16 name "McD_VPN2" from "Trust" to "Untrust" "Any" "McDonald2" "VPN to McD" nat dip-id 2 Tunnel vpn-group 2 log traffic gbw 256 priority 0 mbw 256
set policy id 49 name "IT Department Outbound" from "Trust" to "Untrust" "IT Department" "Any" "ANY" nat dip-id 2 Permit log
set policy id 19 name "McDonald1" from "Untrust" to "Trust" "McDonald1" "Any" "VPN to McD" Tunnel vpn-group 1 log traffic gbw 256 priority 0 mbw 256
set policy id 17 name "McD_VPN2" from "Untrust" to "Trust" "McDonald2" "Any" "VPN to McD" Tunnel vpn-group 2 log traffic gbw 256 priority 0 mbw 256
set policy id 21 name "Appraisal IP Pop" from "Untrust" to "Trust" "Appraisal IP Group" "MIP(64.108.190.116)" "Appraisers" nat dip-id 2 Permit log
set policy id 21 disable
set policy id 50 name "DMZ Incoming" from "Untrust" to "Trust" "Any" "MIP(64.108.190.124)" "CSG Server" nat dip-id 2 Permit log
set policy id 35 name "Web Mail" from "Untrust" to "Trust" "Any" "MIP(64.108.190.116)" "Internet" nat dip-id 2 Permit log
set policy id 6 name "Mail" from "Untrust" to "Trust" "Any" "MIP(64.108.190.116)" "Inbound_Mail" Permit log
set policy id 27 name "HTTP Requests" from "Trust" to "Untrust" "ISA_Server_NICS" "Any" "Internet" nat dip-id 2 Permit log
set policy id 33 from "Trust" to "Untrust" "Shore_LAN" "Any" "Internet" Permit log
set policy id 33 disable
set policy id 28 name "ShareLAN_1" from "Trust" to "Untrust" "Shore_LAN" "Any" "Everything But Internet 1" nat dip-id 2 Permit log
set policy id 29 name "ShoreLAN_2" from "Trust" to "Untrust" "Shore_LAN" "Any" "Everything But Internet 2" nat dip-id 2 Permit log
set policy id 31 name "Citrix Test" from "Untrust" to "Trust" "Any" "MIP(64.108.190.118)" "Internet" nat dip-id 2 Permit log
set policy id 26 name "WEB 2" from "Untrust" to "Trust" "Any" "MIP(64.108.190.125)" "WEB2" nat dip-id 2 Permit log count
set policy id 44 name "WEB3" from "Untrust" to "Trust" "Any" "MIP(64.108.190.126)" "WEB3" nat dip-id 2 Permit log count
set policy id 46 name "UWM" from "Untrust" to "Trust" "Any" "MIP(64.108.190.115)" "Internet" nat dip-id 2 Permit log count
set policy id 47 name "Shore Website" from "Untrust" to "Trust" "Any" "MIP(64.108.190.119)" "Intranet_WEB" nat dip-id 2 Permit log count
set policy id 48 name "web.shoremortgage.com" from "Untrust" to "Trust" "Any" "MIP(64.108.190.114)" "Internet" nat dip-id 2 Permit log count
set policy id 37 name "Shore Tax" from "Untrust" to "Trust" "Any" "MIP(64.108.190.123)" "WEB2" nat dip-id 2 Permit log count
set policy id 42 name "esource.shoremortgage.com" from "Untrust" to "Trust" "Any" "MIP(64.108.190.122)" "Internet" nat dip-id 2 Permit log count
set global-pro policy-manager primary outgoing-interface ethernet3
set global-pro policy-manager secondary outgoing-interface ethernet3
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns1 10.10.0.10
set dns host dns2 10.10.0.8
set dns host schedule 12:00
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 10.10.10.62/32 interface ethernet1 gateway 10.10.0.1
exit


 
Well it looks like pings are getting through, but not getting out;

Traffic log for policy : ID Source Destination Service Action
50 Untrust/Any Global/MIP(64.108.190.124) CSG Server Permit


Date/Time Source Address/Port Translated Address/Port Destination Address/Port Duration Service
2005-03-29 09:33:22 69.2.200.182:768 192.168.100.1:6790 192.168.100.11:3072 60 sec. ICMP
2005-03-29 09:33:20 69.2.200.182:512 192.168.100.1:6785 192.168.100.11:3072 59 sec. ICMP
2005-03-29 09:33:20 69.2.200.182:256 192.168.100.1:6781 192.168.100.11:3072 60 sec. ICMP
2005-03-29 09:33:18 69.2.200.182:0 192.168.100.1:6779 192.168.100.11:3072 59 sec. ICMP
 
Ok, been working on it some more and I got the CSG (in the DMZ) talking to my internal Metaframe servers. I tested this by going onto the CSG and seeing if I could pull up an app through the Web interface. Sure enough I got it connected, so I know the DMZ is talking correctly with the Trusted network. However, I still can't hit the Web interface through the untrusted side (which is what I need now).

Any ideas? We're close, I can feel it!! :)
 
Give me a minute to finish checking out your config.

Also do a

get dbuf info - displays the dbuf size in bytes. Default 32k.
You shouldn't need to increase the buffer size. When you run the command debug flow basic you only need to try to connect once to your CSG. Can you give it one more try?

JNCIA/FWV,CCNP,CCNA,MCSE, MCP+I, A+
 
Shore-GW-> Get dbuf info
count: 0, last index: 0, cur index: 0, size: 131072
start: 0, pause: 0

less than normal it looks like.
 
Here's an updated config file, I can ping it internally now, however I still can't ping from outside.


-------
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth-server "DefL2TPAuthServer" id 1
set auth-server "DefL2TPAuthServer" account-type l2tp
set auth default auth server "Local"
set clock "timezone" -5
set admin format dos
set admin name "netscreen"
set admin manager-ip 10.10.0.0 255.255.254.0
set admin auth timeout 10
set admin auth server "Local"
set service "Secondary FTP" group "other" tcp src 2121-2121 dst 2121-2121
set service "Secondary FTP" + udp src 2121-2121 dst 2121-2121
set service "FTP - BulletProof" group "other" udp src 5500-5500 dst 5500-5500
set service "FTP - BulletProof" + tcp src 5500-5500 dst 5500-5500
set service "Custom FTP 2121" group "other" tcp src 2121-2121 dst 2121-2121
set service "Custom FTP 2121" + udp src 2121-2121 dst 2121-2121
set service "TELNET" timeout never
set service "Bridge" protocol tcp src-port 14000-14000 dst-port 14000-14000 group "other"
set service "Servicing Download" protocol tcp src-port 0-65535 dst-port 8000-8000 group "other"
set service "SSL Port-444" protocol tcp src-port 0-65000 dst-port 444-444 group "other"
set service "HTTP - 8088" protocol tcp src-port 8088-8088 dst-port 8088-8088 group "other"
set service "HTTP - 81" protocol tcp src-port 81-81 dst-port 81-81 group "other"
set service "Irene_5/3_Bank" protocol tcp src-port 0-65535 dst-port 1996-1996 group "other"
set vrouter trust-vr sharable
unset vrouter "trust-vr" auto-route-export
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "DMZ" tcp-rst
set zone "MGT" block
set zone "MGT" tcp-rst
set zone Untrust screen udp-flood
set zone Untrust screen winnuke
set zone Untrust screen port-scan
set zone Untrust screen ip-sweep
set zone Untrust screen tear-drop
set zone Untrust screen syn-flood
set zone Untrust screen ip-spoofing
set zone Untrust screen ping-death
set zone Untrust screen ip-filter-src
set zone Untrust screen land
set zone V1-Untrust screen udp-flood
set zone V1-Untrust screen winnuke
set zone V1-Untrust screen port-scan
set zone V1-Untrust screen ip-sweep
set zone V1-Untrust screen tear-drop
set zone V1-Untrust screen syn-flood
set zone V1-Untrust screen ip-spoofing
set zone V1-Untrust screen ping-death
set zone V1-Untrust screen ip-filter-src
set zone V1-Untrust screen land
set zone Untrust screen ip-sweep threshold 30000
set zone V1-Untrust screen ip-sweep threshold 30000
set interface "ethernet1" zone "Trust"
set interface "ethernet2" zone "DMZ"
set interface "ethernet3" zone "Untrust"
unset interface vlan1 ip
set interface ethernet1 ip 10.10.0.3/23
set interface ethernet1 nat
set interface ethernet2 ip 192.168.100.1/24
set interface ethernet2 route
set interface ethernet3 ip 64.108.190.120/28
set interface ethernet3 route
set interface ethernet3 gateway 64.108.190.113
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface vlan1 ip manageable
set interface ethernet1 ip manageable
set interface ethernet2 ip manageable
set interface ethernet3 ip manageable
unset interface ethernet1 manage global-pro
set interface ethernet2 manage ssl
set interface ethernet3 manage ping
set interface ethernet3 manage telnet
set interface ethernet3 manage ssl
set interface ethernet3 manage web
set interface "ethernet3" mip 64.108.190.116 host 10.10.0.11 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet3" mip 64.108.190.119 host 10.10.0.41 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet3" mip 64.108.190.118 host 10.10.0.14 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet3" mip 64.108.190.115 host 10.10.0.9 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet3" mip 64.108.190.125 host 10.10.0.6 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet3" mip 64.108.190.126 host 10.10.0.16 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet3" mip 64.108.190.114 host 10.10.0.27 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet3" mip 64.108.190.123 host 10.10.0.42 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet3" mip 64.108.190.122 host 10.10.0.44 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet3" mip 64.108.190.124 host 192.168.100.11 netmask 255.255.255.255 vr "trust-vr"
set interface ethernet2 dip 4 192.168.100.9 192.168.100.15
unset console dbuf
set domain shoremortgage.com
set hostname Shore-GW
set address "Trust" "Exchange_Server" 10.10.0.11 255.255.255.255 "Mail Server"
set address "Trust" "ISA_Server" 10.10.0.14 255.255.255.255 "ISA Server Requests"
set address "Trust" "ISA_Server_2" 10.10.0.15 255.255.255.255
set address "Trust" "MF1" 10.10.0.21 255.255.255.255
set address "Trust" "MF2" 10.10.0.22 255.255.255.255
set address "Trust" "MF3" 10.10.0.20 255.255.255.255
set address "Trust" "MF4" 10.10.0.23 255.255.255.255
set address "Trust" "MF5" 10.10.0.46 255.255.255.255
set address "Trust" "Shore1 STA for GCS" 10.10.0.10 255.255.255.255
set address "Trust" "Shore_LAN" 10.10.0.0 255.255.254.0 "HQ LAN"
set address "Untrust" "Appraisal1" 68.22.7.249 255.255.255.255 "First Appraisal IP"
set address "Untrust" "Appraisal2" 68.22.7.250 255.255.255.255 "Second Appraisal IP"
set address "Untrust" "Appraisal3" 68.22.7.251 255.255.255.255 "Third Appraisal IP"
set address "Untrust" "Appraisal4" 68.22.7.252 255.255.255.255 "Fourth Appraisal IP"
set address "Untrust" "Appraisal5" 68.22.7.253 255.255.255.255 "Fifth Appraisal IP"
set address "Untrust" "Appraisal6" 68.22.7.254 255.255.255.255 "Sixth Appraisal IP"
set address "Untrust" "Appraisal7" 68.248.33.191 255.255.255.255 "Appraisal Gateway"
set address "Untrust" "Appraisal8" 64.68.82.169 255.255.255.255
set address "Untrust" "HotBar" 65.121.237.200 255.255.255.255 "HotBar Spyware"
set address "Untrust" "McDonald1" 209.49.254.224 255.255.255.240 "1st VPN Endpoint/NAT address"
set address "Untrust" "McDonald2" 68.255.234.128 255.255.255.192 " 2nd VPN EndPoint/NAT address"
set address "DMZ" "Secure Gateway Server" 192.168.100.11 255.255.255.255 "Secure Gateway Server"
set firewall log-self
set snmp name "Shore-GW"
set group address "Trust" "ISA_Server_NICS" comment " "
set group address "Trust" "ISA_Server_NICS" add "ISA_Server"
set group address "Trust" "ISA_Server_NICS" add "ISA_Server_2"
set group address "Trust" "IT Department" comment " "
set group address "Trust" "Metaframe Servers" comment "Metaframe Server Group"
set group address "Trust" "Metaframe Servers" add "MF1"
set group address "Trust" "Metaframe Servers" add "MF2"
set group address "Trust" "Metaframe Servers" add "MF3"
set group address "Trust" "Metaframe Servers" add "MF4"
set group address "Trust" "Metaframe Servers" add "MF5"
set group address "Trust" "Metaframe Servers" add "Shore1 STA for GCS"
set group address "Untrust" "Appraisal IP Group" comment "Appraisal IP Group"
set group address "Untrust" "Appraisal IP Group" add "Appraisal1"
set group address "Untrust" "Appraisal IP Group" add "Appraisal2"
set group address "Untrust" "Appraisal IP Group" add "Appraisal3"
set group address "Untrust" "Appraisal IP Group" add "Appraisal4"
set group address "Untrust" "Appraisal IP Group" add "Appraisal5"
set group address "Untrust" "Appraisal IP Group" add "Appraisal6"
set group address "Untrust" "Appraisal IP Group" add "Appraisal7"
set group address "Untrust" "Appraisal IP Group" add "Appraisal8"
set group service "Intranet_WEB" comment " "
set group service "Intranet_WEB" add "HTTP"
set group service "Intranet_WEB" add "HTTPS"
set group service "Intranet_WEB" add "PING"
set group service "Intranet_WEB" add "Bridge"
set group service "Intranet_WEB" add "Servicing Download"
set group service "Intranet_WEB" add "MAIL"
set group service "Inbound_Mail" comment " "
set group service "Inbound_Mail" add "HTTP"
set group service "Inbound_Mail" add "MAIL"
set group service "Inbound_Mail" add "PING"
set group service "Inbound_Mail" add "POP3"
set group service "VPN to McD" comment " "
set group service "VPN to McD" add "TELNET"
set group service "VPN to McD" add "PING"
set group service "VPN to McD" add "MAIL"
set group service "VPN to McD" add "Servicing Download"
set group service "PCAny" comment " "
set group service "PCAny" add "PING"
set group service "PCAny" add "PC-Anywhere"
set group service "WEB2" comment "Webserver 2"
set group service "WEB2" add "HTTP"
set group service "WEB2" add "HTTPS"
set group service "WEB2" add "SSL Port-444"
set group service "WEB2" add "HTTP - 8088"
set group service "WEB2" add "HTTP - 81"
set group service "WEB2" add "FTP"
set group service "WEB2" add "FTP-Get"
set group service "WEB2" add "FTP-Put"
set group service "Appraisers" comment " "
set group service "Appraisers" add "POP3"
set group service "Appraisers" add "HTTP"
set group service "Appraisers" add "MAIL"
set group service "Appraisers" add "HTTPS"
set group service "Appraisers" add "DNS"
set group service "Internet" comment "All Internet Traffic"
set group service "Internet" add "AOL"
set group service "Internet" add "BGP"
set group service "Internet" add "DHCP-Relay"
set group service "Internet" add "DNS"
set group service "Internet" add "FINGER"
set group service "Internet" add "FTP"
set group service "Internet" add "FTP-Get"
set group service "Internet" add "FTP-Put"
set group service "Internet" add "GOPHER"
set group service "Internet" add "H.323"
set group service "Internet" add "HTTP"
set group service "Internet" add "HTTPS"
set group service "Internet" add "IRC"
set group service "Internet" add "NetMeeting"
set group service "Internet" add "PING"
set group service "Internet" add "Real Media"
set group service "Internet" add "FTP - BulletProof"
set group service "Internet" add "Secondary FTP"
set group service "Internet" add "Irene_5/3_Bank"
set group service "Everything But Internet 1" comment " "
set group service "Everything But Internet 1" add "BGP"
set group service "Everything But Internet 1" add "DHCP-Relay"
set group service "Everything But Internet 1" add "DNS"
set group service "Everything But Internet 1" add "FINGER"
set group service "Everything But Internet 1" add "GOPHER"
set group service "Everything But Internet 1" add "ICMP-INFO"
set group service "Everything But Internet 1" add "ICMP-TIMESTAMP"
set group service "Everything But Internet 1" add "IKE"
set group service "Everything But Internet 1" add "IMAP"
set group service "Everything But Internet 1" add "Internet Locator Service"
set group service "Everything But Internet 1" add "L2TP"
set group service "Everything But Internet 1" add "MAIL"
set group service "Everything But Internet 1" add "NetMeeting"
set group service "Everything But Internet 1" add "LDAP"
set group service "Everything But Internet 1" add "NFS"
set group service "Everything But Internet 1" add "NNTP"
set group service "Everything But Internet 1" add "NS Global"
set group service "Everything But Internet 1" add "NS Global PRO"
set group service "Everything But Internet 1" add "NTP"
set group service "Everything But Internet 1" add "OSPF"
set group service "Everything But Internet 1" add "PC-Anywhere"
set group service "Everything But Internet 1" add "PING"
set group service "Everything But Internet 1" add "POP3"
set group service "Everything But Internet 1" add "PPTP"
set group service "Everything But Internet 1" add "RIP"
set group service "Everything But Internet 1" add "RLOGIN"
set group service "Everything But Internet 1" add "SNMP"
set group service "Everything But Internet 1" add "SSH"
set group service "Everything But Internet 1" add "SYSLOG"
set group service "Everything But Internet 1" add "AOL"
set group service "Everything But Internet 1" add "Custom FTP 2121"
set group service "Everything But Internet 2" comment " "
set group service "Everything But Internet 2" add "TALK"
set group service "Everything But Internet 2" add "TCP-ANY"
set group service "Everything But Internet 2" add "TELNET"
set group service "Everything But Internet 2" add "TFTP"
set group service "Everything But Internet 2" add "TRACEROUTE"
set group service "Everything But Internet 2" add "UDP-ANY"
set group service "Everything But Internet 2" add "UUCP"
set group service "Everything But Internet 2" add "VDO Live"
set group service "Everything But Internet 2" add "WAIS"
set group service "Everything But Internet 2" add "WINFRAME"
set group service "Everything But Internet 2" add "X-WINDOWS"
set group service "Everything But Internet 2" add "Bridge"
set group service "Everything But Internet 2" add "Servicing Download"
set group service "Everything But Internet 2" add "Secondary FTP"
set group service "Everything But Internet 2" add "FTP - BulletProof"
set group service "Everything But Internet 2" add "Custom FTP 2121"
set group service "Inbound_Mail_CT" comment " "
set group service "Inbound_Mail_CT" add "HTTP"
set group service "Inbound_Mail_CT" add "HTTPS"
set group service "Inbound_Mail_CT" add "PING"
set group service "Inbound_Mail_CT" add "MAIL"
set group service "Inbound_Mail_CT" add "POP3"
set group service "WEB3" comment "Webserver 3 - Misc Web Services"
set group service "WEB3" add "HTTP"
set group service "WEB3" add "HTTPS"
set group service "WEB3" add "PING"
set group service "WEB3" add "FTP"
set group service "WEB3" add "FTP-Get"
set group service "WEB3" add "FTP-Put"
set group service "CSG Server" comment "Metaframe Secure Server"
set group service "CSG Server" add "HTTP"
set group service "CSG Server" add "HTTPS"
set group service "CSG Server" add "PING"
set group service "CSG Server" add "WINFRAME"
set group service "CSG Server" add "DNS"
set group service "CSG Server" add "ICMP-INFO"
set group service "CSG Server" add "ICMP-TIMESTAMP"
set ike p1-proposal "McDonald2" Preshare Group2 esp 3DES SHA-1 second 3600
set ike p1-proposal "McDonald1" Preshare Group2 esp 3DES SHA-1 second 3600
set ike p2-proposal "Mcdonald2" no-pfs ESP 3DES SHA-1 second 700
set ike p2-proposal "McDonald1" no-pfs ESP 3DES SHA-1 second 700
set ike gateway "McDonald2" ip 68.255.234.130 Main outgoing-interface "ethernet3" preshare "w731QmAB" proposal "McDonald2"
set ike gateway "McDonald1" ip 209.49.254.226 Main outgoing-interface "ethernet3" preshare "w731QmAB" proposal "McDonald1"
unset ike policy-checking
set ike respond-bad-spi 1
set vpn "McDonald2.1" id 20499 gateway "McDonald2" no-replay tunnel idletime 0 proposal "Mcdonald2"
set vpn "McDonald2.1" monitor
set vpn "McDonald1" id 20500 gateway "McDonald1" no-replay tunnel idletime 0 proposal "McDonald1"
set vpn "McDonald1" monitor
set ike id-mode subnet
set xauth lifetime 480
set xauth default auth server Local
set vpn-group id 2 vpn "McDonald2.1" weight 9
set vpn-group id 1 vpn "McDonald1" weight 10
set l2tp default dns1 10.10.0.10
set l2tp default dns2 10.10.0.10
set l2tp default ppp-auth chap
set policy id 18 name "McDonald1" from "Trust" to "Untrust" "Any" "McDonald1" "VPN to McD" nat dip-id 2 Tunnel vpn-group 1 log traffic gbw 256 priority 0 mbw 256
set policy id 16 name "McD_VPN2" from "Trust" to "Untrust" "Any" "McDonald2" "VPN to McD" nat dip-id 2 Tunnel vpn-group 2 log traffic gbw 256 priority 0 mbw 256
set policy id 49 name "IT Department Outbound" from "Trust" to "Untrust" "IT Department" "Any" "ANY" nat dip-id 2 Permit log
set policy id 19 name "McDonald1" from "Untrust" to "Trust" "McDonald1" "Any" "VPN to McD" Tunnel vpn-group 1 log traffic gbw 256 priority 0 mbw 256
set policy id 17 name "McD_VPN2" from "Untrust" to "Trust" "McDonald2" "Any" "VPN to McD" Tunnel vpn-group 2 log traffic gbw 256 priority 0 mbw 256
set policy id 21 name "Appraisal IP Pop" from "Untrust" to "Trust" "Appraisal IP Group" "MIP(64.108.190.116)" "Appraisers" nat dip-id 2 Permit log
set policy id 21 disable
set policy id 50 name "DMZ Incoming" from "Untrust" to "Trust" "Any" "MIP(64.108.190.124)" "CSG Server" Permit log
set policy id 35 name "Web Mail" from "Untrust" to "Trust" "Any" "MIP(64.108.190.116)" "Internet" nat dip-id 2 Permit log
set policy id 6 name "Mail" from "Untrust" to "Trust" "Any" "MIP(64.108.190.116)" "Inbound_Mail" Permit log
set policy id 27 name "HTTP Requests" from "Trust" to "Untrust" "ISA_Server_NICS" "Any" "Internet" nat dip-id 2 Permit log
set policy id 33 from "Trust" to "Untrust" "Shore_LAN" "Any" "Internet" Permit log
set policy id 33 disable
set policy id 28 name "ShareLAN_1" from "Trust" to "Untrust" "Shore_LAN" "Any" "Everything But Internet 1" nat dip-id 2 Permit log
set policy id 29 name "ShoreLAN_2" from "Trust" to "Untrust" "Shore_LAN" "Any" "Everything But Internet 2" nat dip-id 2 Permit log
set policy id 31 name "Citrix Test" from "Untrust" to "Trust" "Any" "MIP(64.108.190.118)" "Internet" nat dip-id 2 Permit log
set policy id 26 name "WEB 2" from "Untrust" to "Trust" "Any" "MIP(64.108.190.125)" "WEB2" nat dip-id 2 Permit log count
set policy id 44 name "WEB3" from "Untrust" to "Trust" "Any" "MIP(64.108.190.126)" "WEB3" nat dip-id 2 Permit log count
set policy id 46 name "UWM" from "Untrust" to "Trust" "Any" "MIP(64.108.190.115)" "Internet" nat dip-id 2 Permit log count
set policy id 47 name "Shore Website" from "Untrust" to "Trust" "Any" "MIP(64.108.190.119)" "Intranet_WEB" nat dip-id 2 Permit log count
set policy id 48 name "web.shoremortgage.com" from "Untrust" to "Trust" "Any" "MIP(64.108.190.114)" "Internet" nat dip-id 2 Permit log count
set policy id 37 name "Shore Tax" from "Untrust" to "Trust" "Any" "MIP(64.108.190.123)" "WEB2" nat dip-id 2 Permit log count
set policy id 42 name "esource.shoremortgage.com" from "Untrust" to "Trust" "Any" "MIP(64.108.190.122)" "Internet" nat dip-id 2 Permit log count
set policy id 51 name "Metaframe Srv's to CGS in " from "Trust" to "DMZ" "Metaframe Servers" "Secure Gateway Server" "ANY" nat dip-id 2 Permit log
set policy id 52 name "CSG DMZ Srv to Metaframe Srvs" from "DMZ" to "Trust" "Secure Gateway Server" "Metaframe Servers" "ANY" nat dip-id 2 Permit log
set global-pro policy-manager primary outgoing-interface ethernet3
set global-pro policy-manager secondary outgoing-interface ethernet3
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns1 10.10.0.10
set dns host dns2 10.10.0.8
set dns host schedule 12:00
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 10.10.10.62/32 interface ethernet1 gateway 10.10.0.1
exit
 
OK, first thing: the command unset console dbuf.


1) unset console dbuf - directs the output from debug to the console in real time, but creates more overhead. That's most likely why it crashed before. Should be:
set console dbuf - this default is recommended as it incurs the least amount of overhead for the Netscreen.

2) set policy id 50 name "DMZ Incoming" from "Untrust" to "Trust" "Any" "MIP(64.108.190.124)" "CSG Server" Permit log. This is the only policy I see with your MIP for the CSG service, but it's going from Untrust to Trust. It should be Untrust to DMZ, plus
DMZ to Untrust Any Any.


3) You just added these, correct? That is why you're able to connect to the CSG from your Metaframe server, right?


set policy id 51 name "Metaframe Srv's to CGS in " from "Trust" to "DMZ" "Metaframe Servers" "Secure Gateway Server" "ANY" nat dip-id 2 Permit log
set policy id 52 name "CSG DMZ Srv to Metaframe Srvs" from "DMZ" to "Trust" "Secure Gateway Server" "Metaframe Servers" "ANY" nat dip-id 2 Permit log

JNCIA/FWV,CCNP,CCNA,MCSE, MCP+I, A+
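The zone mismatch called out in point 2 (a policy whose to-zone is "Trust" while the MIP's real host, 192.168.100.11, sits behind ethernet2 in the "DMZ" zone) is easy to miss by eye in a config this long. The script below is an added example, not part of the thread or of ScreenOS: it reads ScreenOS-style `set interface ... zone`, `set interface ... ip`, `set interface ... mip` and `set policy` lines, works out which zone each MIP host actually lives in from the interface subnets, and flags inbound policies whose to-zone does not match, plus policies that reference a MIP that is never defined. The embedded config excerpt is constructed for the example: the interface, MIP and policy 50 lines mirror the ones posted above, policy 56 is the corrected Untrust-to-DMZ form, and policy 99 with MIP(64.108.190.99) is an invented bad reference to show the undefined-MIP check.

```python
import ipaddress
import re

# Constructed excerpt in the style of the thread's config dump (not the poster's
# full config). Policy 99 and its MIP address are invented for the example.
SAMPLE_CONFIG = """
set interface "ethernet1" zone "Trust"
set interface "ethernet2" zone "DMZ"
set interface "ethernet3" zone "Untrust"
set interface ethernet1 ip 10.10.0.3/23
set interface ethernet1 ip manageable
set interface ethernet2 ip 192.168.100.1/24
set interface ethernet3 ip 64.108.190.120/28
set interface "ethernet3" mip 64.108.190.116 host 10.10.0.11 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet3" mip 64.108.190.124 host 192.168.100.11 netmask 255.255.255.255 vr "trust-vr"
set policy id 50 name "DMZ Incoming" from "Untrust" to "Trust" "Any" "MIP(64.108.190.124)" "CSG Server" Permit log
set policy id 6 name "Mail" from "Untrust" to "Trust" "Any" "MIP(64.108.190.116)" "Inbound_Mail" Permit log
set policy id 56 from "Untrust" to "DMZ" "Any" "MIP(64.108.190.124)" "CSG Server" Permit log
set policy id 99 from "Untrust" to "DMZ" "Any" "MIP(64.108.190.99)" "ANY" Permit log
set policy id 21 disable
"""

# Interface names appear both quoted ("ethernet1") and bare (ethernet1) in the dump.
ZONE_RE = re.compile(r'^set interface "?([\w-]+)"? zone "([^"]+)"')
IP_RE = re.compile(r'^set interface "?([\w-]+)"? ip (\d+\.\d+\.\d+\.\d+/\d+)')
MIP_RE = re.compile(r'^set interface "?([\w-]+)"? mip (\S+) host (\S+)')
POLICY_RE = re.compile(
    r'^set policy id (\d+) (?:name "[^"]*" )?from "([^"]+)" to "([^"]+)" "([^"]+)" "([^"]+)"'
)
MIP_REF_RE = re.compile(r"MIP\(([\d.]+)\)")


def parse_config(text):
    """Collect interface zones, interface subnets, MIP->host mappings and
    policies from ScreenOS-style 'set' lines; everything else is ignored."""
    zones, nets, mips, policies = {}, {}, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if m := ZONE_RE.match(line):
            zones[m[1]] = m[2]
        elif m := IP_RE.match(line):
            nets[m[1]] = ipaddress.ip_network(m[2], strict=False)
        elif m := MIP_RE.match(line):
            mips[m[2]] = ipaddress.ip_address(m[3])
        elif m := POLICY_RE.match(line):
            policies.append({"id": int(m[1]), "from": m[2], "to": m[3],
                             "src": m[4], "dst": m[5]})
    return zones, nets, mips, policies


def zone_of_host(host, zones, nets):
    """Zone of the interface whose subnet contains host, or None if no
    configured interface subnet covers it."""
    for ifname, net in nets.items():
        if host in net:
            return zones.get(ifname)
    return None


def audit_mip_policies(text):
    """Return (policy id, message) for each policy whose destination is a MIP
    that is undefined, or whose real host is in a zone other than the
    policy's to-zone. Policies not aimed at a MIP are skipped."""
    zones, nets, mips, policies = parse_config(text)
    findings = []
    for p in policies:
        ref = MIP_REF_RE.fullmatch(p["dst"])
        if not ref:
            continue
        host = mips.get(ref[1])
        if host is None:
            findings.append((p["id"], f"references undefined MIP {ref[1]}"))
            continue
        actual = zone_of_host(host, zones, nets)
        if actual is None:
            findings.append((p["id"], f"MIP host {host} is on no configured interface subnet"))
        elif actual != p["to"]:
            findings.append((p["id"], f"to-zone is {p['to']} but MIP host {host} is in zone {actual}"))
    return findings


if __name__ == "__main__":
    for pid, msg in audit_mip_policies(SAMPLE_CONFIG):
        print(f"policy {pid}: {msg}")
```

Run against the sample, policy 50 is reported (to-zone Trust, host in DMZ) and policy 99 is reported as an undefined MIP; policy 6 (host 10.10.0.11 in Trust) and the corrected policy 56 pass. The zone lookup relies on the interface `ip` lines, so a MIP host that is reached via a static route rather than a directly connected subnet would come back as "on no configured interface subnet" and needs a manual look.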
 
1) Did that and got a file back, couldn't find anything from the IP I am trying to access the CSG from

2) Set the policy like you said, same problem. Can't hit it.

set policy id 56 from "Untrust" to "DMZ" "Any" "Any" "ANY" Permit log
set policy id 57 from "DMZ" to "Untrust" "Any" "Any" "ANY" nat dip-id 2 fix-port Permit log
set global-pro policy-manager primary outgoing-interface ethernet3
set global-pro policy-manager secondary outgoing-interface ethernet3

3) Yes that is correct


I'm on the verge of calling netscreen :/
 
OK, try this; we need to get more information. Are you getting hits on the policy logs for
Untrust to DMZ? If not, that means somewhere the Netscreen packet flow is dropping that traffic for some reason. So far your configuration is correct.

1)snoop direction both
2)snoop ethernet 0x0800
3)snoop ip ip 192.168.100.11
4)snoop ip port 3389



Once done, please post the output of the snoop command. See if there are any sequence check errors. If so, try this: unset flow check tcp-rst-sequence. Still the same issue, post your problem to on for more help.

JNCIA/FWV,CCNP,CCNA,MCSE, MCP+I, A+
 
I did the snoop commands but got nothing back;

Shore-GW-> snoop
Start Snoop, type ESC or 'snoop off' to stop, continue? [y]/n y
Shore-GW-> snoop direction both
Shore-GW-> snoop ethernet 0x0800
Shore-GW-> snoop ip ip 192.168.100.11
Shore-GW-> snoop ip port 3389
Shore-GW->

Now the owner of the company got wind that this isn't working, this is bad
 
After doing that you need to try to connect to the CSG. Then issue the commands listed below. But for all of these commands to work you need to have the set console dbuf command in your config.

1)snoop off

2) get dbuf stream

JNCIA/FWV,CCNP,CCNA,MCSE, MCP+I, A+
 
Got it working! Talked to a very knowledgeable lady at netscreen and it turns out that the upgrade from 3.0.3 to 4.0.0 needed some changes. Everything we had was right except we needed to delete the DIP on eth2. Did that and everything started working again. Thanks for all the help, I really appreciate it!!
 