Arghhhh this is driving me nuts!
I am trying to allow a Windows 2003 server to get time updates from an internet source, so I'm trying to configure the firewall to forward port 123 traffic to 10.0.0.5.
I've mimicked several WORKING port forwards, including pcAnywhere and RDP, which have worked perfectly well for years, but nothing gets through on 123!
I've included our config below; if anyone can help, I'll buy you a virtual beer!
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set clock ntp
set clock "timezone" 0
set admin format dos
set admin name "admin"
set admin password xxxxxxxxxxxxxxxx
set admin user "xxxx" password "xxxxxxxxx" privilege "all"
set admin auth timeout 10
set admin auth server "Local"
set admin privilege read-write
set service "PCANY" protocol tcp src-port 0-65535 dst-port 5631-5631 group "other"
set service "PCADATA" protocol tcp src-port 0-65535 dst-port 5632-5632 group "other"
set service "RDP" protocol tcp src-port 0-65535 dst-port 3389-3389 group "other"
set service "CAMERAS" protocol tcp src-port 0-65535 dst-port 80-80 group "other"
set service "SNTP" protocol udp src-port 0-65535 dst-port 123-123 group "other"
set vrouter trust-vr sharable
unset vrouter "trust-vr" auto-route-export
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "MGT" tcp-rst
set zone Untrust screen tear-drop
set zone Untrust screen syn-flood
set zone Untrust screen ping-death
set zone Untrust screen ip-filter-src
set zone Untrust screen land
set zone V1-Untrust screen tear-drop
set zone V1-Untrust screen syn-flood
set zone V1-Untrust screen ping-death
set zone V1-Untrust screen ip-filter-src
set zone V1-Untrust screen land
set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust"
unset interface vlan1 ip
set interface trust ip 10.0.0.1/24
set interface trust nat
set interface untrust ip xx.xx.xx.xx/28
set interface untrust nat
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface vlan1 ip manageable
set interface trust ip manageable
set interface untrust ip manageable
set interface untrust manage telnet
set interface untrust manage web
set interface untrust vip untrust 25 MAIL 10.0.0.1
set interface untrust vip untrust 110 POP3 10.0.0.1
set interface untrust vip untrust 5631 PCANY 10.0.0.108
set interface untrust vip untrust 5632 PCADATA 10.0.0.108
set interface untrust vip untrust 3389 RDP 10.0.0.105
set interface untrust vip untrust 123 SNTP 10.0.0.5
set flow tcp-mss
set hostname Longacres
set ntp server "ntp0.uk.uu.net"
set ntp interval 15
set address "Trust" "10.0.0.4" 10.0.0.4 255.255.255.255 "Created by vpn wizard"
set address "Trust" "10.0.0.4_0" 10.0.0.4 255.255.255.255 "Created by vpn wizard"
set address "Trust" "10.0.0.73" 10.0.0.73 255.255.255.0 "Created by vpn wizard"
set address "Global" "10.0.0.5/24" 10.0.0.5 255.255.255.0
set snmp name "xxxxxxx"
set ike policy-checking
set ike respond-bad-spi 1
set ike id-mode subnet
set xauth lifetime 480
set xauth default auth server Local
set policy id 2 name "Created by policy wizard" from "Untrust" to "Global" "Any" "VIP::1" "POP3" Permit
set policy id 1 name "Created by policy wizard" from "Untrust" to "Global" "Any" "VIP::1" "MAIL" Permit
set policy id 0 from "Trust" to "Untrust" "Any" "Any" "ANY" Permit log
set policy id 3 from "Untrust" to "Trust" "Any" "Any" "ANY" Permit
set policy id 4 from "Untrust" to "Trust" "Any" "Any" "PCANY" Permit
set policy id 5 from "Untrust" to "Global" "Any" "VIP::1" "PCANY" Permit
set policy id 6 from "Untrust" to "Global" "Any" "VIP::1" "PCADATA" Permit
set policy id 9 from "Untrust" to "Global" "Any" "VIP::1" "SNTP" Permit
set policy id 7 from "Untrust" to "Global" "Any" "VIP::1" "RDP" Permit
set policy id 8 from "Untrust" to "Global" "Any" "VIP::1" "CAMERAS" Permit
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set global-pro policy-manager primary outgoing-interface untrust
set global-pro policy-manager secondary outgoing-interface untrust
set dns host dns1 195.184.228.6
set dns host dns2 195.184.228.7
set dns host schedule 00:00
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface untrust gateway xxxxxx
set route 11.0.0.0/24 interface trust gateway 10.0.0.180
set route 192.168.168.0/24 interface trust gateway 10.0.0.1
exit
I am trying to allow a Windows 2003 server to get time updates from an internet source, so I'm trying to configure the firewall to forward port 123 traffic to 10.0.0.5.
I've mimicked several WORKING port forwards, including pcAnywhere and RDP, which have worked perfectly well for years, but nothing gets through on 123!
I've included our config below; if anyone can help, I'll buy you a virtual beer!
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set clock ntp
set clock "timezone" 0
set admin format dos
set admin name "admin"
set admin password xxxxxxxxxxxxxxxx
set admin user "xxxx" password "xxxxxxxxx" privilege "all"
set admin auth timeout 10
set admin auth server "Local"
set admin privilege read-write
set service "PCANY" protocol tcp src-port 0-65535 dst-port 5631-5631 group "other"
set service "PCADATA" protocol tcp src-port 0-65535 dst-port 5632-5632 group "other"
set service "RDP" protocol tcp src-port 0-65535 dst-port 3389-3389 group "other"
set service "CAMERAS" protocol tcp src-port 0-65535 dst-port 80-80 group "other"
set service "SNTP" protocol udp src-port 0-65535 dst-port 123-123 group "other"
set vrouter trust-vr sharable
unset vrouter "trust-vr" auto-route-export
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "MGT" tcp-rst
set zone Untrust screen tear-drop
set zone Untrust screen syn-flood
set zone Untrust screen ping-death
set zone Untrust screen ip-filter-src
set zone Untrust screen land
set zone V1-Untrust screen tear-drop
set zone V1-Untrust screen syn-flood
set zone V1-Untrust screen ping-death
set zone V1-Untrust screen ip-filter-src
set zone V1-Untrust screen land
set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust"
unset interface vlan1 ip
set interface trust ip 10.0.0.1/24
set interface trust nat
set interface untrust ip xx.xx.xx.xx/28
set interface untrust nat
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface vlan1 ip manageable
set interface trust ip manageable
set interface untrust ip manageable
set interface untrust manage telnet
set interface untrust manage web
set interface untrust vip untrust 25 MAIL 10.0.0.1
set interface untrust vip untrust 110 POP3 10.0.0.1
set interface untrust vip untrust 5631 PCANY 10.0.0.108
set interface untrust vip untrust 5632 PCADATA 10.0.0.108
set interface untrust vip untrust 3389 RDP 10.0.0.105
set interface untrust vip untrust 123 SNTP 10.0.0.5
set flow tcp-mss
set hostname Longacres
set ntp server "ntp0.uk.uu.net"
set ntp interval 15
set address "Trust" "10.0.0.4" 10.0.0.4 255.255.255.255 "Created by vpn wizard"
set address "Trust" "10.0.0.4_0" 10.0.0.4 255.255.255.255 "Created by vpn wizard"
set address "Trust" "10.0.0.73" 10.0.0.73 255.255.255.0 "Created by vpn wizard"
set address "Global" "10.0.0.5/24" 10.0.0.5 255.255.255.0
set snmp name "xxxxxxx"
set ike policy-checking
set ike respond-bad-spi 1
set ike id-mode subnet
set xauth lifetime 480
set xauth default auth server Local
set policy id 2 name "Created by policy wizard" from "Untrust" to "Global" "Any" "VIP::1" "POP3" Permit
set policy id 1 name "Created by policy wizard" from "Untrust" to "Global" "Any" "VIP::1" "MAIL" Permit
set policy id 0 from "Trust" to "Untrust" "Any" "Any" "ANY" Permit log
set policy id 3 from "Untrust" to "Trust" "Any" "Any" "ANY" Permit
set policy id 4 from "Untrust" to "Trust" "Any" "Any" "PCANY" Permit
set policy id 5 from "Untrust" to "Global" "Any" "VIP::1" "PCANY" Permit
set policy id 6 from "Untrust" to "Global" "Any" "VIP::1" "PCADATA" Permit
set policy id 9 from "Untrust" to "Global" "Any" "VIP::1" "SNTP" Permit
set policy id 7 from "Untrust" to "Global" "Any" "VIP::1" "RDP" Permit
set policy id 8 from "Untrust" to "Global" "Any" "VIP::1" "CAMERAS" Permit
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set global-pro policy-manager primary outgoing-interface untrust
set global-pro policy-manager secondary outgoing-interface untrust
set dns host dns1 195.184.228.6
set dns host dns2 195.184.228.7
set dns host schedule 00:00
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface untrust gateway xxxxxx
set route 11.0.0.0/24 interface trust gateway 10.0.0.180
set route 192.168.168.0/24 interface trust gateway 10.0.0.1
exit