
Static Route - Single IP

Status
Not open for further replies.

airbourne (MIS), Sep 11, 2003
I have a lab setup to help me understand NetScreen firewalls. I want to be able to PING from PC1 to PC2 and get a response. Both firewalls have been reset and ANY ANY rules are enabled from TRUST to UNTRUST. I have PING enabled (checked via GUI) on both the TRUST and UNTRUST on both firewalls.

The network looks like this:

PC1 = 10.1.4.100/24 (gw = 10.1.4.102)
NETSCREEN_5xt(1) TRUST = 10.1.1.102/24
NETSCREEN_5xt(1) UNTRUST = 192.168.10.1/24

NETSCREEN_5xt(2) UNTRUST = 192.168.10.2/24
NETSCREEN_5xt(2) TRUST = 10.70.70.102/24
PC2 = 10.70.70.101/24 (gw = 10.70.70.102)

From PC1 I can ping the NS(1) TRUST & UNTRUST, and the NS(2) UNTRUST. I cannot ping the NS(2) TRUST or PC2.

From PC2 I can ping the NS(2) TRUST & UNTRUST and the NS(1) UNTRUST. I cannot ping the NS(1) TRUST or PC1.

I do not have a default gateway at this time because I do not want any other traffic being routed except between these two computers.

I have created a static route on each firewall using this command:

(on NS1)
set route 10.70.70.101/32 interface untrust gateway 192.168.10.2

(on NS2)
set route 10.1.4.100/32 interface untrust gateway 192.168.10.1

I know it is probably something simple, but what am I missing? Why can't I ping the far network from either location but can ping up to the untrusted interface of the far netscreen?
 
Hi,

It sounds like you have the correct outbound policy, NAT and routing in place. However, you might be missing an inbound policy. The Untrust interface is bound to the "Untrust" zone. So, you will need an Untrust to Trust policy on each box. Is this a lab environment? If so, no need to worry about address objects, you can add source = any, zone = untrust, destination = any, zone = trust. Hope this helps.

Rgds,

John
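The point in the reply above is that ScreenOS inter-zone policies are directional: a Trust-to-Untrust policy only permits sessions initiated from Trust, so PC2's pings (and PC1's pings once they cross to NS(2)) arrive on an Untrust interface with no policy to match and are dropped, even though the route is correct. The following is an added example of what the complete lab configuration looks like on the CLI; it is not taken from the original post or from Juniper documentation. It uses the addresses exactly as the poster listed them (note the post shows PC1 in 10.1.4.0/24 while NS(1) Trust is shown as 10.1.1.102/24; the block keeps the posted values and does not try to reconcile them), and the policy ids are arbitrary.

```text
## NETSCREEN_5xt(1) -- added lab example, not the poster's config
## Outbound policy the poster already has (Trust -> Untrust)
set policy id 1 from trust to untrust any any any permit log
## The missing piece: inbound policy (Untrust -> Trust). Without it, traffic
## arriving on the untrust interface has nothing to match and is dropped,
## regardless of the route below.
set policy id 2 from untrust to trust any any any permit log
## Host route to PC2 via NS(2)'s untrust address (as posted by the OP)
set route 10.70.70.101/32 interface untrust gateway 192.168.10.2
## CLI equivalent of the GUI "Ping" management checkbox
set interface trust manage ping
set interface untrust manage ping
save

## NETSCREEN_5xt(2)
set policy id 1 from trust to untrust any any any permit log
set policy id 2 from untrust to trust any any any permit log
set route 10.1.4.100/32 interface untrust gateway 192.168.10.1
set interface trust manage ping
set interface untrust manage ping
save

## Checks after the change (run on either box while PC1 pings PC2):
##   get policy          -- both policies listed, neither disabled
##   get route           -- the /32 host route shows the untrust interface and gateway
##   get session         -- an ICMP session from 10.1.4.100 to 10.70.70.101 appears
##   get interface trust -- if the mode shows NAT rather than Route, the trust
##                          interface is source-translating outbound traffic;
##                          "set interface trust route" puts it in route mode
##                          for a lab like this one (assumption: no MIP/VIP in use)

## Once the lab works, tighten the any/any/any inbound rule to the two hosts
## and the PING service so nothing else is reachable from the untrust side:
set address trust PC1 10.1.4.100 255.255.255.255
set address untrust PC2 10.70.70.101 255.255.255.255
set policy id 2 from untrust to trust PC2 PC1 PING permit log
```

The two `any any any permit` rules are fine for a two-PC lab with no default route, which is exactly the situation the poster describes; the moment a default gateway is added, the Untrust-to-Trust any/any rule becomes an open inbound hole, so the address-object form at the end is the one to carry into anything beyond the lab.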
 
That worked, thank you. Once I had the rule in place I was able to ping as needed and then able to play around with setting up a VPN tunnel. Thanks again. :)
 