Thomas, this is mostly correct. My correction is listed below starting
with DH>
thomasss@becyber.be wrote:
Hello,
To do what you want, you need to do two steps:
Port forwarding and firewall allowing traffic.
To forward a port from WAN to LAN, I think the best is to use VIP.
Go under the interface configuration, go to untrust interface, select
VIP on the top of the page and click "New".
A new window with useful fields will open.
For the public IP, select Untrust interface IP
For private IP put the internal IP of your web server
Put also the public and private port for your web server.
You need to do it twice, once for http and once for https.
Then you need to go on the policy tab and create a new rule from
untrust to trust.
On the top of the page, select "from untrust" and "to trust" then click
new.
A window will open; fill in the fields with the required values:
from : any
to : internal IP of web server
DH> to "VIP", not the internal IP of the server.
service(s) : ports you want to allow
action : accept
I don't have a netscreen under the hand, so everything I wrote is by
memory...
But I think it must be ok like that.
Good luck and nice week-end to all readers
Tom
kimry wrote:
Hi there,
Is there a very simple tutorial for newbies to configure NetScreen-5GT?
Untrust to trust policy is my problem
"I don't know where to start,
is there routing entries involved? or the trust to untrust routing
would do the job? "I've no problem going out through the firewall""
"My overall configuration is Untrust & trust mode"
I want to DNAT whatever HTTP/HTTPS comes to the Untrust interface to be
forwarded to a web server
untrust_ip 1.2.3.4
trust_ip 192.168.1.1
WebServer 192.168.1.111 "No DNS involved for now, I just want to see It Works page :)"
I'm pretty sure that setting policy itself is not a problem.. but
should I modify a service?
cause what about the firewall UI if I allow passing HTTP request from 1.2.3.4 to 192.168.1.1
then DNAT it to 192.168.1.111
Best Regards,
--
_________________________________
Basem Elkimry
_______________________________________________
nn mailing list
nn@qorbit.net
http://qorbit.net/mailman/listinfo/nn