NetScreen

Re: [nn] Netscreen 50

To: <mahesh@tiscali.co.uk>, "'jofin joseph'" <jofin_joseph@rediffmail.com>, Netscreen Mailing List <nn@qorbit.net>
Subject: Re: [nn] Netscreen 50
From: Stephen Gill <gillsr@cymru.com>
Date: Thu, 16 Nov 2006 05:23:03 -0700
List-archive: <http://www.qorbit.net/nn>
List-id: "Netscreen mailing list for netscreen admins." <nn.qorbit.net>
For starters, my rule of thumb number 1 for netscreens is to NEVER EVER use
the 'nat on the interface' button.  I wish they would remove this feature
altogether.  Only in rarer cases should you need to do this on a per
interface basis.  It makes much more sense to do this at the policy and
routing level.

It sounds as if you need to debug your problem at a lower level.  What you
need to ask is what at the TCP level or lower is causing the connectivity
issue.  A few questions to get started:

- does the firewall have appropriate ARP entries for both sides
- does the client have appropriate ARP entries for both sides
- can the client get to the firewall at the IP level
- can the firewall get to the outside at the IP level
- do some services work and not others
- does the switch have appropriate CAM / MAC entries for the devices in
question
- what do the relevant connection table entries look like when the traffic
is working vs. NOT working
- is the firewall dropping any traffic when it is not working (see logs and
'debug flow basic')
- etc.

Cheers,
-- steve
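The "working vs. NOT working" comparison from Steve's checklist, as an added example that is not part of this thread: a small Python script that diffs two snapshots of the firewall's ARP table and session table and flags an outside interface whose next-hop has no valid ARP entry. It assumes you saved the output of `get arp` and `get session` once while the MIP was reachable and once while it was not. The sample snapshots below are constructed; their simplified column layout, the session line format and the `GATEWAYS` map are assumptions for the example, not verbatim ScreenOS output, so adjust the field indices and regex to the real output before use.

```python
"""Diff firewall ARP / session snapshots taken while a MIP works vs. when it does not."""
import re

IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Assumed simplified session line format (not real ScreenOS output).
SESSION_RE = re.compile(
    r"src (?P<src>\S+) dst (?P<dst>\S+) xlat (?P<xlat>\S+) proto (?P<proto>\d+)"
)

# Constructed sample snapshots; column order is an assumption for this example.
ARP_WORKING = """\
IP address      MAC address      Interface   State
10.0.0.5        0011.2233.4455   ethernet1   VLD
203.0.113.1     0066.7788.99aa   ethernet3   VLD
"""
ARP_BROKEN = """\
IP address      MAC address      Interface   State
10.0.0.5        0011.2233.4455   ethernet1   VLD
203.0.113.1     0000.0000.0000   ethernet3   PND
"""
SESSIONS_WORKING = """\
src 10.0.0.5:40001 dst 198.51.100.7:80 xlat 203.0.113.10:40001 proto 6
src 10.0.0.5:40002 dst 198.51.100.7:443 xlat 203.0.113.10:40002 proto 6
"""
SESSIONS_BROKEN = """\
src 10.0.0.5:40001 dst 198.51.100.7:80 xlat 203.0.113.10:40001 proto 6
"""

# Which next-hop each outside interface depends on (assumption for the example).
GATEWAYS = {"ethernet3": "203.0.113.1"}


def parse_arp(text):
    """Map IP -> {mac, iface, state}; header and malformed lines are skipped."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not IP_RE.match(parts[0]):
            continue
        entries[parts[0]] = {"mac": parts[1], "iface": parts[2], "state": parts[3]}
    return entries


def parse_sessions(text):
    """Map (src, dst, proto) -> translated address for every session line."""
    sessions = {}
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            sessions[(m["src"], m["dst"], m["proto"])] = m["xlat"]
    return sessions


def diff_tables(working, broken, label):
    """Report entries that vanished, changed, or appeared between the two snapshots."""
    findings = []
    for key, w in working.items():
        b = broken.get(key)
        if b is None:
            findings.append(f"{label} {key}: present when working, missing when broken")
        elif b != w:
            findings.append(f"{label} {key}: changed {w} -> {b}")
    for key in sorted(set(broken) - set(working)):
        findings.append(f"{label} {key}: only present when broken")
    return findings


def gateway_arp_problems(arp, gateways=GATEWAYS):
    """Flag outside interfaces whose next-hop lacks a valid (VLD) ARP entry."""
    problems = []
    for iface, gw in gateways.items():
        entry = arp.get(gw)
        if entry is None:
            problems.append(f"{iface}: no ARP entry for gateway {gw}")
        elif entry["state"] != "VLD" or entry["iface"] != iface:
            problems.append(
                f"{iface}: gateway {gw} ARP entry is {entry['state']} on {entry['iface']}"
            )
    return problems


def analyse():
    """Run all comparisons over the embedded snapshots and return the findings."""
    arp_w, arp_b = parse_arp(ARP_WORKING), parse_arp(ARP_BROKEN)
    findings = diff_tables(arp_w, arp_b, "arp")
    findings += diff_tables(
        parse_sessions(SESSIONS_WORKING), parse_sessions(SESSIONS_BROKEN), "session"
    )
    findings += gateway_arp_problems(arp_b)
    return findings


if __name__ == "__main__":
    for finding in analyse():
        print(finding)
```

If the only difference between the two snapshots is the next-hop's ARP entry leaving the VLD state, the problem is at layer 2 (the first question on Steve's list) and no amount of policy or NAT tuning will fix it; if sessions exist but the ARP side is identical, look at the drop logs and 'debug flow basic' instead.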



From: Mahesh <mahesh@tiscali.co.uk>
Reply-To: <mahesh@tiscali.co.uk>
Date: Thu, 16 Nov 2006 11:44:17 -0000
To: 'jofin  joseph' <jofin_joseph@rediffmail.com>, <nn@qorbit.net>
Subject: Re: [nn] Netscreen 50

Jofin,
 
Try setting your outgoing interface to route and your internal interface to
NAT for starters.
 
Regards
-Mahesh
 
 


From: nn-bounces@qorbit.net [mailto:nn-bounces@qorbit.net] On Behalf Of
jofin joseph
Sent: 16 November 2006 07:07
To: nn@qorbit.net
Cc: jofin_josephrediff
Subject: [nn] Netscreen 50
 
  
Dear All,

            I have a Netscreen 50 firewall, in which NAT is enabled on the
outgoing interface. I have NATed (MIP) some of my internal IPs to public IPs.
Every morning I face connectivity problems with the public IPs. Then I
have to continuously ping the public IP; after 10-15 RTOs it will start
pinging and I will be able to access all services using the public IP. Can you
guys please help me to resolve the issue?

Kindly revert in case you need any information.

Thanks
Jofin





_______________________________________________
nn mailing list
nn@qorbit.net
http://qorbit.net/mailman/listinfo/nn


