Hi Steve,
Are you suggesting that if I had a Netscreen with a Trust and an Untrust
interface, with private addressing on the Trust side, I should set both
interface modes to route? That would mean setting each and every outbound
policy to NAT.
Although I'm sure you have a valid reason, I don't see why you are so
against NAT mode on an interface.
Best regards
-Mahesh
> -----Original Message-----
> From: Stephen Gill [mailto:gillsr@cymru.com]
> Sent: 16 November 2006 12:23
> To: mahesh@tiscali.co.uk; 'jofin joseph'; Netscreen Mailing List
> Subject: Re: [nn] Netscreen 50
>
> For starters, my rule of thumb number 1 for netscreens is to NEVER EVER
> use the 'nat on the interface' button. I wish they would remove this
> feature altogether. Only in rarer cases should you need to do this on a
> per interface basis. It makes much more sense to do this at the policy and
> routing level.
>
> It sounds as if you need to debug your problem at a lower level. What you
> need to ask is what at the TCP level or lower is causing the connectivity
> issue. A few questions to get started:
>
> - does the firewall have appropriate ARP entries for both sides
> - does the client have appropriate ARP entries for both sides
> - can the client get to the firewall at the IP level
> - can the firewall get to the outside at the IP level
> - do some services work and not others
> - does the switch have appropriate CAM / MAC entries for the devices in
> question
> - what do the relevant connection table entries look like when the traffic
> is working v. NOT working
> - is the firewall dropping any traffic when it is not working (see logs
> and 'debug flow basic')
> - etc.
>
> Cheers,
> -- steve
>
>
>
> From: Mahesh <mahesh@tiscali.co.uk>
> Reply-To: <mahesh@tiscali.co.uk>
> Date: Thu, 16 Nov 2006 11:44:17 -0000
> To: 'jofin joseph' <jofin_joseph@rediffmail.com>, <nn@qorbit.net>
> Subject: Re: [nn] Netscreen 50
>
> Jofin,
>
> Try setting your outgoing interface to route and your internal interface
> to NAT for starters.
>
> Regards
> -Mahesh
>
>
>
>
> From: nn-bounces@qorbit.net [mailto:nn-bounces@qorbit.net] On Behalf Of
> jofin joseph
> Sent: 16 November 2006 07:07
> To: nn@qorbit.net
> Cc: jofin_josephrediff
> Subject: [nn] Netscreen 50
>
>
> Dear All,
>
> I have a Netscreen 50 firewall, in which NATing is enabled on the
> outgoing interface. I have NATed (MIP) some of my internal hosts with public
> IPs. Every morning I face connectivity problems with the public IPs. Then I
> have to continuously ping the public IP; after 10-15 RTOs it will start
> pinging and I will be able to access all services using the public IP. Can
> you guys please help me to resolve the issue?
>
> Kindly revert in case you need any information.
>
> Thanks
> Jofin
>
>
>
>
>
> _______________________________________________
> nn mailing list
> nn@qorbit.net
> http://qorbit.net/mailman/listinfo/nn
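
Added example (not from any of the posters): a ScreenOS configuration fragment showing what Steve's approach looks like on a two-interface Netscreen, i.e. both interfaces in route mode with NAT done per policy and a MIP for the inbound host, followed by the checks from his list. Interface names, zones, addresses, policy and DIP IDs are assumed for illustration; verify the exact command syntax against your ScreenOS release.

```text
## --- interfaces: route mode on both sides, no interface NAT ---
set interface ethernet1 zone trust
set interface ethernet1 ip 192.168.1.1/24
set interface ethernet1 route
set interface ethernet3 zone untrust
set interface ethernet3 ip 203.0.113.2/24
set interface ethernet3 route
set route 0.0.0.0/0 interface ethernet3 gateway 203.0.113.1

## --- outbound: source NAT decided per policy, not per interface ---
## general outbound traffic hides behind the egress interface address
set policy id 10 from trust to untrust any any any nat src permit
## one internal host uses a dedicated public address (DIP pool 4)
set interface ethernet3 dip 4 203.0.113.10 203.0.113.10
set policy id 11 from trust to untrust 192.168.1.10/32 any any nat src dip-id 4 permit

## --- inbound: MIP maps a public address 1:1 to an internal host ---
set interface ethernet3 mip 203.0.113.20 host 192.168.1.20 netmask 255.255.255.255 vr trust-vr
set policy id 20 from untrust to trust any mip(203.0.113.20) http permit

## --- checks, in the order of the list above ---
get arp                                   # does the firewall hold ARP entries for 203.0.113.1 and 192.168.1.20?
get route                                 # is there a path to the outside and back to the trust net?
get session dst-ip 203.0.113.20           # connection table entries for the MIP while it works / fails
get session src-ip 192.168.1.20
set ffilter dst-ip 203.0.113.20           # restrict the flow trace to the MIP address
clear dbuf
debug flow basic                          # reproduce the failure, then stop and read the buffer
undebug all
get dbuf stream                           # look for the drop reason on the failing packets
unset ffilter
```

If the firewall's `get arp` entry for the upstream gateway (or the client's for the MIP) is missing right before the morning failures and appears once the pings get through, that is the ARP side of Steve's checklist; if the session and ARP state look fine but `get dbuf stream` shows a drop, the policy or routing configuration is where to look next.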