In article <dcd5j6$q2i$1@nwrdmz03.dmz.ncs.ea.ibs-infra.bt.com>,
Ben <bjblackmore@xyz.hotmail.com> wrote:
>Hi,
>
>I'm trying to set up a basic DMZ for 1 PC that we need on the network, but
>not on 'our' network, so to speak (it's another company's laptop, and we
>don't know if it has viruses/spyware etc).
>
>We run an internal IP range of 192.168.0.0/24, and we have an ADSL router modem
>with 1 ethernet port on the back (IP address 192.168.0.1); this is
>connected to our switch, and everyone in the office uses it as their default
>gateway to connect out through. Now I need to allow a PC, that we need to
>keep off our network, access to the internet.
>
>The IP address of this PC is 10.0.0.10/8, I've connected it to the untrust
>port on a netscreen 5xp, and configured that port with the ip of 10.0.0.1.
>Then I've connected the netscreen trust port to the office switch, and added
>an ip address of 192.168.0.2. Now I need to be able to get the quarantined
>laptop to connect out through the netscreen, through the ADSL modem.
>
>You can configure routing through the netscreen, but I'm unsure of the exact
>configuration: should the ports use NAT or routing? How do I configure the
>routing table?
Pretty straightforward... (I changed the 10 'net from a /8 to a /24)

set interface trust ip 192.168.0.2/24
set interface untrust ip 10.0.0.1/24
set route 0.0.0.0/0 interface trust gateway 192.168.0.1
set policy id 7 from "Untrust" to "Trust" "10.0.0.10" "192.168.0.1/32" "ANY" nat src permit log

This allows 10.0.0.10 to go to your gateway. This is NATed to
the source of the 5XP (192.168.0.2) so it'll route to the gateway.
Note there is a default ANY/ANY rule from trust to untrust.
You may want to disable this.
alan
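As an added example (not part of alan's reply and not Juniper code), a small Python model of the zone, route and policy lookup the reply configures: interface addresses, the default route and policy 7 are taken from the reply, while the factory trust-to-untrust ANY/ANY rule is modelled as policy id 1 (an assumed id). It shows what that default rule lets through from the office to the quarantined laptop and what disabling it changes.

```python
import ipaddress
from dataclasses import dataclass, replace
# Constructed toy of ScreenOS zone/route/policy matching; policy id 1 is an assumed
# id for the factory trust->untrust ANY/ANY rule, everything else is from the reply.
INTERFACES = {
    "trust": ipaddress.ip_interface("192.168.0.2/24"),
    "untrust": ipaddress.ip_interface("10.0.0.1/24"),
}
ROUTES = [(ipaddress.ip_network("0.0.0.0/0"), "trust")]  # set route 0.0.0.0/0 ...

@dataclass(frozen=True)
class Policy:
    pid: int
    from_zone: str
    to_zone: str
    src: str
    dst: str
    nat_src: bool = False
    enabled: bool = True
POLICIES = [
    Policy(1, "trust", "untrust", "0.0.0.0/0", "0.0.0.0/0"),
    Policy(7, "untrust", "trust", "10.0.0.10/32", "192.168.0.1/32", nat_src=True),
]

def zone_for(ip):
    """Zone of an address: its directly connected interface, else the egress of the best route."""
    addr = ipaddress.ip_address(ip)
    for zone, iface in INTERFACES.items():
        if addr in iface.network:
            return zone
    hits = [r for r in ROUTES if addr in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None

def evaluate(src_ip, dst_ip, policies=POLICIES):
    """First enabled policy matching zones and addresses wins; no match is an implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    zones = (zone_for(src_ip), zone_for(dst_ip))
    for p in policies:
        if not p.enabled or (p.from_zone, p.to_zone) != zones:
            continue
        if src in ipaddress.ip_network(p.src) and dst in ipaddress.ip_network(p.dst):
            # "nat src": source rewritten to the egress interface address (192.168.0.2 for trust)
            nat = str(INTERFACES[p.to_zone].ip) if p.nat_src else None
            return ("permit", p.pid, nat)
    return ("deny", None, None)

def disabled(policies, pid):
    """Copy of the policy list with one policy switched off (the reply's 'you may want to disable this')."""
    return [replace(p, enabled=False) if p.pid == pid else p for p in policies]
```

Evaluating office host 192.168.0.50 against the laptop 10.0.0.10 is permitted by policy 1 until that policy is disabled, while the laptop can only reach the office side through policy 7 with its source translated to 192.168.0.2.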
Received on Thu Sep 29 20:00:02 2005