<I__Alone@hotmail.com> wrote in message
news:1133275068.029975.129230@g44g2000cwa.googlegroups.com...
> My company just purchased a disk based backup server (Unitrends DPU
> 2000) and it was installed on our LAN. Our LAN is connected to the
> Trust Zone on a Netscreen 25 (Hardware Version 4010(0) Firmware
> Version: 5.0.0 r 8.0). We have an SMTP Server connected to the DMZ
> Zone on the same Netscreen 25.
>
> When the Backup Server attempts to run a backup on the SMTP server, I
> get a "partial connection check IP filters/firewall" error. Even with
> a policy allowing all traffic between the 2 zones, I get this error.
> Backups on servers in the Trust Zone run fine, so I've narrowed the
> problem down to the netscreen.
>
> The Backup Server uses 2 ports during operation, 1743 for a "control
> channel" and 1744 for a "data channel". In viewing the error logs on
> the backup server I find the following "Cannot connect to IP
> XXX.XXX.XXX.XXX port 1743 Address is in use for channel 1743. <**
> UNABLE TO BIND**> channel 1743."
>
> What is the problem I am not seeing?
>
> Any help would be appreciated. Thanks
>
> Scott

You're probably NATing out of your trust zone, perhaps because you have NAT
on that interface. The backup software probably tries to connect back to
the backup server directly, which since you're NAT'ed ends up talking to the
DMZ IP of the firewall.
If you want to run NAT into the DMZ with this setup you'll need a VIP for
that service.
The better solution is to turn NAT off on the interface, enable it on the
trust -> untrust policies, and leave it off for the trust -> dmz policies.
Same for dmz -> trust policies, you probably don't want or need NAT that
way, depending on your architecture.
That's a bit of a guess though, what you really need to do is a flow debug
and see exactly what the NS is doing with it.
-Russ.
Received on Sat Dec 3 04:18:53 2005
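The failure mode Russ describes, modelled in a small Python simulation. This is an added illustration for the thread, not ScreenOS configuration and not code from either poster: the firewall model, the zone names, the policy layout and every address (RFC 1918 and RFC 5737 ranges) are constructed for the example. It contrasts interface NAT on the trust side, where the DMZ host's callback on 1744 is aimed at the firewall's DMZ address and never reaches the backup server, with policy-based NAT applied only to trust -> untrust, where the callback lands on the real backup server while Internet-bound traffic is still translated.

```python
"""Why a DMZ host's callback to the backup server breaks under interface NAT.

Added illustration for the thread above; it is not Netscreen/ScreenOS code and
not code from the original posts. All addresses, zone names and the policy
layout are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed addressing (RFC 1918 / RFC 5737 ranges)
BACKUP_SERVER = "10.0.0.50"      # trust zone
SMTP_SERVER = "172.16.0.10"      # dmz zone
INTERNET_HOST = "198.51.100.7"   # untrust zone
EGRESS_IP = {"dmz": "172.16.0.1", "untrust": "203.0.113.2"}  # firewall interface IPs
CONTROL_PORT, DATA_PORT = 1743, 1744

ZONES = {BACKUP_SERVER: "trust", SMTP_SERVER: "dmz", INTERNET_HOST: "untrust"}


@dataclass(frozen=True)
class Policy:
    src_zone: str
    dst_zone: str
    source_nat: bool  # policy-based NAT: rewrite src to the egress interface IP


class Firewall:
    """Minimal model: interface-level NAT on the trust side, or per-policy NAT."""

    def __init__(self, interface_nat_on_trust: bool, policies: List[Policy]):
        self.interface_nat_on_trust = interface_nat_on_trust
        self.policies = policies
        self.listeners: Dict[tuple, bool] = {}  # (ip, port) -> accepting connections

    def listen(self, ip: str, port: int) -> None:
        self.listeners[(ip, port)] = True

    def forward(self, src_ip: str, dst_ip: str, dst_port: int) -> Optional[str]:
        """Deliver a new connection and return the source IP the destination
        sees, or None if no policy permits it or nothing listens on dst_ip:port.
        The firewall's own interface addresses are never listening hosts, so a
        callback aimed at them fails here."""
        if (dst_ip, dst_port) not in self.listeners:
            return None
        src_zone, dst_zone = ZONES.get(src_ip), ZONES.get(dst_ip)
        pol = next((p for p in self.policies
                    if p.src_zone == src_zone and p.dst_zone == dst_zone), None)
        if pol is None:
            return None
        translate = pol.source_nat or (self.interface_nat_on_trust and src_zone == "trust")
        return EGRESS_IP[dst_zone] if translate else src_ip


def interface_nat_setup() -> Firewall:
    """NAT enabled on the trust interface; policies themselves do no NAT."""
    return Firewall(True, [Policy("trust", "dmz", False),
                           Policy("dmz", "trust", False),
                           Policy("trust", "untrust", False)])


def policy_nat_setup() -> Firewall:
    """Interface NAT off; NAT only on the trust -> untrust policy (Russ's advice)."""
    return Firewall(False, [Policy("trust", "dmz", False),
                            Policy("dmz", "trust", False),
                            Policy("trust", "untrust", True)])


def run_backup(fw: Firewall) -> dict:
    """Backup server opens the control channel (1743) to the SMTP server; the
    SMTP server then opens the data channel (1744) back to whatever source
    address it saw on the control channel."""
    fw.listen(SMTP_SERVER, CONTROL_PORT)
    fw.listen(BACKUP_SERVER, DATA_PORT)
    fw.listen(INTERNET_HOST, 80)
    seen_by_smtp = fw.forward(BACKUP_SERVER, SMTP_SERVER, CONTROL_PORT)
    callback = None
    if seen_by_smtp is not None:
        callback = fw.forward(SMTP_SERVER, seen_by_smtp, DATA_PORT)
    return {
        "smtp_saw": seen_by_smtp,                 # source IP the DMZ host sees
        "data_channel_ok": callback is not None,  # did 1744 reach the backup server?
        "internet_sees": fw.forward(BACKUP_SERVER, INTERNET_HOST, 80),
    }


if __name__ == "__main__":
    for name, fw in (("interface NAT", interface_nat_setup()),
                     ("policy NAT", policy_nat_setup())):
        print(name, run_backup(fw))
```

With interface NAT the SMTP server sees the firewall's DMZ address as the peer and its data-channel connection goes nowhere; with policy NAT confined to trust -> untrust the SMTP server sees the backup server's real address, the callback succeeds, and outbound Internet traffic is still translated. A flow debug on the real device, as the reply suggests, is what confirms which of these paths the Netscreen is actually taking.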