Q: NAT Port Forwarding w/Netscreen 5 Series (5XP, 5GT) VIP (No Answer, 1 Comment)
Question  
Subject: NAT Port Forwarding w/Netscreen 5 Series (5XP, 5GT) VIP
Category: Computers > Internet
Asked by: rmckenzie-ga
List Price: $10.00
Posted: 17 Sep 2006 00:35 PDT
Expires: 17 Oct 2006 00:35 PDT
Question ID: 766011
I have a Netscreen 5XP router running ScreenOS 5.3.0r1.0.  Behind that
router, I'm running a server that I had previously port-mapped with my
former router, and it worked great.

I've attempted to recreate this same configuration with the Netscreen
5XT a dozen different ways, never with any luck.  No errors, no
problems -- traffic just doesn't arrive.

This article: http://www.azureuswiki.com/index.php/Router_configuration#Juniper_Networks_Netscreen_5GT
is good; however, while I can successfully replicate the steps in the
article, they do not work.

All IP ports in the OS (WinXP Pro) are open (no firewall in OS, etc)
and this is not the issue (I'm testing it fine through alternate
routers).  Using a flat-out DMZ is one workaround, but I would prefer
to get the NAT Port Forwarding working instead.

I'm starting to wonder if the problem relates to using DHCP on the
UNTRUST side (e.g. I'm not able to declare a static IP on the UNTRUST;
however, I'm using the appropriate syntax to define that, and
Netscreen does support this).

This is just one example of the four step process I'm using to
configure the port forwarding (sending in CLI form, as it is the more
straightforward to understand).  First, enabling Multi-Port (just a
suggestion I've tried after other options didn't work) ... Next
creating a custom service, then creating that service as a VIP on the
Untrust side, then setting the policy to allow it incoming (outgoing
policy is 100% open):
- - - - - - - - - - - - - - - - - - - - - - - - - - - - 
set vip multi-port
save
reset
set service "Torrent" protocol tcp src-port 50001-50001 dst-port 50001-50001 group "Other"
set interface untrust vip untrust 50001 "Torrent" 10.10.10.10
set policy incoming "Outside Any" VIP::1 "Torrent" Permit
- - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Thank you!
Answer  
There is no answer at this time.

Comments  
Subject: Re: NAT Port Forwarding w/Netscreen 5 Series (5XP, 5GT) VIP
From: jaxboy-ga on 04 Oct 2006 19:44 PDT
 
Change the src-port values to 1024-65535 to allow any and all ports
attempting to access port 50001 in.
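
An added illustration of the comment's point, not part of the original thread and not ScreenOS code: a small Python model of how a service definition's src-port and dst-port ranges select traffic, assuming a packet must fall inside both ranges to match. The sample flows are constructed, and `parse_service`, `matches` and `audit` are hypothetical helper names.

```python
import re

# Matches the service definition form used in the question's CLI listing.
SERVICE_RE = re.compile(
    r'set service "(?P<name>[^"]+)" protocol (?P<proto>\w+) '
    r'src-port (?P<s_lo>\d+)-(?P<s_hi>\d+) dst-port (?P<d_lo>\d+)-(?P<d_hi>\d+)'
)

def parse_service(line):
    """Parse one 'set service' line into name, protocol and port ranges."""
    m = SERVICE_RE.search(line)
    if m is None:
        raise ValueError(f"not a service definition: {line!r}")
    return {
        "name": m["name"],
        "proto": m["proto"],
        "src": (int(m["s_lo"]), int(m["s_hi"])),
        "dst": (int(m["d_lo"]), int(m["d_hi"])),
    }

def matches(service, proto, src_port, dst_port):
    """True when protocol and both ports fall inside the definition (assumed model)."""
    s_lo, s_hi = service["src"]
    d_lo, d_hi = service["dst"]
    return (proto == service["proto"]
            and s_lo <= src_port <= s_hi
            and d_lo <= dst_port <= d_hi)

def audit(line, flows):
    """Return the (proto, src_port, dst_port) flows the service would NOT match."""
    svc = parse_service(line)
    return [f for f in flows if not matches(svc, *f)]

# Service line as posted in the question, and the same line with the comment's change.
AS_POSTED = 'set service "Torrent" protocol tcp src-port 50001-50001 dst-port 50001-50001 group "Other"'
AS_SUGGESTED = 'set service "Torrent" protocol tcp src-port 1024-65535 dst-port 50001-50001 group "Other"'

# Constructed sample inbound connections: remote peers pick arbitrary client source ports.
SAMPLE_FLOWS = [("tcp", 49152, 50001), ("tcp", 6881, 50001), ("tcp", 50001, 50001)]

if __name__ == "__main__":
    for label, line in (("as posted", AS_POSTED), ("as suggested", AS_SUGGESTED)):
        missed = audit(line, SAMPLE_FLOWS)
        hit = len(SAMPLE_FLOWS) - len(missed)
        print(f"{label}: {hit} of {len(SAMPLE_FLOWS)} flows match; unmatched={missed}")
```

Only the constructed flow whose source port happens to be 50001 matches the posted definition; the destination-port range is unchanged between the two lines.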
