I have a Netscreen 5XP router running ScreenOS 5.3.0r1.0. Behind that
router, I'm running a server that I had previously port-mapped with my
former router, and it worked great.
I've attempted to recreate this same configuration with the Netscreen
5XT a dozen different ways, never with any luck. No errors, no
problems -- traffic just doesn't arrive.
This article: http://www.azureuswiki.com/index.php/Router_configuration#Juniper_Networks_Netscreen_5GT
is good; however, while I can successfully replicate the steps in the
article, they do not work.
All IP ports in the OS (WinXP Pro) are open (no firewall in OS, etc)
and this is not the issue (I'm testing it fine through alternate
routers). Using a flat-out DMZ is one workaround, but I would prefer
to get the NAT Port Forwarding working instead.
I'm starting to wonder if the problem relates to using DHCP on the
UNTRUST side (e.g. I'm not able to declare a static IP on the UNTRUST;
however, I'm using the appropriate syntax to define that, and
Netscreen does support this).
This is just one example of the four step process I'm using to
configure the port forwarding (sending in CLI form, as it is the more
straightforward to understand). First, enabling Multi-Port (just a
suggestion I've tried after other options didn't work) ... Next
creating a custom service, then creating that service as a VIP on the
Untrust side, then setting the policy to allow it incoming (outgoing
policy is 100% open):
- - - - - - - - - - - - - - - - - - - - - - - - - - - -
set vip multi-port
save
reset
set service "Torrent" protocol tcp src-port 50001-50001 dst-port 50001-50001 group "Other"
set interface untrust vip untrust 50001 "Torrent" 10.10.10.10
set policy incoming "Outside Any" VIP::1 "Torrent" Permit
- - - - - - - - - - - - - - - - - - - - - - - - - - - -
Thank you!
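An added example, not from the original post and not Juniper's documentation, of the same four steps written so that the custom service matches any source port and the inbound policy exposes only that one service, followed by the ScreenOS commands for checking what the firewall actually matched. The 10.10.10.10 address and the "VIP(untrust)" address name are assumptions; lines beginning with # are explanatory and are not ScreenOS syntax.

```text
# Step 1: custom service. Inbound peers connect from an ephemeral
# source port, so match any source port and pin only the destination
# port; "src-port 50001-50001" would match only connections that
# happen to originate from port 50001.
set service "Torrent" protocol tcp src-port 0-65535 dst-port 50001-50001

# Step 2: map the port on the untrust interface's own (DHCP-assigned)
# address to the internal host. "untrust" in the VIP field means the
# interface IP; 10.10.10.10 is the assumed LAN address of the server.
set interface untrust vip untrust 50001 "Torrent" 10.10.10.10

# Step 3: permit only this service to the VIP, not "Any", so the
# forwarded port is the only inbound exposure. "VIP(untrust)" is the
# address name assumed for VIPs on the untrust zone; "get vip" shows
# the actual name on the device.
set policy from untrust to trust "Any" "VIP(untrust)" "Torrent" permit
save

# Step 4: verify. Confirm the objects exist, then capture the flow
# decision for one test connection made from outside on port 50001.
get service "Torrent"
get vip
get policy from untrust to trust
clear dbuf
set ffilter dst-port 50001
debug flow basic
# ... make one test connection to port 50001 from the Internet ...
undebug all
get dbuf stream
```

If the dbuf output shows the packet arriving on untrust but no VIP or policy match, the service or VIP definition is wrong; if nothing appears at all, the traffic is not reaching the untrust interface and the problem is upstream of the firewall.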