Byron,

I did set up a MIP that mapped the untrusted interface's IP to the system IP,
but that did not work for me. :(

Also, it is my understanding that you have to web/telnet to the system IP, 
you cannot web/telnet to any interface IP. Is that correct?

I'll try the ssh suggestion.

Thanks for your reply.

Devon

>Hi Devon,
>
>don't set the system ip address to be on the public/untrusted interface.
>Routing will be easier the way you have it.
>
>The reason you can't connect from the untrusted network to the trusted
>interface is because you have a firewall policy that is preventing you (no
>mip) - and that is a good thing.  If you need web admin access from the
>public/untrusted side short-term - just set telnet and/or web access on the
>untrusted interface (check boxes in the gui - interface page) or via cli.
>As a long-term solution I would only use ssh to the untrusted side, or
>create a vpn tunnel (with nsremote, or another ipsec client) and come in to
>the trusted interface.
>
>hope that helps.  let me know if you still are having trouble.
>
>cheers.byron
>
>-----Original Message-----
>From: Devon True [mailto:[EMAIL PROTECTED]]
>Sent: Wednesday, September 19, 2001 5:32 PM
>To: [EMAIL PROTECTED]
>Subject: Netscreen 5: Access to System IP with NAT Mode from untrusted
>side
>
>
>All:
>
>We have a Netscreen 5 in NAT mode. The untrusted interface is 10.10.10.1
>(changed to protect the innocent) and the trusted interface is
>192.168.1.254. The system IP is also 192.168.1.254.
>
>If I am on the trusted side, I can web/telnet to 192.168.1.254. However, if
>I am on the untrusted side, I cannot browse to 192.168.1.254 due to it not
>being in the routing table. I could go to any 10.10.10.0/24 addresses since
>that is in the routing table.
>
>Is it possible for me to map the 10.10.10.1 address to 192.168.1.254 so that
>I can configure the Netscreen from the untrusted side? I have tried several
>things, but everything fails.
>
>Another question is, what are the constraints on the system IP address? Does
>it have to exist in the trusted interface's IP network? Or can it be an IP
>from the untrusted interface's network?
>
>Thanks for your help!
>
>Devon
>
>_______________________________________________
>Firewalls mailing list
>[EMAIL PROTECTED]
>http://lists.gnac.net/mailman/listinfo/firewalls
