Ben,

If you get hung up, call me.  I have three netscreens that I actively work
with and we can compare, but Ben is right on the money with MIP and VIP.
Their menu layout is a bit...convoluted and the CLI is very diff from
most others, at least for me.

At your disposal.  Besides, I have VMware questions to ask you about. I
hate Broadcom, SP2, and TOE.  It's like a crapshoot with the config on
the cards.  I think I got it, but sheesh, it's 3am and I finally got
throughput on VMware server working.  I think..  Church is gonna come
early..

-----Original Message-----
From: Benjamin Zachary [mailto:[EMAIL PROTECTED] 
Sent: Friday, December 21, 2007 10:20 PM
To: NT System Admin Issues
Subject: RE: netscreens

Yeah, that's what I was thinking. Looks like there are several ways to
skin a cat here, but the listen 1-65000 doesn't seem right. I went onto
their support site and the only thing I found was hosting ipsec behind
the device, and guess what, it listens on 1-65000 source in their
documentation. Strange indeed. I'll get it resolved, it's not a big
issue, I'm just hoping this can do the vpn tunnel nat like it says it
can :)

-----Original Message-----
From: Ben Scott [mailto:[EMAIL PROTECTED] 
Sent: Friday, December 21, 2007 9:46 PM
To: NT System Admin Issues
Subject: Re: netscreens

On Dec 21, 2007 4:16 PM, Benjamin Zachary <[EMAIL PROTECTED]> wrote:
> Is it me or are netscreens a pita to do NAT mapping

  Hmmm.  It's been about four years, but I don't recall it being *that*
hard.

> MIP,VIP and everything else I

  As I recall, MIP is basically just a static one-to-one NAT for a
host, such that a given outside IP address is equivalent to a given
inside IP address.  VIP is more like the port forwarding you get with
a SOHO router: One outside IP address mapping different services to
different inside IP addresses.

> I can only get 1 of the services to work because I have to set it to
> listen from 1-65000 listen and fwd to a single port.

  As I recall, this required three things: Defining the services
(which you could use in any number of places); defining the static
one-to-one NAT mapping; creating a policy rule to allow the services
for that mapping.  The specific commands I don't recall, and they've
probably changed things since then anyway.  But make sure you've done
each thing, and that each is right.  For example, the "1-65000 listen"
sounds wrong to me, so maybe it's not your NAT rule that is wrong, per
se, but the service definition.

-- Ben

~ Upgrade to Next Generation Antispam/Antivirus with Ninja!    ~
~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm>  ~


