Re: Netscreen-10 DMZ




"Dave Sunter" <drevil2002@xxxxxxxxx> wrote in message
news:cH6Xf.12255$g76.10356@xxxxxxxxxxxxxxxxxxxxxxx
Morning Guys & Girls

I hope someone can answer me a quick question.

I am wanting to use the DMZ to test a new 2mb internet connection in my
office. I can't use the trusted port as this is already being used to
supply the office with the current internet connection and mail.

I have configured the DMZ to the settings of the new router and set up a
profile for HTTP Access from my machine to the DMZ.

Problem is it doesn't seem to do anything.

Now maybe I've got the completely wrong end of the stick about the DMZ so
excuse me if I have, but I thought you could set it up as an additional
access to the Web / Mail server etc.

The only time I get an entry in the log is if I try to access the router's
IP address from Internet Explorer....any other traffic, i.e. HTTP, does not
register and it doesn't even look like it routes towards the DMZ.....no
orange data light on the DMZ on the Netscreen.

Could anybody please point me in the right direction (apart from the door,
lol) on how I can test this new connection with the Netscreen's DMZ.

Many Thanks and sorry for the long-winded post.

Dave :)

Basically what you're trying to do is a policy route, in other words, to
send only http traffic out a different interface than it would normally
route out to. You can't do this with the version 3 firmware on your NS10.

All you can do is route out to specific IPs. So, if you know of a
particular destination server, you can add a static route for that IP to the
NS10's routing table and have it exit out the DMZ interface. Then, traffic
destined for that IP will be routed to that interface. Then, you need a
policy from trust -->DMZ source <inside LAN> dest <the destination IP>
service HTTP to permit the traffic.

As it is, you didn't mention a route, but it looks like you're not routing
anything to that interface. The traffic bound for the other router's IP
works because that IP is in the subnet of the IP of the DMZ interface, which
is a connected route automatically placed in the routing table.

-Russ.
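
The lookup described in the reply above, modelled as an added example that is not part of the original thread and is not ScreenOS code: the egress interface is chosen by longest-prefix match on the destination IP alone, and a policy is only evaluated for the interface pair that results. All addresses, the function names, the existing trust-to-untrust rule and the shape of the poster's HTTP rule are assumptions made for illustration.

```python
import ipaddress as ip

# All addresses are constructed (documentation ranges); none come from the thread.
LAN, PC = "192.168.1.0/24", "192.168.1.50"
NEW_ROUTER, TEST_SERVER = "198.51.100.1", "203.0.113.80"
ROUTES = [                       # (destination prefix, egress interface)
    ("0.0.0.0/0", "untrust"),    # default route: the existing connection
    (LAN, "trust"),              # connected route for the office LAN
    ("198.51.100.0/29", "dmz"),  # connected route for the DMZ interface's subnet
]
# (from interface, to interface, source, destination, service)
POLICIES = [("trust", "untrust", LAN, "0.0.0.0/0", "ANY"),      # assumed existing rule
            ("trust", "dmz", PC + "/32", "0.0.0.0/0", "HTTP")]  # the poster's rule

def egress(routes, dst):
    """Longest-prefix match on the destination IP; the service is never consulted."""
    nets = [(ip.ip_network(n), iface) for n, iface in routes]
    return max((m for m in nets if ip.ip_address(dst) in m[0]),
               key=lambda m: m[0].prefixlen)[1]

def forward(routes, policies, src, dst, service, from_if="trust"):
    """Route first, then require a policy from the source to the egress interface."""
    to_if = egress(routes, dst)
    for f, t, snet, dnet, svc in policies:
        if ((f, t) == (from_if, to_if) and svc in ("ANY", service)
                and ip.ip_address(src) in ip.ip_network(snet)
                and ip.ip_address(dst) in ip.ip_network(dnet)):
            return to_if, "permit"
    return to_if, "deny"

def demo():
    # As posted: HTTP to an internet host still leaves via untrust; only the
    # new router's own IP matches the connected DMZ route.
    before = forward(ROUTES, POLICIES, PC, TEST_SERVER, "HTTP")
    router = forward(ROUTES, POLICIES, PC, NEW_ROUTER, "HTTP")
    # The reply's fix: a static host route out the DMZ plus a trust -> DMZ HTTP policy.
    routes = ROUTES + [(TEST_SERVER + "/32", "dmz")]
    unpoliced = forward(routes, POLICIES[:1], PC, TEST_SERVER, "HTTP")
    policies = POLICIES[:1] + [("trust", "dmz", LAN, TEST_SERVER + "/32", "HTTP")]
    after = forward(routes, policies, PC, TEST_SERVER, "HTTP")
    other = forward(routes, policies, PC, TEST_SERVER, "SMTP")
    return before, router, unpoliced, after, other

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The third result shows why the route alone is not enough: once the host route moves the destination behind the DMZ interface, the old trust-to-untrust rule no longer applies and the traffic is denied until the trust-to-DMZ policy exists.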

