While setting up a Netscreen 5GT, I ran into a bit of a perplexing issue.
Some background:
I was setting up the 5GT to do interface NAT from the Trust interface to the Untrust interface, with one caveat. I wanted to be able to SSH from the Untrust interface to a machine on the Trust interface. Simple VIP (Virtual IP), right? Yes and no. In this case, since I had only one IP to play with on the Untrust interface, I set up the VIP on the Untrust IP itself.
The problem: when trying to create a VIP service (Network -> Interface -> Edit -> VIP/VIP Services, click on New VIP Service) with the SSH port (22) on the same IP as the Untrust interface, it balks with the error message: "Service (port=22) not supported for this vip 192.168.1.1". WTF?
It turns out that even though SSH management wasn't enabled on the Untrust interface, the port was still reserved, so I couldn't create a VIP service on it. To get this to work, I had to change the SSH port in the management settings (still disabled, mind you) to 2222, after which I could create the VIP service. To do this in the WebUI, click on Configuration -> Admin -> Management, and change the SSH port. If you wish to serve port 80 in a similar fashion, you'll need to change the HTTP management port as well.
UPDATE: A reader (wow, someone actually reads this mindless drivel!) pointed out that this alone doesn't fix the problem, as you also need to create a policy rule that allows the SSH traffic to pass through. In the WebUI, click on Policies. Set the drop-down boxes at the top of the page to From: Untrust, To: Trust, and click on New (in the right-hand corner). Name the policy something meaningful, and set the Source address to (ideally) a list of subnets to allow access from. Set the Destination address to the VIP that you created (for me, VIP::1), set the Service to SSH, and make sure the Action is set to Permit. Adjust other settings as necessary for your environment.
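The same three steps (move the management listener off port 22, create the VIP service on the Untrust interface's own IP, permit the traffic with a policy) as a ScreenOS CLI listing. This is an added example, not the author's configuration: the command syntax is recalled from ScreenOS 5.x and should be checked against your unit's CLI reference, the internal host 192.168.2.10 and admin subnet 203.0.113.0/24 are placeholders, and the comment lines are annotations rather than CLI input.

```text
# Added example (assumed ScreenOS 5.x syntax; addresses are placeholders).

# 1. Free port 22 on the Untrust IP: the SSH management listener reserves
#    the port even while disabled, so move it to 2222. Move the HTTP
#    management port too if you intend to forward port 80 the same way.
set admin ssh port 2222
set admin port 8080

# 2. VIP service on the Untrust interface's own IP: external port 22
#    forwards to the SSH daemon on the internal host.
set interface untrust vip interface-ip 22 SSH 192.168.2.10

# 3. Policy from Untrust to Trust. Restrict the source to the subnets
#    that actually need access instead of "any".
set address untrust "Admin-Subnet" 203.0.113.0 255.255.255.0
set policy from untrust to trust "Admin-Subnet" vip(untrust) SSH permit

save
```

After saving, confirm from the Untrust side that port 22 answers with the internal host's SSH host key rather than the firewall's, and that port 2222 is not reachable, so relocating the management port has not exposed it.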
Enjoy.
Labels: NAT, Netscreen, SSH, VIP