Netscreen config question

David Klein dklein at NETSCREEN.COM
Mon Apr 16 12:18:58 EDT 2001


All routers need a default gateway (or a dynamic routing protocol).  The
Netscreens do not support dynamic routing protocols.  Therefore you need to
put the next routing hop in the default gateway field of the untrust
interface.  I.e., this would be the router (IP address) that the Netscreen
uses to get to the "rest of the internet".

If you are sticking this box on a DSL or Cable Modem, then the access
provider should have provided you with your default gateway.

If your DSL/CM does DHCP or PPPoE then it should pick this up automatically
(if you enable DHCP or PPPoE on the untrust interface).

If you are just putting this in a test lab and there is no default router to
"elsewhere" then stick any IP address off of that external/untrust subnet as
the default gateway (other than its own).  In general, a router does NOT
want a default route to itself even though other systems may use it as a
default route.


> It's a router -- it shouldn't need a default gateway.

Not true - all routers need a default gateway (or at least a routing table
of all subnets it will forward packets to).


> Is it acceptable to
> supply all zeros as the untrusted default gateway?

Certainly, but you'll only be able to route packets between the two directly
attached network segments unless you put specific static routes for other
networks in the routing table.

Do a "set route ?" for more detail on that in the Command Line.

Dave Klein
Netscreen SE


> -----Original Message-----
> From: David Newman [mailto:dnewman at NETWORKTEST.COM]
> Sent: Monday, April 16, 2001 9:14 AM
> To: VPN at SECURITYFOCUS.COM
> Subject: Netscreen config question
>
>
> I'm looking to configure a Netscreen-5 as both router and VPN gateway. The
> trusted interface uses a private address with no problem. The untrusted
> side is asking for both an address and default gateway, and it will NOT
> accept identical entries here.
>
> It's a router -- it shouldn't need a default gateway. Is it acceptable to
> supply all zeros as the untrusted default gateway?
>
> Thanks.
>
> David Newman
>
> VPN is sponsored by SecurityFocus.COM
>
