Netscreen 25 DMZ Routing

on 25.08.2007 19:38:52 by lmarton

Hi Folks!

I have a Netscreen 25 (I know it's old, but it does the job) and I
would like to do DMZ routing.

The boxes in the DMZ need to have publicly routed IPs (no MIP/VIP
solutions please) due to a VoIP config that only allows one NAT hop,
and the users need that for their home :)

I have an IP subnet of /28 which I have divided into two /29s, and
the upper /29 is in the DMZ. I also asked the ISP to divide the
subnet into two on the upstream T1 that they manage, and to route
the .40/29 subnet through gateway 207.x.y.35 (which, as you can see,
is my public IP for the NS25 untrusted eth2).

Interfaces in vsys Root:
Name  IP Address           Zone     MAC             VLAN  State  VSD
eth1  192.168.100.253/24   Trust    0010.db90.9650  -     U      -
eth2  207.x.y.35/29        Untrust  0010.db90.9655  -     U      -
eth4  207.x.y.41/29        DMZ      0010.db90.9657  -     U      -

Note eth2 and eth4.

The NAT boxes behind my eth1 can talk to the guys in the DMZ zone, but
I cannot get traffic coming from the outside world via eth2 to reach my
boxes with the IPs 207.x.y.42 or .43. The Netscreen itself (207.x.y.41)
responds to pings from outside on .41, but nothing else in that subnet
does.

What am I missing?

Here's the relevant part of my routing table on the NS25:

CPM-MDFW-02-> get route
C - Connected, S - Static, A - Auto-Exported, I - Imported, R - RIP
untrust-vr (1 entries)
--------------------------------------------------------------------------------
   ID  IP-Prefix       Interface  Gateway     P  Pref  Mtr  Vsys
--------------------------------------------------------------------------------
*   3  207.x.y.40/29   eth4       0.0.0.0     S  20    1    Root
trust-vr (9 entries)
--------------------------------------------------------------------------------
   ID  IP-Prefix       Interface  Gateway     P  Pref  Mtr  Vsys
--------------------------------------------------------------------------------
*  25  0.0.0.0/0       eth2       207.x.y.33  S  20    1    Root
*  30  207.x.y.40/29   eth4       0.0.0.0     C  0     0    Root
*  33  207.x.y.32/29   eth2       0.0.0.0     C  0     0    Root


All is working except that no traffic from the outside world reaches
the .40/29 subnet (the boxes in there, anyway).

Policies should be fine; for now I allow all traffic from anywhere to
the DMZ and vice versa.

Here's a snippet of a traceroute to that IP. Strange that .41 goes
through but not .35 (the public direct IP) or .42, which is actually on
the same subnet as .41.


ml@tobias:~>traceroute 207.x.y.41
........
14 ge-0-0-0.core1.clmamdjt.uslec.net (169.130.80.77) 28.492 ms 39.970 ms 26.589 ms
15 so-0-3-0.core2.tycrva03.uslec.net (169.130.81.210) 31.253 ms 28.950 ms 39.919 ms
16 207.x.y.41 (207.x.y.41) 81.317 ms 41.475 ms 34.498 ms
........ ALL OK HERE


ml@tobias:~>traceroute 207.x.y.35
14 ge-0-0-0.core1.clmamdjt.uslec.net (169.130.80.77) 28.682 ms 27.053 ms 58.896 ms
15 so-0-3-0.core2.tycrva03.uslec.net (169.130.81.210) 27.885 ms 29.728 ms 27.960 ms
16 * * *
17 * * *
18 * * *
......................... Why the timeout?

ml@tobias:~$ ping 207.x.y.35
PING 207.x.y.35 (207.x.y.35) 56(84) bytes of data.
64 bytes from 207.x.y.35: icmp_seq=1 ttl=46 time=36.1 ms
64 bytes from 207.x.y.35: icmp_seq=2 ttl=46 time=76.4 ms

I get the same ping result for .41.

Could you folks be so kind, if anybody has a clue, to drop me an
email.

Much appreciated.

Lorand.
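The routing table in the post can be checked mechanically rather than by eye. The following is an added example, not part of the original post or of ScreenOS: a small parser for ScreenOS `get route` output that does a longest-prefix match per virtual router, so one can see which VR and interface a destination resolves in (or that it resolves in none), and that flags any prefix present in more than one VR, as 207.x.y.40/29 is in the table above (static in untrust-vr, connected in trust-vr). The sample output is constructed from the post's table with the masked octets "x.y" replaced by the made-up "1.2".

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of ScreenOS "get route" output, modelled on the table in the
# post above. The masked octets "x.y" are replaced by the made-up "1.2".
GET_ROUTE_OUTPUT = """\
C - Connected, S - Static, A - Auto-Exported, I - Imported, R - RIP
untrust-vr (1 entries)
--------------------------------------------------------------------------------
   ID  IP-Prefix       Interface  Gateway     P  Pref  Mtr  Vsys
--------------------------------------------------------------------------------
*   3  207.1.2.40/29   eth4       0.0.0.0     S  20    1    Root
trust-vr (9 entries)
--------------------------------------------------------------------------------
   ID  IP-Prefix       Interface  Gateway     P  Pref  Mtr  Vsys
--------------------------------------------------------------------------------
*  25  0.0.0.0/0       eth2       207.1.2.33  S  20    1    Root
*  30  207.1.2.40/29   eth4       0.0.0.0     C  0     0    Root
*  33  207.1.2.32/29   eth2       0.0.0.0     C  0     0    Root
"""

# "untrust-vr (1 entries)" style section header
VR_HEADER = re.compile(r"^(\S+-vr) \(\d+ entries\)")
# One route row: optional "*" (active), ID, prefix, interface, gateway,
# protocol letter, preference, metric, vsys.
ROUTE_LINE = re.compile(
    r"^(?P<active>\*?)\s*(?P<id>\d+)\s+(?P<prefix>\S+/\d+)\s+(?P<iface>\S+)\s+"
    r"(?P<gw>\S+)\s+(?P<proto>[CSAIR])\s+(?P<pref>\d+)\s+(?P<metric>\d+)\s+(?P<vsys>\S+)"
)


def parse_get_route(text):
    """Return {vr_name: [route dicts]} parsed from ScreenOS 'get route' output."""
    tables = defaultdict(list)
    vr = None
    for line in text.splitlines():
        m = VR_HEADER.match(line)
        if m:
            vr = m.group(1)
            continue
        m = ROUTE_LINE.match(line)
        if m and vr is not None:
            tables[vr].append({
                "active": m.group("active") == "*",
                "id": int(m.group("id")),
                "prefix": ipaddress.ip_network(m.group("prefix"), strict=False),
                "iface": m.group("iface"),
                "gateway": m.group("gw"),
                "proto": m.group("proto"),
                "pref": int(m.group("pref")),
                "metric": int(m.group("metric")),
            })
    return dict(tables)


def lookup(tables, vr, dst):
    """Longest-prefix match of dst among the active routes of one VR; None if no route."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in tables.get(vr, []) if r["active"] and addr in r["prefix"]]
    if not candidates:
        return None
    # Longest prefix wins; among equal lengths prefer lower preference, then metric.
    return min(candidates, key=lambda r: (-r["prefix"].prefixlen, r["pref"], r["metric"]))


def prefixes_in_multiple_vrs(tables):
    """Prefixes that appear in more than one virtual router, with the VRs that carry them."""
    seen = defaultdict(set)
    for vr, routes in tables.items():
        for r in routes:
            seen[r["prefix"]].add(vr)
    return {str(p): sorted(vrs) for p, vrs in seen.items() if len(vrs) > 1}


if __name__ == "__main__":
    tables = parse_get_route(GET_ROUTE_OUTPUT)
    for vr in sorted(tables):
        for dst in ("207.1.2.42", "8.8.8.8"):
            r = lookup(tables, vr, dst)
            print(vr, dst, "->", (r["iface"], r["gateway"], r["proto"]) if r else "no route")
    print("prefixes in more than one VR:", prefixes_in_multiple_vrs(tables))
```

Run against the constructed table, a destination in .40/29 resolves in trust-vr to the connected route on eth4, a foreign destination resolves in trust-vr to the default route via the .33 gateway, and untrust-vr has no route at all for anything outside .40/29.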