Screen OS


2 Trust and 2 Untrust interfaces

  • 1.  2 Trust and 2 Untrust interfaces

    Posted 06-04-2010 14:41

    I am using an SSG5 with firmware ver. 6.1.0r2.0.
    I have 2 Trusted interfaces (Lan1 - 192.168.1.0/24, Lan2 - 192.168.4.0/24) and 2 Untrusted interfaces (both PPPoE with ADSL routers).
    In my configuration I use 1 VR (trusted-vr). What I want to do is have each Trust subnet use a different Untrust interface for Internet access (using source routing). I have created 4 new Zones (Lan1-Lan2 / ISP1-ISP2) and the proper policies (From Lan1 --> ISP1 [Any/Any], etc.). Using that configuration I don't have Internet access (both Untrust interfaces are connected via PPPoE). Only when I use the preconfigured Zones (Trust and Untrust) do I have Internet access. I am really confused about the Zones configuration. Do I have to use the preconfigured zones (Trust and Untrust) or do custom ones also work? Do I have to use the same Zone for both my subnets (I guess no)? Can someone guide me with this kind of configuration?

    Thank you 



  • 2.  RE: 2 Trust and 2 Untrust interfaces

    Posted 06-04-2010 18:36

    The issue is likely with the NAT setup.  The preconfigured zones have interface NAT turned on in a legacy mode.  For your configuration you would use policy NAT.

     

    On the policy from lan1 to isp1  and lan2 to isp2 select advanced options and check off the box for source NAT.

     

    Or add the "nat src" to your policy command on the CLI.



  • 3.  RE: 2 Trust and 2 Untrust interfaces

    Posted 06-05-2010 05:05

    Thank you very much for your answer. Policy NAT did the job. I have one more question. With that kind of setup (2 LAN - 2 WAN, with source routing for separating traffic) is there a way to have failover between the 2 WAN links?

    Thank you



  • 4.  RE: 2 Trust and 2 Untrust interfaces

    Posted 06-05-2010 05:25

    The combination of both failover and load balancing is a little more complicated.


    I think your best bet in that case would be to put your two internet services into the same zone.


    Then use Policy based Routing to send the internet traffic for each LAN to the correct interface.


    When the policy route is not available it will then use the alternate connection.

    See the Concepts and Examples guide, Volume 7: Routing, "Policy Based Routing", page 138.



  • 5.  RE: 2 Trust and 2 Untrust interfaces

    Posted 06-06-2010 00:10

    Thank you. For the time being I will stick with that configuration (until I get more familiar with ScreenOS).

    Today I tried to communicate from Lan1 to Lan2. I have created a policy (Lan1 -> Lan2 / Any-Any) but it seems it's using the Isp1 path to reach the second subnet (although there is a route to my second subnet). I don't know if policy NAT is responsible for that or maybe source routing.



  • 6.  RE: 2 Trust and 2 Untrust interfaces

    Posted 06-06-2010 05:05

    On the LAN1 to LAN2 policy you will NOT use the source NAT option.  They each have unique addresses to connect with each other.

     

    Also these policies are in ONE direction only.  The policy created will allow a computer on LAN1 to initiate a connection to LAN2 but not the reverse.  You need a second policy from LAN2 to LAN1 if the traffic starts in LAN2.



  • 7.  RE: 2 Trust and 2 Untrust interfaces

    Posted 06-06-2010 05:22

    Thank you for your answer, but source NAT is disabled in the lan1 to lan2 policies and I also use policies for both directions. I noticed that when I disable source routing the communication between my trusted interfaces is OK, but then I have problems with my Internet access...



  • 8.  RE: 2 Trust and 2 Untrust interfaces

    Posted 06-06-2010 05:26

    What are you using to see the path?

     

    I have the same setup here in my office and the two internal lans seem to communicate directly when I trace route between them.



  • 9.  RE: 2 Trust and 2 Untrust interfaces

    Posted 06-06-2010 05:36

    I use Windows traceroute. From Lan1 I see a timeout after reaching the Lan1 router interface, but from Lan2 it tries to use the Isp2 router interface.



  • 10.  RE: 2 Trust and 2 Untrust interfaces

    Posted 06-06-2010 05:40

    If it is not on already, add logging to the lan1-lan2 policies.

     

    Then see what appears in the log for the transaction.

     

    The windows firewall is off on the target of the ping right?



  • 11.  RE: 2 Trust and 2 Untrust interfaces

    Posted 06-06-2010 06:10

    When trying to reach Lan1 from Lan2 it uses the policy Lan2 -> Isp2 ... I am really stuck. I am attaching my config file in case you want to take a look. Anyway, thank you very much for your help.



  • 12.  RE: 2 Trust and 2 Untrust interfaces

    Posted 06-06-2010 08:38

    My config file attached



  • 13.  RE: 2 Trust and 2 Untrust interfaces

    Posted 06-07-2010 01:00

    Well, I did a reset on the device, so as to start the configuration from the beginning. Exactly the same problem. No communication between Lan1 and Lan2. When disabling source routing, communication between the LANs is OK but there is no Internet access.



  • 14.  RE: 2 Trust and 2 Untrust interfaces

    Posted 06-07-2010 04:04

    I think your issue is that on the "Isogeio-Lan" you have the interface in NAT mode instead of route mode.


    set interface ethernet0/4 nat

    Change this to

    set interface ethernet0/4 route

     

    Interface NAT is a legacy compatibility mode that is an alternative to using policy-based NAT.  You have your dual LAN setup using policy NAT so you don't need this.  In addition, if you were using interface NAT it would have to be on the Untrust interface to the internet, not the LAN interface.



  • 15.  RE: 2 Trust and 2 Untrust interfaces

    Posted 06-07-2010 04:12

    I have both Trust interfaces (Petros-Lan and Isogeio-Lan) in NAT mode. So I will change both of them and let you know.

    Thank you



  • 16.  RE: 2 Trust and 2 Untrust interfaces

    Posted 06-07-2010 08:01

    I changed both Trust interfaces to route mode but nothing changed. I also changed the Route Lookup preference and put Destination routing first and then Source routing. The result was that from Lan2 I had access both to the other trust interface and to the Internet, but from Lan1 I had access only to "Isogeio-Lan". I think that because in my Destination routing table Isp2 comes before Isp1, that's why Lan1 can't access the Internet (in conjunction with source routing).



  • 17.  RE: 2 Trust and 2 Untrust interfaces
    Best Answer

    Posted 06-08-2010 16:37

    I don't think you can do this using the source based routing.  The issue is that source routes are read first and so all of the traffic from your LAN1/LAN2 are sent to the ISP1/ISP2 regardless of any other destination routes that are in the system, even if they are directly connected like this.

     

    I believe you will need to:

     

    • Remove the source routes
    • Create two default routes of the same metric for the two ISP connections
    • Use policy-based routing to direct the internet traffic from each LAN to its respective ISP
    • Then the connected destination routes will work as expected for the LAN-to-LAN traffic

    That is unless someone else has a simpler solution.
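The four steps in the best answer, written out as a ScreenOS CLI fragment. This is an added example, not anything posted in the thread and not taken from the attached config files. It assumes ethernet0/0 and ethernet0/1 are the two PPPoE Untrust interfaces placed together in one zone called ISP, ethernet0/2 carries Lan1 (192.168.1.0/24) and ethernet0/4 carries Lan2 (192.168.4.0/24), and everything sits in trust-vr. The interface names, the zone names and the exact command forms are from memory of the ScreenOS 6.x CLI and should be checked against the Concepts and Examples guide, Volume 7, cited earlier in the thread; the lines starting with # are explanatory and are not ScreenOS syntax.

```screenos
# Added example (not from the thread). Interface/zone names and exact
# command syntax are assumptions; verify against the C&E guide, Volume 7.

# 1. Remove the per-LAN source routes that override the connected routes.
#    (The original source-route lines are not shown in the thread; the form
#    below is assumed.)
unset route source 192.168.1.0/24 interface ethernet0/0
unset route source 192.168.4.0/24 interface ethernet0/1

# 2. LAN interfaces in route mode: NAT is applied per policy, not per interface.
set interface ethernet0/2 route
set interface ethernet0/4 route

# 3. Two equal-metric default routes, one per ISP, so either PPPoE session
#    can carry Internet traffic when the other is down.
set route 0.0.0.0/0 interface ethernet0/0 metric 1
set route 0.0.0.0/0 interface ethernet0/1 metric 1

# 4. Policy-based routing for Lan1. PBR is consulted before the destination
#    table, so the LAN-to-LAN match must come first (sequence 1); a bare
#    "everything from Lan1 goes to Isp1" entry on its own would recreate the
#    exact symptom described in the thread.
set match-group name lan1-to-lan2
set match-group lan1-to-lan2 ext 1 src-address 192.168.1.0/24 dst-address 192.168.4.0/24
set match-group name lan1-any
set match-group lan1-any ext 1 src-address 192.168.1.0/24
set action-group name via-lan2
set action-group via-lan2 next-interface ethernet0/4 action-entry 1
set action-group name via-isp1
set action-group via-isp1 next-interface ethernet0/0 action-entry 1
set pbr policy name lan1-pbr
set pbr policy lan1-pbr match-group lan1-to-lan2 action-group via-lan2 1
set pbr policy lan1-pbr match-group lan1-any action-group via-isp1 2
set interface ethernet0/2 pbr lan1-pbr

#    Mirror image for Lan2 -> Isp2.
set match-group name lan2-to-lan1
set match-group lan2-to-lan1 ext 1 src-address 192.168.4.0/24 dst-address 192.168.1.0/24
set match-group name lan2-any
set match-group lan2-any ext 1 src-address 192.168.4.0/24
set action-group name via-lan1
set action-group via-lan1 next-interface ethernet0/2 action-entry 1
set action-group name via-isp2
set action-group via-isp2 next-interface ethernet0/1 action-entry 1
set pbr policy name lan2-pbr
set pbr policy lan2-pbr match-group lan2-to-lan1 action-group via-lan1 1
set pbr policy lan2-pbr match-group lan2-any action-group via-isp2 2
set interface ethernet0/4 pbr lan2-pbr

# 5. Policies: source NAT only toward the Internet, none between the LANs,
#    one policy per direction (policies are unidirectional), logging on so
#    the log shows which policy a LAN-to-LAN session actually matched.
set policy from Lan1 to ISP any any any nat src permit log
set policy from Lan2 to ISP any any any nat src permit log
set policy from Lan1 to Lan2 any any any permit log
set policy from Lan2 to Lan1 any any any permit log
```

When a PPPoE session drops, the action-group pointing at that interface is no longer usable and the lookup falls through to the remaining default route, which is the failover the thread asks about; the price is that the LAN-to-LAN entries have to be kept in step with any subnet you add later.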