03-02-2009 09:30 AM
Dear All, I have little problem regarding MIP. As MIP is in Global zone. I have three interfaces.
e1/1 trust 172.16.14.253/24
e1/2 DMZ 172.16.13.254/24
e1/3 Untrust 184.108.40.206/24
I have MIP-220.127.116.11 Host-IP-172.16.16.18 This Host IP is placed behind Trust zone and route is available in ISG. Now i writre the policy from Untrust to DMZ any to MIP(18.104.22.168) any any any permit. Now i am able to access the Host IP which is in the TRUST zone when i try to access MIP 22.214.171.124. Now problem is this that there is no policy exists from Untrust to trust for MIP, even there is no policy to access MIP from Untrust to trust but i can access the the MIP-126.96.36.199 and i can see the translation in the policy log of from untrust to DMZ. it shows the destination IP 188.8.131.52 and destination translation IP 172.16.16.18. It is working fine even if there is no policy from untrust to trust for MIP, but the policy exists from Untrust to DMZ. it means we can access the MIP if policy exists for any zone except the zone where it resides.
I just want that MIP should be accessible for particular zone if there is policy exists for that zone. if there is no policy for untrust to trust for MIP then it should not be accessible from Untrust to DMZ. Is it possible for Please explain this behaviour of MIP.
03-02-2009 01:55 PM
a MIP is bidirectional. So address translation is done in both directions. You define the MIP on the "outward facing" interface, normaly untrust. For the inbound policy you define a policy from untrust to destinationzone any MIP(IP) service permit log. For the outbound you define a "normal"permit policy. Address translation will be done in both direction now. If there's a third zone involved you can define a policy from thirdzone to unrust with the public addres as destination. When you connect to this IP the traffic will be passed through the MIP to the host.
Does this answer you question?
03-02-2009 09:59 PM
I think you didn't understand my question. Question is that if there is no policy from untrust to trust exist for MIP (IP1). and there is only one policy exist from untrust to DMZ for MIP (IP1) then why we can access the MIP whose host IP (IP1) is places in trust zone. We can also see translation in policy log from untrust to DMZ exactly same we required.
Why it is accessible from Untrust to DMZ policy while machine is reside in Trust Zone. and there is no policy from Untrust to Trust.
03-03-2009 03:20 AM
Is it possible to have an extract of your configuration?
I think you already defined a global policy where you used that MIP.
In that case your translation is done on that rule, and it will also allow your traffic
03-03-2009 04:34 AM
There is no global policy exist. Output is as under.
ISG2k02(M)-> get policy global
No global policies, Default deny.
We tried on another firewall (SSG550) same behavior. and also no global policy exist there on SSG550.
03-03-2009 04:59 AM
03-03-2009 02:32 PM
The source zone is respected of course. So just wirte the policy from the source zone to the destination where the actual hosts exists, then there isn't any problem is there?