03-15-2009 11:15 PM
The following is the scenario:
SSG320M-SH with 8-port Ethernet module.
Zones -> Untrust, Trust, DMZ, DMZ2, DMZ3
3 ISPs connected: ISP1 -> Eth0/0, ISP2 -> Eth1/6, ISP3 -> Eth1/7.
Default routes configured with Pref 10, 20 & 30 resp for ISP1, 2 & 3.
Multiple policies and VPNs configured, and working fine.

Now, the requirement of ISP1 is that the traffic be tagged with dot1q tag 851. Currently, ISP1's connection is on Ethernet, connected to Cisco router fa0/1. Fa0/0 connects to the SSG320 on eth0/0. To tag the egress traffic towards ISP1, we created a sub-interface on the Cisco router (the traditional way) and things are working as expected, with ISP failover, VPN, incoming MIP, VIP etc.

However, if we try to emulate this (i.e. the Cisco router, by creating a sub-interface) on Eth0/0 of the SSG, things go haywire. Internet access from Trust to Untrust works fine, but from the DMZs it doesn't. POP3 traffic works only from some workstations on Trust, and not at all from the DMZ, where the internal mail server is located. The outbound DIP IP of the firewall shows up as that of the sub-interface, and not as that of the physical interface. However, even with the sub-interface configured on eth0/0, ISP2's links work fine, and when traffic is routed through ISP2, there are no complaints at all. So there seem to be no problems with the policies.

So, the problem is, how do we configure a sub-interface on eth0/0 of the SSG320, and avoid the problems mentioned above? This is to relieve the router, since that router is required somewhere else, and the customer is not willing to buy another due to the current eco scenario. ;-) I hope I have explained things as clearly as possible.
Thanks for help in advance.
03-16-2009 02:48 AM
You should be able to use subinterfaces on the e0 interface without any problem. Two points to consider:
- You have to create the subinterface in the untrust zone.
- NATting from the DMZ zone to Untrust needs to be done in the policy; it doesn't come from interface-based NAT. You can choose to NAT behind the egress interface in the policy (in this case the subint's IP will be used), or create a DIP.
If you have your own IP range (independent from the ISPs, but they route to this range) you can create a loopback interface in the Untrust zone and make all interfaces and subinterfaces members of the loopback group of this interface. Now you can create your NAT objects (DIP, MIP, VIP) on the loopback interface and use them in all your policies. The NATting will be independent of the outgoing interface now.
If this post doesn't help you, you could run a debug on the malfunctioning POP3 session and post the output. It might show what's going on. It's a basic functionality you're asking for. We can't accept that this doesn't work, can we?!
03-16-2009 04:59 AM
Thanks for the response. Well, actually, I did try it the way you mention.
However, the issue is not the creation of the sub-interface, but how the routes are defined, how the egress interface is configured and how NAT is handled. For explanation:
eth0/0 --> 202.xxx.yyy.105/29 (LAN IPs issued by the ISP)
eth0/0.1 --> 202.xxx.yyy.102/30 dot1q tag 851 (WAN IP and tag as issued by ISP)
route --> 0.0.0.0/0 through eth0/0.1 gw 202.xxx.yyy.101 (Here, if I give the outgoing interface as 0/0 instead of 0/0.1, the Internet was not accessible. I suppose, tagging issues??) But when the egress interface is 0/0.1 the NATed IP seen on the outgoing traffic is .102 (as expected, but not as desired). Here everything is in trust-vr. (Now, when this setup is replaced with a Cisco router doing the VLAN tagging, the NAT IP is seen as .105, that of eth0/0, as expected, AND as desired!)
There was a suggestion to leave eth0/0 unnumbered, and use .105 as a DIP IP on eth0/0.1; however, that didn't work out, as the firewall does not allow an unnumbered IP on eth0/0 (we didn't try setting it to DHCP, but I suppose, in the absence of any DHCP server, this would have failed too??). Also, as my understanding of DIP/MIP/VIP goes, the IP used for a DIP/MIP/VIP must belong to the subnet of the interface on which it is configured.
So, the issue is, how can we achieve the sub-interface doing the tagging, but the physical interface being the egress interface?? Regarding the POP3 issue: strangely, when it was configured without the router, random hosts on the Trust LAN were able to make outgoing POP3 sessions and download mails, whereas the rest were not able to! But we didn't try getting the debugs, since it started working fine the moment we removed the sub-interface and configured the router for VLAN tagging.
Hope this makes things clearer. Thanks for help in advance.
03-16-2009 09:28 AM
03-16-2009 10:47 PM
Thanks for the response. Before trying your suggestion, just a small clarification is required. If I move the physical int e0/0 into the Null zone, can I still apply an IP address and do MIP through that interface? If not, can I use the public IPs assigned by the ISP for the LAN on the sub-interface?
03-17-2009 02:37 AM
Once you have moved the interface to the Null zone you can't use it at all, with the exception of creating subinterfaces. If you need two connections, one tagged, one untagged, you place both the interface and its subinterface in the Untrust zone and give them the addresses and MIPs/VIPs you need. Traffic going out through the main interface (ethernet0/0) will be untagged; traffic going out through your subinterface (ethernet0/0.1) will be tagged with the tag value you specified in the subinterface definition.
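The layout the replies converge on (physical interface and tagged sub-interface both in Untrust, NAT objects on a loopback interface so the source address no longer depends on which egress interface the route picks), written out as an added ScreenOS CLI example. This is not configuration from any of the posters. Assumptions: 203.0.113.x stands in for the thread's masked 202.xxx.yyy addresses (same host bits as the posts: .105/29 on ethernet0/0, .102/30 and gateway .101 on the tagged sub-interface); 198.51.100.0/29 is an assumed "own" range that the ISPs route to the firewall, which the loopback approach requires; the DIP id 5, policy ids 10-12 and the mail server address 10.1.1.10 are made up; lines starting with `#` are annotations, not ScreenOS commands, and must be dropped before pasting.

```screenos
# --- Untagged physical interface towards ISP1 (LAN block from the ISP; 203.0.113.x is a constructed stand-in)
set interface ethernet0/0 zone Untrust
set interface ethernet0/0 ip 203.0.113.105/29

# --- Tagged sub-interface: dot1q tag 851 from the thread, created directly in the Untrust zone
set interface ethernet0/0.1 tag 851 zone Untrust
set interface ethernet0/0.1 ip 203.0.113.102/30

# --- ISP1 default route via the tagged sub-interface, preference 10 as in the original post (trust-vr)
set route 0.0.0.0/0 interface ethernet0/0.1 gateway 203.0.113.101 preference 10

# --- Loopback approach from the first reply; 198.51.100.0/29 is an assumed own range routed to this firewall
set interface loopback.1 zone Untrust
set interface loopback.1 ip 198.51.100.1/29

# --- Both the physical and the sub-interface join the loopback group, so NAT objects defined on
#     loopback.1 are usable whichever of the two ends up as the egress interface
set interface ethernet0/0 loopback-group loopback.1
set interface ethernet0/0.1 loopback-group loopback.1

# --- DIP pool and MIP defined once on the loopback (ids and 10.1.1.10 are made up)
set interface loopback.1 dip 5 198.51.100.2 198.51.100.2
set interface loopback.1 mip 198.51.100.3 host 10.1.1.10 netmask 255.255.255.255 vr trust-vr

# --- Outbound policies: source NAT to the DIP instead of "nat src" on the egress interface,
#     which is what produced the sub-interface address (.102) in the original setup
set policy id 10 from DMZ to Untrust any any any nat src dip-id 5 permit
set policy id 11 from Trust to Untrust any any any nat src dip-id 5 permit

# --- Inbound mail to the DMZ server through the MIP
set policy id 12 from Untrust to DMZ any MIP(198.51.100.3) POP3 permit
```

With this in place the address seen by the ISP for DMZ and Trust traffic is the DIP on loopback.1 rather than the IP of whichever interface the route selected, which is the behaviour the original poster got from the Cisco router. If no independent range is available, the loopback part does not apply and the DIP has to be defined on the sub-interface itself, in which case it must lie in that sub-interface's subnet, as the second post notes.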