Screen OS


Can Used same IP for VIP and DIP ??

  • 1.  Can Used same IP for VIP and DIP ??

    Posted 08-25-2008 20:24

    Hi All,

    How can I use the same IP for VIP and DIP?

    For example, I have a VIP (10.10.10.10) for incoming services: http to IP 192.168.0.1, dns to IP 192.168.0.10, pop and smtp to IP 192.168.1.10.

    Then I want to use the same IP 10.10.10.10 for all outgoing smtp traffic to the untrust zone.

    Can I do that?

    thanks

    =ND=



  • 2.  RE: Can Used same IP for VIP and DIP ??
    Best Answer

    Posted 08-25-2008 21:15

    Hi,

    In the latest version of code, 6.1.r3, you can use MIP and VIP on the same IP. So what you need to do is create a MIP for the SMTP; this will allow SMTP to go in and out of the 10.10.10.10 address. Then create a VIP for the http and dns as you have done.

    I have not tried this yet as it only came out in the latest code, but give it a try and let me know.

    Hope this helps

    Andy



  • 3.  RE: Can Used same IP for VIP and DIP ??

    Posted 08-26-2008 00:15

    Hi Andy,

    Thanks for replying to my message.

    I just downloaded the newer OS, and I will try it and let you know later.

    thanks

    ND



  • 4.  RE: Can Used same IP for VIP and DIP ??

    Posted 09-03-2008 19:39

    Hi Andy,

    I have already used VIP and MIP with the same IP and it is working well.

    Thanks for your assistance.

    rgds,

    ND



  • 5.  RE: Can Used same IP for VIP and DIP ??

    Posted 12-27-2008 05:53

    Hello,

    Sorry for my English, it is very bad.

    I have tried to do this on 6.1.0r4.0, but I get errors.

    This is my ethernet0/9 configuration (part of the config file):

     

    set interface "ethernet0/9" zone "Untrust"
    set interface ethernet0/9 ip 1.0.0.190/28
    set interface ethernet0/9 nat
    set interface ethernet0/9 proxy dns
    set interface ethernet0/9 ip manageable
    set interface ethernet0/9 manage ping
    set interface ethernet0/9 manage ssh
    set interface ethernet0/9 manage ssl
    set interface ethernet0/9 manage web
    set interface ethernet0/9 vip 1.0.0.179
    set interface ethernet0/9 vip 1.0.0.180
    set interface ethernet0/9 vip 1.0.0.181
    set interface ethernet0/9 vip 1.0.0.182
    set interface ethernet0/9 vip 1.0.0.183
    set interface ethernet0/9 vip 1.0.0.184
    set interface ethernet0/9 vip 1.0.0.185
    set interface ethernet0/9 vip 1.0.0.186
    set interface ethernet0/9 vip 1.0.0.187
    set interface ethernet0/9 vip 1.0.0.188
    set interface ethernet0/9 vip 1.0.0.189
    set interface ethernet0/9 vip interface-ip
    set interface ethernet0/9 dip 4 1.0.0.178 1.0.0.178
    set route 0.0.0.0/0 interface ethernet0/9 gateway 1.0.0.177

    So I tried to do this:

    SSG140-> set interface ethernet0/9 dip 4 1.0.0.189 1.0.0.189
    One IP in range [1.0.0.189-1.0.0.189] is in use!!
    ###Invalid dip parameter

    SSG140-> set interface ethernet0/9 vip 1.0.0.178
    1.0.0.178~1.0.0.178 overlap with dip set 4
    ###62.113.122.178 is in use!!
    Error! Cannot add  VIP (62.113.122.178)

    How can I make it work?

    P.S. I can't use MIP because of the intricate network (IP) configuration. Outgoing IPs for different services must be different.

    Because of these errors I couldn't override these IPs with an SNAT policy =(

    Message Edited by SparF on 12-27-2008 06:14 AM


  • 6.  RE: Can Used same IP for VIP and DIP ??

    Posted 12-28-2008 05:37

    Hi SparF,

    The 6.1r3 release notes only say that MIP and VIP can use the same IP, not DIP, because MIP and VIP IPs are for incoming traffic but DIP is for outgoing traffic.



  • 7.  RE: Can Used same IP for VIP and DIP ??

    Posted 12-30-2008 09:40

    Ok, thanks)

    Can you tell me how I can implement policies like this:

    incoming traffic (dnat):

         Untrusted_ip:port  ->  DMZ_ip:port
         1.0.0.1:53         ->  2.0.0.1:53
         1.0.0.2:25         ->  2.0.0.2:25
         1.0.0.3:80         ->  2.0.0.3:80
         1.0.0.3:110        ->  2.0.0.4:110

    outgoing traffic (snat):

         DMZ_source_ip  destination_port  ->  Untrusted_source_ip
         2.0.0.1        53                ->  1.0.0.1
         2.0.0.2        25                ->  1.0.0.2
         All            80,21             ->  1.0.0.3

    - if 2.0.0.2 or 2.0.0.1 wants to connect to something using http, it must use the 1.0.0.3 source IP (not 1.0.0.1 or 1.0.0.2).

    So my problem is that I can't override the untrusted-zone source IP (assigned by the MIP rule) for some services for outgoing traffic.

    PS Happy New Year!!!  😃

    Message Edited by SparF on 12-30-2008 09:41 AM


  • 8.  RE: Can Used same IP for VIP and DIP ??

    Posted 12-31-2008 21:33

    Hi SparF,

    incoming traffic (dnat):

         Untrusted_ip:port  ->  DMZ_ip:port
         1.0.0.1:53         ->  2.0.0.1:53
         1.0.0.2:25         ->  2.0.0.2:25
         1.0.0.3:80         ->  2.0.0.3:80
         1.0.0.3:110        ->  2.0.0.4:110

    --> What IP is on the untrusted interface? If 10.0.0.3, you can use MIP for both the dns and mail services, and use VIP for the http and smtp services.

    outgoing traffic (snat):

         DMZ_source_ip  destination_port  ->  Untrusted_source_ip
         2.0.0.1        53                ->  1.0.0.1
         2.0.0.2        25                ->  1.0.0.2
         All            80,21             ->  1.0.0.3

    - if 2.0.0.2 or 2.0.0.1 wants to connect to something using http, it must use the 1.0.0.3 source IP (not 1.0.0.1 or 1.0.0.2).

    --> dns and mail will automatically use the MIP IP, but if your untrusted interface uses 1.0.0.3, all traffic except dns and mail will use that IP.

    Can anyone add more details?


  • 9.  RE: Can Used same IP for VIP and DIP ??

    Posted 01-06-2009 00:23
    --> What IP is on the untrusted interface? If 10.0.0.3, you can use MIP for both the dns and mail services, and use VIP for the http and smtp services.

    Yes, 1.0.0.3

    --> dns and mail will automatically use the MIP IP, but if your untrusted interface uses 1.0.0.3, all traffic except dns and mail will use that IP.
    Can anyone add more details?

    Yes, but if we want (for example) to ping or send an http request to something in Untrust (let it be 11.0.0.1) from 2.0.0.1, then on 11.0.0.1 we have packets from 1.0.0.1, not(!) from 1.0.0.3.

    I tried to do this:

    set interface "ethernet0/0" zone "DMZ"
    set interface "ethernet0/9" zone "Untrust"

    set interface ethernet0/0 ip 2.0.0.254/24
    set interface ethernet0/0 nat
    set interface ethernet0/9 ip 1.0.0.3/24
    set interface ethernet0/9 nat

    set interface "ethernet0/9" mip 1.0.0.1 host 2.0.0.1 netmask 255.255.255.255 vr "trust-vr"

    set policy id 9 from "DMZ" to "Untrust"  "Any" "Any" "FTP" nat src permit
    set policy id 9
    set service "HTTP"
    set service "PING"
    exit

    It looks like policy id 9 just permits traffic from 1.0.0.1 to Untrust but doesn't do nat src as defined in the policy.

    How can I make it work? Or maybe there are other ways to do something like "nat src exception policies for MIP hosts"?
    Message Edited by SparF on 01-06-2009 02:17 AM


  • 10.  RE: Can Used same IP for VIP and DIP ??

    Posted 01-06-2009 20:27

    but if we want (for example) to ping or send an http request to something in Untrust (let it be 11.0.0.1) from 2.0.0.1, then on 11.0.0.1 we have packets from 1.0.0.1, not(!) from 1.0.0.3

    --> Yes, that is correct. You used MIP for host 2.0.0.1, so all traffic from that host will be translated to 1.0.0.1.

    rgds,

    ND



  • 11.  RE: Can Used same IP for VIP and DIP ??

    Posted 01-07-2009 01:28

    --> Yes, that is correct.

    Ok 😃

    What can I do to change 1.0.0.1 to 1.0.0.3 for some traffic from host 2.0.0.1?



  • 12.  RE: Can Used same IP for VIP and DIP ??

    Posted 01-07-2009 09:30

    So, now I have something like this:

    But I want to have something like this:

    What can I do?



  • 13.  RE: Can Used same IP for VIP and DIP ??

    Posted 02-16-2009 00:36

    Solution:

    something like this:

    set address "Untrust" "ExternalIP_1" 1.0.0.1 255.255.255.255
    set address "Untrust" "ExternalIP_3" 1.0.0.3 255.255.255.255

    set address "DMZ" "dns" 2.0.0.1 255.255.255.255
    set address "DMZ" "web" 2.0.0.3 255.255.255.255
    set address "DMZ" "pop" 2.0.0.4 255.255.255.255

    set interface ethernet0/9 ip 1.0.0.3
    set interface ethernet0/9 dip 8 1.0.0.1

    set policy id 30 from "Untrust" to "Untrust"  "Any" "ExternalIP_1" "DNS" nat dst ip 2.0.0.1 permit
    set policy id 30
    exit

    set policy id 31 from "Untrust" to "Untrust"  "Any" "ExternalIP_3" "HTTP" nat dst ip 2.0.0.3 permit
    set policy id 31
    exit

    set policy id 32 from "Untrust" to "Untrust"  "Any" "ExternalIP_3" "POP" nat dst ip 2.0.0.4 permit
    set policy id 32
    exit

    set policy id 33 from "DMZ" to "Untrust"  "dns" "Any" "DNS" nat src dip-id 8 permit
    set policy id 33
    exit

    set policy id 34 from "DMZ" to "Untrust"  "Any" "Any" "Any" nat src permit
    set policy id 34
    exit

    PS: thanks to the debug/undebug commands 😃
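The failure in post 9 (MIP overriding a policy's nat src) and the fix in post 13 (DIP pool per service, interface IP for the rest) can be checked against a small model. This is an added example written for this thread, not ScreenOS code or anything from the posters: it assumes the evaluation order the thread describes (MIP applied to all traffic of the mapped host, policies first-match top-down) and stands in ports for the named services (FTP=21, HTTP=80, DNS=53).

```python
"""Constructed model of the NAT order this thread reports (added example, not
ScreenOS code): a MIP translates all traffic of its mapped host before policy
NAT is considered, while a policy's 'nat src' uses the egress interface IP or
a DIP pool.  Addresses and policy ids are taken from posts 9 and 13."""
from dataclasses import dataclass, field
from typing import Optional

EGRESS_IF_IP = "1.0.0.3"       # 'set interface ethernet0/9 ip 1.0.0.3'
DIP_POOLS = {8: "1.0.0.1"}     # 'set interface ethernet0/9 dip 8 1.0.0.1'


@dataclass
class Policy:
    pid: int
    src: str                         # DMZ host IP, or "Any"
    ports: frozenset                 # destination ports, or frozenset({"Any"})
    nat_src: Optional[str] = None    # None, "interface", or "dip:<pool id>"

    def matches(self, src_ip: str, dport: int) -> bool:
        return self.src in ("Any", src_ip) and ("Any" in self.ports or dport in self.ports)


@dataclass
class Firewall:
    mips: dict = field(default_factory=dict)      # MIP external IP -> DMZ host
    policies: list = field(default_factory=list)  # ordered, first match wins

    def egress_source(self, src_ip: str, dport: int) -> Optional[str]:
        """Source IP an Untrust peer sees for a DMZ flow; None if no policy permits it."""
        policy = next((p for p in self.policies if p.matches(src_ip, dport)), None)
        if policy is None:
            return None                            # implicit deny
        for ext_ip, host in self.mips.items():
            if host == src_ip:
                return ext_ip                      # MIP applies to all traffic of the host (post 10)
        if policy.nat_src is None:
            return src_ip                          # plain permit, no translation
        if policy.nat_src == "interface":
            return EGRESS_IF_IP                    # 'nat src permit'
        return DIP_POOLS[int(policy.nat_src.split(":")[1])]   # 'nat src dip-id N permit'


# Post 9: MIP for 2.0.0.1 plus policy 9 'nat src' -> HTTP still leaves as 1.0.0.1
POST9 = Firewall(mips={"1.0.0.1": "2.0.0.1"},
                 policies=[Policy(9, "Any", frozenset({21, 80}), "interface")])

# Post 13: no MIP; policy 33 puts DNS from the dns host on DIP 8, policy 34 the rest on 1.0.0.3
POST13 = Firewall(policies=[Policy(33, "2.0.0.1", frozenset({53}), "dip:8"),
                            Policy(34, "Any", frozenset({"Any"}), "interface")])
```

Call `POST9.egress_source("2.0.0.1", 80)` and `POST13.egress_source("2.0.0.1", 80)` to see the difference the thread arrived at: 1.0.0.1 under the MIP, 1.0.0.3 under the DIP-based policies.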