04-19-2012 10:27 AM
Please can anyone advise how I can acheive something that is seeming very very simple, but after RTFM apparently impossible.
I have a DMZ with internet facing webservers, some http&https and some http only.
The Webserver DMZ is network 220.127.116.11/24.
There is no NAT between Untrust and DMZ zones.
i have a policy permitting:
any to SSL_Servers, permit https
any to WWW_servers permit http
The groups are populated with the IPs of the web servers.
What I want to do is simple: NAT the network 18.104.22.168/24 to network 22.214.171.124/24
Simply change the 3rd octet of the destination. How can I do this ? I'm lost.
04-19-2012 01:04 PM
A couple ways to attack this problem.
- You could do NAT-Dst Many-to-Many Mapping which makes use of address shifting: Volume8:Address Translation (pg 44) If the traffic is all inbound this should suffice otherwise you will have to create a similar NAT-Src with Address Shifting (pg 21) policy for outbound fraffic.
- Or you could use MIPs for this and then use MIP grouping in a policy (pg 79) the drawback to this is that you have to define each MIP individually.
04-20-2012 02:06 AM
Reading up on the NAT-dst, it says in bold text:
"When configuring Destination Network Address Translation (NAT-dst), do not specify
the address group entry as the destination."
So it would appear this can only every be applied to an address object:
In the example
set policy from untrust to dmz any oda6 any nat dst ip 10.2.1.0 10.2.1.254 permit
oda6 is defined as 126.96.36.199/24
This does not fit my brief as I need to control http or https access based on a subset (group) of IPs within that network.
If this is the case it would appear to be a fairly major flaw in ScreenOS !
The MIP option is a bit vague in the document.
Am I correct in thinking that the MIPS would be set on the untrust interface ? the untrust interface would have to be in NAT mode, the DMZ could be in route mode ?
I would then have to group the MIPs to apply the http/https policy.
04-20-2012 07:04 AM
An address object (found under Addresses -> List in the policy elements) is different than an address group (found under Addresses -> Groups in the policy elements).
You can define an address object as you have defined oda6 and it not be in an address group.
Based on my understanding of what you are trying to do, yes, the MIPs would be defined on the Untrusted interface since that is where inbound traffic would be coming from. The untrust interface does not need to be in NAT mode for the MIP to work you can define a MIP on any interface regardless of the mode. I personally never use NAT mode for interfaces I put them all in route mode and use MIPs and NAT-Src / NAT-Dst for address translation.
05-07-2012 04:06 AM
Many thanks for the response.
Based on my understanding and what you've said, I guess policy based NAT options are out as using an address object in the policy is not giving me the granulatity to control 80/443 groupings.
So I will give the MIP option a go, only 500 of them ! lol...