ScreenOS Firewalls (NOT SRX)
Visitor
Wotcha
Posts: 7
Registered: ‎06-14-2011
0

Group/Network based NAT on SSG 350 ScreenOS 6.2 ?

Please can anyone advise how I can achieve something that seems very, very simple, but after RTFM is apparently impossible.

I have a DMZ with internet-facing web servers, some http & https and some http only.

The web server DMZ is network 1.2.3.0/24.

There is no NAT between the Untrust and DMZ zones.

I have a policy permitting:

any to SSL_Servers, permit https

any to WWW_servers, permit http

The groups are populated with the IPs of the web servers.

What I want to do is simple: NAT the network 1.2.3.0/24 to network 1.2.4.0/24.

Simply change the 3rd octet of the destination. How can I do this? I'm lost.


Super Contributor
jcollazo
Posts: 97
Registered: ‎05-19-2009
0

Re: Group/Network based NAT on SSG 350 ScreenOS 6.2 ?

A couple of ways to attack this problem.

  1. You could do NAT-Dst Many-to-Many Mapping, which makes use of address shifting: Volume 8: Address Translation (pg 44). If the traffic is all inbound this should suffice; otherwise you will have to create a similar NAT-Src with Address Shifting (pg 21) policy for outbound traffic.
  2. Or you could use MIPs for this and then use MIP grouping in a policy (pg 79). The drawback to this is that you have to define each MIP individually.
Visitor
Wotcha
Posts: 7
Registered: ‎06-14-2011
0

Re: Group/Network based NAT on SSG 350 ScreenOS 6.2 ?

Reading up on the NAT-dst, it says in bold text:

"When configuring Destination Network Address Translation (NAT-dst), do not specify
the address group entry as the destination."

So it would appear this can only ever be applied to an address object.

In the example:

set policy from untrust to dmz any oda6 any nat dst ip 10.2.1.0 10.2.1.254 permit
save

oda6 is defined as 1.2.1.0/24.

This does not fit my brief, as I need to control http or https access based on a subset (group) of IPs within that network.

If this is the case it would appear to be a fairly major flaw in ScreenOS!

The MIP option is a bit vague in the document.

Am I correct in thinking that the MIPs would be set on the untrust interface? The untrust interface would have to be in NAT mode, and the DMZ could be in route mode?

I would then have to group the MIPs to apply the http/https policy.

Super Contributor
jcollazo
Posts: 97
Registered: ‎05-19-2009
0

Re: Group/Network based NAT on SSG 350 ScreenOS 6.2 ?

An address object (found under Addresses -> List in the policy elements) is different from an address group (found under Addresses -> Groups in the policy elements).

You can define an address object as you have defined oda6 without it being in an address group.

Based on my understanding of what you are trying to do, yes, the MIPs would be defined on the Untrust interface since that is where inbound traffic would be coming from. The untrust interface does not need to be in NAT mode for the MIP to work; you can define a MIP on any interface regardless of the mode. I personally never use NAT mode for interfaces; I put them all in route mode and use MIPs and NAT-Src / NAT-Dst for address translation.

Visitor
Wotcha
Posts: 7
Registered: ‎06-14-2011
0

Re: Group/Network based NAT on SSG 350 ScreenOS 6.2 ?

Many thanks for the response.

Based on my understanding and what you've said, I guess policy-based NAT options are out, as using an address object in the policy is not giving me the granularity to control 80/443 groupings.

So I will give the MIP option a go, only 500 of them! lol...


Distinguished Expert
echidov
Posts: 858
Registered: ‎11-02-2009
0

Re: Group/Network based NAT on SSG 350 ScreenOS 6.2 ?

Hi,

This is a single MIP object:

set int ethx/y mip 1.2.4.0 host 1.2.3.0 netmask 255.255.255.0 [vrouter vrname]

Kind regards,
Edouard
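The thread ends with two options: one subnet MIP covering the whole /24 (echidov's line above), or one MIP per server so that the mapped addresses can be grouped into the SSL_Servers / WWW_servers policies (jcollazo's option 2, the "500 of them" Wotcha mentions). The generator below is an added example written for this thread; it is not Juniper's code nor anything the posters supplied. It does the third-octet shift the original question asks for in software and emits the per-host MIP, address-group and policy lines, so the 500 entries are produced by a script rather than typed by hand. The interface name ethernet0/0, the vrouter name trust-vr and the host lists are constructed assumptions; the command forms follow the ScreenOS MIP, `set group address` and `set policy` syntax referenced in the posts above.

```python
"""Generate per-host ScreenOS MIP and policy lines for a third-octet shift.

Hypothetical helper written for this thread, not Juniper's or the posters'
own code.  Interface name, vrouter name and the host lists are constructed
assumptions; the command forms follow the ScreenOS MIP / address-group /
policy syntax discussed in the thread.
"""
import ipaddress
from typing import Dict, List

# Constructed sample input: the two service groups from the thread, populated
# with hypothetical web-server addresses inside the DMZ network 1.2.3.0/24.
# One host (1.2.3.10) deliberately appears in both groups (http and https).
SERVER_GROUPS: Dict[str, List[str]] = {
    "SSL_Servers": ["1.2.3.10", "1.2.3.11"],
    "WWW_servers": ["1.2.3.10", "1.2.3.20", "1.2.3.21"],
}
# Which predefined ScreenOS service each group is allowed to receive.
GROUP_SERVICE: Dict[str, str] = {"SSL_Servers": "HTTPS", "WWW_servers": "HTTP"}


def shift_host(addr: str, src_net: str, dst_net: str) -> str:
    """Return addr moved from src_net to the same host offset in dst_net.

    For 1.2.3.0/24 -> 1.2.4.0/24 this changes only the third octet, which is
    exactly the mapping the original question asks for.  Addresses outside
    src_net and networks of different sizes are rejected rather than mapped.
    """
    src = ipaddress.IPv4Network(src_net)
    dst = ipaddress.IPv4Network(dst_net)
    ip = ipaddress.IPv4Address(addr)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("source and destination networks must be the same size")
    if ip not in src:
        raise ValueError(f"{addr} is not inside {src_net}")
    offset = int(ip) - int(src.network_address)
    return str(ipaddress.IPv4Address(int(dst.network_address) + offset))


def build_config(groups: Dict[str, List[str]], services: Dict[str, str],
                 src_net: str, dst_net: str,
                 iface: str = "ethernet0/0", vrouter: str = "trust-vr") -> List[str]:
    """Emit MIP definitions, MIP address groups and per-service policies."""
    # One MIP per real host; a host listed in both groups still gets one MIP.
    mips: Dict[str, str] = {}
    for hosts in groups.values():
        for host in hosts:
            mips.setdefault(host, shift_host(host, src_net, dst_net))

    lines: List[str] = []
    for real, mapped in sorted(mips.items(),
                               key=lambda kv: int(ipaddress.IPv4Address(kv[0]))):
        lines.append(f"set interface {iface} mip {mapped} host {real} "
                     f"netmask 255.255.255.255 vrouter {vrouter}")

    # MIP objects belong to the zone of the interface they are bound to
    # (untrust here), so the groups that reference them are untrust-zone groups.
    for group, hosts in groups.items():
        for host in hosts:
            lines.append(f'set group address untrust "MIP_{group}" add "MIP({mips[host]})"')

    # One policy per service group, mirroring the original any -> group policies.
    for group, service in services.items():
        lines.append(f'set policy from untrust to dmz any "MIP_{group}" {service} permit')
    lines.append("save")
    return lines


if __name__ == "__main__":
    print("\n".join(build_config(SERVER_GROUPS, GROUP_SERVICE,
                                 "1.2.3.0/24", "1.2.4.0/24")))
```

Run it and paste the output into the CLI; swap the constructed host lists for the real group members. If per-service control is not needed, echidov's single subnet MIP above replaces the whole per-host loop with one object.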
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.