ScreenOS Firewalls (NOT SRX)
VWAP-PT (Visitor)

How to setup Trust to DMZ traffic no source IP translate?

I'm currently using an SSG320M firewall, ScreenOS 6.1.

When I ping from the trust network to a DMZ network host, all source IPs are translated to my DMZ firewall interface IP.

e.g. from 10.2.40.76 ping to 10.2.42.237

get session dst-ip 10.2.42.237

id 62103/s**,vsys 0,flag 00000010/0000/0001,policy 240,time 1, dip 2 module 0
 if 5(nspflag 800801):10.2.40.76/41984->10.2.42.237/512,1,00137230c08e,sess token 3,vlan 0,tun 0,vsd 0,route 3
 if 6(nspflag 10800804):10.2.42.254/11721<-10.2.42.237/512,1,0013725a3119,sess token 13,vlan 42,tun 0,vsd 0,route 5

It was translated to 10.2.42.254, which is my DMZ interface IP.

Please advise.

mehdi (Super Contributor)

Re: How to setup Trust to DMZ traffic no source IP translate?

Hello,

Set your trust interface to route mode.

Could you please run

get config | inc interface

and post the output here?

**If this reply solved your problem click on Kudos **
Kind Regard
http://www.linkedin.com/in/mkhitmane
personal mail: mehdi.khitmane@gmail.com
VWAP-PT (Visitor)

Re: How to setup Trust to DMZ traffic no source IP translate?

The trust and DMZ interfaces are all in NAT mode.

The command <inc interface> grabs too much data; which part do you want?

mehdi (Super Contributor)

Re: How to setup Trust to DMZ traffic no source IP translate?

Hi,

If you want to unset NAT between both zones, you should set route mode on the interfaces bound to the respective zones:

set interface ethX route

For more information, please refer to the document Concepts & Examples ScreenOS Reference Guide, Volume: Fundamentals, chapter 4 "Interface Modes", page 80.

Thanks

oldtimer (Super Contributor)

Re: How to setup Trust to DMZ traffic no source IP translate?

Expanding on mehdi's comments: to prevent source IP translation from the trust zone to either the DMZ or the untrust zone, you need to enable route mode on the interface bound to the trust zone. In fact, I recommend configuring all interfaces in route mode, and if you need NAT, doing it at the policy level. For each policy where you need the source IP to be NAT'd, you simply specify nat src in that policy. This gives you much more flexibility.
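As an added illustration of the approach recommended in the replies above (this is not configuration from the original thread, and the interface names ethernet0/0 for Trust, ethernet0/1 for DMZ and ethernet0/2 for Untrust, the DIP pool id 4 and the 203.0.113.x pool addresses are assumptions for the example; only 10.2.40.76, 10.2.42.237 and 10.2.42.254 come from the poster's session output), the ScreenOS CLI sequence below takes the interfaces out of NAT mode and then re-introduces source NAT only where it is wanted, per policy. Lines beginning with # are annotations, not CLI input.

```text
# Step 1: put the interfaces in route mode. An interface in NAT mode rewrites the
# source address of traffic leaving through it to the egress interface address,
# which is why 10.2.40.76 appeared as 10.2.42.254 on the DMZ leg of the session.
set interface ethernet0/0 route
set interface ethernet0/1 route
# oldtimer's recommendation: do this on every interface, including Untrust.
set interface ethernet0/2 route

# Step 2: Trust -> DMZ policy with no NAT keyword. The original source
# 10.2.40.76 is now preserved towards 10.2.42.237.
set policy from "Trust" to "DMZ" "Any" "Any" "ANY" permit

# Step 3: where hide-NAT is still wanted (e.g. Trust -> Untrust), ask for it in
# the policy. "nat src" with no DIP id translates to the egress interface address.
set policy from "Trust" to "Untrust" "Any" "Any" "ANY" nat src permit

# Optional: translate to a DIP pool on the Untrust interface instead.
# (pool id 4 and the 203.0.113.10-20 range are assumed values)
set interface ethernet0/2 dip 4 203.0.113.10 203.0.113.20
set policy from "Trust" to "Untrust" "Any" "Any" "HTTP" nat src dip-id 4 permit

# Step 4: verify. Check the interface modes, repeat the ping from 10.2.40.76,
# and look the session up again; the DMZ-side line should now show
# 10.2.40.76 rather than 10.2.42.254 as the translated source.
get interface
get session dst-ip 10.2.42.237

# Persist the running configuration.
save
```

Because policies are evaluated per zone pair, moving NAT into the policy lets Trust -> DMZ stay untranslated while Trust -> Untrust is still hidden behind the interface or a DIP pool, which is exactly the flexibility oldtimer describes. Check the order of your existing policies after adding new ones, since the first matching policy wins.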
mehdi (Super Contributor)

Re: How to setup Trust to DMZ traffic no source IP translate?

Hi Oldtimer,

You are right, I approve of that :)

Thanks

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.