ScreenOS Firewalls (NOT SRX)
Blogs
Discussion Forums
Programs & Events
turn on suggestions Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Reply
Topic Options
VWAP-PT
Visitor
VWAP-PT
Posts: 2
Registered: ‎08-12-2009
0

How to setup Trust to DMZ traffic no source IP translate?

Options

‎08-12-2009 01:03 AM

I'm current using SSG320M firewall, screen OS 6.1

 

when from trust network ping to DMZ network host, all source IP have translated to my DMZ firewall interface IP

 

e.g.. from 10.2.4076 ping to 10.2.42.237

 

get session dst-ip 10.2.42.237

 

id 62103/s**,vsys 0,flag 00000010/0000/0001,policy 240,time 1, dip 2 module 0
 if 5(nspflag 800801):10.2.40.76/41984->10.2.42.237/512,1,00137230c08e,sess token 3,vlan 0,tun 0,vsd 0,route 3
 if 6(nspflag 10800804):10.2.42.254/11721<-10.2.42.237/512,1,0013725a3119,sess token 13,vlan 42,tun 0,vsd 0,route 5

 

It translated to 10.2.42.254, this is my DMZ interface IP

 

Please advise

 

 

 

Message 1 of 6 (11,281 Views)
 
Reply
Super Contributor
mehdi
Posts: 240
Registered: ‎08-19-2008
0

Re: How to setup Trust to DMZ traffic no source IP translate?

Options

‎08-12-2009 02:03 AM

 Hello

you set your interface trust  on route mode

 

 could you please do that

 

get config | inc interface

 

and post it in this case 

**If this reply solved your problem click on Kudos **
Kind Regard
http://www.linkedin.com/in/mkhitmane
personal mail: mehdi.khitmane@gmail.com
Message 2 of 6 (11,278 Views)
 
Reply
VWAP-PT
Visitor
VWAP-PT
Posts: 2
Registered: ‎08-12-2009
0

Re: How to setup Trust to DMZ traffic no source IP translate?

Options

‎08-12-2009 02:57 AM

The trust and DMZ interface all in NAT mode

 

The command <inc interface> grab too much data, which part you want?

Message 3 of 6 (11,272 Views)
 
Reply
Super Contributor
mehdi
Posts: 240
Registered: ‎08-19-2008
0

Re: How to setup Trust to DMZ traffic no source IP translate?

Options

‎08-12-2009 03:06 AM

hi

 

if you want unset your NAT between both zone you should  set route mode on interface binded in respective zone  

 

set interface ethX route

fore more inormation please refer docuemnt Concepts & Examples ScreenOS Reference Guide Volum fondamentals chapiter 4 "interface mode" page 80

 

thanks

**If this reply solved your problem click on Kudos **
Kind Regard
http://www.linkedin.com/in/mkhitmane
personal mail: mehdi.khitmane@gmail.com
Message 4 of 6 (11,269 Views)
 
Reply
Super Contributor
Super Contributor
oldtimer
Posts: 227
Registered: ‎11-06-2007
0

Re: How to setup Trust to DMZ traffic no source IP translate?

Options

‎08-12-2009 08:49 AM

Expanding on mehdi's comments ... to prevent source IP translation from the trust to either dmz or untrust, you need to enable route mode on the interface bound to trust zone.  In fact, I recommend configuring all interfaces to route mode, and if you need NAT, then do that at the policy level.  For each policy you need the IP to be NAT'd, you simply specify nat src per policy.  This gives you much more flexibility.
Message 5 of 6 (11,252 Views)
 
Reply
Super Contributor
mehdi
Posts: 240
Registered: ‎08-19-2008

Re: How to setup Trust to DMZ traffic no source IP translate?

Options

‎08-12-2009 09:03 AM

Hi Oldtimer

 

you are right i am aprove that :smileyhappy:

 

thanks  

**If this reply solved your problem click on Kudos **
Kind Regard
http://www.linkedin.com/in/mkhitmane
personal mail: mehdi.khitmane@gmail.com
Message 6 of 6 (11,249 Views)
 
Reply
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.