03-16-2009 10:17 AM
My organisation has just bought an ISG 1000 and I have no experience with these.
I have configured it as per the examples on the disk.
Everything is fine from trust to untrust - policies working, etc.
Can't get the untrust to trust working - I just want to get it working on a test network.
I notice on the disk that apparently you don't need to use VIP if you have ScreenOS 6.0.
But I tried it anyway and can't get access from untrust.
Is there something basic I am missing?
I have the policies set for both sides.
I haven't had a course, so if there is something obvious I am not doing, can someone
point me in the right direction - and if I don't need VIP, what do I do to get it working?
03-16-2009 11:04 AM
(1) Do you mean that you want to manage the ISG from the untrust interface?
Make sure that the untrust interface has the SSH or whichever manage options turned on.
E.g.: set int e0/0 manage ssh
Or do you want to:
Internet ---> VIP IPs ---FW (FW will translate these IPs to internal network IPs based on the VIP mapping)---> Internal IPs
You can try referring to this:
03-17-2009 02:44 AM
I think the question was how to allow transit traffic from untrust to trust. If routed, just set up routing and allow it in the policy. If inbound NATting is needed:
Create a VIP on the untrust interface. It's kind of like port forwarding. Then create a policy from untrust to trust with VIP(publicIP) as the destination.
For bidirectional NATting (inbound and outbound), create a MIP on the untrust interface and specify the host IP in it.
Policy for outbound: just allow the traffic (note the MIP public address will be used to NAT the source to!!)
Policy for inbound: untrust to trust, MIP(publicIP) as the destination.
Hope this helps; together with the outside management, WL described it very well. One thing to add on this: when you manage from the outside it's wise to use permitted IPs, a list of hosts/networks allowed to manage. Don't forget to include your inside address in this list :-)
JNCIA IDP AC WX JNCIS FW SSL JNCIP SEC ENT SP JNCI
If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
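Worked ScreenOS CLI example for the three inbound cases discussed above (routed, VIP port-forward, MIP one-to-one) plus the outside-management hardening. This is an added illustration, not configuration from the thread, the disk, or Juniper documentation. Everything concrete in it is assumed: the interface names ethernet0/0 (untrust) and ethernet0/1 (trust) as in WL's reply, RFC 5737 documentation addresses for the public side (203.0.113.0/24) and a private 192.168.1.0/24 test LAN, and the internal hosts 192.168.1.10 (web) and 192.168.1.20 (MIP host). Lines starting with # are annotations for the reader, not ScreenOS commands; strip them before pasting.

```screenos
# --- Basic interface and routing setup (assumed addresses) ---
set interface ethernet0/0 zone untrust
set interface ethernet0/0 ip 203.0.113.2/24
set interface ethernet0/1 zone trust
set interface ethernet0/1 ip 192.168.1.1/24
# Trust interface in NAT mode: outbound traffic is source-NATed to the
# untrust interface IP. Inbound then REQUIRES a VIP or MIP, because the
# private addresses are not reachable as policy destinations from untrust.
set interface ethernet0/1 nat
set route 0.0.0.0/0 interface ethernet0/0 gateway 203.0.113.1

# --- Case 1: VIP (port forwarding). Public 203.0.113.10:80 -> 192.168.1.10:80 ---
set interface ethernet0/0 vip 203.0.113.10 80 HTTP 192.168.1.10
# Destination in the inbound policy is the auto-generated VIP(...) object.
set policy from untrust to trust any "VIP(203.0.113.10)" HTTP permit

# --- Case 2: MIP (bidirectional 1:1 NAT). 203.0.113.20 <-> 192.168.1.20 ---
set interface ethernet0/0 mip 203.0.113.20 host 192.168.1.20 netmask 255.255.255.255 vr trust-vr
set policy from untrust to trust any "MIP(203.0.113.20)" any permit
# Outbound from 192.168.1.20 will be source-NATed to 203.0.113.20, not to the
# interface IP, which is what the "NAT src to" remark above refers to.
set policy from trust to untrust any any any permit

# --- Case 3: pure routed access (no NAT), if the upstream routes 192.168.1.0/24 to you ---
# Only meaningful if the trust interface is in route mode instead of NAT mode:
#   set interface ethernet0/1 route
# then the private host can be the policy destination directly:
#   set policy from untrust to trust any 192.168.1.10 HTTP permit

# --- Management from the outside: enable only what is needed, then restrict sources ---
set interface ethernet0/0 manage ssh
set interface ethernet0/0 manage ping
unset interface ethernet0/0 manage web
unset interface ethernet0/0 manage telnet
# Permitted manager IPs: once any manager-ip is set, ALL other sources are refused
# on every interface, so add the inside LAN first or you lock yourself out.
set admin manager-ip 192.168.1.0 255.255.255.0
set admin manager-ip 198.51.100.5 255.255.255.255
save

# --- Checks ---
# get interface ethernet0/0      shows VIP/MIP entries and manage options
# get policy                     confirms untrust->trust entries with VIP(...)/MIP(...)
# get session                    during a test connection shows the translated flow
# get admin manager-ip           lists the permitted management sources
```

Two points worth remembering when testing on a lab network: the VIP and MIP addresses must be ones the upstream router actually delivers to the ISG's untrust interface (if 203.0.113.10 is not routed to you, nothing reaches the firewall and no policy will ever match), and an inbound policy with the private host address as the destination silently fails while the trust interface is in NAT mode, which is the most common reason "the policies are set on both sides" but untrust-to-trust still does not work.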