ScreenOS Firewalls (NOT SRX)
Posts: 16
Registered: ‎02-17-2009

ISG1000 - How do i allow untrust to trust ?

Hi All


My organisation had just bought an ISG 1000 and i have no experience on these.

I have configured it up as per the examples on the disk

Everything fine from trust to untrust - policies working etc.

Cant get the untrust to trust working - i just want to get it working on a test network.

I notice on the disk that apparently you dont need to use VIP .if you have screenos 6.0

or later.

But i tried it anyway and cant get access from untrust

to trust.

Is there something basic i am missing.

I have the policies set for both sides.

I havent had a course so if there is something obvious i am not doing can someone

point me in the right direction - and if i dont need vip what do i do to get it working


Many thanks



Trusted Expert Trusted Expert
Trusted Expert
Posts: 791
Registered: ‎07-26-2008

Re: ISG1000 - How do i allow untrust to trust ?



(1) Do you mean that you want to manage the ISG from the untrust interface?

Make sure that the untrust interface has the SSH or whichever manage options turned on.

EG: set int e0/0 manage ssh


Or do you want to:


Internet ---> VIP IPs ---FW (FW will translate these IPs to internal network IPs based on the VIP mapping)---> Internal IPs


You can try ref to this:

****pls click the button " Accept as Solution" if my post helped to solve your problem****
Distinguished Expert
Posts: 1,111
Registered: ‎01-10-2008

Re: ISG1000 - How do i allow untrust to trust ?

I think the question was how to allow transit traffic from untrust to trust. If routed just set up routing and allow in the policy. If inbound natting is needed:


Create a VIP on untrust interface. It's kind like portforwarding. Then create a policu from untrust to trust with VIP(publicIP) as destination


For bidirectionall natting (inbound and outbound) creat a MIP on untrust interface and specify host IP in it.


Policy for outbound: just allow the traffic (Note the MIP public address will be used to NAT src to !!)

Policy inbound: (untrust to trust, MIP(opublicip) as destination.


Hope this helps, together with the outside management WL describe very well. One thing to add on this: When you manage from the outside it's wise to use permitted IP's, a list of host/networks allowed to manage. Don't forget to include your inside addres to this list (:-.

best regards,

Juniper Ambassador,

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
Copyright© 1999-2015 Juniper Networks, Inc. All rights reserved.