05-19-2009 12:36 PM
Solved! Go to Solution.
05-19-2009 08:39 PM - edited 05-19-2009 08:42 PM
Your WAN interface is the /30. The LAN allocation they gave you can be defined either logically via a loopback, a physical network from an interface on the SSG, or a combination of both. Your ISP should be routing that /28 address to your untrust interface.
Their specification of a LAN gateway is just a specification. You can define any address outside of the broadcast or the network address as the gateway in that block. Its just best to pick either the first usable or the last.
Here are 3 different scenarios.
Use of the loopback interface to provide a holding spot for MIPs for access to your trust network.
For MIPs to your trust. Assign the LAN block to a loopback interface and create your MIPs from there.
set int loop.1 zone untrust
set int loop.1 ip 126.96.36.199/28
You may want to make the interface pingable during testing to verify routing.
set int loop.1 manage ping
set int loop.1 mip 188.8.131.52 host 10.1.1.1 netmask 255.255.255.255 vr trust-vr
To ping the interface, even though you have allowed it to be managable via ping, you will still need to create an untrust to untrust policy to allow it as well. You can go untrust to untrust any, or you can lock it down to a specific protocol.
Then create the MIP policy and you should have access.
Physical DMZ network, with publically routed LAN block.
From a DMZ, this is just assigning the LAN allocation to an interface. If your DMZ zone is assigned to another virtual router than the same vr that your untrust interface is set to, you will need a route between virtual routers.
set int e0/2 zone dmz
set int e0/2 ip 184.108.40.206/28
Then create a policy from untrust to dmz, or vice versa for access.
A combination of both.
If you want to do a bit of both, you will need to split your allocation.
So break the 220.127.116.11/28 into 18.104.22.168/29 and 22.214.171.124/29. Then use one block for the loopback and the other for the DMZ.
Hope this helps out.
05-20-2009 07:29 AM
Very helpful. Thanks for explaining all of the different options. I couldn't get out of my mind the idea that this would require 2 routers (or two vrouters), but you helped me understand more of the options.