Screen OS


This is a legacy community with limited Juniper monitoring.
  • 1.  MIP and NAT

    Posted 04-29-2010 05:01

    Hi Everyone,

     

    I'm new to the SSG350 6.3r3 and I have the following question / situation.

    (I used the configuration wizard at the first startup of the device)

     

    We have several servers (20+) that need to be accessed from outside our network by a public DNS name / IP. I can't get this to work with MIP.

     

    My Config:

     

    Trust IP range;  172.31.0.1 / 255.255.0.0

    Untrust IP range: x.87.182.1 / 255.255.255.0

     

    Trust interface: 172.31.0.1

    Untrust interface: x.87.182.1

     

    Routing Entries: Trust-vr

    IP/Network               Gateway          Interface                   Protocol        Vsys

    172.31.0.0/16                                   ethernet0/0              C                     Root

    172.31.0.1/32                                   ethernet0/0              H                     Root

    x.87.182.0/24                                   ethernet0/2              C                     Root

    x. 87.182.2                                        ethernet0/2              H                     Root

    0.0.0.0/0                    x.87.182.1     ethernet0/2              C                     Root 

     

    On the untrust interface I have configured a MIP for testing purposes: x.87.182.100 to 172.31.25.11

    (172.31.25.11 is a simple webserver and is working in the internal network)

     

    Policy from Trust to Untrust = Any to Any

    Policy from Untrust to Trust = Any to Any

     

    From the Untrust network:

    - I can't connect to the internal website

    - I can ping the untrust interface x.87.182.1 but NOT the MIP  x.87.182.100

     

    What am I doing wrong?

     

    Frank

     

     



  • 2.  RE: MIP and NAT
    Best Answer

    Posted 04-29-2010 05:53

    Hi Frank,

     

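    Try adding the MIP as the destination instead of "ANY" (Untrust, any, Trust, MIP), i.e. a policy from Untrust to Trust with source Any and destination MIP(x.87.182.100). Limiting the service in that policy to what the server actually offers (HTTP for the test web server) is safer than leaving an Any-to-Any policy from Untrust to Trust in place.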

     

    -John



  • 3.  RE: MIP and NAT

    Posted 04-29-2010 06:00

    YES ! it's working now. Sometimes things are very easy 🙂

     

    Thanks John.



  • 4.  RE: MIP and NAT

    Posted 11-02-2010 15:29
    Moved to SRX board


  • 5.  RE: MIP and NAT

    Posted 10-18-2011 09:27


    Hi firewall72, I have a very strange question, could you help me?

    My equipment is an SSG550, ScreenOS: 6.5.0

     

    my config

     

    ethernet 1: route mode   untrust zone        ip:20.1.1.11 

    ethernet 2: route mode   trust zone             ip:20.2.2.11 

     

    my intranet ip are 16.1.1.0 /24

     

    I find that when the server with IP 16.1.1.1 connects to an address in a range such as 1.1.1.1, its source IP is not translated; it is still 16.1.1.1. But when 16.1.1.1 connects to any other IP, its source IP is translated to 20.1.1.1 (the IP of the untrust interface).

     

    But I have not created any policy to permit this, and I have not configured any MIP, DIP or VIP. I have confirmed that both interfaces are in route mode. Is it a bug?

     

     

     

     
