ScreenOS Firewalls (NOT SRX)
Jeannot

NS5GT - outbound traffic blocked out of dmz: "close - age out"

Hi,

I recently changed the configuration of my NS5GT to extended mode to take advantage of the DMZ zone.
Unfortunately, there is no way to allow traffic from dmz to untrust, even though the exact same rule applies to the trust zone (trust to untrust).
All I get is "close - age out" as the reason for the traffic being blocked on the policy dmz->untrust. This obviously should have nothing to do with protocol timeouts.
Did I miss something, or are there implicit rules that apply to the dmz zone?

configuration:
eth1 untrust route
eth2 trust nat
eth3 dmz nat

policies
dmz -> untrust permit any (should be narrowed, but it's about troubleshooting) -> doesn't work
trust -> untrust permit any -> ok
trust -> dmz permit any -> ok
and 2 other rules for nat port forwarding (vip::ethernet3) -> ok

Thanks.
Message Edited by Jeannot on 02-17-2008 12:56 PM
Jeannot

Re: NS5GT - outbound traffic blocked out of dmz: "close - age out"

Oops, I guess it's answered in thread http://forums.juniper.net/jnet/board/message?board.id=Firewalls&thread.id=333
set policy from dmz to untrust any any any nat src permit