02-17-2008 12:55 PM - edited 02-17-2008 12:56 PM
I recently changed the configuration of my ns5gt to extended to ta advantage of the dmz zone.
unfortunately, there is no way to allow trafic from dmz to untrust, even thoufh the exact same rule applies to the trust zone (trust to untrust).
All I get is "close - age out" as a reason for the trafic to be blocked on the policy dmz->untrust. This obvsiously should have nothing to do with protocol timeouts.
Did i miss something or are there implicit rules that apply to the dmz zone?
eth1 untrust route
eth2 trust nat
eth3 dmz nat
dmz -> untrust permit any (should be narrowed, but it's about troubleshooting) -> doesn't work
trust -> untrust permit any -> ok
trust -> dmz permit any -> ok
and 2 other rules for nat port forwarding (vip::ethernet3) -> ok
02-18-2008 05:01 AM
set policy from dmz to untrust any any any nat src permit