Screen OS


  • 1.  Need help configuring 2nd bgroup to NAT properly - Newbie Here

    Posted 08-12-2013 22:16

    I recently decided to upgrade to an SSG5 from a dying WRT54G running dd-wrt. I figured the advanced features are worth the hassle of configuring. Already I'm starting to think I've bitten off more than I can chew. Currently my setup looks like this:

     

    e0/0 -> Untrust (DHCP from ISP)

    e0/1-0/4 -> bgroup0 -> Trust -> (Running DHCP - 192.168.1.x)

    e0/5-0/6 -> bgroup1 -> LAN -> (Running DHCP - 192.168.2.x)

     

    As I'm new to all this, I've been relying on the WebGUI for navigation and layout (I'm more of a visual learner). My problem is, the built-in Trust zone will route traffic perfectly out the Untrust interface. The 2nd bgroup however does not. Despite the ANY / ANY policies configured, I can't seem to get any traffic to pass properly back to the 2nd bgroup. I've checked everywhere in the GUI and from what I can tell the 1st and 2nd bgroups are configured exactly the same.

     

    Things I've tried:

    - Ensured both groups are set to NAT

    - Ensured both groups have ANY / ANY rules set to ANY external address

     

    I'm posting my config. Hopefully I'm missing something minor. - Thanks in advance for the help!

    Attachment(s): JuniperKid85_v1_cfg.txt (txt, 5 KB, 1 version)


  • 2.  RE: Need help configuring 2nd bgroup to NAT properly - Newbie Here
    Best Answer

     
    Posted 08-12-2013 23:23

    Hi,

     

    Welcome to the Forums.

     

    Appears to be a NAT issue. On your LAN to Untrust policy -> Advanced -> NAT -> Enable source Translation (Use egress interface IP).

     

    Let us know if it works.



  • 3.  RE: Need help configuring 2nd bgroup to NAT properly - Newbie Here

    Posted 08-13-2013 07:03

    Thanks Gokul,

     

    That worked! -- I'm curious to know if there are any inherent differences between the second zone I created "LAN" and the builtin zone "Trust"? I noticed that the Trust to Untrust policy does not have that option set yet seems to work correctly when I connect to one of the trusted interfaces.

     

    -Ryan



  • 4.  RE: Need help configuring 2nd bgroup to NAT properly - Newbie Here

     
    Posted 08-13-2013 18:31

    Hi Ryan,

     

    Glad that my suggestion worked :D

     

    In general, Trust to Untrust traffic gets NAT-ed with egress interface IP by design. This does not happen for Custom zone to Untrust, even if the custom zone interface is in NAT mode.
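
The ScreenOS CLI equivalent of the fix from post 2 and the behaviour described in post 4, as an added example that is not part of the original thread or the attached config. It uses the interface, zone and subnet names from the question; the gateway addresses 192.168.1.1 and 192.168.2.1, the policy IDs 1 and 2, and the port-to-bgroup assignment for ethernet0/5 and ethernet0/6 are assumptions, not taken from the posted config. The "before" policy for the LAN zone is included on purpose to show why an Any/Any permit with the interface in NAT mode is not enough for a custom zone.

```text
## Added example (not from the thread). Assumed values: bgroup1 gateway
## 192.168.2.1/24, bgroup0 gateway 192.168.1.1/24, policy IDs 1 and 2.

## Second bridge group in a custom zone, as described in the question
set zone name LAN
set interface bgroup1 port ethernet0/5
set interface bgroup1 port ethernet0/6
set interface bgroup1 zone LAN
set interface bgroup1 ip 192.168.2.1/24
set interface bgroup1 nat

## Built-in Trust zone: interface NAT mode is enough. Traffic from Trust to
## Untrust is translated to the egress (Untrust) interface IP by design, so a
## plain permit policy works.
set interface bgroup0 ip 192.168.1.1/24
set interface bgroup0 nat
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit

## Custom zone LAN, original (broken) form: same interface NAT mode, same
## Any/Any permit, but interface-based NAT does not apply to a custom zone,
## so 192.168.2.x sources leave untranslated and replies never return.
set policy id 2 from "LAN" to "Untrust" "Any" "Any" "ANY" permit

## Fix (post 2, GUI: policy -> Advanced -> NAT -> Enable Source Translation,
## egress interface IP): put the source NAT on the policy itself.
unset policy id 2
set policy id 2 from "LAN" to "Untrust" "Any" "Any" "ANY" nat src permit
save

## Checks:
## get policy id 2   -> the policy line now carries "nat src"
## get session       -> for a flow from 192.168.2.x, the Untrust-side line
##                      shows the Untrust interface IP, not the 192.168.2.x host
```

The difference between the two zones is only where the translation is configured: for Trust the interface's NAT mode is sufficient, while for any other zone the source translation has to be stated on the policy (`nat src`), regardless of the interface mode.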