02-09-2010 05:58 PM
I have the following scenario:
trust (eth0/0) 192.168.0.0/16 (private IP) , multiple PCs here
i have 2 untrust interface, each to a different ISP.
untrust (eth0/1) 18.104.22.168/24, to ISP1
untrust (eth0/2) 22.214.171.124/24, to ISP2
I created 2 default routes of equal cost, one to ISP1 and one to ISP2, so outgoing traffic (from trust to untrust) will go through both ISP1 and 2
the problem here is, I need to do some sort of source IP 'NAT' here:
- for packets destinated to A.A.A.A , source IP 192.168.X.X has to be converted to 126.96.36.199
- for packets destinated to B.B.B.B, source IP 192.168.X.X has to be converted to 245.123.4.53
(both A.A.A.A and B.B.B.B can be reached via either untrust interface eth0/1 or eth0/2)
how can this be done in the Netscreen SSG?
I tried creating a loopback interface , set DIP there, but the problem is I couldn't attach more than 1 loopback-group to both of the untrust interface.
02-10-2010 05:24 AM
for situation you should be use Policy based routing and source routing and also i don't think that good idea to cretae two default route.
02-10-2010 07:32 PM
02-11-2010 02:37 PM
On my ISG's I have about a dozen DIP groups on my Untrust interface; goups of internal servers are translated to different external DIP groups by policies.
set interface ethernet0/0 dip 21 <public.IP.start> <public.IP.end>
set interface ethernet0/0 dip 22 <public.IP.start> <public.IP.end>
set interface ethernet0/0 dip 23 <public.IP.start> <public.IP.end>
set pol id xxxx from Zone10 to Untrust ServerGroupA ANY http nat src dip-id 21 permit count
set pol id xxxx from Zone10 to Untrust ServerGroupB ANY http nat src dip-id 22 permit count
set pol id xxxx from Zone10 to Untrust ServerGroupC ANY http nat src dip-id 23 permit count
That said, you should be able to create multiple rules with the same source address (or group), but different dip-ids. ...but obviously if the src/dst/service are the same, only the first match will "win". So in your case, if you have control over the service your servers are talking to, perhaps you could have the second destination listen on a different port # -- that would ensure a unique policy/rule, which would ensure that the second dip was used. (Or translate the destination port on another device at the other end, etc.)
set pol id xxxx from Zone10 to Untrust ServerGroupA ANY svc-tcp7777 nat src dip-id 21 permit count
set pol id xxxx from Zone10 to Untrust ServerGroupA ANY svc-tcp8888 nat src dip-id 22 permit count
02-11-2010 09:46 PM - edited 02-11-2010 09:47 PM
^ thanks for the above as well. it is very useful