Screen OS

Hello,

Here is my problem, I would like to do a simple translation of my public IP 2.2.2.2/32 on port 443 to an internal server 172.16.1.1.

But the deal is, my new public IP is not on the same network as my public interface :

- New IP : 2.2.2.2

- WAN Interface IP : 1.1.1.1/29

The IP is routed on the untrust interface by the internet provider. 

I've tried to use the nat dest through a policy and the creation of a MIP and it did not work.

I cannot create a VIP on the interface because it is not part of the same network.

Does anyone have a clue of what I should do ? See attachment for a quick draw

Running on ScreenOS 6.2 - SSG 140

Focusing on dst-NAT as it seems to make the most sense for what you want to do, do you have a route that points the public NAT IP (2.2.2.2) to the inside, or trust part of your nework?  I think that is needed to trigger a policy lookup that will find your dst-NAT policy.

So assuming interface e1 is your Trust zone, create a dummy route like:

set route 2.2.2.2/32 int e1

So when traffic comes into the Untrust interface destined for 2.2.2.2, routing will say it is destined for the Trust interface so Untrust->Trust policies will be checked, and there you will have your dst-NAT policy, something like:

set policy from Untrust to Trust any 2.2.2.2/32 443 nat dst ip 172.16.1.1 port 443 permit

Hi,

Thanks, it's working now.

I was missing that dummy route : set route 2.2.2.2/32 int e1