Screen OS

  • 1.  Question about policy rules

    Posted 10-21-2012 19:37

    EDIT: I fat-fingered one of the octets... 😛  sarab's debug statements allowed me to see just the packets involved. My basic understanding was not the problem, it was driver-error.

    Hi

    I am setting up an SSG 5 and wish to create a rule that will allow a few hosts from trusted to untrusted for a management interface into my bridged DSL modem's LAN. The deny works but the allow rule for a single IP does not. What is it I am doing wrong?

    trust (NAT); untrust (NAT)

    My policy list between trust and untrust started with:

         set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit

    This allowed internet access for all my trusted zones and all trusted zone hosts can access my DSL modem's management interface (192.168.1.254). I'm currently only using one trusted zone but will be using others.

    The deny rule works and is placed before "any any any permit".

         set policy id 9 from "Trust" to "Untrust"  "Any" "192.168.1.252/30" "ANY" deny

    The untrust interface definition is

         set interface "bgroup3" zone "Untrust"
         set interface bgroup3 ip 192.168.1.253/30
         set interface bgroup3 nat

    The allow rule is what is not working if I have id 9 enabled. It is placed before policy id 9.

         set policy id 10 from "Trust" to "Untrust"  "172.16.0.20/32" "192.168.1.252/30" "ANY" permit

    Here are the policy entries in the configuration with successful policy verify:

         set policy id 10 from "Trust" to "Untrust"  "172.16.0.20/32" "192.168.1.252/30" "ANY" permit
         set policy id 10
         exit
         set policy id 9 from "Trust" to "Untrust"  "Any" "192.168.1.252/30" "ANY" deny
         set policy id 9
         exit
         set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
         set policy id 1
         exit


  • 2.  RE: Question about policy rules

    Posted 10-21-2012 22:55

    Hello,

    If I understand correctly, your setup is as follows:

    LAN -- (Trust) FW ( Untrust) --- Modem in bridged mode  -- ISP

    In the above case the PPPoE connection will be directly terminated on the FW's untrust interface, so
    it will be assigned an IP automatically from the ISP which won't be in the same subnet as the modem.

    As per my understanding this is not a policy issue; rather, you may not be able to manage the modem from the LAN.

    If there is a way, maybe someone else can comment on this.

    Regards

    Sarab



  • 3.  RE: Question about policy rules

    Posted 10-22-2012 01:43

    No, I can access my modem's management page without any problem. I can ping both my actual ISP-provided IP as well as the LAN side of my modem's management webpage.

    The problem is the policy I've created doesn't work as I expected.

    Thanks



  • 4.  RE: Question about policy rules
    Best Answer

    Posted 10-22-2012 02:29

    Oh, is it? You mean users from the LAN are able to access the modem if that deny policy isn't there?

    But how do they do that, as the IP for the untrust interface which is connected to the modem is different from the modem's subnet?

    Anyway, you mean the permit policy is not taking effect and access is still denied by that 'Deny' policy.

    Could you please collect the following debug for the traffic which should be permitted but is getting denied:

    set ff src-ip x.x.x.x dst-ip y.y.y.y
    set ff src-ip y.y.y.y dst-ip x.x.x.x

    clear db
    debug flow basic

    initiate the web session for modem

    undebug all
    get db st



  • 5.  RE: Question about policy rules

    Posted 10-23-2012 00:03

    Well, this is certainly embarrassing. I fat-fingered one of the octets in my policy and while I was pasting the debug output and verifying everything, I corrected the policy and it now works as expected.

    Thanks for all your help and patience.

    Before I conclude this thread, I want to give a bit more information about my setup on how everything is working. My apologies for the confusion.

    My modem is actually a router/modem with a 4-port switch with its WAN connection set to bridge mode. By defining two untrust zones, I'm able to connect two patch cables between the SSG and the modem's switch and I'm able to access the internet as well as the modem's management page on its LAN side.


  • 6.  RE: Question about policy rules

    Posted 10-23-2012 01:38

    Ahh... that's how you were able to manage the modem. Thanks for the info, or else I would have kept wondering how you managed the modem.

    Anyway, I am glad that the issue is fixed 🙂