Screen OS

  • 1.  Routing between interfaces

    Posted 10-23-2010 13:48

    Need a little help.  I have an SSG320 with 2 zones, trust and untrust, and a site-to-site VPN.  I added a 3rd zone named PCI off of int 0/1.  I also added a VR PCI-VR.  I can ping machines in the PCI zone from any machine on any interface, but from the PCI zone I can only get to machines on the VPN or in the PCI zone, no other local machines that are off of one of the other interfaces.  I have a route to the subnets on eth 0/0, but it doesn't look like the PCI machines are hitting their def gw, which is int 0/1, when I tracert to any address other than a PCI address.  It's probably something very simple but I don't see it.



  • 2.  RE: Routing between interfaces
    Best Answer

    Posted 10-23-2010 14:10

    Hi davejr ,

     

    As I understood, you cannot ping some subnets (not directly connected to the firewall) from your new PCI zone, which is in your new virtual router PCI-VR:

                        1.1.1.X (e0/0)                          (e0/1) 2.2.2.X
    Subnet1....layer3 Router..........PCI-VR............Trust-VR..........layer3 Router....Subnet2

     

    For Subnet1 to be able to ping Subnet2, you need 2 routes + 1 policy:

    Route on PCI-VR:

    set vrouter "PCI-vr"

    set route Subnet2/24 vrouter "trust-vr"   (if you want to reach Subnet2, your next hop is Trust-VR)

    Route on Trust-VR:

    set vrouter "trust-vr"

    set route Subnet2/24 interface ethernet0/1 gateway 2.2.2.2   (if you want to reach Subnet2, your next hop is e0/1)

     

    For Subnet2 to be able to ping Subnet1, you need 2 routes + 1 policy:

    Route on Trust-VR:

    set vrouter "trust-vr"

    set route Subnet1/24 vrouter "PCI-vr"   (if you want to reach Subnet1, your next hop is PCI-VR)

    Route on PCI-VR:

    set vrouter "PCI-vr"

    set route Subnet1/24 interface ethernet0/0 gateway 1.1.1.1   (if you want to reach Subnet1, your next hop is e0/0)

     

    If this still does not help, please post your configuration and specify from which IP you are not able to ping which IP.

     

    **************  Click on the button saying " Accept  as Solution"  if  My Post solved your problem  **************



  • 3.  RE: Routing between interfaces

    Posted 10-23-2010 14:22

    On the first layer3 router you should put a route for Subnet2 pointing to the firewall as next hop.

    On the second layer3 router you should put a route for Subnet1 pointing to the firewall as next hop.

     

    **************  Click on the button saying " Accept  as Solution"  if  My Post solved your problem  **************

     



  • 4.  RE: Routing between interfaces

    Posted 10-24-2010 06:29

    I can already get to the PCI network from all other zones.  It's just getting to other zones from the PCI network.  Here's my config.

     

    unset key protection enable
    set clock ntp
    set clock timezone -5
    set clock dst recurring start-weekday 2 0 3 02:00 end-weekday 1 0 11 02:00
    set vrouter trust-vr sharable
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset auto-route-export
    exit
    set vrouter name "PCI-Vr" id 1025
    set vrouter "PCI-Vr"
    unset auto-route-export
    set preference nhrp 100
    set preference ospf-e2 254
    exit
    set zone "Trust" vrouter "trust-vr"
    set zone "Untrust" vrouter "trust-vr"
    set zone "DMZ" vrouter "trust-vr"
    set zone "VLAN" vrouter "trust-vr"
    set zone id 100 "PCI"
    set zone "Untrust-Tun" vrouter "trust-vr"
    set zone "Trust" tcp-rst
    set zone "Untrust" block
    unset zone "Untrust" tcp-rst
    set zone "MGT" block
    unset zone "V1-Trust" tcp-rst
    unset zone "V1-Untrust" tcp-rst
    set zone "DMZ" tcp-rst
    unset zone "V1-DMZ" tcp-rst
    unset zone "VLAN" tcp-rst
    set zone "PCI" tcp-rst
    set zone "Untrust" screen tear-drop
    set zone "Untrust" screen syn-flood
    set zone "Untrust" screen ping-death
    set zone "Untrust" screen ip-filter-src
    set zone "Untrust" screen land
    set zone "V1-Untrust" screen tear-drop
    set zone "V1-Untrust" screen syn-flood
    set zone "V1-Untrust" screen ping-death
    set zone "V1-Untrust" screen ip-filter-src
    set zone "V1-Untrust" screen land
    set interface "ethernet0/0" zone "Trust"
    set interface "ethernet0/1" zone "PCI"
    set interface "ethernet0/2" zone "Untrust"
    set interface "tunnel.1" zone "Trust"
    set interface "tunnel.2" zone "Trust"
    set interface "tunnel.3" zone "Untrust"
    set interface "tunnel.4" zone "Trust"
    set interface "tunnel.5" zone "Untrust"
    set interface ethernet0/0 ip 10.1.2.10/24
    set interface ethernet0/0 route
    unset interface vlan1 ip
    set interface ethernet0/1 ip 10.1.4.10/24
    set interface ethernet0/1 route
    set interface ethernet0/2 ip 64.191.221.251/24
    set interface ethernet0/2 route
    set interface tunnel.1 ip unnumbered interface ethernet0/2
    set interface tunnel.2 ip unnumbered interface ethernet0/2
    set interface tunnel.3 ip unnumbered interface ethernet0/2
    set interface tunnel.4 ip unnumbered interface ethernet0/2
    set interface tunnel.5 ip unnumbered interface ethernet0/2
    set interface ethernet0/2 gateway 64.191.221.1
    set interface tunnel.1 mtu 1500
    set interface tunnel.2 mtu 1500
    set interface tunnel.4 mtu 1500
    set interface tunnel.5 mtu 1500
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit
    set vrouter "PCI-Vr"
    exit
    set url protocol websense
    exit
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset add-default-route
    set route 10.20.0.0/16 interface null preference 20 metric 10
    set route 10.80.0.0/16 interface null preference 20 metric 10
    set route 10.90.0.0/16 interface null preference 20 metric 10
    set route 10.0.0.0/8 interface ethernet0/0 gateway 10.1.2.1
    set route 161.170.140.10/32 interface ethernet0/2 gateway 64.191.221.28 preference 20
    set route 10.21.0.0/16 interface null preference 20 metric 10
    set route 10.22.0.0/16 interface null preference 20 metric 10
    set route 192.168.0.0/24 interface ethernet0/0 gateway 10.1.2.1 preference 20
    set route 1.0.0.0/8 interface ethernet0/0 gateway 10.1.2.1
    set route 10.21.0.0/16 interface tunnel.1 preference 5
    set route 10.1.3.0/24 interface tunnel.1 preference 5
    set route 10.20.0.0/16 interface tunnel.1 preference 5
    set route 10.22.0.0/16 interface tunnel.1 preference 5
    set route 10.80.0.0/16 interface tunnel.1 preference 5
    set route 10.90.0.0/16 interface tunnel.1 preference 5
    set route 172.20.156.0/23 interface tunnel.1 preference 5
    set route 10.20.0.0/16 interface tunnel.2 preference 10
    set route 10.21.0.0/16 interface tunnel.2 preference 10
    set route 10.22.0.0/16 interface tunnel.2 preference 10
    set route 10.80.0.0/16 interface tunnel.2 preference 10
    set route 10.90.0.0/16 interface tunnel.2 preference 10
    set route 10.1.3.0/24 interface tunnel.2 preference 10
    set route 172.20.156.0/23 interface tunnel.2 preference 10
    set route 10.1.3.0/24 interface null preference 20 metric 10
    set route 10.1.255.0/24 interface tunnel.1 preference 5
    set route 10.1.255.0/24 interface tunnel.2 preference 10
    exit
    set vrouter "PCI-Vr"
    set route 10.0.0.0/8 interface ethernet0/0
    set route 10.0.0.0/8 vrouter "trust-vr" preference 20
    exit
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit
    set vrouter "PCI-Vr"
    exit
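
The config above is where this thread's routing question gets concrete, so here is an added example (my own code, not from the thread or from Juniper) of a small linter for ScreenOS-style `set vrouter` / `set zone` / `set interface` / `set route` output. It applies the checks the replies in this thread imply: a route inside one vrouter should not name an interface that belongs to a zone bound to a different vrouter, every inter-VR hand-off needs a return route in the other vrouter, and a vrouter that owns no interface is usually a sign of a missing zone-to-vrouter binding. Assumptions: the sample input is a trimmed copy of the configuration posted above; a zone with no explicit `vrouter` binding is treated as living in `trust-vr` (the ScreenOS default as I understand it; adjust `DEFAULT_VR` if your platform prints bindings differently); `FIXED_CONFIG` is a constructed illustration of a clean two-VR layout, not the resolution the original poster reached.

```python
"""Linter for ScreenOS-style inter-VR routing configuration (added example)."""
import re
from collections import defaultdict

# Assumption: zones without an explicit "set zone X vrouter Y" line live here.
DEFAULT_VR = "trust-vr"

# Trimmed copy of the configuration posted in the thread (post 4).
SAMPLE_CONFIG = """
set vrouter "trust-vr"
exit
set vrouter name "PCI-Vr" id 1025
set vrouter "PCI-Vr"
exit
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone id 100 "PCI"
set interface "ethernet0/0" zone "Trust"
set interface "ethernet0/1" zone "PCI"
set interface "ethernet0/2" zone "Untrust"
set interface ethernet0/0 ip 10.1.2.10/24
set interface ethernet0/1 ip 10.1.4.10/24
set vrouter "trust-vr"
set route 10.0.0.0/8 interface ethernet0/0 gateway 10.1.2.1
exit
set vrouter "PCI-Vr"
set route 10.0.0.0/8 interface ethernet0/0
set route 10.0.0.0/8 vrouter "trust-vr" preference 20
exit
"""

# Constructed illustration of a clean layout: PCI zone bound to PCI-Vr,
# and a matching pair of inter-VR routes (subnets taken from post 6).
FIXED_CONFIG = """
set vrouter "trust-vr"
exit
set vrouter name "PCI-Vr" id 1025
set zone "Trust" vrouter "trust-vr"
set zone id 100 "PCI"
set zone "PCI" vrouter "PCI-Vr"
set interface "ethernet0/0" zone "Trust"
set interface "ethernet0/1" zone "PCI"
set vrouter "trust-vr"
set route 10.1.4.0/24 vrouter "PCI-Vr"
exit
set vrouter "PCI-Vr"
set route 10.70.0.0/16 vrouter "trust-vr"
exit
"""

_TOKEN = r'"?([^"\s]+)"?'   # a name, with or without ScreenOS's double quotes


def parse_config(text):
    """Extract zone->vrouter, interface->zone and per-vrouter routes."""
    zone_vr, iface_zone = {}, {}
    routes = defaultdict(list)          # vrouter name -> list of route dicts
    vrouters, current_vr = {DEFAULT_VR}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := re.match(r"set vrouter name " + _TOKEN, line):
            vrouters.add(m.group(1))
        elif m := re.match(r"set vrouter " + _TOKEN + r"$", line):
            current_vr = m.group(1)          # enter vrouter context
            vrouters.add(current_vr)
        elif line == "exit":
            current_vr = None                # leave vrouter context
        elif m := re.match(r"set zone id \d+ " + _TOKEN, line):
            zone_vr.setdefault(m.group(1), DEFAULT_VR)
        elif m := re.match(r"set zone " + _TOKEN + r" vrouter " + _TOKEN, line):
            zone_vr[m.group(1)] = m.group(2)
        elif m := re.match(r"set interface " + _TOKEN + r" zone " + _TOKEN, line):
            iface_zone[m.group(1)] = m.group(2)
        elif (m := re.match(r"set route (\S+) (interface|vrouter) " + _TOKEN, line)) and current_vr:
            routes[current_vr].append(
                {"prefix": m.group(1), "kind": m.group(2), "target": m.group(3)})
    return {"zone_vr": zone_vr, "iface_zone": iface_zone,
            "routes": dict(routes), "vrouters": vrouters}


def lint(cfg):
    """Return a list of human-readable findings (empty list means clean)."""
    zone_vr, iface_zone, routes = cfg["zone_vr"], cfg["iface_zone"], cfg["routes"]
    iface_vr = {i: zone_vr.get(z, DEFAULT_VR) for i, z in iface_zone.items()}
    findings = []
    for vr, rlist in routes.items():
        for r in rlist:
            tgt = r["target"]
            # 1. Route names an interface owned by a different vrouter.
            if r["kind"] == "interface" and tgt in iface_vr and iface_vr[tgt] != vr:
                findings.append(f"{vr}: route {r['prefix']} uses {tgt}, which belongs "
                                f"to zone {iface_zone[tgt]} in {iface_vr[tgt]}")
            # 2. Inter-VR hand-off with no route back from the other vrouter.
            if r["kind"] == "vrouter" and not any(
                    x["kind"] == "vrouter" and x["target"] == vr
                    for x in routes.get(tgt, [])):
                findings.append(f"{vr}: route {r['prefix']} hands off to {tgt}, "
                                f"but {tgt} has no route back into {vr}")
    # 3. A vrouter that owns no interface at all.
    for vr in sorted(cfg["vrouters"]):
        if vr not in iface_vr.values():
            findings.append(f"{vr}: no interface is bound to this vrouter "
                            "(check zone-to-vrouter bindings)")
    return findings


if __name__ == "__main__":
    for name, text in (("posted config", SAMPLE_CONFIG), ("fixed config", FIXED_CONFIG)):
        print(f"== {name} ==")
        for finding in lint(parse_config(text)) or ["no findings"]:
            print("  " + finding)
```

Run it as-is to see the three findings the posted config produces (the `10.0.0.0/8 interface ethernet0/0` route sitting in `PCI-Vr` while `ethernet0/0` is in the Trust zone of `trust-vr`, the hand-off to `trust-vr` with no return route, and `PCI-Vr` owning no interface under the default-binding assumption); the constructed `FIXED_CONFIG` lints clean. Note that the linter only looks at routing and bindings; it says nothing about policies, which is where the original poster ultimately found the problem.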



  • 5.  RE: Routing between interfaces

    Posted 10-24-2010 14:15

    Try adding the below, plus the required policies from the PCI zone to the other zones:

    set vrouter "PCI-Vr"
    set route 0.0.0.0/0 vrouter "trust-vr" preference 20

    save

     

    **************  Click on the button saying " Accept  as Solution"  if  My Post solved your problem  **************



  • 6.  RE: Routing between interfaces

    Posted 10-24-2010 16:46

    Thanks for helping with this.  I tried that, but no luck.  I've tried to simplify my testing.  I have 10.70/16 off of eth 0/0, trust-vr, and 10.1.4/24 off of eth0/1, PCI-vr.  I can get to 10.1.4.x from 10.70.x.x but cannot get to 10.70.x.x from 10.1.4.x.  I have policies allowing any/any to/from both zones.  Below are my routes.

     

    The firewall automatically adds the dest route 10.1.4.0/16 via eth0/1.

     

    What I've added:

    set vrouter "PCI-Vr"
    set route 10.70.0.0/16 interface ethernet0/0
    set route 10.70.0.0/16 vrouter "trust-vr" preference 20 metric 1

     

    Dave



  • 7.  RE: Routing between interfaces

    Posted 10-25-2010 04:10

    I figured it out.  Your suggestions were right on.  I had fat-fingered the rules.  Thanks for your help.