Screen OS

Hello,

I have set up on a SSG140 a MIP on the Untrust interface.
I can now create the policy for incoming connections. This will work without problems.
For the opposite direction, I have set up an any-to-any connection.

Now I would like to create for the direction DMZ-to-Untrust policies.
Is that possible? Do I need to set up on the DMZ interface a MIP?
So far, nothing works except any-to-any.

I have configured the SSG as follows:

Untrust - Public IP / 32 - Route
DMZ - Privat IP / 32 - NAT

Untrust-Interface
- All available IP-Adresses MIP(PublicIP)-PrivatIP

Policy - Untrust to DMZ
Any to MIP + Port/Service

Policy - DMZ to Untrust
Any to Any

Please help me.

regards

Hi

MIP is bidirectional while doing NAT.

From the decription I would asssume you have created MIP for some private IP in DMZ.
Now when this private IP has to go out from DMZ to Untrust then MIP will take effect on its own. Policy should be configured to allow the specific services that you want to allow.

Please let me know if you have any further queries.

Regards
Sarab

------------------------------------------------------------------------------------

[If it helped please mark it as "Accepted Solution". Kudos will be appreciated too.]

 Thanks,

first i split the services with roles Any-To-Any to see what is going through the firewall.

I created the privat addresses for outgoing traffic - i have tested MIP for privat addresses but this dont worked for me.

Nevertheless, many thanks for the hint.

Regards