Screen OS

Setting up a SSG 20.  The wireless0/0 interface works fine when in trust zone.  However, when I change the wireless0/0 zone to a custom zone, it does not work.  I set up a policy for the custom zone.  Do I need to do something with DNS for custom zones?

when you say it doesnt work, do you mean that traffic going to internet doesnt work?

 

if so, you will need to configure natting on the policy. natting would have been done by default from trust to untrust. but since you changed to custom zone, you will need to add that. It looks something like this

 

set policy top from <custom zone> to untrust any any any nat src permit

 

 

Configuring nat fixed the problem.  I had a 5GT wireless and this wasn't a issue.  I could set up custom zones and create policies and worked fine without configuring nat.  is this something new with ScreenOS 6?  My 5GT had v5.4.

Correct, no internet access on any of the custom zones.  I am not using nat, i have configured each the interface for DHCP.  when connecting to the wireless, my device gets an IP address (192.168.2.5).  I have a any any policy setup for each zone: custom zone to untrust.  Internet access works in trust zone but as soon as i change it to a custom zone, it does not work.  No ping works.  Appears soemthing with DNS.

By default, the firewall have NATTing when you have traffic from Trust to Untrust zone,interface-based NATting.

 

I think you may want to add "nat sr" in your policy as WL mentioned.

 

If you don't need NAT provide debug output

 

set ff src-ip x dst-ip y

set ff src-ip y dst-ip x

debug flow basic

cl db

<Start traffic>

undebug all

get db str