Screen OS

  • 1.  SSG320M Outbound Traffic from internal networks over assigned VIPs

    Posted 08-15-2011 05:41

    Hi everyone,

     

    I have a problem with using VIPs for outgoing traffic from different networks.

     

    For example, let's say I have a range of VIPs and a range of internal networks:

     

    VIPs (Public):
    a) 99.99.99.11
    b) 99.99.99.12
    c) 99.99.99.13
    ...

     

    Networks (Internal):
    A) 10.10.10.0/24
    B) 10.10.20.0/24
    C) 10.10.30.0/24
    ...

     

    Forwarding of the VIPs to different IPs in the networks works great:

    a) 99.99.99.11 Port 25   --> A) 10.10.10.11
    a) 99.99.99.11 Port 80   --> A) 10.10.10.12
    a) 99.99.99.11 Port 8000 --> A) 10.10.10.13

     

    b) 99.99.99.12 Port 25   --> B) 10.10.11.11
    b) 99.99.99.12 Port 443  --> B) 10.10.11.120
    b) 99.99.99.12 Port 8000 --> B) 10.10.11.135

     

    c) 99.99.99.13 Port 25   --> B) 10.10.12.110
    c) 99.99.99.13 Port 443  --> B) 10.10.12.125
    c) 99.99.99.13 Port 8080 --> B) 10.10.12.17
    ...


    Now the Problem:

    For outbound traffic from any IP (in each different network) the public Interface IP (e.g. 99.99.99.10) is used.

     

    But it should work this way, that any IP in network
     - A) uses external IP a)
     - B) uses external IP b)
     - C) uses external IP c)
    for outgoing traffic.

     

    How can I assign the internal networks to the right public VIPs:

    10.10.10.0/24 -> 99.99.99.11
    10.10.20.0/24 -> 99.99.99.12
    10.10.30.0/24 -> 99.99.99.13


     

    Thanks in advance,

     

    lockdown



  • 2.  RE: SSG320M Outbound Traffic from internal networks over assigned VIPs

    Posted 08-15-2011 17:23

    Hi,


    ScreenOS VIPs are unidirectional.  I would convert your VIPs to MIPs, which are bidirectional.  This should resolve your issue.



  • 3.  RE: SSG320M Outbound Traffic from internal networks over assigned VIPs

    Posted 08-15-2011 22:01

    Hi firewall72,

     

    as I understand it: MIP is a 1:1 connection: external IP <-> internal IP.

     

    But

     - what about the other IPs in the internal network, outgoing traffic?

     - how to forward different external ports from the external IP to different internal IPs in the network?

     

    Thanks,

     

    lockdown



  • 4.  RE: SSG320M Outbound Traffic from internal networks over assigned VIPs

    Posted 08-15-2011 23:46

    Hi,

     

    You need three DIP pools for this, each containing a single public IP address (99.99.99.11,99.99.99.12,99.99.99.13). Use them for src-NAT in the outbound policies. As far as I remember you can define each IP as a VIP and a DIP at the same time starting with ScreenOS 6.1. Otherwise you can use DIPs only and configure policy based destination NAT in the inbound policies, not using VIPs. The inbound policies should be configured as "Untrust-to-Untrust" ones. The option "Block intrazone traffic" should be enabled for the Untrust zone for this to work (this is a default for the Untrust zone).



  • 5.  RE: SSG320M Outbound Traffic from internal networks over assigned VIPs

    Posted 08-18-2011 04:33

    Hi Edouard,

     

    thanks for reply.

     

    Unfortunately it is not possible to configure the same external IP for DIP and VIP or DIP and MIP. At least not with my current firmware: 6.2.0r8.0. That would have been the easiest and most understandable way for me, too bad.

     

    After several attempts, I do not understand how to configure the scenario with policies. Could you explain that with an example?

     

    Regards,

     

    HP

    lockdown



  • 6.  RE: SSG320M Outbound Traffic from internal networks over assigned VIPs
    Best Answer

    Posted 08-19-2011 00:47

    Hi,

     

    This is an example:

    set interface ethernet0/4 ip 99.99.99.1/24                           (Untrust zone)

    ... DIP definition
    set interface ethernet0/4 dip 4 99.99.99.11 99.99.99.11
    set interface ethernet0/4 dip 5 99.99.99.12 99.99.99.12
    set interface ethernet0/4 dip 6 99.99.99.13 99.99.99.13

    ... Inbound policies:
    set policy from "Untrust" to "Untrust" "Any" "99.99.99.11/32" "SMTP" nat dst ip 10.10.10.11 permit
    set policy from "Untrust" to "Untrust" "Any" "99.99.99.11/32" "HTTP" nat dst ip 10.10.10.12 permit
    ...etc...

    ... Outbound policies:
    set policy from "Trust" to "Untrust" "10.10.10.0/24" "Any" "ANY" nat src dip-id 4 permit
    set policy from "Trust" to "Untrust" "10.10.20.0/24" "Any" "ANY" nat src dip-id 5 permit
    set policy from "Trust" to "Untrust" "10.10.30.0/24" "Any" "ANY" nat src dip-id 6 permit

    Sure, you can use specific protocols instead of "ANY". Do not forget to select the proper DIP while configuring the policies.

     

    If you are using GUI click on the "Advanced" button to proceed to the src and dst NAT options.

    Also you should use route mode on all internal interfaces to disable interface-based NAT. Interface-based NAT is very inflexible. I never use this kind of NAT.
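A complete configuration for the approach described in posts 4 and 6, as an added example that is not part of the thread and not the poster's own config: it puts the three pieces the answer mentions separately (route mode on the internal interfaces, intrazone blocking on Untrust, one DIP pool per public address) next to the address-book entries and policies that reference them, and ends with the commands to confirm the translation. Assumed, not from the thread: the internal networks sit on ethernet0/0, 0/1 and 0/2 in the Trust zone, the public addresses on ethernet0/4 in the Untrust zone, and the hosts of networks B and C are placed in 10.10.20.0/24 and 10.10.30.0/24 as in the mapping at the end of the question. The `TCP-8000` service name and the policy IDs are chosen here. Lines beginning with `#` are annotations only; ScreenOS has no comment syntax, so do not paste them.

```text
# Interfaces. Route mode on the internal interfaces removes interface-based
# NAT, so every outbound translation is decided by a policy and nothing else.
set interface ethernet0/0 zone "Trust"
set interface ethernet0/0 ip 10.10.10.1/24
set interface ethernet0/0 route
set interface ethernet0/1 zone "Trust"
set interface ethernet0/1 ip 10.10.20.1/24
set interface ethernet0/1 route
set interface ethernet0/2 zone "Trust"
set interface ethernet0/2 ip 10.10.30.1/24
set interface ethernet0/2 route
set interface ethernet0/4 zone "Untrust"
set interface ethernet0/4 ip 99.99.99.10/24
set interface ethernet0/4 route

# Untrust-to-Untrust policies are only consulted when intrazone traffic is
# blocked for the zone (the default for Untrust; set it explicitly anyway).
set zone "Untrust" block

# One DIP pool per public address. Any VIP still bound to one of these
# addresses must be removed first; on 6.2.0r8 a VIP and a DIP cannot share
# an address (post 5). Add fix-port to a pool only if an application needs
# its original source port preserved.
set interface ethernet0/4 dip 4 99.99.99.11 99.99.99.11
set interface ethernet0/4 dip 5 99.99.99.12 99.99.99.12
set interface ethernet0/4 dip 6 99.99.99.13 99.99.99.13

# Address-book entries referenced by the policies below.
set address "Trust" "Net-A" 10.10.10.0 255.255.255.0
set address "Trust" "Net-B" 10.10.20.0 255.255.255.0
set address "Trust" "Net-C" 10.10.30.0 255.255.255.0
set address "Untrust" "Pub-A" 99.99.99.11 255.255.255.255
set address "Untrust" "Pub-B" 99.99.99.12 255.255.255.255
set address "Untrust" "Pub-C" 99.99.99.13 255.255.255.255

# Custom service for the port-8000 forwards (assumed name).
set service "TCP-8000" protocol tcp src-port 0-65535 dst-port 8000-8000

# Inbound: policy-based destination NAT. The policy is Untrust-to-Untrust
# because the pre-NAT destination (the public address) belongs to the
# Untrust zone. Permit only the services that are actually published,
# never "ANY", since these policies expose internal hosts.
set policy id 11 from "Untrust" to "Untrust" "Any" "Pub-A" "SMTP" nat dst ip 10.10.10.11 permit
set policy id 12 from "Untrust" to "Untrust" "Any" "Pub-A" "HTTP" nat dst ip 10.10.10.12 permit
set policy id 13 from "Untrust" to "Untrust" "Any" "Pub-A" "TCP-8000" nat dst ip 10.10.10.13 permit
set policy id 21 from "Untrust" to "Untrust" "Any" "Pub-B" "SMTP" nat dst ip 10.10.20.11 permit
set policy id 22 from "Untrust" to "Untrust" "Any" "Pub-B" "HTTPS" nat dst ip 10.10.20.120 permit
set policy id 31 from "Untrust" to "Untrust" "Any" "Pub-C" "SMTP" nat dst ip 10.10.30.110 permit
set policy id 32 from "Untrust" to "Untrust" "Any" "Pub-C" "HTTPS" nat dst ip 10.10.30.125 permit

# Outbound: source NAT from each network to its own DIP pool. The policy
# source object plus the dip-id is what ties a network to a public address.
set policy id 41 from "Trust" to "Untrust" "Net-A" "Any" "ANY" nat src dip-id 4 permit
set policy id 42 from "Trust" to "Untrust" "Net-B" "Any" "ANY" nat src dip-id 5 permit
set policy id 43 from "Trust" to "Untrust" "Net-C" "Any" "ANY" nat src dip-id 6 permit
save

# Verification:
#   get dip                              pools 4, 5, 6 and their in-use counters
#   get policy from "Trust" to "Untrust" confirms each policy carries its DIP
#   get session src-ip 10.10.10.25       an outbound session from network A
#                                        must show 99.99.99.11 as the
#                                        translated source
```

Order of operations matters when converting an existing box: remove the VIPs, then create the DIP pools, then add the policies, and check `get session` from a host in each network before and after, since with route mode on the internal interfaces a network without a matching source-NAT policy will leave the firewall with its private address untranslated.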



  • 7.  RE: SSG320M Outbound Traffic from internal networks over assigned VIPs

    Posted 08-22-2011 06:23

    Hi,

     

    it works very well.

     

    Many thanks,

    lockdown