Screen OS

  • 1.  SSG5 & VIP <- Do I really need VIP?

    Posted 03-27-2013 06:19

    Hello,

    I've just updated to an SSG5 (6.3.0r13), and I have several services which have to be accessible through the PPPoE untrust interface. This works well with a VIP (for the different ports) on eth0/0 and a rule from untrust to global.

    Isn't it possible to get rid of this detour? What I want is to create one ruleset from untrust to trust. That's it.

    Is this possible?



  • 2.  RE: SSG5 & VIP <- Do I really need VIP?

    Posted 03-27-2013 07:03

    Hi,

    Certainly, you can change the policy from Untrust to Trust instead of Untrust to Global. The Global zone only comes into consideration when there is no specific zone-to-zone policy found for the destination.

    Make sure you take a backup of the config before you make any changes.

    Do let me know if the above step helps.

    Regards,

    Arvinder



  • 3.  RE: SSG5 & VIP <- Do I really need VIP?

    Posted 03-27-2013 19:55

    Hi,

    You can have a policy from untrust to trust; however, it will still need to include all the service ports that are to be allowed.

    Regards,

    Hardeep



  • 4.  RE: SSG5 & VIP <- Do I really need VIP?
    Best Answer

    Posted 04-02-2013 00:29

    Hi,

    If the destination object in the policy is a VIP or a MIP, you can configure this policy as an Untrust-to-Trust, Untrust-to-Global or Untrust-to-Any-other-zone policy. It will work independently of the destination zone. The VIPs and MIPs are global objects, and the policy with the Global zone as its destination will be implicitly applied. If you run a debug you will see that two policy checks are involved in this case. Besides, the destination IPs of a VIP may reside in different zones, but the policy would work as, for example, an Untrust-to-Trust one. The use of a specific destination zone instead of a global one provides better readability of the ruleset.
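
    The configuration the best answer describes, as an added ScreenOS 6.x CLI example (not posted by anyone in the thread; the command syntax is written from memory of the ScreenOS CLI reference and the interface names, hosts and ports are constructed): a VIP bound to the PPPoE untrust interface IP, a service group for the published ports, and a single Untrust-to-Trust policy in place of the Untrust-to-Global rule.

    ```text
    # Constructed example, not from the thread. Assumes ethernet0/0 is the
    # PPPoE (dynamic-IP) interface in the Untrust zone and that the inside
    # hosts 192.168.1.10 / 192.168.1.20 sit in the Trust zone.

    # VIP on the interface IP (needed because the untrust address is
    # dynamic); each line maps one external port to one inside host.
    set interface ethernet0/0 vip interface-ip 80  HTTP  192.168.1.10
    set interface ethernet0/0 vip interface-ip 443 HTTPS 192.168.1.10
    set interface ethernet0/0 vip interface-ip 25  MAIL  192.168.1.20

    # Group the exposed services so the ruleset stays one policy; the
    # policy still has to name every allowed port, as Hardeep notes.
    set group service "Published-Services" add HTTP
    set group service "Published-Services" add HTTPS
    set group service "Published-Services" add MAIL

    # One Untrust-to-Trust policy with the VIP as destination. The VIP is a
    # global object, so the Global-zone lookup happens implicitly and no
    # separate Untrust-to-Global rule is required. Logging stays on so the
    # exposed ports are visible in the traffic log.
    set policy id 10 from "Untrust" to "Trust" "Any" "VIP(ethernet0/0)" "Published-Services" permit log

    # Verify the VIP table and the policy, then watch the flow debug for the
    # two policy checks the best answer mentions (filter to one port so the
    # debug buffer stays readable; turn debugging off afterwards).
    get vip
    get policy id 10
    set ffilter dst-port 443
    clear dbuf
    debug flow basic
    get dbuf stream
    undebug all
    ```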



  • 5.  RE: SSG5 & VIP <- Do I really need VIP?

    Posted 06-26-2013 14:46

    Okay, you all helped me! I've struggled with the source NAT, but now it is working.

    Thank you all!