03-19-2010 02:43 AM
The debug you have pasted into the post doesn't show anything, as it is not traffic going through the firewall.
As to NAT, you don't have to configure a DIP: as long as you use nat src in your policy, it will translate the source IP to that of the external interface.
Right now I have the problem that I cannot see the configuration, and so I cannot see what goes wrong.
What I would recommend is that you open a case at JTAC. What they will probably do is ask for the output from get tech, or get you to connect to a secure meeting where they can see the output from your terminal emulation, so that they can see what is wrong.
I am convinced that as soon as you have a JTAC engineer looking at your configuration he will quickly see where the problem is.
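As an added illustration of the point in the reply above (this is not the poster's configuration, which is not shown in the thread), here is what a policy-based source NAT on a ScreenOS firewall looks like when it relies on the egress interface address rather than a DIP pool, together with the checks that show whether DMZ traffic is actually reaching the firewall. The interface names, zone names, addresses and policy IDs are assumed for the example; the lines starting with "##" are annotations, not CLI commands.

```text
## Assumed layout (example only): ethernet0/4 in zone DMZ with 10.10.10.0/24 behind it,
## ethernet0/0 in zone Untrust with the public address 203.0.113.2.
set interface ethernet0/4 zone dmz
set interface ethernet0/4 ip 10.10.10.1/24
set interface ethernet0/4 route
set interface ethernet0/0 zone untrust
set interface ethernet0/0 ip 203.0.113.2/24
set interface ethernet0/0 route
set route 0.0.0.0/0 interface ethernet0/0 gateway 203.0.113.1

## Policy-based source NAT: "nat src" with no dip-id translates the source address
## to the IP of the egress interface (203.0.113.2 here), so no DIP pool is configured.
## With the DMZ interface in route mode there is no interface-based translation,
## so this policy is the only place the translation happens.
set policy id 10 from "DMZ" to "Untrust" "Any" "Any" "ANY" nat src permit log

## Keep the DMZ from reaching the inside network.
set policy id 11 from "DMZ" to "Trust" "Any" "Any" "ANY" deny log

## Checks. Filter the flow debug to one DMZ host (10.10.10.50 is an assumed test host),
## otherwise the buffer fills with unrelated traffic. If the buffer stays empty for that
## host, its packets never reached the firewall (wrong gateway, wrong interface or zone),
## which is a routing problem, not a NAT problem.
set ffilter src-ip 10.10.10.50
clear dbuf
debug flow basic
## ... generate traffic from 10.10.10.50 to an Untrust address, then:
undebug all
get dbuf stream

## A translated session lists 203.0.113.2 as the translated source address;
## "get policy id 10" confirms the nat src setting is actually on the policy.
get session src-ip 10.10.10.50
get policy id 10
```

The order matters when reading the debug: the flow output first shows the route lookup and the policy that matched, and only then the translation, so a session that matches a policy without "nat src" will leave with its private address intact.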
03-19-2010 07:41 AM
So I did the dishonorable thing and did a workaround. There is something with Juniper routers and DMZs that I do not know about which is giving me the above error. Anyway...
I bound eth0/4 to bgroup1 and set up a new subnet within it on the trust network. I then created a new policy to restrict the subnet of bgroup1 from bgroup0. Got it up and running in 1.5 minutes using the exact same settings as those used in the DMZ minus the nat-src setting.
I would still be interested in knowing what extra step is needed for the DMZ to work correctly.