Screen OS

  • 1.  Simple port based redirection in WebUI

    Posted 03-01-2009 04:24

    Hi,

    I am a novice, and only familiar with the WebUI. I have to redirect, on an SSG5, requests incoming on the untrusted zone (ethernet 0/0) on port 3000 to a PC with IP 22.33.44.66 connected in the trusted zone (bgroup0, 22.33.44.55/24), actually on Ethernet 0/6.

    For running the server and testing the access with a browser I'm using the same PC.

    While accessing myself on my PC's trusted IP address 22.33.44.66:3000 it all works fine, but whatever I tried from forums and manuals (policies, VIP) I can't get it working if I try to make the same request on my public fixed IP (on the ethernet 0/0).

    Can someone explain how to do it in the WebUI?

    Akos

     



  • 2.  RE: Simple port based redirection in WebUI

    Posted 03-01-2009 12:06
    Which version of ScreenOS are you running?


  • 3.  RE: Simple port based redirection in WebUI

    Posted 03-01-2009 12:27

    Hi Screenie,

    It is 6.1.0r4.0.

    🙂

    Akos



  • 4.  RE: Simple port based redirection in WebUI

    Posted 03-01-2009 17:14

    This sounds like basic VIP. Have you tried accessing from the untrust side outside your network to your PC inside? The reason I say that is if you are trying to test from your PC on the trust zone to your public VIP address on untrust, then you will not be able to reach your VIP since traffic is not originating from the untrust zone. So your test is not a good test. You really need to be testing from a PC on the untrust side to your public IP. In that case the VIP should work.

    Try testing from a host on the untrust side and if you still have problems then provide some config snippets.

    -Richard



  • 5.  RE: Simple port based redirection in WebUI

    Posted 03-02-2009 02:19
    Exactly my idea. Define the VIP and create a policy from untrust to trust invoking the VIP.


  • 6.  RE: Simple port based redirection in WebUI

    Posted 03-02-2009 04:38

    Ok, I'll try it and inform you!

    Another detail: since I'd like to limit the outer world to having access only on port 3000, I guess I have to define a "Custom service" for that and use it instead of the predefined "Any, HTTP, Telnet..." from the selection when configuring, haven't I?



  • 7.  RE: Simple port based redirection in WebUI

    Posted 03-02-2009 05:05
    Yes, you're right here: you have to define a custom service. It's under Policy > Policy Elements in the GUI.


  • 8.  RE: Simple port based redirection in WebUI

    Posted 03-08-2009 03:49

    Hi all,

    It works! Yes, it is a basic VIP task, but it was just my lack of knowledge and misunderstanding of the SSG5's architecture.

    With "custom service + VIP at the untrust + policy from untrust->trust" it works fine.

    Accessing my public fixed IP from the same PC, or from any other in the trusted zone, was not the problem either. Now this works fine too, and I asked a friend to do a query with his browser from home and it worked!

    Though it works, I still have some "why" questions:

    - Services: The request comes from http://xxx.xxx.xxx.xxx:3000 to my port 3000. Why source 0-65535? Doesn't it expose me more than necessary? Could it be source 3000-3000 and destination 3000-3000 to narrow the accessible port range?

    - What am I now exactly doing? As I figured out, it should be something like this:

    The request to port 3000 comes into my untrusted zone on my fixed public IP on Ethernet0/0.

    The policy redirects it to the VIP of my Ethernet0/0 because the custom service is the one with destination port 3000.

    Finally the VIP takes care of forwarding it to the IP address in the trusted zone I entered in the "Map to IP" field because it is going to port 3000, which I entered in the field "Virtual port". Correct me if I am wrong!

    Many thanks for the help!

    Message Edited by b_akos on 03-08-2009 11:51 AM


  • 9.  RE: Simple port based redirection in WebUI
    Best Answer

    Posted 03-08-2009 15:19
    In an IP connection, for almost every protocol the source port is randomly chosen between 1024 and 65535. The destination port is "fixed" on a well-known port number. Had it been different, only one connection of a certain protocol between a source and destination would have been possible. So the services are defined with source port 0 to 65535. In my opinion 1024 to 65535 would have been better.
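The WebUI steps that post 8 describes (custom service, VIP on the untrust interface, untrust-to-trust policy), written out as the equivalent ScreenOS CLI: this is an added example, not configuration from the thread or from Juniper. It uses the interface, port and map-to address from post 1 and the 1024-65535 source range that post 9 prefers; the service name "tcp3000" is an assumption, and lines beginning with # are annotations, not commands.

```screenos
# Custom service: TCP to destination port 3000 only. The source range is
# 1024-65535 because clients pick an ephemeral source port in that range
# (post 9); the destination port is what actually limits exposure.
set service "tcp3000" protocol tcp src-port 1024-65535 dst-port 3000-3000

# VIP on the untrust interface's own IP: virtual port 3000, service
# "tcp3000", mapped to the trusted host 22.33.44.66 (assumed address)
set interface ethernet0/0 vip interface-ip 3000 "tcp3000" 22.33.44.66

# Policy from untrust to trust that invokes the VIP for that one service;
# "log" records each session that reaches the forwarded port
set policy from untrust to trust any vip(ethernet0/0) "tcp3000" permit log

# Verify what was created, then persist it
get service "tcp3000"
get vip
get policy from untrust to trust
save
```

If a client fails to connect because it uses a source port below 1024, widen the service to src-port 0-65535 as the WebUI default does; the destination port restriction is unchanged either way.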