03-01-2009 04:24 AM
I am a novice, and only familiar with the WebUI. I have to redirect on an SSG5 requests incoming on the untrusted zone (ethernet 0/0) on port 3000 to a PC with IP 220.127.116.11 connected in the trusted zone (bgroup0, - 18.104.22.168/24) actually on the Ethernet 0/6.
For running the server and testing the access with a browser I'm using the same PC.
While accessing myself on my PC's trusted IP address 22.214.171.124:3000 it all works fine, but whatever I tried from forums and manuals (policies, VIP) I can't get it working if I try to make the same request on my public fix IP (on the ethernet 0/0).
Can someone explain how to do it in the WebUI?
Solved! Go to Solution.
03-01-2009 12:06 PM
03-01-2009 05:14 PM
This sounds like basic VIP. Have you tried accessing from untrust side outside your network to your PC inside? The reason I say that is if you are trying to test from your PC on trust zone to your public VIP address on untrust, then you will not be able to reach your VIP since traffic is not originating from untrust zone. So your test is not a good test. You really need to be testing from a PC on untrust side to your public IP. In that case the VIP should work.
Try testing from host on untrust side and if you have problems still then provide some config snippets.
03-02-2009 02:18 AM
03-02-2009 04:37 AM
Ok, I'll try it and inform you!
Another detail: since I'd like to limit the outer world to have access only on port 3000 I guess I have to define a "Custom service" for that and use it instead of the predefined "Any, HTTP, Telnet..." from the selection when confuguring, have I?
03-02-2009 05:04 AM
03-08-2009 03:48 AM - edited 03-08-2009 03:51 AM
It works! Yes, it is a basic VIP task, but it was just my lack of knowledge and misunderstanding of the SSG5's architecture.
With the "custom servce + vip at the untrust + policy from untrust->trust" works fine.
It was not the problem accessing my public fix IP from the same PC or any other from the trusted zone. Now this one works fine too and I asked a friend to do a query with his browser from home and it worked!
Though it works, I have still some questions "why"?
- Services: The request comes from http://xxx.xxx.xxx.xxx:3000 to my port 3000. Why source 0-65535? Doesn't it expose me more than necessary? Could it be source 3000-3000 and destination 3000-3000 to narrow the accessible port range?
- What am I now exactly doing? As I figured out, it should be something like this:
The request to the port 3000 comes into my untrusted zone on my fix public IP on Ethernet0/0.
The Policy redirects it to the VIP of my Ethernet0/0 because the custom service is the one with destination to port 3000.
Finally the VIP takes care to forward it to the IP address in the trusted zone I entered in the "Map to IP" field because it is foing to the port 3000 I entered in the field "Virtual port". Correct me if I am wrong!
Many thanks for the help!
03-08-2009 03:19 PM