Screen OS

  • 1.  Trust to DMZ - no translation

    Posted 06-11-2009 08:23

    Hello,

    Does anyone know how to convert this IOS command to ScreenOS:

    static (inside,dmz) 10.64.87.0 10.64.87.0 netmask 255.255.255.0 1000 100

    I want to avoid translation between my trust to DMZ zones/policies.

    Thanks,

    srw



  • 2.  RE: Trust to DMZ - no translation
    Best Answer

    Posted 06-11-2009 08:50

    You can actually check to see if there is any translation just by looking at the session table:

    get session dst-ip X.X.X.X (X is IP of some host in the DMZ)

    Look for the session that has a host from the trust.

    If the session looks something like this:

     id 63963/s**,vsys 0,flag 00000010/0000/0001,policy 1,time 1, dip 2 module 0
     if 6(nspflag 800801):77.5.0.5/15937->192.19.50.129/1024,1,0010db558d96,sess token 4,vlan 0,tun 0,vsd 0,route 3
     if 0(nspflag 10800800):192.19.51.124/1254<-192.19.50.129/1024,1,000c2924b08a,sess token 6,vlan 0,tun 0,vsd 0,route 6

    If you look at the src addresses, they are different, indicating that NAT is taking place.

    If you are seeing the NAT and you did not have any policy configured, that's because interface src NAT is taking place. The trust is in NAT mode, e.g.:

     NET-> get int e3 | i nat
      number 6, if_info 12336, if_index 0, mode nat

    and the DMZ is in route mode. To disable it, you need to change trust to route mode, e.g.:

    set int e3 mode route

    Then you also need to remember to configure a policy to do the src NAT for all other traffic going from trust to untrust (which gets NATted by default due to the interface NAT), e.g.:

    set policy top from trust to untrust any any any nat src permit

    Message Edited by WL on 06-11-2009 08:50 AM


  • 3.  RE: Trust to DMZ - no translation

    Posted 06-11-2009 09:21

    Hi,

    This definitely helped. I have set the trust interface to ROUTE (e0) and set up the policy to NAT:

    > get int e0 | i mode
      number 0, if_info 0, if_index 0, mode route

    > set policy id 2 from "Trust" to "Untrust"  "Any" "Any" "ANY" nat src permit log

    What should the DMZ (e1) mode be?

    > get int e1 | i mode
      number 5, if_info 4040, if_index 0, mode nat

    Still seeing my e0 IPs being translated when they are a dst-ip:

    skywave-gw1-> get session dst-ip 10.64.87.3
    alloc 707/max 48064, alloc failed 0, mcast alloc 0, di alloc failed 0
    total reserved 0, free sessions in shared pool 47357
    Total 1 sessions according filtering criteria.
    id 47178/s**,vsys 0,flag 00000050/0080/0021,policy 320000,time 1, dip 0 module 0
     if 3(nspflag 2002011):10.64.87.1/55228->10.64.87.3/1024,1,000000000000,sess token 5,vlan 0,tun 0,vsd 0,route 0
     if 0(nspflag 800600):10.64.87.1/55228<-10.64.87.3/1024,1,000e0c641862,sess token 3,vlan 0,tun 0,vsd 0,route 1
    Total 1 sessions shown

    Many thanks,

    srw



  • 4.  RE: Trust to DMZ - no translation

    Posted 06-11-2009 09:26

    If you want the DMZ traffic to use interface-based NAT when going from DMZ to Untrust, then you need to leave the DMZ in NAT mode.

    In general, I feel you have more flexibility if you set the interface to route mode and use policies to do the NATting.

    Looking at the session:

    id 47178/s**,vsys 0,flag 00000050/0080/0021,policy 320000,time 1, dip 0 module 0
     if 3(nspflag 2002011):10.64.87.1/55228->10.64.87.3/1024,1,000000000000,sess token 5,vlan 0,tun 0,vsd 0,route 0
     if 0(nspflag 800600):10.64.87.1/55228<-10.64.87.3/1024,1,000e0c641862,sess token 3,vlan 0,tun

    The IPs are not getting NATted. Am I missing something?
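
Added example (editor's note, not code posted by anyone in this thread): the check the accepted answer describes, "compare the source address on the two legs of one session", applied programmatically to the two session dumps quoted above. The dumps are embedded as constructed sample input, the second one with the counter and summary lines it was pasted with, so the script can be pointed at raw `get session dst-ip` output. The field names (ingress/egress wing, near/far address) and the function names are this example's own, not ScreenOS terminology.

```python
"""Detect source translation in ScreenOS `get session` output.

Added example, not from the thread. It parses each session's two wings and
reports whether the client address on the ingress wing differs from the
address the far host sends its replies to on the return wing.
"""
import re
from dataclasses import dataclass

# Constructed sample: the session quoted in the accepted answer, where the
# trust host 77.5.0.5 leaves as 192.19.51.124.
SESSION_NATTED = """\
id 63963/s**,vsys 0,flag 00000010/0000/0001,policy 1,time 1, dip 2 module 0
 if 6(nspflag 800801):77.5.0.5/15937->192.19.50.129/1024,1,0010db558d96,sess token 4,vlan 0,tun 0,vsd 0,route 3
 if 0(nspflag 10800800):192.19.51.124/1254<-192.19.50.129/1024,1,000c2924b08a,sess token 6,vlan 0,tun 0,vsd 0,route 6
"""

# Constructed sample: the follow-up's full dump, counters and summary included.
SESSION_UNTRANSLATED = """\
alloc 707/max 48064, alloc failed 0, mcast alloc 0, di alloc failed 0
total reserved 0, free sessions in shared pool 47357
Total 1 sessions according filtering criteria.
id 47178/s**,vsys 0,flag 00000050/0080/0021,policy 320000,time 1, dip 0 module 0
 if 3(nspflag 2002011):10.64.87.1/55228->10.64.87.3/1024,1,000000000000,sess token 5,vlan 0,tun 0,vsd 0,route 0
 if 0(nspflag 800600):10.64.87.1/55228<-10.64.87.3/1024,1,000e0c641862,sess token 3,vlan 0,tun 0,vsd 0,route 1
Total 1 sessions shown
"""

# "id 63963/s**,...,policy 1,time 1, dip 2 module 0" -> id, policy, dip
HEADER_RE = re.compile(r"^id\s+(\d+)/\S+,.*?policy\s+(\d+),.*?dip\s+(\d+)")
# "if 6(nspflag 800801):77.5.0.5/15937->192.19.50.129/1024,..." -> the wing
WING_RE = re.compile(
    r"^if\s+(\d+)\(nspflag\s+[0-9a-fA-F]+\):"
    r"([\d.]+)/(\d+)(->|<-)([\d.]+)/(\d+)"
)


@dataclass
class Wing:
    ifnum: int
    direction: str   # "->" is the ingress wing, "<-" the return (egress) wing
    near_ip: str     # left of the arrow: the client as this side sees it
    near_port: int
    far_ip: str      # right of the arrow: the server
    far_port: int


@dataclass
class Session:
    sid: int
    policy: int
    dip: int
    ingress: Wing
    egress: Wing


def _build(block):
    h = HEADER_RE.match(block[0])
    wings = {}
    for line in block[1:]:
        w = WING_RE.match(line)
        if w:
            wings[w[4]] = Wing(int(w[1]), w[4], w[2], int(w[3]), w[5], int(w[6]))
    if "->" not in wings or "<-" not in wings:
        raise ValueError("session %s lacks one of its two wings" % h[1])
    return Session(int(h[1]), int(h[2]), int(h[3]), wings["->"], wings["<-"])


def parse_sessions(text):
    """Split raw `get session` output into sessions; a block starts at an
    `id ...` line and collects the `if ...` wing lines that follow it."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if HEADER_RE.match(line):
            current = [line]
            blocks.append(current)
        elif current is not None and line.startswith("if "):
            current.append(line)
    return [_build(b) for b in blocks]


def translation_report(session):
    """The thread's check: a client address that differs between the two
    wings means source NAT happened on the way out."""
    i, e = session.ingress, session.egress
    return {
        "id": session.sid,
        "policy": session.policy,
        "dip": session.dip,  # 2 in the translated sample above, 0 in the other
        "client": f"{i.near_ip}/{i.near_port}",
        "client_as_seen_by_server": f"{e.near_ip}/{e.near_port}",
        "src_nat": i.near_ip != e.near_ip,
        "src_port_changed": i.near_port != e.near_port,
        "dst_nat": i.far_ip != e.far_ip,
    }


def check(text):
    """Reports for every session found in one `get session` dump."""
    return [translation_report(s) for s in parse_sessions(text)]


if __name__ == "__main__":
    for name, dump in (("natted", SESSION_NATTED), ("untranslated", SESSION_UNTRANSLATED)):
        for report in check(dump):
            print(name, report)
```

Run it against the saved output of `get session dst-ip <dmz host>`; a `src_nat` of `True` on a trust-to-DMZ session is the sign that interface NAT is still in play, which in the thread was resolved by putting the trust interface in route mode. The `dip` field is carried through only so the two cases can be compared; the example makes no claim about its meaning beyond what the two quoted dumps show.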



  • 5.  RE: Trust to DMZ - no translation

    Posted 06-11-2009 11:42

    Actually yes, you are correct, everything is working properly with DMZ in NAT mode.

    Many thanks!