ScreenOS Firewalls (NOT SRX)
Reply
Contributor
loopslot
Posts: 10
Registered: ‎12-07-2009
0

traffic from untrust to untrust

Hi guys, i would like to ask about untrust to untrust routing. How am I supposed to set it ?

I have a site-to-site VPN between SSG20 (branch) and NS500(central), it is already working properly and can access all the servers on the trust interface of NS500, but one of the application needs to access a server on the untrust interface of NS500. The tunnel and untrust interface are on the same physical interface which is eth1/1. How can I set this ? I can access the untrust server from NS500 trust interface, but I can't access it from the IPsec VPN which is on the same untrust interface. I have attached a network diagram to help describe what I would like to achieve. Any suggestions are welcome.

Distinguished Expert
echidov
Posts: 858
Registered: ‎11-02-2009
0

Re: traffic from untrust to untrust

Hi,

 

You should enable src-NAT in this untrust-to-untrust policy. The server knows nothing about the addresses behind SSG20. You should also check if IP address of the server is routed through the tunnel interface on SSG20.

Kind regards,
Edouard
Contributor
loopslot
Posts: 10
Registered: ‎12-07-2009
0

Re: traffic from untrust to untrust

Hello,

 

I have set MIP on the SSG20 tunnel interface so it will translate the local IPs to the IPs allowed into NS500. I also have set all 10.0.0.0/8 IP to be routed through tunnel so there shouldn't be any issue on SSG20 side.

I also tried to set untrust-untrust policy on NS500 side but it is not working and I read that intra-zone policy only works for different interface and does not support VPN tunnel ?

Could you explain about the src-NAT in policy. Do I just have to enable it in policy advanced option ?

Distinguished Expert
echidov
Posts: 858
Registered: ‎11-02-2009
0

Re: traffic from untrust to untrust

Hi,

 

Yes, the source NAT for the policy should be enabled under "Advanced" option. If you select "Use interface IP", the egress interface IP will be used for the src-NAT on the packets destinated for the server. This is, in your case, the untrust interface. The response from the server will be sent back to the untrust interface, NATted to the original IP and forwarded back into the tunnel.

The intrazone policy works fine with a single interface provided that the response takes the same way as the request packet did (no assymetric routing). In you case there are two interfaces: the packet enters through the tunnel interface and leaves the FW through the untrust one.

Kind regards,
Edouard
Contributor
loopslot
Posts: 10
Registered: ‎12-07-2009
0

Re: traffic from untrust to untrust

Hello,

 

thanks for your explanation, will try this and update the result. Cheers.

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.