Server published to Public IP for both Trust & Untrust Connections
[ Edited ]
Product: ScreenOS Version: 6.0 and higher
Click on image to enlarge
The local trust zone server has a public ip address assigned for accessing services. This has two policies created. One allows destination nat for the untrust internet traffic to access the services. The second allows local trust lan computers to access the same public ip address for these same services. This policy requires both source and destination nat.
The server publishes services to a public ip address on the firewall. The public ip address is placed int the trust zone and policy based nat is used to make the necessary address translations. The untrust to trust access also requires that proxy arp be enabled for the published address. Note that the method for proxy arp changes with version 6.3 of ScreenOS.
The trust to trust access requires that the direct lan connection between the two computers at layer two be prevented from kicking in. This is accomplished by translating the requesting computer source address to the firewall interface ip address. This forces the reply from the server local ip address to come to the firewall and not returned directly to the requesting computer. Thus the session setup for the public ip address by the local computer is maintained and the connection can be managed.
The process requires two separate policies
1.Untrust to Trust for the internet access to the server with destination nat
1.Trust to Trust for the local LAN access via the public ip address with both source and destination nat.
untrust interface is ethernet0/0 trust interface is bgroup0 The public ip address is placed into the trust zone
CLI 6.2 or earlier set arp nat-dst
6.3 set interface ethernet0/0 proxy-arp-entry 126.96.36.199 188.8.131.52
WEB (6.3 only. 6.2 only available in CLI) Network – Interfaces edit interface ethernet0/0 Proxy-arp menu add 184.108.40.206
Address Object for public ip address into Trust Zone
CLI set address Trust ServerPublic 220.127.116.11 255.255.255.255 set address Trust LAN 10.0.2.0 255.255.255.0
WEB Policy—Policy Elements—Addresses—List New trust zone ServerPublic 18.104.22.168/32 New trust zone LAN 10.0.2.0/24
1. Untrust to Trust for the internet access to the server with destination nat
CLI set policy name ServerUntrust from Untrust to Trust any ServerPublic HTTP dst ip 10.0.2.2 permit log
WEB Policy—Policies Untrust to Trust New From Any to ServerPublic Select services from list Permit Check log button Advanced button Destination translation and enter the server ip address 10.0.2.2
2. Trust to Trust for the local LAN access via the public ip address with both source and destination nat.
Enable the proxy arp for destination nat. This is a CLI only command.
CLI set policy name ServerInternal from Trust to Trust LAN ServerPublic HTTP nat src dst ip 10.0.2.2 permit log
WEB Policies – Policy – set trust to trust – Create New Name: ServerInternal Source: Any Destination: ServerPublic select the required server services permit check log button Advanced button Check destination translation and enter the server ip address 10.0.2.2 Check source translation and leave on the default egress interface
Attempt server access from internal computer using public address and open the policy log. Verify that both the source and destination translation are occurring as expected.
Attempt the server access from the untrust zone to the public address and verify connection in log.