Configuration Library

Server published to Public IP for both Trust & Untrust Connections

‎07-09-2011 06:47 PM

Product: ScreenOS
Version: 6.0 and higher

Network Topology

Network Diagram: Server Published to Public IP for Trust Zone

The local trust zone server has a public IP address assigned for accessing its services. Two policies are created for it. The first allows destination NAT so that Internet traffic from the untrust zone can reach the services. The second allows local trust LAN computers to reach the same public IP address for the same services; this policy requires both source and destination NAT.




The server publishes services on a public IP address held by the firewall. The public IP address is placed in the trust zone and policy-based NAT performs the necessary address translations. The untrust-to-trust access also requires that proxy ARP be enabled for the published address. Note that the method for enabling proxy ARP changes with version 6.3 of ScreenOS.

The trust-to-trust access requires that the direct layer-two LAN path between the two computers be prevented from taking over the session. This is done by translating the requesting computer's source address to the firewall interface IP address, which forces the server's reply (sent from its local IP address) to go to the firewall rather than directly back to the requesting computer. The session that the local computer set up to the public IP address is therefore preserved and the firewall can manage the connection.

The process requires two separate policies:

  1. Untrust to Trust for Internet access to the server with destination NAT
  2. Trust to Trust for local LAN access via the public IP address with both source and destination NAT

Zone Layout

untrust interface is ethernet0/0
trust interface is bgroup0
The public ip address is placed into the trust zone



Proxy ARP

6.2 or earlier
set arp nat-dst

6.3 or later
set interface ethernet0/0 proxy-arp-entry

WEB (6.3 only; on 6.2 this is available only in the CLI)
Network – Interfaces
edit interface ethernet0/0
Proxy-arp menu

Address Objects for the public IP address in the Trust Zone

set address Trust ServerPublic
set address Trust LAN

Policy—Policy Elements—Addresses—List
trust zone


1. Untrust to Trust for Internet access to the server with destination NAT


set policy name ServerUntrust from Untrust to Trust any ServerPublic HTTP nat dst ip <server-ip> permit log

Untrust to Trust
From Any to ServerPublic
Select services from list
Check log button
Advanced button
Check destination translation and enter the server IP address


2. Trust to Trust for local LAN access via the public IP address with both source and destination NAT


Enable proxy ARP for the destination NAT address (see the Proxy ARP section above). This is a CLI-only command.

set policy name ServerInternal from Trust to Trust LAN ServerPublic HTTP nat src dst ip <server-ip> permit log

Policies – Policy – set trust to trust – Create New
Name: ServerInternal
Source: Any
Destination: ServerPublic
Select the required server services
Check log button
Advanced button
Check destination translation and enter the server IP address
Check source translation and leave it on the default egress interface


Attempt server access from an internal computer using the public address and open the policy log. Verify that both the source and destination translations are occurring as expected.

Attempt server access from the untrust zone to the public address and verify the connection in the log.
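The reasoning above, that the trust-to-trust policy needs source NAT so the server's reply returns through the firewall instead of taking the direct LAN path, can be checked with a small model of both flows. This is an added illustration, not part of the original post or of ScreenOS; all addresses are constructed for the example.

```python
# Added example (not from the original post): a model of the two hairpin-NAT flows.
# All addresses below are constructed placeholders for illustration.
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, ip_address, ip_network

LAN = ip_network("192.168.1.0/24")          # constructed trust subnet (bgroup0)
FW_TRUST_IF = ip_address("192.168.1.1")      # constructed firewall address on bgroup0
SERVER_PRIVATE = ip_address("192.168.1.10")  # constructed real server address
SERVER_PUBLIC = ip_address("203.0.113.10")   # constructed published address (Trust zone)


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


def policy_nat(pkt: Packet, nat_src: bool) -> Packet:
    """Forward translation applied by the policy: dst NAT always, src NAT optional."""
    out = replace(pkt, dst=SERVER_PRIVATE)
    if nat_src:
        out = replace(out, src=FW_TRUST_IF)  # source becomes the egress interface IP
    return out


def reply_path(reply: Packet) -> str:
    """A reply to another host on the server's own subnet goes direct at layer two."""
    if reply.dst in LAN and reply.dst != FW_TRUST_IF:
        return "direct-to-client"
    return "via-firewall"


def access_via_public_ip(client: IPv4Address, nat_src: bool) -> tuple:
    """Return (reply path, whether the client sees a reply matching its session)."""
    request = Packet(src=client, dst=SERVER_PUBLIC)
    inside = policy_nat(request, nat_src)
    reply = Packet(src=inside.dst, dst=inside.src)   # server answers what it saw
    path = reply_path(reply)
    if path == "via-firewall":
        # the firewall reverses both translations for the established session
        reply = Packet(src=SERVER_PUBLIC, dst=client)
    # the client only accepts a reply from the address it connected to
    return path, (reply.src == SERVER_PUBLIC and reply.dst == client)
```

Running the LAN client case with and without source NAT, and the untrust client case with destination NAT only, reproduces the behaviour the post describes.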




Reference: ScreenOS Concepts and Examples Guide, Volume 8: Address Translation, Chapter 3: Nat-src and Nat-dst in the Same Policy (Network Address Translation)


Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)