Screen OS


Access from Trust to MIP - is it possible?

  • 1.  Access from Trust to MIP - is it possible?

    Posted 08-29-2008 02:20

    Hi All,

     

    SSG-140, ScreenOS 6

     

    I have a couple of IPs from trust mapped to corresponding IPs from the DMZ range by MIP. Is it possible to access a Mapped IP from the Trust zone?

    For example: Mapped IP: a.b.c.10, Host IP: 10.41.3.10, VRouter: trust-vr

    Ping from 10.41.3.1 to 10.41.3.10 is ok

    Ping from 10.41.3.1 to a.b.c.10 - host unreachable

     

    Thank you in advance!

     

     



  • 2.  RE: Access from Trust to MIP - is it possible?

    Posted 08-29-2008 02:48

    Hi

     

    You need to create a policy from trust to untrust (I am assuming you have defined the MIP on the untrust interface).

     

    Thanks 



  • 3.  RE: Access from Trust to MIP - is it possible?

    Posted 08-29-2008 02:59

    Hi,

     

    I have a policy from trust any to untrust any, service any; nevertheless it does not work...



  • 4.  RE: Access from Trust to MIP - is it possible?

    Posted 08-29-2008 03:46

    Hi,

     

    Can you do a debug flow basic to see what is happening to the traffic? See my post at the top of the firewall topic on how to do a debug.

     

    Post the result here, that way we can see where the packet is failing.

     

    Regards

     

    Andy



  • 5.  RE: Access from Trust to MIP - is it possible?

    Posted 08-29-2008 04:57

    Hi Andy,

     

    First of all, thank you for the suggestion: by using debug I've found the reason for the problem. I had no static route to the destination MIP on the untrust interface. I've added the route and got access 🙂

    Nevertheless, please take a look at the debug - am I right? (I have changed the public IPs)

    ****** 928508.0: <Trust/bgroup0/0> packet received [60]******
      ipid = 1510(05e6), @0d595114
      packet passed sanity check.
      bgroup0/0:10.41.3.41/49421->213.133.107.190/1280,1(8/0)<Root>
      no session found
      flow_first_sanity_check: in <bgroup0/0>, out <N/A>
      chose interface bgroup0/0 as incoming nat if.
      flow_first_routing: in <bgroup0/0>, out <N/A>
      search route to (bgroup0/0, 10.41.3.41->213.133.107.190) in vr trust-vr for vsd-0/flag-0/ifp-null
      [ Dest] 5.route 213.133.107.190->213.133.107.190, to ethernet0/1
      routed (x_dst_ip 213.133.107.190) from bgroup0/0 (bgroup0/0 in 0) to ethernet0/1
      policy search from zone 2-> zone 3
     policy_flow_search  policy search nat_crt from zone 2-> zone 3
      RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 213.133.107.190, port 34638, proto 1)
      No SW RPC rule match, search HW rule
    Permitted by policy 4
    dip id = 2, 10.41.3.41/49421->213.133.107.145/17739
      choose interface ethernet0/1 as outgoing phy if
      no loop on ifp ethernet0/1.
      session application type 0, name None, nas_id 0, timeout 60sec
      service lookup identified service 0.
      flow_first_final_check: in <bgroup0/0>, out <ethernet0/1>
      existing vector list 201-5036e7c.
      Session (id:44136) created for first pak 201
      flow_first_install_session======>
      route to 213.133.107.190
      wait for arp rsp for 213.133.107.190
      ifp2 ethernet0/1, out_ifp ethernet0/1, flag 10000800, tunnel ffffffff, rc 0
      outgoing wing prepared, not ready
      handle cleartext reverse route
      search route to (ethernet0/1, 213.133.107.190->10.41.3.41) in vr trust-vr for vsd-0/flag-3000/ifp-bgroup0/0
      [ Dest] 33.route 10.41.3.41->10.41.3.41, to bgroup0/0
      route to 10.41.3.41
      arp entry found for 10.41.3.41
      ifp2 bgroup0/0, out_ifp bgroup0/0, flag 00800801, tunnel ffffffff, rc 1

     

    Message Edited by Dmitry on 08-29-2008 04:59 AM


  • 6.  RE: Access from Trust to MIP - is it possible?

    Posted 08-31-2008 05:12

    Hello Dmitry

     

    From the debug it seems like the route for the MIP IP has been given pointing to the DMZ interface. Therefore, after the route lookup, the policy lookup is from trust to DMZ. The debug being incomplete does not show the NAT happening, nor the packet being successfully sent out.

    If I am not wrong, in such cases the packet does go out of the untrust using the default route (if the MIP is not in a connected subnet) and comes back on the untrust, doing an untrust to DMZ lookup. To avoid relying on the upstream device to send the packet back, it is best to prevent the firewall from doing loopback session processing. For this we would need to do a DST-NAT for the MIP IP from Trust to DMZ (this in no way would affect the MIP access from the untrust).

     

    Best Regards,

     

    Vikas



  • 7.  RE: Access from Trust to MIP - is it possible?

    Posted 08-31-2008 14:54

    Hello Vikas,

     

    You are right: when I added the static route, the packets really go out of the untrust to the provider equipment and then come back into the untrust interface.

    Now I've added the policy with dst NAT from the MIP to the host address (policy 38 in the debug log), but the packets are being dropped...

    What is the reason?

    Here is debug log:

    SSG140-> get db str
    ****** 1141772.0: <Trust/bgroup0/0> packet received [60]******
      ipid = 17630(44de), @0d555914
      packet passed sanity check.
      bgroup0/0:10.41.3.62/30976->213.133.107.190/1280,1(8/0)<Root>
      no session found
      flow_first_sanity_check: in <bgroup0/0>, out <N/A>
      chose interface bgroup0/0 as incoming nat if.
      flow_first_routing: in <bgroup0/0>, out <N/A>
      search route to (bgroup0/0, 10.41.3.62->213.133.107.190) in vr trust-vr for vsd-0/flag-0/ifp-null
      [ Dest] 5.route 213.133.107.190->213.133.107.190, to ethernet0/1
      routed (x_dst_ip 213.133.107.190) from bgroup0/0 (bgroup0/0 in 0) to ethernet0/1
      policy search from zone 2-> zone 3
     policy_flow_search  policy search nat_crt from zone 2-> zone 3
      RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 213.133.107.190, port 53083, proto 1)
      No SW RPC rule match, search HW rule
    Permitted by policy 38
      DST xlate: 213.133.107.190(1280) to 10.41.3.14(1280)
      search route to (bgroup0/0, 10.41.3.62->10.41.3.14) in vr trust-vr for vsd-0/flag-0/ifp-null
      [ Dest] 33.route 10.41.3.14->10.41.3.14, to bgroup0/0
      routed (10.41.3.14) from bgroup0/0 (bgroup0/0 in 0) to ethernet0/1
      packet dropped, routed to different zone

    Dmitry

     

    Message Edited by Dmitry on 08-31-2008 03:03 PM


  • 8.  RE: Access from Trust to MIP - is it possible?

    Posted 08-31-2008 15:21

    Hi,

     

    Can you post your config?

     

    Regards

     

    Andy



  • 9.  RE: Access from Trust to MIP - is it possible?

    Posted 08-31-2008 15:46

    Hi, here it is:

     

    set clock ntp
    set clock timezone 3
    set vrouter trust-vr sharable
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset auto-route-export
    set preference ebgp 250
    set preference ibgp 40
    exit
    set service "Notes" protocol tcp src-port 0-65535 dst-port 1352-1352
    set service "ABN AMRO" protocol tcp src-port 0-65535 dst-port 9991-9991
    set service "ICA" protocol tcp src-port 0-65535 dst-port 1494-1494
    set service "ICA Browser" protocol udp src-port 0-65535 dst-port 1604-1604
    set service "eMule" protocol tcp src-port 0-65535 dst-port 4662-4662
    set service "eMule" + tcp src-port 0-65535 dst-port 4711-4711
    set service "eMule" + udp src-port 0-65535 dst-port 4672-4672
    set service "MDaemonWC" protocol tcp src-port 0-65535 dst-port 3000-3000
    set service "FWAnalyzer" protocol tcp src-port 0-65535 dst-port 8500-8500
    set service "ESP" protocol 50 src-port 0-65535 dst-port 0-65535
    unset alg sip enable
    set auth-server "Local" id 0
    set auth-server "Local" server-name "Local"
    set auth default auth server "Local"
    set auth radius accounting port 1646
    set admin name "****"
    set admin password "****"
    set admin user "****" password "****" privilege "read-only"
    set admin http redirect
    set admin mail alert
    set admin mail server-name "****"
    set admin mail mail-addr1 "***@***"
    set admin auth timeout 0
    set admin auth server "Local"
    set admin format dos
    set zone "Trust" vrouter "trust-vr"
    set zone "Untrust" vrouter "trust-vr"
    set zone "DMZ" vrouter "trust-vr"
    set zone "VLAN" vrouter "trust-vr"
    set zone "Untrust-Tun" vrouter "trust-vr"
    set zone "Trust" tcp-rst
    set zone "Untrust" block
    unset zone "Untrust" tcp-rst
    set zone "MGT" block
    set zone "DMZ" block
    set zone "DMZ" tcp-rst
    set zone "VLAN" block
    unset zone "VLAN" tcp-rst
    unset zone "Untrust" screen tear-drop
    unset zone "Untrust" screen syn-flood
    unset zone "Untrust" screen ping-death
    unset zone "Untrust" screen ip-filter-src
    unset zone "Untrust" screen land
    set zone "V1-Untrust" screen tear-drop
    set zone "V1-Untrust" screen syn-flood
    set zone "V1-Untrust" screen ping-death
    set zone "V1-Untrust" screen ip-filter-src
    set zone "V1-Untrust" screen land
    set zone "DMZ" screen icmp-flood
    set zone "DMZ" screen udp-flood
    set zone "DMZ" screen winnuke
    set zone "DMZ" screen port-scan
    set zone "DMZ" screen syn-flood
    set zone "DMZ" screen ip-spoofing
    set zone "DMZ" screen ip-filter-src
    set zone "DMZ" screen syn-frag
    set zone "DMZ" screen tcp-no-flag
    set zone "DMZ" screen unknown-protocol
    set zone "DMZ" screen ip-bad-option
    set zone "DMZ" screen ip-record-route
    set zone "DMZ" screen ip-timestamp-opt
    set zone "DMZ" screen ip-security-opt
    set zone "DMZ" screen ip-loose-src-route
    set zone "DMZ" screen ip-strict-src-route
    set zone "DMZ" screen ip-stream-opt
    set zone "DMZ" screen syn-fin
    set zone "DMZ" screen fin-no-ack
    set zone "DMZ" screen ip-spoofing drop-no-rpf-route
    set interface "ethernet0/0" zone "Null"
    set interface "ethernet0/1" zone "DMZ"
    set interface "ethernet0/2" zone "Untrust"
    set interface "bgroup0/0" zone "Trust"
    set interface bgroup0/0 port ethernet0/0
    set interface bgroup0/0 port ethernet0/3
    unset interface vlan1 ip
    set interface ethernet0/1 ip 213.133.107.145/28
    set interface ethernet0/1 route
    set interface ethernet0/1 ip 213.133.107.160 255.255.255.224 secondary
    set interface ethernet0/2 ip 213.133.107.134/28
    set interface ethernet0/2 route
    set interface bgroup0/0 ip 10.41.3.1/24
    set interface bgroup0/0 nat
    set interface ethernet0/2 gateway 213.133.107.129
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip
    set interface bgroup0/0 manage-ip 10.41.3.12
    set interface ethernet0/1 ip manageable
    set interface ethernet0/2 ip manageable
    set interface bgroup0/0 ip manageable
    set interface ethernet0/1 manage telnet
    set interface ethernet0/1 manage snmp
    set interface ethernet0/1 manage ssl
    set interface ethernet0/1 manage web
    set interface ethernet0/2 manage ping
    set interface ethernet0/2 manage telnet
    set interface ethernet0/2 manage snmp
    set interface ethernet0/2 manage ssl
    set interface ethernet0/2 manage web
    set interface "ethernet0/2" mip 213.133.107.162 host 10.41.3.8 netmask 255.255.255.255 vr "trust-vr"
    set interface "ethernet0/2" mip 213.133.107.173 host 10.41.3.9 netmask 255.255.255.255 vr "trust-vr"
    set interface "ethernet0/2" mip 213.133.107.174 host 10.41.3.24 netmask 255.255.255.255 vr "trust-vr"
    set interface "ethernet0/2" mip 213.133.107.190 host 10.41.3.14 netmask 255.255.255.255 vr "trust-vr"
    set interface bgroup0/0 ntp-server
    set flow tcp-mss
    unset flow tcp-syn-check
    unset flow tcp-syn-bit-check
    set flow reverse-route clear-text prefer
    set flow reverse-route tunnel always
    set console page 25
    set domain sgs.ru
    set pki authority default scep mode "auto"
    set pki x509 default cert-path partial
    set dns host dns1 10.41.3.14 src-interface bgroup0/0
    set dns host dns2 0.0.0.0
    set dns host dns3 0.0.0.0
    set dns host schedule 06:28
    set address "Trust" "MO-LAN-IP-001" 10.41.3.1 255.255.255.255
    set address "Trust" "MO-LAN-IP-002" 10.41.3.2 255.255.255.255
    . .
    set address "Trust" "MO-LAN-IP-253" 10.41.3.253 255.255.255.255
    set address "Trust" "MO-LAN-IP-254" 10.41.3.254 255.255.255.255
    set address "Untrust" "213.133.107.134/32" 213.133.107.134 255.255.255.255
    set address "Untrust" "213.133.107.139/32" 213.133.107.139 255.255.255.255
    set address "Untrust" "MO login.icq.com" login.icq.com
    set address "DMZ" "213.133.107.190/32" 213.133.107.190 255.255.255.255
    set address "DMZ" "MO DMZ Interface" 213.133.107.145 255.255.255.255
    set address "DMZ" "MO.163 RUIT01" 213.133.107.163 255.255.255.255
    set address "DMZ" "MO.164 RUMOW01E" 213.133.107.164 255.255.255.255
    set address "DMZ" "MO.165 RUMOW05E" 213.133.107.165 255.255.255.255
    set address "DMZ" "MO.167 RUMOW05" 213.133.107.167 255.255.255.255
    set address "DMZ" "MO.168" 213.133.107.168 255.255.255.255 "virt IP at rumow05e"
    set address "DMZ" "MO.169" 213.133.107.169 255.255.255.255 "+ ftp"
    set address "DMZ" "MO.170" 213.133.107.170 255.255.255.255 "virt IP at rumow05e"
    set address "DMZ" "MO.171" 213.133.107.171 255.255.255.255 "virt IP at rumow05e"
    set address "DMZ" "MO.175" 213.133.107.175 255.255.255.255
    set address "DMZ" "MO.180 Test" 213.133.107.180 255.255.255.255 "test"
    set address "DMZ" "MO.187 CentOS" 213.133.107.187 255.255.255.255
    set group address "Trust" "MO AsyncPool 056-079"
    set group address "Trust" "MO AsyncPool 056-079" add "MO-LAN-IP-056"
    set group address "Trust" "MO DHCP Range 110-129"
    set group address "Trust" "MO DHCP Range 110-129" add "MO-LAN-IP-110"
    set group address "Trust" "MO DHCP Range 130-159"
    set group address "Trust" "MO DHCP Range 130-159" add "MO-LAN-IP-130"
    set group address "Trust" "MO DHCP Range 160-189"
    set group address "Trust" "MO DHCP Range 160-189" add "MO-LAN-IP-160"
    set group address "Trust" "MO DHCP Range 190-219"
    set group address "Trust" "MO DHCP Range 190-219" add "MO-LAN-IP-190"
    set group address "Trust" "MO DHCP Range 220-228"
    set group address "Trust" "MO DHCP Range 220-228" add "MO-LAN-IP-220"
    set group address "Trust" "MO ICQ Users 045-054"
    set group address "Trust" "MO ICQ Users 045-054" add "MO-LAN-IP-045"
    set group address "Trust" "MO Manual Range 030-044"
    set group address "Trust" "MO Manual Range 030-044" add "MO-LAN-IP-030"
    set group address "Trust" "MO Manual Range 030-044" add "MO-LAN-IP-044"
    set group address "Trust" "MO Servers 005-029"
    set group address "Trust" "MO Servers 005-029" add "MO-LAN-IP-005"
    set group address "Trust" "MO Servers 005-029" add "MO-LAN-IP-029"
    set group address "Trust" "MO Test zone 080-095"
    set group address "Trust" "MO Test zone 080-095" add "MO-LAN-IP-080"
    set group address "Trust" "MO Test zone 080-095" add "MO-LAN-IP-095"
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit
    set url protocol websense
    exit
    set policy id 2 from "DMZ" to "Untrust" "Any" "Any" "ANY" permit log count
    set policy id 2
    exit
    set policy id 38 from "Trust" to "DMZ" "Any" "213.133.107.190/32" "ANY" nat dst ip 10.41.3.14 permit log count
    set policy id 38
    exit
    set policy id 4 from "Trust" to "DMZ" "Any" "Any" "ANY" permit log count
    set policy id 4
    exit
    set policy id 7 from "DMZ" to "Trust" "Any" "Any" "ANY" permit log count
    set policy id 7
    exit
    set policy id 8 from "Untrust" to "DMZ" "Any" "MO DMZ Interface" "PING" permit log count
    set policy id 8
    exit
    set policy id 10 from "Trust" to "Untrust" "MO Manual Range 030-044" "Any" "ANY" permit log count
    set policy id 10
    set src-address "MO Servers 005-029"
    exit
    set policy id 11 from "Trust" to "Untrust" "MO AsyncPool 056-079" "Any" "ANY" permit log count
    set policy id 11
    exit
    set policy id 29 from "DMZ" to "DMZ" "Any" "Any" "ANY" permit log count
    set policy id 29
    exit
    set policy id 1 from "Trust" to "Untrust" "MO DHCP Range 110-129" "Any" "ABN AMRO" permit log count
    set policy id 1
    set src-address "MO DHCP Range 130-159"
    set src-address "MO DHCP Range 160-189"
    set src-address "MO DHCP Range 190-219"
    set src-address "MO DHCP Range 220-228"
    set src-address "MO ICQ Users 045-054"
    set service "FTP"
    set service "HTTP"
    set service "HTTPS"
    set service "ICA"
    exit
    set policy id 16 name "MO Citrix" from "Untrust" to "Trust" "Any" "MIP(213.133.107.174)" "FWAnalyzer" permit log count
    set policy id 16
    set service "GRE"
    set service "PING"
    set service "PPTP"
    exit
    set policy id 17 name "MO Citrix" from "Untrust" to "Trust" "Any" "MIP(213.133.107.190)" "DNS" permit log count
    set policy id 17
    set service "PING"
    exit
    set policy id 19 from "Untrust" to "DMZ" "Any" "MO.163 RUIT01" "HTTP" permit log count
    set policy id 19
    set service "Notes"
    set service "PING"
    exit
    set policy id 20 from "Untrust" to "DMZ" "Any" "MO.164 RUMOW01E" "Notes" permit log count
    set policy id 20
    set service "PING"
    exit
    set policy id 21 from "Untrust" to "DMZ" "Any" "MO.165 RUMOW05E" "HTTP" permit log count
    set policy id 21
    set service "Notes"
    set service "PING"
    exit
    set policy id 22 from "Untrust" to "DMZ" "Any" "MO.167 RUMOW05" "HTTP" permit log count
    set policy id 22
    set service "Notes"
    set service "PING"
    exit
    set policy id 23 from "Untrust" to "DMZ" "Any" "MO.168" "FTP" permit log count
    set policy id 23
    set service "HTTP"
    set service "PING"
    exit
    set policy id 24 from "Untrust" to "DMZ" "Any" "MO.169" "eMule" permit log count
    set policy id 24
    set service "FTP"
    set service "HTTP"
    set service "HTTPS"
    set service "MDaemonWC"
    set service "PING"
    set service "POP3"
    set service "SMTP"
    exit
    set policy id 25 from "Untrust" to "DMZ" "Any" "MO.170" "FTP" permit log count
    set policy id 25
    set service "HTTP"
    set service "PING"
    exit
    set policy id 26 from "Untrust" to "DMZ" "Any" "MO.171" "FTP" permit log count
    set policy id 26
    set service "HTTP"
    set service "PING"
    exit
    set policy id 27 from "Untrust" to "DMZ" "Any" "MO.175" "HTTP" permit log count
    set policy id 27
    set service "Notes"
    set service "PING"
    exit
    set policy id 31 name "MO Citrix" from "Untrust" to "Trust" "Any" "MIP(213.133.107.162)" "HTTP" permit log count
    set policy id 31
    set dst-address "MIP(213.133.107.173)"
    set service "ICA"
    set service "ICA Browser"
    set service "PING"
    exit
    set policy id 32 from "Trust" to "Trust" "Any" "Any" "ANY" permit log count
    set policy id 32
    exit
    set policy id 33 from "Trust" to "Untrust" "MO DHCP Range 110-129" "MO login.icq.com" "ANY" deny log count
    set policy id 33
    set src-address "MO DHCP Range 130-159"
    set src-address "MO DHCP Range 160-189"
    set src-address "MO DHCP Range 190-219"
    set src-address "MO DHCP Range 220-228"
    exit
    set policy id 34 from "Trust" to "Untrust" "MO Test zone 080-095" "Any" "ANY" permit log count
    set policy id 34
    exit
    set policy id 36 from "Untrust" to "Untrust" "Any" "213.133.107.139/32" "ANY" permit log count
    set policy id 36
    exit
    set policy id 37 from "Trust" to "Untrust" "Any" "Dial-Up VPN" "ANY" tunnel vpn "MOGateIKE" id 2 l2tp "MOIT" log count
    set policy id 37
    exit
    set syslog config "10.41.3.24"
    set syslog config "10.41.3.24" facilities local0 local0
    set syslog config "10.41.3.24" log traffic
    set syslog src-interface bgroup0/0
    set syslog enable
    set firewall log-self
    set nsmgmt bulkcli reboot-timeout 60
    set ssh version v2
    set config lock timeout 5
    unset license-key auto-update
    set ntp server "192.36.143.150"
    set ntp server src-interface "ethernet0/2"
    set ntp server backup1 "130.149.17.8"
    set ntp server backup1 src-interface "ethernet0/2"
    set ntp server backup2 "130.149.17.21"
    set ntp server backup2 src-interface "ethernet0/2"
    set ntp interval 5
    set snmp community "dom3a5f" Read-Write Trap-on traffic version v2c
    set snmp host "dom3a5f" 10.41.3.0 255.255.255.0 src-interface bgroup0/0
    set snmp port listen 161
    set snmp port trap 162
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset add-default-route
    set route 10.0.0.0/8 interface bgroup0/0 gateway 10.41.3.2 preference 20 permanent
    set route 10.41.0.0/16 interface bgroup0/0 gateway 10.41.3.24 preference 20 permanent
    set route 10.41.32.0/19 interface bgroup0/0 gateway 10.41.3.7 preference 20 permanent
    set route 10.41.80.0/24 interface bgroup0/0 gateway 10.41.3.7 preference 20 permanent
    set route 10.41.64.0/24 interface bgroup0/0 gateway 10.41.3.7 preference 20 permanent
    set route 140.85.0.0/16 interface bgroup0/0 gateway 10.41.3.2 preference 20 permanent
    set route 141.146.165.0/27 interface bgroup0/0 gateway 10.41.3.2 preference 20 permanent
    set route 141.146.168.0/22 interface bgroup0/0 gateway 10.41.3.2 preference 20 permanent
    set route 141.146.173.64/26 interface bgroup0/0 gateway 10.41.3.2 preference 20 permanent
    set route 141.146.177.160/28 interface bgroup0/0 gateway 10.41.3.2 preference 20 permanent
    set route 141.146.177.192/28 interface bgroup0/0 gateway 10.41.3.2 preference 20 permanent
    set route 141.146.175.32/28 interface bgroup0/0 gateway 10.41.3.2 preference 20 permanent
    set route 141.146.184.32/28 interface bgroup0/0 gateway 10.41.3.2 preference 20 permanent
    set route 148.87.88.0/25 interface bgroup0/0 gateway 10.41.3.2 preference 20 permanent
    set route 148.87.89.0/24 interface bgroup0/0 gateway 10.41.3.2 preference 20 permanent
    set route 148.87.96.0/21 interface bgroup0/0 gateway 10.41.3.2 preference 20 permanent
    set route 148.87.104.0/22 interface bgroup0/0 gateway 10.41.3.2 preference 20 permanent
    set route 148.87.214.0/23 interface bgroup0/0 gateway 10.41.3.2 preference 20 permanent
    set route 148.87.216.0/22 interface bgroup0/0 gateway 10.41.3.2 preference 20 permanent
    set route 148.87.220.0/25 interface bgroup0/0 gateway 10.41.3.2 preference 20 permanent
    set route 148.87.224.0/23 interface bgroup0/0 gateway 10.41.3.2 preference 20 permanent
    set route 141.146.164.48/28 interface bgroup0/0 gateway 10.41.3.2 preference 20 permanent
    set route 213.133.107.174/32 interface ethernet0/2 preference 20 permanent
    set route 213.133.107.173/32 interface ethernet0/2 preference 20 permanent
    set route 213.133.107.162/32 interface ethernet0/2 preference 20 permanent
    exit
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit

     

     

    Dmitry



  • 10.  RE: Access from Trust to MIP - is it possible?

    Posted 08-31-2008 15:59

    Hi,

     

    From your config it looks like your MIPs are pointing to something in the trust zone; I thought you were trying to get to something in the DMZ zone??? Below are parts from your config. It looks like the MIP is listening on an IP on the untrust but then sending to a host 10.41.3.x, and that IP address is in the network off bgroup0/0, 10.41.3.1/24. Is this correct?? Your policies show Untrust to DMZ for the MIP access.

     

    set interface "ethernet0/1" zone "DMZ"
    set interface ethernet0/1 ip 213.133.107.145/28


    set interface "bgroup0/0" zone "Trust"
    set interface bgroup0/0 ip 10.41.3.1/24

     

    set interface "ethernet0/2" mip 213.133.107.162 host 10.41.3.8 netmask 255.255.255.255 vr "trust-vr"
    set interface "ethernet0/2" mip 213.133.107.173 host 10.41.3.9 netmask 255.255.255.255 vr "trust-vr"
    set interface "ethernet0/2" mip 213.133.107.174 host 10.41.3.24 netmask 255.255.255.255 vr "trust-vr"
    set interface "ethernet0/2" mip 213.133.107.190 host 10.41.3.14 netmask 255.255.255.255 vr "trust-vr"



  • 11.  RE: Access from Trust to MIP - is it possible?

    Posted 08-31-2008 23:17

    Hi,

    Yes, correct. I have some devices for which I need to grant access to the DMZ regardless of where they are connected from. These devices may be connected to the internet as well as to the LAN. Also, I cannot use a server with a real IP in the DMZ range; I have to use NAT. So I chose the MIP functionality and am trying to reach an IP from the trust zone in the trust zone by using MIP.

    That was my question.

    I've learned that if I add a static route to untrust, the packets go out from untrust and then come back to the untrust interface. In this case the MIP is reachable from trust.

    So the goal is "to explain" to the SSG that when I ping dst=213.133.107.190 from src=10.41.30/24, the SSG has to route the packet to 10.41.3.14.

     

    How to do that?

     

    Dmitry.



  • 12.  RE: Access from Trust to MIP - is it possible?
    Best Answer

    Posted 09-02-2008 04:54

    Hello Dmitry

     

    Here are the steps needed:

    > Have a route for 213.133.107.190 pointing to bg0 (there is no need for a gateway; ensure that the route is active).

    > Have a policy from Trust to Trust (above the any-any policy #32). The source should be any and the destination should be 213.133.107.190. Please note that the destination address book entry is not the global entry for MIP(213.133.107.190). You would need to create a new one.

    > Enable source translation (NAT-Src) in this policy and also enable destination translation (NAT-Dst). Have the translate-to IP as 10.41.3.14.

     

    Hope this helps.

     

    Best Regards,

     

    Vikas 
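    To make the two outcomes in this thread concrete, here is an added example (not from the thread, and not Juniper code) that replays the debug flow from post 7 and the fix described in the steps above through a small Python model of ScreenOS first-packet processing. It assumes the zones, interface addresses and policy ids from the posted config; the Trust-to-Trust policy id 40 is a made-up number, and the model reduces ScreenOS to route lookup, zone pair, first-match policy, destination translation and re-route.

```python
# Constructed model of the ScreenOS first-packet path seen in the thread's debug output;
# not Juniper code. Zones, addresses and policy ids come from the posted config; id 40 is made up.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

IFACES = {  # interface -> (zone, interface IP)
    "bgroup0/0": ("Trust", "10.41.3.1"),
    "ethernet0/1": ("DMZ", "213.133.107.145"),
    "ethernet0/2": ("Untrust", "213.133.107.134"),
}
# Connected routes plus the ethernet0/2 gateway default. 213.133.107.160/27 is
# the secondary address on ethernet0/1, which is why the MIP .190 routes to DMZ.
BASE_ROUTES = [("10.41.3.0/24", "bgroup0/0"), ("213.133.107.144/28", "ethernet0/1"),
               ("213.133.107.160/27", "ethernet0/1"), ("213.133.107.128/28", "ethernet0/2"),
               ("0.0.0.0/0", "ethernet0/2")]

@dataclass
class Policy:
    pid: int; from_zone: str; to_zone: str
    dst: str                # destination prefix or "Any"
    nat_dst: str = ""       # "nat dst ip <ip>" translate-to address
    nat_src: bool = False   # interface-based NAT-src (no DIP pool)

def route_lookup(routes, dst):
    """Longest-prefix match; returns the egress interface or None."""
    hits = [(ip_network(p).prefixlen, ifp) for p, ifp in routes
            if ip_address(dst) in ip_network(p)]
    return max(hits)[1] if hits else None

def policy_lookup(policies, from_zone, to_zone, dst):
    """First policy in list order matching the zone pair and the destination."""
    for p in policies:
        if (p.from_zone, p.to_zone) == (from_zone, to_zone) and (
                p.dst == "Any" or ip_address(dst) in ip_network(p.dst)):
            return p
    return None

def first_packet(routes, policies, in_ifp, src, dst):
    """Return (verdict, trace); verdict is 'session' or 'drop'."""
    trace = []
    from_zone = IFACES[in_ifp][0]
    out_ifp = route_lookup(routes, dst)
    if out_ifp is None:
        return "drop", trace + [f"no route to {dst}"]
    to_zone = IFACES[out_ifp][0]  # the zone pair is fixed by the pre-NAT route
    trace.append(f"routed ({dst}) from {in_ifp} to {out_ifp}")
    trace.append(f"policy search from zone {from_zone}-> zone {to_zone}")
    pol = policy_lookup(policies, from_zone, to_zone, dst)
    if pol is None:
        return "drop", trace + ["packet dropped, denied by policy"]
    trace.append(f"Permitted by policy {pol.pid}")
    if pol.nat_dst:
        trace.append(f"DST xlate: {dst} to {pol.nat_dst}")
        dst = pol.nat_dst
        out_ifp = route_lookup(routes, dst)
        trace.append(f"routed ({dst}) from {in_ifp} to {out_ifp}")
        if IFACES[out_ifp][0] != to_zone:  # the drop seen in post 7
            return "drop", trace + ["packet dropped, routed to different zone"]
    if pol.nat_src:  # source becomes the egress interface IP, so replies return via the firewall
        src = IFACES[out_ifp][1]
    trace.append(f"session created {src}->{dst} via {out_ifp}")
    return "session", trace

# Post 7: Trust->DMZ policy 38 with nat dst and no host route for the MIP.
POST7 = (BASE_ROUTES, [Policy(38, "Trust", "DMZ", "213.133.107.190/32", nat_dst="10.41.3.14"),
                       Policy(4, "Trust", "DMZ", "Any"), Policy(32, "Trust", "Trust", "Any")])
# Post 12: host route to bgroup0/0 plus a Trust->Trust NAT-src/NAT-dst policy above policy 32.
FIX_ROUTES = [("213.133.107.190/32", "bgroup0/0")] + BASE_ROUTES
P40 = Policy(40, "Trust", "Trust", "213.133.107.190/32", nat_dst="10.41.3.14", nat_src=True)
POST12 = (FIX_ROUTES, [P40, Policy(32, "Trust", "Trust", "Any")])

if __name__ == "__main__":
    for name, (routes, pols) in (("post 7", POST7), ("post 12", POST12)):
        verdict, trace = first_packet(routes, pols, "bgroup0/0", "10.41.3.62", "213.133.107.190")
        print(name, verdict, *trace, sep="\n  ")
```

    Running it prints the post 7 trace ending in "packet dropped, routed to different zone" and the post 12 trace ending in a session from 10.41.3.1 to 10.41.3.14; listing policy 32 above the NAT policy makes policy 32 win and no translation happens, which is why the answer says to place the new policy above it.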



  • 13.  RE: Access from Trust to MIP - is it possible?

    Posted 09-02-2008 05:57

    Hello Vikas,

     

    Thanks a lot! Now I got exactly what I wanted 🙂

     

    Dmitry