Screen OS

Hello,

My company has recently acquired a SSG5 device.We have a small network where some user/PCs (bosses) need full access to the Internet while others should only have restricted access (employees).

After reading a lot in the documentation, I didn't succeed to achieve this.

I read in this forum that it was not possible to define MAC address based policies and looked for another solution.

I neither didn't find a way to define policies based on IP pools in the same subnet (ex: bosses' pcs would go from 192.168.1.2 to 192.168.1.10 and employees' PCs from 192.168.1.100 to 192.168.1.120)

Without still knowing if it is the best alternative, I did the following:

1° creation of two security zones: one for the bosses and another for the employees. They are on two different subnets: 192.168.1.0/24 and 192.168.2.0/24. I would have wanted the same subnet to allow traffic between PCs via the switch (only) and bypass the firewall, but is apparently not possible.

2° binding of ethernet port 0/2 and 0/3 to interface bgroup0 and ethernet port 0/4, 0/5 and 0/6 to interface bgroup1

3° assigning bgroup0 interface to boss security zone and bgroup1 to employee security zone

4° creation of the following policies: boss to employee:full access / employee to boss:full access / boss to untrust: full access /employee to untrust: limited access (based on services and service groups selection)

I cannot get internet access for (at least) the boss "group"

When I assign back the bgroup0 interface to the trust security zone, I have again Internet access.

What is missing in my config ?

Is it the best way to achieve the seeked goal ?

Thank you in advance for your help.

Regards,

David 

Hi,

I guess traffic for boss zone to untrust zone is not getting NAT. So do the following:

Go to the policy which u made for boss security zone to untrust zone->Advance-> Here check source translation and select using egress interface ip

I hope this vl solve ur problem.

Thanks

Hello Kashif,

Thank you for your advice about NAT resolution. It solved effectively the problem

I saw that the ethernet0/0 interface was by default set to "route" mode, the bgroup0 (initially assigned to the trust zone and now to the bosses zone) by default to "NAT" mode and any newly configured bgroup to "route" mode (bgroup1/employees).

Wouldn't it be advisable to set the ethernet0/0 interface to "NAT" mode and the bgroup0 and bgroup1 interfaces to "route" mode ? 

Regards,

David

Hi,

See Interface mode can be route or NAT. If interface mode is NAT, then all recieving traffic on this interface will take the ip of outgoing interface as source IP. Actually this works when traffic is traffic is travelling from trust to untrust zone (not for user defined zone) If interface mode is route, then all recieving traffic on this interface will retain its own source ip when it leaves outgoing interface.

So interface mode relates to source natting. If u want to do source natting then it signifies and u have to put interface in NAT mode (but this works only for trust zone to untrust zone not for user defined zone, If user defined zone as in ur case then for source natting user policy based natting as i suggested u and solved ur problem) otherwise simply put interfaces in route mode, this will make no problem.

I hope u understood.

Thanks

Hello Kashif,

Thank you again for the time spent to explain me those basic "newbies" stuffs

I got the first part of your message and verified it in the logs.

As I said in my initial message, I set both internal zones interfaces (bgroup0 and bgroup1) to route mode so that the original source IPs are kept (no natting, just routing) and the ethernet0/0 interface (untrust zone) to NAT mode so that the source address remains unknown from the outside world

It seems to be working as expected since internal zones' addresses are always translated to the ethernet0/0 value and thus never shown.

What I didn't get is this sentence: "If user defined zone as in ur case then for source natting user policy based natting as i suggested u and solved ur problem)". Can you explain ?

Many thanks

David 

Hello David,

Tell me the name of zonesof bgroup 0 and bgroup 1. I vl explain u what i was saying.

Thanks

tc

Kashif

Hello Kashif,

bgroup0: transauto-master

bgroup1: transauto-slave

Regards,

David 

Hi David,

See when u put trust interface in NAT mode and traffic goes from trust to untrust zone then source IP is translated in to untrust IP.

When traffic goes from user define zone (the zone created by u) to untrust zone then although u put interfaces in user define zone in NAT mode but source translation does not happen. It has two solutions:

1) The VR of user define zone and untrust zone should different (dont confuse by this solution)

2) U should use policy based source natting, as u did u went in policy from user define zone to untrust zone->Advanced-> u checked source translation

Hopes u understood

Thanks

Setting NAT on the interface is what's called interface NAT. Policy NAT is NAT defined in the policy as Kashif recommended earlier. Interface NAT only works when using predefined trust or DMZ zones. As soon as you defined a custom zone and assign that interface to the custom zone, then interface NAT no longer works for that interface. Therefore in the situation where custom zones are used, you must use policy NAT.

In general I always recommend policy NAT anyway because it is more flexible and can perform the same function as interface NAT.

-Richard

This is pretty easy to do actually.  Here is what you can do.

"bgroup0" --> Untrust "Port=eth0/0"

"bgroup1" --> Trust "Port=eth0/1" (Boss Zone)

"bgroup2" --> Trust "Port=eth0/2" (Employee Zone)

Policies:

Trust to Trust intrazone policy allow all

Bozz Zone(Trust) to Any(Untrust) Allow all

Employee Zone(Trust) to Any(Untrust) Deny

Hope this helps.  Let me know the results.