Screen OS

  • 1.  MIP on loopback interface

    Posted 06-13-2012 05:35

    Setup: MIP on a loopback interface (VPN zone) and clients on the Untrust interface (Untrust zone), all in trust-vr.

    Hi,

    With the setup mentioned above, would it be possible for clients on the Untrust interface to connect to MIPs configured on the loopback interface? There are no members for this loopback interface.

    Thanks,

    Viks



  • 2.  RE: MIP on loopback interface
    Best Answer

    Posted 06-13-2012 06:51

    Based on the question, you would need a route in trust-vr that points the IP of the MIP to the loopback interface. Then add a permit policy from the Untrust zone to the VPN zone, source whatever, destination the MIP.



  • 3.  RE: MIP on loopback interface

    Posted 06-13-2012 07:01

    Cool, I thought that the request to a MIP should come from the same zone :(. At least that's what is mentioned in most of the Netscreen books.

    Your answer has cleared my doubt 😄

    By the way, the loopback interface network is showing up as a connected network in trust-vr, which is the only VR on the box.



  • 4.  RE: MIP on loopback interface

    Posted 06-13-2012 09:23

    It depends on what you are doing and how the MIP traffic gets to the firewall.

    The convention is correct if you are expecting the MIP to respond to ARP requests that originate from the network side connected to an Untrust interface that is part of the Untrust zone. If that is the case, the MIP needs to be on that Untrust interface, OR that Untrust interface needs to be a member of the loopback group that has the MIP (the zones also need to match). However, those solutions are not needed if you are already routing the MIP traffic to the firewall via entries on an upstream router.
    The convention is correct if you are expecting the MIP to repond to ARP requests that are originating from the network side connected to an Untrust interface that is part of the Untrust zone.  If that is the case, the MIP needs to be on that Untrust interface OR that Untrust interface needs to be a member of the loopback group that has the MIP(also zones need to match).  However, those solutions are not needed if you are routing the MIP traffic to the firewall already via entries on an upstream router.