ScreenOS Firewalls (NOT SRX)
ScreenOS Firewalls (NOT SRX)

NS5GT - outbound traffic blocked out of dmz: "close - age out"

[ Edited ]
02.17.08   |  
‎02-17-2008 12:55 PM

I recently changed the configuration of my ns5gt to extended to ta advantage of the dmz zone.
unfortunately, there is no way to allow trafic from dmz to untrust, even thoufh the exact same rule applies to the trust zone (trust to untrust).
All I get is "close - age out" as a reason for the trafic to be blocked on the policy dmz->untrust. This obvsiously should have nothing to do with protocol timeouts.
Did i miss something or are there implicit rules that apply to the dmz zone?

eth1 untrust route
eth2 trust nat
eth3 dmz nat

dmz -> untrust permit any (should be narrowed, but it's about troubleshooting) -> doesn't work
trust -> untrust permit any -> ok
trust -> dmz permit any -> ok
and 2 other rules for nat port forwarding (vip::ethernet3) -> ok

Message Edited by Jeannot on 02-17-2008 12:56 PM
ScreenOS Firewalls (NOT SRX)

Re: NS5GT - outbound traffic blocked out of dmz: "close - age out"

02.18.08   |  
‎02-18-2008 05:01 AM
oops, I guess it's answered in thread
set policy from dmz to untrust any any any nat src permit