ScreenOS Firewalls (NOT SRX)

PBR and MIP on same IP address

10-16-2010 01:07 AM

Hi everybody,


We have an SSG140 (ScreenOS 6.2.0) and two Internet providers (ISP1 and ISP2).

The default gateway for all traffic is on ISP1, but we want to direct the mail server's traffic to ISP2.

The mail server uses a private address ( that is translated using a MIP.


How can we configure a PBR that forces the mail traffic out via ISP2 (using a public address from ISP2's address space)?

Does the PBR have to be configured referring to the real server IP or to the translated MIP address?

Do we have to add a specific policy?


We have already tried configuring a PBR, which works well on its own, but when we introduce the MIP to translate to the ISP2 public address we run into trouble.


Policies, the PBR and the interfaces are all configured on the trust-vr.


Thanks in advance.

Giuseppe Proietti



Re: PBR and MIP on same IP address

10-18-2010 01:55 AM

Hi Giuseppe,


This might be a problem with asymmetric routing over the Internet. The outbound direction should be OK. The problem is the inbound sessions. The packets arriving over the ISP2 connection are correctly forwarded to but the response packets are sent to ISP1. I would try to use "unset flow reverse-route clear-text" to disable the route lookup for the reverse direction. The SSG will then send the response packets using the cached MAC address.

You can also configure source-based routing for instead of PBR. SBR is much simpler and does the same in your case.


Kind regards,
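Below is an added ScreenOS 6.x CLI example that puts the thread's pieces together (MIP on the ISP2 interface, the policies, a source-based route keyed on the server's real address, the equivalent PBR objects, and the reverse-route setting). It is not configuration posted by either participant. The interface names, the 10.1.1.10 server address, the ISP gateways and the 203.0.113.10 public address are made-up values; substitute your own. Lines starting with "#" are annotations, not CLI commands. Check keyword order against the ScreenOS 6.2 CLI reference for your release before pasting.

```screenos
# Added example, not from the original thread. Assumed layout:
#   ethernet0/0  zone trust,   10.1.1.1/24      (mail server 10.1.1.10)
#   ethernet0/1  zone untrust, 198.51.100.2/24, ISP1 gateway 198.51.100.1 (default route)
#   ethernet0/2  zone untrust, 203.0.113.2/24,  ISP2 gateway 203.0.113.1
#   203.0.113.10 = public address for the mail server out of ISP2's block
# Everything lives in trust-vr, as in the post.

# 1. MIP on the ISP2-facing interface: 203.0.113.10 <-> 10.1.1.10
set interface ethernet0/2 mip 203.0.113.10 host 10.1.1.10 netmask 255.255.255.255 vrouter trust-vr

# 2. Policies. From the outside the server is referenced as mip(<public address>).
set policy from untrust to trust any mip(203.0.113.10) smtp permit
set policy from trust to untrust any any any permit

# 3a. Source-based routing (the reply's simpler option). The route is keyed on the
#     server's real, untranslated address 10.1.1.10, not on the MIP address, because
#     the lookup happens on the packet as it arrives from the trust side.
#     Default lookup order in a vrouter is SBR first, then destination routes.
set vrouter trust-vr
set source-routing enable
set route source 10.1.1.10/32 interface ethernet0/2 gateway 203.0.113.1
exit

# 3b. Equivalent with PBR (use 3a or 3b, not both): match the real server IP on the
#     ingress (trust) interface and hand it to the ISP2 next hop.
set access-list extended 10 src-ip 10.1.1.10/32 dst-ip 0.0.0.0/0 protocol tcp entry 1
set match-group name mail-out
set match-group mail-out ext-acl 10 match-entry 1
set action-group name to-isp2
set action-group to-isp2 next-interface ethernet0/2 next-hop 203.0.113.1 action-entry 1
set pbr policy name mail-pbr
set pbr policy mail-pbr match-group mail-out action-group to-isp2 1
set interface ethernet0/0 pbr mail-pbr

# 4. For sessions initiated from the Internet, skip the reverse-direction route
#    lookup so replies go back out the interface (and to the MAC) the request
#    came in on, instead of following the ISP1 default route.
unset flow reverse-route clear-text

# Verify: expect the session for 10.1.1.10 to egress ethernet0/2 in both directions.
get route
get pbr policy
get session src-ip 10.1.1.10
```

Either the source route (3a) or the PBR policy (3b) alone covers the outbound direction and the replies of sessions the server receives over ISP2; step 4 is the belt-and-braces setting from the reply for the inbound case. If the server must also accept mail via ISP1, a second MIP on ethernet0/1 would be needed, and 3a/3b would then have to be narrowed to a destination-aware match rather than a plain source match.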