Screen OS


Route and nat interface mode on ssg-550

  • 1.  Route and nat interface mode on ssg-550

    Posted 05-04-2010 06:18

    Hi all,

    I have an ssg-550 with ScreenOS 6.2. This device is configured in route mode with a few servers behind it; each server is in its own security zone and has a different VLAN ID.

    Now I have to move one subnet behind the ssg-550, but this subnet is already in NAT mode, and I cannot change it.

    Is it possible to do it?

    If yes, what is the best way to do it?

    Thanks.



  • 2.  RE: Route and nat interface mode on ssg-550

    Posted 05-04-2010 07:06

    Can't change it?! You can always change the NAT or route mode at the interface level. "set int <ethernet0/x> route" should do it!

    Anyway, my advice as an experienced user and instructor on ScreenOS: always put every interface in route mode and do the NATting in the policy. It's so much clearer what's going on with NATting that way!



  • 3.  RE: Route and nat interface mode on ssg-550

    Posted 05-04-2010 10:48

    Hi zvitins,

    Is the subnet in the trust zone? If not, you can ignore it in either route mode or NAT mode. But if the subnet that you want to move is in the trust zone and there is an existing policy from trust to untrust, you can change it from interface-based NAT to policy-based NAT, because interface-based NAT is only valid for traffic from trust to untrust where the interface in the trust zone is set in NAT mode.

     

     

    thanks


    EL



  • 4.  RE: Route and nat interface mode on ssg-550

    Posted 05-04-2010 11:36

    Hi,

     

    I'll describe my situation in more detail.

    untrust zone (IP 1.1.1.1/29) <> trust zone1 2.2.2.0/28, trust zone2 3.3.3.0/28, trust zone3 4.4.4.0/27 etc ...

    My new subnet has external 5.5.5.0/28 and internal 172.16.16.0/24; there are about 500 websites, and all connections to the database servers are made internally - that's why I cannot change the IP addresses of the servers.

    I can create trust zone5 with IP 5.5.5.0/28, but what is the best way to NAT it?

    I know how to create VIP, MIP and DIP, but as I understand it, that is not the way to do it in this case.

    I have no experience with policy NAT, but if it helps I can learn it.

    Thanks.



  • 5.  RE: Route and nat interface mode on ssg-550

    Posted 05-04-2010 11:44

    Hi Zvitins

     

    If you don't mind, please send me the logical topology and current config (you can mask the important information). Sorry, I don't really understand your explanation.

     

    thanks


    EL



  • 6.  RE: Route and nat interface mode on ssg-550

    Posted 05-04-2010 22:21

    Hi,

     

    I am not a big Visio specialist, but I made a simple picture.

    My config, without policies and other stuff, is:


    set zone id 100 "internet"
    
    set zone id 101 "trust1"
    set zone id 102 "trust2"
    set zone id 104 "trust3"
    set zone id 105 "trust4"
    set zone id 106 "trust5"
    set zone id 107 "trust6"
    set zone id 108 "trust7"
    set zone id 109 "trust8"
    ....
    set zone "Untrust-Tun" vrouter "trust-vr"
    set zone "Trust" tcp-rst 
    set zone "Untrust" block 
    unset zone "Untrust" tcp-rst 
    set zone "MGT" block 
    unset zone "V1-Trust" tcp-rst 
    unset zone "V1-Untrust" tcp-rst 
    set zone "DMZ" tcp-rst 
    unset zone "V1-DMZ" tcp-rst 
    unset zone "VLAN" tcp-rst 
    set zone "internet" tcp-rst 
    set zone "trust1" tcp-rst 
    set zone "trust2" tcp-rst 
    set zone "trust3" tcp-rst 
    set zone "trust4" tcp-rst 
    set zone "trust5" tcp-rst 
    set zone "trust6" tcp-rst 
    ....
    
    set zone "Untrust" screen tear-drop
    set zone "Untrust" screen syn-flood
    set zone "Untrust" screen ping-death
    set zone "Untrust" screen ip-filter-src
    set zone "Untrust" screen land
    set zone "V1-Untrust" screen tear-drop
    set zone "V1-Untrust" screen syn-flood
    set zone "V1-Untrust" screen ping-death
    set zone "V1-Untrust" screen ip-filter-src
    set zone "V1-Untrust" screen land
    set zone "internet" screen on-tunnel
    set zone "internet" screen icmp-flood
    set zone "internet" screen udp-flood
    set zone "internet" screen winnuke
    set zone "internet" screen port-scan
    set zone "internet" screen ip-sweep
    set zone "internet" screen tear-drop
    set zone "internet" screen syn-flood
    set zone "internet" screen ip-spoofing
    set zone "internet" screen ping-death
    set zone "internet" screen ip-filter-src
    set zone "internet" screen land
    set zone "internet" screen syn-frag
    set zone "internet" screen tcp-no-flag
    set zone "internet" screen unknown-protocol
    set zone "internet" screen ip-bad-option
    set zone "internet" screen ip-record-route
    set zone "internet" screen ip-timestamp-opt
    set zone "internet" screen ip-security-opt
    set zone "internet" screen ip-loose-src-route
    set zone "internet" screen ip-strict-src-route
    set zone "internet" screen ip-stream-opt
    set zone "internet" screen icmp-fragment
    set zone "internet" screen icmp-large
    set zone "internet" screen syn-fin
    set zone "internet" screen fin-no-ack
    set zone "internet" screen limit-session source-ip-based
    set zone "internet" screen block-frag
    set zone "internet" screen limit-session destination-ip-based
    set zone "internet" screen icmp-id
    set zone "internet" screen tcp-sweep
    set zone "internet" screen udp-sweep
    set zone "internet" screen ip-spoofing drop-no-rpf-route
    set zone "internet" screen limit-session source-ip-based 256
    set zone "internet" screen limit-session destination-ip-based 2048
    set interface "ethernet0/0" zone "Null"
    set interface "ethernet0/0.2" tag 71 zone "trust2"
    set interface "ethernet0/0.4" tag 73 zone "trust3"
    set interface "ethernet0/0.5" tag 75 zone "trust4"
    set interface "ethernet0/0.6" tag 76 zone "trust5"
    set interface "ethernet0/0.7" tag 77 zone "trust6"
    ......
    set interface "ethernet0/1" zone "DMZ"
    set interface "ethernet0/2" zone "internet"
    unset interface vlan1 ip
    set interface ethernet0/0.1 ip 1.1.1.1/29
    set interface ethernet0/0.1 route
    set interface ethernet0/0.2 ip 2.2.2.2/29
    set interface ethernet0/0.2 route
    set interface ethernet0/0.3 ip 4.4.4.1/29
    set interface ethernet0/0.3 route
    set interface ethernet0/0.4 ip 3.3.3.1/29
    set interface ethernet0/0.4 route
    ......
    
    set interface ethernet0/2 ip 20.20.20.5/26
    set interface ethernet0/2 route
    
    set interface ethernet0/0.1 mtu 1500
    set interface ethernet0/0.2 mtu 1500
    set interface ethernet0/0.3 mtu 1500
    set interface ethernet0/0.4 mtu 1500
    set interface ethernet0/0.5 mtu 1500
    set interface ethernet0/0.6 mtu 1500
    set interface ethernet0/0.7 mtu 1500
    set interface ethernet0/0.8 mtu 1500
    set interface ethernet0/0.9 mtu 1500
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip
    set interface ethernet0/2 manage-ip 20.20.20.20/32
    set interface ethernet0/0.1 ip manageable
    unset interface ethernet0/0.2 ip manageable
    unset interface ethernet0/0.3 ip manageable
    unset interface ethernet0/0.4 ip manageable
    unset interface ethernet0/0.5 ip manageable
    unset interface ethernet0/0.6 ip manageable
    unset interface ethernet0/0.7 ip manageable
    unset interface ethernet0/0.8 ip manageable
    unset interface ethernet0/0.9 ip manageable
    unset interface ethernet0/0.10 ip manageable
    unset interface ethernet0/0.11 ip manageable
    unset interface ethernet0/0.12 ip manageable
    set interface ethernet0/2 ip manageable
    set interface ethernet0/0.2 manage ping
    set interface ethernet0/0.3 manage ping
    set interface ethernet0/0.4 manage ping
    set interface ethernet0/0.5 manage ping
    set interface ethernet0/0.6 manage ping
    set interface ethernet0/0.7 manage ping
    set interface ethernet0/0.8 manage ping
    set interface ethernet0/0.9 manage ping
    set interface ethernet0/0.10 manage ping
    set interface ethernet0/0.11 manage ping
    set interface ethernet0/0.12 manage ping
    set interface ethernet0/2 manage ping
    set interface ethernet0/2 manage ssh
    set interface ethernet0/2 manage snmp
    set interface ethernet0/2 manage web
    unset flow no-tcp-seq-check
    set flow tcp-syn-check
    unset flow tcp-syn-bit-check
    set flow reverse-route clear-text prefer
    set flow reverse-route tunnel always
    set hostname device-a
    set pki authority default scep mode "auto"
    set pki x509 default cert-path partial
    set nsrp cluster id 1
    set nsrp rto-mirror sync
    set nsrp rto-mirror route
    set nsrp vsd-group init-hold 25
    set nsrp vsd-group hb-threshold 4
    set nsrp vsd-group hb-interval 200
    set nsrp vsd-group id 0 priority 1
    set nsrp encrypt password xxxxxxx
    set nsrp auth password xxxxxxxxx
    set nsrp monitor interface ethernet0/2
    set nsrp monitor track-ip ip
    set nsrp monitor track-ip ip 11.111.11.1 weight 255
    
    ....

     

     



  • 7.  RE: Route and nat interface mode on ssg-550

    Posted 05-07-2010 02:13

    Hello,

     

    Any ideas about this problem?



  • 8.  RE: Route and nat interface mode on ssg-550

    Posted 05-07-2010 02:58

    Do you want to NAT from untrust to the servers, or from the servers to untrust? It's not clear to me.



  • 9.  RE: Route and nat interface mode on ssg-550

    Posted 05-07-2010 03:42

    Hi Screenie,

    I'll try to describe my situation again.

    I already described my current configuration for the ssg-550 cluster.

    I also have one ssg-140, which is configured in NAT mode:

     

     

    ...
    set interface trust ip 192.168.248.1/28
    set interface trust nat
    set interface untrust ip 1.2.3.5/26
    set interface untrust route
    ...

     

     

    Now I have to move the network/servers from the ssg-140 to the ssg-550, but I cannot change the internal or external IP addresses of the servers behind the ssg-140.

    At this moment there are web and SQL servers behind the ssg-140, and users have to access these servers via the HTTP, SSH and SQL ports.
    The servers have to access some external resources via FTP and HTTP.

    I want to find the best way to do it.

    Thanks.



  • 10.  RE: Route and nat interface mode on ssg-550

    Posted 05-07-2010 04:00

    Hi zvitins

     

    1. Is your SSG140 the default gateway for the server that you want to move?

    2. Is your server also accessed by another server?

    3. I think you should know the data flow or traffic flow before you migrate it.

    4. And if your public IP resides on the SSG140, you should make a link between the SSG140 and the SSG550.

     

    thanks


    EL



  • 11.  RE: Route and nat interface mode on ssg-550

    Posted 05-07-2010 04:43

    Hi ELKIM

     

    1. Yes, the ssg-140 is the default gw for the servers, but we have only one device, and that is the reason why I want to move these servers to the ssg-550 cluster.

    2. In the internal subnet all servers can communicate with each other; all servers are in one security zone.

    Once I understand how to do the configuration on the ssg-550, I will schedule downtime, turn off the ssg-140 and move the IP addresses to the ssg-550.

    Thanks



  • 12.  RE: Route and nat interface mode on ssg-550

    Posted 05-07-2010 06:58

    So you can load the SSG140 config on one 550, create a cluster, and swap the 140 for the cluster. No changes to the NATting, I believe.



  • 13.  RE: Route and nat interface mode on ssg-550

    Posted 05-07-2010 07:21

    Hi,

     

    When I load the config from the ssg-140 onto the ssg-550, I believe I will lose my current configuration on the ssg-550 cluster; that cannot be allowed, because it is a very important working environment.

    I need to integrate the ssg-140 config into this working environment without disrupting the already running services.



  • 14.  RE: Route and nat interface mode on ssg-550

    Posted 05-07-2010 17:31

    Since you have an operational system already, you can use the "merge" function in the load configuration.

     

    You will need to open the configuration file for your SSG140 in a text editor.  Then pull out the commands for your zones, interfaces and rules that are not in the SSG550 yet.  Edit any interface numbers as needed to match the new location.

     

    Save this subset of commands in a separate text file. 

     

    On your primary firewall in the web interface go to:

    Configuration--Update--Config File

     

    Select your new text file and the merge option.

     

    This will execute all these configuration options as a group on the new primary firewall.  Then sync these with the backup if this is not configured as automatic in your cluster.



  • 15.  RE: Route and nat interface mode on ssg-550

    Posted 05-07-2010 21:37

    Hi Spuluka,

     

    I know about the merge function.

    As I already have an operational system, I am worried about the correct way to merge my configs.

    On the ssg-550 the untrust interface has IP x.x.x.x, but on the ssg-140 the untrust interface has y.y.y.y; I want to know where to put the IP from the ssg-140 on the ssg-550, and what is the best way to NAT this subnet.

    In this case I need advice not on how to configure my device, but on the whole concept/idea of how to put an interface with NAT on the ssg-550 (where all interfaces are in route mode) - is it possible at all, or does it not matter?

    My idea is to create two zones on the ssg-550, one for y.y.y.y and a second for the internal subnet.

    ssg-550

                 route             nat

    untrust <----->y.y.y.y<----->internal IP

                          zone1          zone2

    Thanks



  • 16.  RE: Route and nat interface mode on ssg-550

    Posted 05-08-2010 04:33

    Sorry for my confusion.  Let's see if I understand this now.

     

    If I understand correctly you have the NAT rules and sub-interfaces created and working on the SSG-140.  And that you are retiring this device.  Is that true?

     

    If so, then you could:

     

    Move the configuration of the interface on ssg-140 on untrust y.y.y.y to a new port on the SSG-550.  Create the zones and sub-interfaces all as they are there and just change interface names as needed.

     

    Or

     

    If this is another IP range that can be delivered onto your existing untrust interface on the ssg-550 (IP x.x.x.x), then you could load that IP group onto a loopback interface instead. Then you still migrate all the zones, policies and sub-interfaces as above.

     

    I hope I understand correctly what you are trying to accomplish.



  • 17.  RE: Route and nat interface mode on ssg-550

    Posted 05-08-2010 23:43

    Hi,

    On the ssg-140 there are no sub-interfaces, only two interfaces with NAT.
    The sub-interfaces are created on the ssg-550, where I want to move the servers which are behind the ssg-140.


    On the ssg-550 there are no free eth ports, so I will try your second suggestion.
    You mean to put y.y.y.y on the ssg-550 untrust like a secondary IP?




  • 18.  RE: Route and nat interface mode on ssg-550
    Best Answer

    Posted 05-09-2010 18:57

    I am assuming that your additional IP range is in the untrust zone since you are using NAT to servers.  You cannot set a secondary IP address in the untrust zone.  Instead you create a loopback interface for the secondary range.

     

    This is under Network--Interfaces in the web UI. Create a new interface and assign it to untrust with the secondary IP address and mask for that range. The loopback interfaces are numbered loopback.1, loopback.2 and so on.

     

    You can then create your NAT just as if this were a physical port.
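Spuluka's merge preparation (pull the zone, interface and policy commands out of the SSG-140 file, rename interfaces, load them with the merge option) together with the loopback suggestion in this answer, as an added Python example that is not from this thread or from Juniper. It assumes a hypothetical interface map (trust -> ethernet0/0.13, untrust -> loopback.1), converts interface NAT mode to route mode as advised in post 2, and flags zone or policy ids already in use on the SSG-550; the sample configs are constructed from the ones quoted above, and the "set policy" lines are my assumption of ScreenOS policy syntax.

```python
import re
# Constructed sample configs modelled on the two quoted in this thread; the
# "set policy" lines are my assumption of ScreenOS policy syntax.
SSG140 = """\
set zone id 100 "servers"
set zone "Untrust" block
set interface trust ip 192.168.248.1/28
set interface trust nat
set interface untrust ip 1.2.3.5/26
set interface untrust route
set policy id 7 from "servers" to "Untrust" "Any" "Any" "HTTP" permit
"""
SSG550 = """\
set zone id 100 "internet"
set zone "Untrust" block
set interface ethernet0/2 ip 20.20.20.5/26
set policy id 1 from "internet" to "trust1" "Any" "Any" "HTTP" permit
"""

# Post 14: pull out zones, interfaces and rules; device-local settings stay behind.
MIGRATE_PREFIXES = ("set zone ", "set interface ", "set policy ", "set address ")
IFACE_RE = re.compile(r'^(set interface )"?([^\s"]+)"?')
ID_RES = {"zone": re.compile(r"^set zone id (\d+) "),
          "policy": re.compile(r"^set policy id (\d+) ")}

def config_lines(text):
    """Split a config dump into commands, dropping blanks and '....' elisions."""
    lines = [ln.strip() for ln in text.splitlines()]
    return [ln for ln in lines if ln and not ln.startswith(".")]

def prepare_merge(src_text, dst_text, iface_map):
    """Return (commands to load with the merge option, warnings to review first)."""
    dst = config_lines(dst_text)
    used = {k: {r.match(ln).group(1) for ln in dst if r.match(ln)} for k, r in ID_RES.items()}
    merged, warnings = [], []
    for ln in config_lines(src_text):
        if not ln.startswith(MIGRATE_PREFIXES) or ln in dst:
            continue                        # not migrated, or already on the SSG-550
        m = IFACE_RE.match(ln)
        if m and m.group(2) in iface_map:   # hypothetical map: old name -> SSG-550 port/loopback
            ln = m.group(1) + iface_map[m.group(2)] + ln[m.end():]
        if ln.endswith(" nat"):             # post 2: route mode, do the NAT in the policy
            warnings.append("set to route mode; add policy NAT for: " + ln)
            ln = ln[:-4] + " route"
        clash = [k for k, r in ID_RES.items() if r.match(ln) and r.match(ln).group(1) in used[k]]
        if clash:                           # zone/policy id collides with the running config
            warnings.append("%s id already used on target, renumber: %s" % (clash[0], ln))
            continue
        merged.append(ln)
    return merged, warnings
```

The loopback interface itself still has to be created in the untrust zone under Network--Interfaces before the merge, and the policy NAT for the converted interface is written by hand.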



  • 19.  RE: Route and nat interface mode on ssg-550

    Posted 05-11-2010 00:58

    Hi Spuluka.

     

    Thanks, I will try your suggestion.