ScreenOS Firewalls (NOT SRX)

SSG VIP/NAT issue?

12-06-2013 07:10 AM

I have an SSG I am having an issue creating a VIP on. The SSG has an external interface (sanitized for this post) at

I created a VIP using an extra address I have at I created a rule to allow the traffic, and the VIP:

myssg-> get config | in 223
set interface ethernet0/0 vip 22 "SSH"
set address "Trust" ""
set policy id 52 from "Untrust" to "Trust"  "Any" "" "ANY" nat src dst ip port 22 permit log
set route vrouter "untrust-vr" preference 20 metric 1

The SSG can ping the device just fine; however, I cannot SSH or SFTP anything from the outside world (untrust) and have it forwarded to the internal side.

eth0/0 ( is using NAT (set interface ethernet0/0 nat)

So I'm brainfarted on this one.


Re: SSG VIP/NAT issue?

12-06-2013 11:38 PM



Please follow the link.


The policy seems to be incorrect. When you create a VIP, an object is created; use the VIP object.


Let me know if you still have any issue.


Thanks & regards,
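
What "use the VIP object" looks like in the configuration, as an added example that is not part of the original thread. The addresses 203.0.113.10 (VIP) and 10.1.1.20 (internal host) and the address-book name "ssh-host" are constructed placeholders, because the thread's own values were sanitized; lines starting with # are annotations, not ScreenOS commands.

```text
# VIP definition on the untrust interface:
# public address, public port, service, internal host (placeholder values)
set interface ethernet0/0 vip 203.0.113.10 22 "SSH" 10.1.1.20

# Shape of the policy posted in the question: the destination is an
# address-book entry in Trust, with policy-based NAT added on top.
# Inbound traffic arrives addressed to the VIP, so it does not match.
set policy id 52 from "Untrust" to "Trust" "Any" "ssh-host" "ANY" nat src dst ip 10.1.1.20 port 22 permit log

# Policy referencing the VIP object that ScreenOS creates with the VIP.
# The VIP performs the destination translation, so no "nat dst" is needed,
# and the service is narrowed from ANY to the one service the VIP maps.
set policy from "Untrust" to "Trust" "Any" "VIP(203.0.113.10)" "SSH" permit log
```

After the change, `get policy` should list the destination as the VIP object, and the policy log should show hits when an outside host connects to port 22 on the VIP address.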