ScreenOS Firewalls (NOT SRX)

Why can't I forward to my DMZ Web Server?

‎03-21-2013 05:01 PM

I have a simple network on SSG20 running 6.3.0r13.0


4 zones

Trust (2 interfaces: and

1 Untrust (1 Public interface - public ISP)

DMZ (1 interface


Untrust is connected to static IP from ISP.


Untrust has VIP pointing to web server in DMZ (port 81) and a server in Trust (port 80)


The VIP to Trust works fine.

From DMZ I can access Trust and Untrust services (have Any-Any policies for now).

I have a src-NATed DMZ-to-Untrust policy.


I have Internet access from Trust (and DMZ also) via route configuration. See attached cfg.


For the life of me, I cannot figure out why traffic is not getting forwarded from the Internet to the DMZ server! When I do a debug trace, I see traffic being forwarded to the DMZ server (, but nothing comes back. How can that be when the server has all access to the outside?


Much appreciated.





Accepted by topic author acclaim
‎08-26-2015 01:27 AM

Re: Why can't I forward to my DMZ Web Server?

‎03-21-2013 07:18 PM



1. do a 'get vip' and check status of VIP on dmz.
2. do src-nat on policy id 15.
3. get log traffic policy 15

If after the above 3 steps you don't see a response from the server, then I suggest doing a packet capture on the server.

Hope this helps.





Re: Why can't I forward to my DMZ Web Server?

‎03-22-2013 07:28 AM

You are correct!


The issue was on the server. After doing a tcpdump trace, I realized the Linux firewall was blocking port 80.
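The server-side check that settled this thread, as an added example that is not part of the original posts: it reads `tcpdump -nn` text captured on the server and reports, per inbound connection attempt, whether the host answered the SYN. The sample capture and its addresses are constructed (documentation ranges), and `classify` is a hypothetical helper name.

```python
import re

# Constructed `tcpdump -nn` output; addresses are documentation ranges,
# not values from the thread. 192.0.2.10 stands in for the DMZ server.
SAMPLE = """\
10:00:01.000001 IP 198.51.100.7.40001 > 192.0.2.10.80: Flags [S], seq 1, win 64240, length 0
10:00:02.000001 IP 198.51.100.7.40001 > 192.0.2.10.80: Flags [S], seq 1, win 64240, length 0
10:00:03.000001 IP 198.51.100.7.40002 > 192.0.2.10.22: Flags [S], seq 5, win 64240, length 0
10:00:03.000100 IP 192.0.2.10.22 > 198.51.100.7.40002: Flags [S.], seq 9, ack 6, win 65160, length 0
10:00:04.000001 IP 198.51.100.7.40003 > 192.0.2.10.8080: Flags [S], seq 7, win 64240, length 0
10:00:04.000100 IP 192.0.2.10.8080 > 198.51.100.7.40003: Flags [R.], seq 0, ack 8, win 0, length 0
"""

LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")


def classify(capture, server_ip):
    """Map (client_ip, client_port, server_port) to how the server replied.

    'answered' = SYN-ACK seen, 'refused' = RST seen,
    'no reply' = SYN arrived at the host but no TCP reply left it, which is
    what a host firewall dropping that port typically looks like.
    """
    flows = {}
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        sport, dport = int(sport), int(dport)
        if dst == server_ip and flags == "S":
            # Retransmitted SYNs map to the same key and keep the first state.
            flows.setdefault((src, sport, dport), "no reply")
        elif src == server_ip and (dst, dport, sport) in flows:
            key = (dst, dport, sport)
            if flags.startswith("S"):      # "S." is SYN-ACK
                flows[key] = "answered"
            elif "R" in flags:             # "R" or "R." is a reset
                flows[key] = "refused"
    return flows


if __name__ == "__main__":
    for (client, cport, sport), verdict in classify(SAMPLE, "192.0.2.10").items():
        print(f"{client}:{cport} -> port {sport}: {verdict}")
```

A flow that stays at "no reply" while the firewall's debug trace shows the packet being forwarded points at the host, not at the VIP or policy.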