From: gerarddillon on
I am trying to set up a Netscreen-25 with the following configuration:

Interface1: Trust (192.168.x.0/24)
Interface2: DMZ (10.10.10.0/24)
Interface3: Untrust (x.x.x.y/27)
Interface4: Untrust2 (x.x.x.x/27)

For the purposes of explaining what I want to achieve, I have
essentially set up the following policies:

1. Trust->Untrust (allow approved protocols)
2. Untrust->Trust (allow protocols via MIP/VIP)
3. Untrust2->Trust (allow protocols via MIP/VIP)
4. Untrust->DMZ (allow protocols via MIP/VIP)
5. Untrust2->DMZ (allow protocols via MIP/VIP)
6. Trust->DMZ (allow approved protocols)

I have set up default gateways for both of the Untrusted interfaces.

I can get policies 1 and 2 to work. I cannot get policy 3 to work.
Because I cannot get policy 3 to work I have not tested policies 4, 5 and
6 yet.

I was wondering if what I am trying to do is impossible with an NS-25?
I can't get traffic to forward from the Untrust2 interface to a node in
the trusted LAN.

regards,

Gerard Dillon

From: Somebody. on

<gerarddillon(a)hotmail.com> wrote in message
news:1128491580.678389.66010(a)z14g2000cwz.googlegroups.com...
> I am trying to set up a Netscreen-25 with the following configuration:
>
> Interface1: Trust (192.168.x.0/24)
> Interface2: DMZ (10.10.10.0/24)
> Interface3: Untrust (x.x.x.y/27)
> Interface4: Untrust2 (x.x.x.x/27)
>
> For the purposes of explaining what I want to achieve, I have
> essentially set up the following policies:
>
> 1. Trust->Untrust (allow approved protocols)
> 2. Untrust->Trust (allow protocols via MIP/VIP)
> 3. Untrust2->Trust (allow protocols via MIP/VIP)
> 4. Untrust->DMZ (allow protocols via MIP/VIP)
> 5. Untrust2->DMZ (allow protocols via MIP/VIP)
> 6. Trust->DMZ (allow approved protocols)
>
> I have set up default gateways for both of the Untrusted interfaces.
>
> I can get policies 1 and 2 to work. I cannot get policy 3 to work.
> Because I cannot get policy 3 to work I have not tested policies 4, 5 and
> 6 yet.
>
> I was wondering if what I am trying to do is impossible with an NS-25?
> I can't get traffic to forward from the Untrust2 interface to a node in
> the trusted LAN.
>
> regards,
>
> Gerard Dillon

Ok, when you say
> 3. Untrust2->Trust (allow protocols via MIP/VIP)
What do you mean *exactly*?

A policy for a MIP or a VIP must have that VIP/MIP as its destination
address, not the local address of the destination object. But, in case of
policy 3, you must define the MIP/VIP on eth3, not eth2 like you will need
to for policies 4 and 6.

You'll probably find that policy 6 is redundant because of policy 4,
depending which firmware rev you're running, but it might not be.

That all said, VIPs or MIPs in the DMZ or other zones are perfectly
allowable.

How about you post the line defining eth3, the line defining the MIP/VIP
you're using for policy 3, and policy 3 for us, as well as the lines
defining any address objects used in policy 3 or any custom service(s) used
in policy 3. Just change one or two of the octets in the public addresses
for security purposes. That will make a good starting point for us to look
at.

-Russ.
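The two mistakes Russ describes (pointing the policy at the private host instead of the MIP, and defining the MIP on the wrong interface) are easier to see side by side. The ScreenOS-style lines below are an added example, not taken from this thread or from either poster's configuration. The interface-to-zone bindings (ethernet2 = Untrust, ethernet3 = Untrust2), the address object name "web-server", the policy id, and all addresses are assumptions: 192.168.1.10 stands in for the Trust-side host and 203.0.113.10 for a public address taken from the Untrust2 block (x.x.x.x/27 in Gerard's post).

```text
# Added example (not from the thread). Assumed bindings and placeholder addresses.
set interface ethernet1 zone Trust
set interface ethernet2 zone Untrust
set interface ethernet3 zone Untrust2

# Address object for the Trust-side host (assumed name and address).
set address Trust "web-server" 192.168.1.10 255.255.255.255

# --- Wrong for policy 3 ---
# MIP defined on the Untrust interface (ethernet2), so packets arriving on
# Untrust2 never match it, and the policy's destination is the private host.
set interface ethernet2 mip 203.0.113.10 host 192.168.1.10 netmask 255.255.255.255 vr trust-vr
set policy id 3 from "Untrust2" to "Trust" "Any" "web-server" "HTTP" permit

# --- Right for policy 3 ---
# MIP defined on the interface the Untrust2 traffic actually arrives on
# (ethernet3), and the policy's destination is the MIP object itself.
set interface ethernet3 mip 203.0.113.10 host 192.168.1.10 netmask 255.255.255.255 vr trust-vr
set policy id 3 from "Untrust2" to "Trust" "Any" "MIP(203.0.113.10)" "HTTP" permit
```

The same pattern applies to policies 4 and 5: each from-zone gets its own MIP on its own interface, and each policy's destination is that zone's MIP object rather than the DMZ host's 10.10.10.x address. Checking `get mip` and `get policy id 3` after the change shows whether the MIP is attached to the expected interface and whether the policy references the MIP rather than the address-book entry.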

