SSG 5: Problem creating my own Zones

  • Hi

    When I make my own zones, and after that make a policy that allows any traffic from any address in this zone to any address in the Untrust (built-in) zone, all I can do is ping the outer interface of my FW; I can’t make it reach any further… Anyone have any suggestions?


  • (Sorry for the late reply; Easter.) I see, well, thank you very much!

  • Yeah, that is all right. There has been a “grammatical bug” in the firmware for a long time already, so that different parts of that tooltip are written right after each other with no space in between. So the real meaning is: “Index: 18” “Policy based NAT” “NAT (Use Interface IP)”.

  • Thank you very much! Phew, that seems to solve it.

    Now, under the policy the action “button” is blue, and when I hover the mouse over it, it says: “Index: 40Policy-based NATNAT (Use interface IP)”

    Is this how it should look? I just thought the “NATNAT” looked a bit “funny”?

    Thank you,

  • I know that if you do a custom zone and a policy from that zone to Untrust, then you have to use src-nat (default, egress) in the Advanced page of the policy. I don’t know why this is needed for custom zones and not for the Trust zone on the SSG-5, but that’s how it is.

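The policy-based source NAT that the reply above describes, written out as ScreenOS CLI. This is an added example, not configuration posted in the thread; the zone name "customers", the subinterface bgroup3.1, the VLAN tag, the addresses and the policy ordering are assumptions chosen to match the setup described in the thread.

```screenos
# Custom zone for the quarantined customer VLAN.
# Zone name, interface, tag and addresses are assumptions for this example.
set zone name "customers"
set interface bgroup3.1 tag 10 zone "customers"
set interface bgroup3.1 ip 192.168.10.1/24
set interface bgroup3.1 nat

# Before: a plain permit. Packets leave with their private 192.168.10.x
# source address, so only the firewall's own outside interface can answer
# and nothing beyond it replies.
# set policy from "customers" to "Untrust" "Any" "Any" "ANY" permit

# After: source NAT to the egress interface IP, which is what the WebUI
# shows as "Policy based NAT" / "NAT (Use Interface IP)" in the tooltip.
set policy from "customers" to "Untrust" "Any" "Any" "ANY" nat src permit

# Verify what was installed: the policy line should show "nat src".
get policy from "customers" to "Untrust"
```

The "before" line is left commented out so the two forms can be compared; only the `nat src permit` policy should be active. Because the zone is meant for untrusted customer machines, keep it to this single outbound policy and add no policy from "customers" to Trust.
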
  • Sure…

    This interface is set up as a subinterface in NAT mode. The parent interface is bgroup3 (and this is NAT as well). I would like to use this interface for customer machines coming in full of malware, thus I want a custom security zone for this subinterface/VLAN/subnet. However, as soon as I try to make my own zones, instead of relying on the built-in ones, I can only reach as far as the outer interface/IP of my FW.

    Let me know if you need more info.

  • First, a couple of questions: how are your interfaces set up, e.g. Route or NAT mode? Can you also give a bit more detail about what you are trying to achieve?