Policy nat-dst and pbr



  • Hi all,
    I have searched the forum but found nothing…

    I have an SSG 140 with three interfaces (trust, untrust and dmz).

    I'm trying to configure policy nat-dst to accomplish this scenario:

    public IP AAA connects to public IP BBB
    public IP CCC connects to public IP BBB

    AAA should connect to a server in the LAN on the trust interface
    CCC should connect to a server in the LAN on the dmz interface

    I have configured two policies (specifying the advanced option destination translation, BBB IP).

    But what about the static route?

    IP BBB should be routed to the trust interface in the first case and to the dmz interface in the second case.

    I have tried to configure PBR, but nothing…

    Do you have any suggestion?

    Thanks



  • If you want to configure one and the same service on one and the same public IP to go to two different servers, then usually I use a simple workaround: for one I use default port forwarding with a VIP, but for the other I create another service and in the VIP configuration I "translate/map" that other port to the port that is working on the server.

    The most common example is to set up two different web servers on one and the same address, one accessible at http://ip4.me and the other at http://ip4.me:81, where 81 is the "Virtual Port" and 80 is the "Map to Service" port in the VIP conf. If PBR doesn't work, then you should use this.



  • Thank you echo,
    the two servers are two AS/400s and they use the standard tn5250 emulator (telnet)…

    So I'm in the second case. I have tried to configure PBR [extended access list, match group, action group (next hop on the right interface) and policy] but it doesn't work…

    Bye



  • I understand that
    src AAA (from somewhere) goes to BBB (on the SSG140) and is forwarded to a server in the trust zone, and
    src CCC (from somewhere) goes to BBB (on the SSG140) and is forwarded to a server in the dmz zone.
    The question: do you need to forward ALL traffic or just certain services?

    If just certain services, then make a VIP on the BBB address so that certain services go to one server (just use the right IP when configuring the VIP) and other services to another.

    Or do you want to forward one and the same service to two different servers, with the differentiation made only by the src address? I think then you should use PBR, but that is not very easy to understand and get working, because there are so many possibilities for doing things with PBR.
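As an added example (not posted by anyone in this thread), here is the VIP port-mapping workaround from the second reply, and the "different services to different servers" VIP split from the last reply, written as ScreenOS CLI. The interface name, the documentation-range addresses and the AAA/CCC address-book entries are assumed placeholders; lines starting with # are commentary, not CLI.

```screenos
# Assumed placeholders (constructed, not from the thread):
#   ethernet0/0   untrust interface that owns public address 203.0.113.10 (the "BBB" role)
#   10.1.1.20     server in the trust zone, listening on TCP 80
#   10.2.1.20     server in the dmz zone, also listening on TCP 80
#   198.51.100.5  the "AAA" peer, 198.51.100.9 the "CCC" peer
#
# Same public IP, same service (HTTP), two servers: the VIP distinguishes them
# by virtual port, and maps each virtual port back to the real service (80).
set interface ethernet0/0 vip 203.0.113.10 80 HTTP 10.1.1.20
set interface ethernet0/0 vip 203.0.113.10 81 HTTP 10.2.1.20
#
# Policies reference the VIP as destination and the mapped service; the
# destination zone follows the server the VIP entry points to, so no static
# route for 203.0.113.10 toward trust or dmz is needed. Scoping each policy to
# the expected peer address keeps the port split from being the only control.
set address untrust AAA 198.51.100.5/32
set address untrust CCC 198.51.100.9/32
set policy from untrust to trust AAA VIP(203.0.113.10) HTTP permit
set policy from untrust to dmz CCC VIP(203.0.113.10) HTTP permit
```

For the tn5250 case in the third post the same pattern applies with TELNET as the map-to service and a second virtual port for the dmz host, provided the clients can be pointed at the non-standard port.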

