2 Untrust Interfaces & 2 NAT IP addresses



  • In my current setup I have an SSG140 with several trusted interfaces and one Untrust interface.
    My inside PCs, when they connect to the Internet, get NATed to the public IP.
    Now I would like to assign one more interface to the Untrust zone, which connects to our partner network.

    Now can I configure another NAT IP on the partner network segment, so that when an inside PC connects to the partner network it gets NATed to another IP address?



  • When I execute
    get log traffic src_ip
    for the allowed traffic I do not see any logs. But if I telnet on a non-allowed port, I can see the traffic getting denied. Please advise.



  • OK, if possible, collect a flow basic debug. Check the link below for info on setting it up:

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB12208&actp=search&viewlocale=en_US&searchid=1349333368779

    This will give you a better idea of what is happening to the data…
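The flow debug suggested above, as an added example of the ScreenOS CLI sequence (not part of the original post; the KB article is the authoritative reference). The addresses are assumed: LAN PC 10.1.1.50, partner host 10.50.1.10, service TCP 5200.

```screenos
## Added example, not from the thread: capturing a "debug flow basic" trace for one
## LAN host talking to the partner. Assumed addresses: LAN PC 10.1.1.50,
## partner host 10.50.1.10, destination port TCP 5200.

## Restrict the debug to the flow of interest; without a filter the buffer fills with noise.
set ffilter src-ip 10.1.1.50 dst-ip 10.50.1.10 dst-port 5200
get ffilter

## Start the trace into the debug buffer and empty any old contents.
debug flow basic
clear db

## Now generate the traffic from the PC, e.g. from a Windows prompt:  telnet 10.50.1.10 5200
## (ICMP will not match a TCP-5200 policy, so ping is not a useful test for that rule.)

## Stop debugging before reading, then dump the buffer.
undebug all
get db stream

## Read the output for, in order: the ingress zone/interface, the route lookup
## (which must resolve to ethernet0/4, not the ISP interface), the policy search
## and the policy id that matched, and the source NAT applied (egress IP or DIP).
## A route that resolves to the ISP interface, or a policy search that ends at the
## clean-up/deny rule, points at the misconfiguration.

## Useful cross-checks while the session is open:
get session src-ip 10.1.1.50 dst-ip 10.50.1.10
get route ip 10.50.1.10

## Clean up so the filter does not affect later troubleshooting.
unset ffilter 0
clear db
```

If the route lookup in the trace already shows the ISP interface, stop there: the missing or wrong static route explains both the failed connection and the absence of hits on the Trust-to-Untrust policy.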



  • Yes, I have defined static routes for the partner network pointing to their router on the e0/4 interface.
    I have tried telnet at the command prompt. I do not see any logs on the corresponding access rule which allows tcp 5020. If I telnet on a non-allowed port (other than 5020) then I can see the logs on the clean-up rule, without any translation, getting denied.



    • What is the partner subnet you are trying to connect to? If it is anything other than 192.168.12.x/24, you will need a route configured for that network, pointing to e0/4. If not, the FW will send this traffic out your ISP interface rather than e0/4.
    • Since your policy is for TCP 5200, you would not see ICMP in there. See if you can add ICMP to this policy, enable logging and then test again.
    • You can also test for TCP 5200: from the cmd prompt of a LAN machine, type ‘telnet <partner machine ip> 5200’ and see if it generates any logs on the policy.


  • @ataro:

    Let me explain the whole topology.
    SSG140 with 2 in DMZ and one Untrust interface. Untrust has got a public IP address and everything is working fine.

    Now I have defined one more interface, e0/4, as Untrust with the private IP 192.168.12.1/24, which connects to our partner's router. I have defined a DIP on this interface as 192.168.12.10.
    Added static routes for the partner network.
    Now an access rule on top, from Trust to Untrust allowing tcp/5200, advanced option, select Source Translation, DIP (192.168.12.10).

    What’s wrong with the above rule base? I am unable to connect to the partner network. I do not have access to the partner router. So how can I investigate further? I do not see any logs for ICMP on the top-most rule allowing ICMP.






  • You don’t need a NAT rule here. Assign this ‘single’ IP to the interface which connects to the partner network. Let's say this interface is in a ‘Partner’ zone. Create a policy to allow traffic from your LAN to this partner zone and enable ‘NAT - use egress interface IP’ on this policy. This will take care of things.

    In case you are expecting incoming traffic from the partner side to your servers, you will need to create VIPs on this interface, mapping it to internal servers based on ports…
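The configuration described in the reply above (separate Partner zone, source NAT to the egress interface IP, VIP for inbound), together with the DIP variant from the @ataro post, as an added ScreenOS CLI example. This is not configuration from the thread; all addresses are assumed: LAN 10.1.1.0/24 in Trust, partner link on ethernet0/4 with 192.168.12.1/24, partner router 192.168.12.2, partner subnet 10.50.0.0/16, internal server 10.1.1.20 exposed on TCP 5200.

```screenos
## Added example, not from the thread. Assumed values: LAN 10.1.1.0/24 (Trust),
## partner link on ethernet0/4 = 192.168.12.1/24, partner router 192.168.12.2,
## partner subnet 10.50.0.0/16, LAN host 10.1.1.20 to be exposed on TCP 5200.

## 1. Put the partner link in its own zone instead of Untrust, so policies and
##    logs for partner traffic are separate from Internet traffic.
set zone name "Partner"
set interface ethernet0/4 zone "Partner"
set interface ethernet0/4 ip 192.168.12.1/24
set interface ethernet0/4 route

## 2. Route the partner subnet out of ethernet0/4. Without this the default
##    route sends it to the ISP interface and the Trust->Partner policy never matches.
set route 10.50.0.0/16 interface ethernet0/4 gateway 192.168.12.2

## 3. Address and service objects used by the policies.
set address "Partner" "partner-net" 10.50.0.0 255.255.0.0
set address "Trust" "app-server" 10.1.1.20 255.255.255.255
set service "TCP-5200" protocol tcp src-port 0-65535 dst-port 5200-5200

## 4. Outbound: LAN -> partner, source NAT to the egress interface IP (192.168.12.1).
##    No DIP pool is needed for this. "log" is set so "get log traffic" shows hits.
set policy id 10 top from "Trust" to "Partner" "Any" "partner-net" "TCP-5200" nat src permit log

## Alternative if the partner must see a specific address other than the interface
## IP: a one-address DIP pool in the interface subnet, referenced from the policy.
## set interface ethernet0/4 dip 4 192.168.12.10 192.168.12.10
## set policy id 10 top from "Trust" to "Partner" "Any" "partner-net" "TCP-5200" nat src dip-id 4 permit log

## 5. Inbound (only if the partner must reach your server): a VIP in the interface
##    subnet, port 5200 mapped to the internal host, plus a policy to the VIP.
set interface ethernet0/4 vip 192.168.12.11 5200 "TCP-5200" 10.1.1.20
set policy id 11 from "Partner" to "Trust" "partner-net" "VIP(192.168.12.11)" "TCP-5200" permit log

save
```

The outbound policy is restricted to the partner subnet and one service rather than "Any", so a host on the LAN cannot reach arbitrary partner addresses through the NAT; the inbound VIP maps only port 5200, so the rest of the internal server stays unreachable from the partner side.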



  • That’s correct, the partner net is also a private IP range but still we use NAT because we expose just a single server to the partner net.
    Can I have multiple NAT rules based on the source/destination?



  • Hi, I need a bit more clarification on your question.

    I assume you have 1 ISP link on, let's say, e0/0 and the default route would be pointing to this interface and the ISP gateway. So, all Internet traffic from the LAN will go out of this interface and use its IP for NAT.

    Now the partner network you wish to include, is it in a different subnet when compared to your ISP? If yes, then you just need one more interface, where you can assign one IP from the new subnet. You will need a route to the partner network, instructing the SSG to send all that traffic through the new interface. You may need policies based on which zone you place the interface in.



  • Can anyone advise on this? I need to assign the partner network to the Untrust zone and then define a MIP, right?

