Multiple trust-vr zones using same Untrust zone



  • Must be missing something obvious/easy here …

    I have two IP address ranges and two zones on the trust-vr:

    Zone: Trust
    ethernet0/0 = 192.168.1.1/24 (NAT)

    Zone: Production
    ethernet0/9 = 10.50.0.1/24 (NAT)

    Zone: Untrust
    ethernet0/2 = ISP-provided-IP

    Both zones appear identical in their configuration. For testing I’ve opened up all Policies to allow unfiltered net traffic.

    Relevant route:

    0.0.0.0/0 (gateway: ISP-provided-gateway) Interface: ethernet0/2

    HOST1 is in Trust zone. IP is 192.168.1.2, default gateway 192.168.1.1
    HOST2 is in Production zone. IP is 10.50.0.2, default gateway 10.50.0.1

    HOST1 can ping ISP-provided-gateway and, for example, 8.8.8.8
    HOST2 cannot ping either of those IPs

    Now, if I change ethernet0/9 from Production to Trust zone, pings work.

    What the heck am I missing?



  • Of course I figured it out within 30 seconds of posting – I had to add the egress option to the policy. Thanks me!  😄
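For reference, this is the ScreenOS CLI form of the setup described in the thread, together with the policy change the poster describes (source translation to the egress interface address, the WebUI's "egress interface" NAT option, which on the CLI is the `nat src` keyword on the policy). This is an added example, not configuration posted in the thread: the ISP addresses 203.0.113.2/30 and 203.0.113.1, the policy ID 10 and the zone/virtual-router commands are assumptions filled in for a complete, loadable snippet.

```text
# Added example: ScreenOS CLI equivalent of the thread's configuration.
# Assumed placeholder values: ISP address 203.0.113.2/30, ISP gateway
# 203.0.113.1, policy id 10. Both inside zones sit on trust-vr.

# Custom zone for the second range
set zone name Production
set zone Production vrouter trust-vr

# Trust zone interface, NAT mode
set interface ethernet0/0 zone Trust
set interface ethernet0/0 ip 192.168.1.1/24
set interface ethernet0/0 nat

# Production zone interface, NAT mode (identical to the Trust one)
set interface ethernet0/9 zone Production
set interface ethernet0/9 ip 10.50.0.1/24
set interface ethernet0/9 nat

# Untrust (ISP) interface, route mode
set interface ethernet0/2 zone Untrust
set interface ethernet0/2 ip 203.0.113.2/30
set interface ethernet0/2 route

# Default route out the ISP interface
set route 0.0.0.0/0 interface ethernet0/2 gateway 203.0.113.1

# Policy as first tested: wide open, no source translation.
# Packets from HOST2 leave ethernet0/2 still sourced from 10.50.0.2,
# which the ISP gateway has no route back to.
set policy id 10 from Production to Untrust any any any permit

# Fix described in the thread: translate the source address to the
# egress interface (ethernet0/2) address on this policy.
unset policy id 10
set policy id 10 from Production to Untrust any any any nat src permit

# Verification: the policy should list source translation, and a ping
# from HOST2 should show up as a session with 10.50.0.2 translated
# to 203.0.113.2.
get policy id 10
get session src-ip 10.50.0.2
```

Once the pings work, the `any any any` test policy should be narrowed back to the services HOST2 actually needs; an allow-all policy opened "for testing" is the kind of thing that is easy to forget on a production firewall. The same `nat src` option can be added to a `from Trust to Untrust` policy as well if you want the source translation stated explicitly in the policy rather than depending on the interface's NAT mode.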
