5GT-ADSL Trust/Untrust/DMZ setup



  • Hi guys,

    I have my 5GT-ADSL running nicely in trust/untrust mode with the ADSL port giving me WAN connectivity.

    I would like to setup a DMZ that will let visitors to the network connect up and get internet access without being able to “see” my network.

    I have tried creating a new zone (DMZ), placing the untrust interface into this zone and setting an IP/subnet of 192.168.10.1/24 on the interface. Plugging a test PC into the interface and giving it an ip/subnet of 192.168.10.2/24 and gateway of 192.168.10.1 I am unable to ping the netscreen on that interface (ping is enabled)

    I have setup a policy from DMZ -> Untrust for ANY -> ANY ALLOW to see if I can talk to anything but it does not seem to like it.

    I dont want to use the home/work mode on the netscreen as I need to use the existing ports in their trusted configuration and dont want to have to rebuild the netscreen to get it up and running.

    Any help/pointers would be appreciated.



  • Brilliant.

    I now have a Trust/Untrust/DMZ setup on the netscreen using 3 different zones.

    Thanks for your assistance its been really useful


  • Global Moderator

    Yeah, Interfacebase nar only works from trustzone to untrust zone in a single-vr config. Use policybased NAT (Nat behind interface) in advanced settingd instead. Nat src is the one corresponding to interfacebased nat.



  • OK… once i turned Failover off i was able to send traffic between zones quite happily.

    The Untrust interface is in NAT mode but when any traffic goes through the policies the translated source address does not change so traffic does not flow back into the network properly.

    Any idea what im missing?


  • Global Moderator

    I never tried that, but I would say yes. You need intrazone policies then, from untrust to untrust.



  • Am I going to be able to do it by having both the ADSL and the Untrusted interface in the same zone and then have the policies and routing in for that to work?


  • Global Moderator

    Sorry, it isn’t. That’s one of things much easier with an ssg5 or ssg20.



  • I think its standard license file and not the extended one.

    Is it possible to do what I want without changing the port mode?


  • Global Moderator

    What kind of license are you running? For DMA yuo need extended license,


 

25
Online

38.4k
Users

12.7k
Topics

44.5k
Posts