SSG140 - Inet is accessable from eth0/0, but not eth0/7 etc..

  • Hello there,

    It’s the first time I’ve laid my hand on a NetScreen/SreenOS-device. It’s been many bumps along the road, and alot of new stuff has been learnt from the last few days.

    However, I’ve come to a part where I feel I have no choice what-so-ever, then to ask for help here.

    Note that all of the IP’s have been randomized, but has the same netmasks etc.

    I’ve got 5 interfaces active;

    eth0/0 (trust) -
    eth0/2 (untrust) - (yeah, i know it’s a large netmask, but according to the ISP it’s the only one that works)
    eth0/7 (srv #1) -
    eth0/8 (srv #2) -
    eth0/9 (srv #3) -

    The routing-table looks as follows;

    The policy-list is as follows;

    That was the information. Now to the problem;

    All the servers on eth0/7 to eth0/9 cannot access the internet on the untrust interface. eth0/7 to eth0/9 can ping the IP of eth0/2 (untrust), but thats it. eth0/0 (trust) have full access to the Internet through eth0/2.

    It’s worth mentioning that eth0/7 to eth0/9 is setup with different VIP’s and MIP’s.

    eth0/7 - 5 VIP’services, bound to the untrust interface = using same IP as eth0/2
    eth0/8 - 4 MIP’s, external IP’s bound to a static internal IP
    eth0/9 - 1 MIP, external IP bound to a static internal IP

    All of the above MIP’s and VIP’s responds fine from the outside (pinging the external IP’s, port-forwarding via VIP’s, etc).

    Since eth0/0 (wich has internett access) doesn’t have any VIP/MIP, could it be that it’s those services that is causing eth0/7 to eth0/9 to be unable to access the Internet from the inside?

  • Global Moderator

    In gui select policy, edit, select advanced, check nat src.

    A good starting point would be

  • @screenie.:

    Try selecting NAT src hide behing interface on every policy to untrust!

    What do you mean by that? As said; I’m brand new when it comes to ScreenOS/SSG140.

  • Global Moderator

    Try selecting NAT src hide behing interface on every policy to untrust! From trust natting is done by interface setting, from every other zone, you’ll have to configure it in the policy.