
Help on MIP based Source NATing

Status
Not open for further replies.

insinus

Technical User
Mar 7, 2012
Hi All,
First of all, for your kind info: I am a newbie in Netscreen configuration. Let me explain the situation in a simple way.
1. I have two servers with a heartbeat IP 10.1.1.250 (10.1.1.0/24) in the DMZ zone (DMZ interface IP 10.1.1.254/32).
2. I got 5 usable static IPs: xxx.xxx.231.98-xxx.xxx.231.102.
3. They allotted me a single static IP 62.xxx.xx.10, which my UNTRUST interface gets from the ISP in DHCP mode. The 5 usable IPs are available on the UNTRUST interface only if I fetch the single IP xxx.xxx.127.10 by setting the UNTRUST interface to DHCP. This way my Untrust interface gets the IP 62.xxx.xxx.10.
4. My goal is to translate one of the 5 IPs, namely 212.xxx.xxx.98, to 10.1.1.250, and 10.1.1.250 to 212.xxx.xxx.98.

My Tries:
1. I had to go for MIP as I have ScreenOS 5.x, which doesn't allow a DIP that is not in the same subnet as the interface IP. Hints: the interface IP is 62.xxx.xxx.10 and the IP to be NATed is 212.xxx.xxx.98.
2. So with MIP it went fine: Mapped IP 212.xxx.xxx.98, Host IP 10.1.1.250, policy UNTRUST to DMZ "ANY" to "MIP(212.xxx.xxx.98)".
3. This made the server reachable from the outside with the static IP 212.xxx.xxx.98.

THE PROBLEM:
1. Now I would have to create a policy from DMZ to UNTRUST which would expose the server to the internet with the same MIP IP, namely 212.xxx.xxx.98. So I declared the policy:
From DMZ to UNTRUST "MIP(212.xxx.xxx.98)" to "ANY" "ANY" permit log.
With this policy I am not able to connect to the internet :-( (but I can still reach the server from outside, as the UNTRUST to DMZ policy is working fine).
But if I go to ADVANCED and tick SOURCE TRANSLATION with "To Egress IP", it goes online; but then when sending packets it takes the IP of the Untrust interface, which is 62.xxx.xxx.10, which is in no way my intent.
It should communicate with the outside world using the address 212.xxx.xxx.98.
Do I need to add a route, or what should I do?
Please help me out, I will be ever grateful. Thanks in advance, guys, for all your upcoming help!

Regards
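The setup the post describes, written out as ScreenOS CLI so each piece can be checked line by line. This is an added example, not the poster's configuration or anything from the thread; `ethernet3` as the Untrust interface name and the masked addresses are assumptions. The `get`/`debug` lines at the end are the checks for seeing which source address an outbound session from 10.1.1.250 actually leaves with, and which policy it matched.

```text
# Assumption: ethernet3 is the Untrust interface (DHCP-assigned 62.xxx.xxx.10).
# A MIP is a static one-to-one mapping and is bidirectional in ScreenOS: the
# same mapping translates the destination on inbound traffic and the source
# on outbound traffic, as long as the policy names MIP(...) on that side.
set interface ethernet3 mip 212.xxx.xxx.98 host 10.1.1.250 netmask 255.255.255.255 vr trust-vr

# Inbound: public address -> DMZ host (the policy the post reports as working)
set policy from untrust to dmz "Any" "MIP(212.xxx.xxx.98)" "ANY" permit log

# Outbound: DMZ host -> Internet, with the MIP as the source object so the
# firewall rewrites 10.1.1.250 to 212.xxx.xxx.98. No "Source Translation /
# To Egress IP" on this policy: that option uses the interface address instead.
set policy from dmz to untrust "MIP(212.xxx.xxx.98)" "Any" "ANY" permit log

save

# Checks: confirm the MIP is installed, look at a live outbound session from
# the heartbeat IP (the session entry shows the translated source), and
# confirm the routing table sends Internet traffic out the Untrust interface.
get mip
get session src-ip 10.1.1.250
get route

# Packet-level trace of one outbound flow, filtered to the host so the debug
# buffer stays readable; the output names the matched policy and the NAT applied.
set ffilter src-ip 10.1.1.250
debug flow basic
clear dbuf
# (generate one outbound connection from 10.1.1.250, then:)
get dbuf stream
undebug all
unset ffilter
```

Comparing the source address shown in `get session` with the one seen by the remote side tells you whether the rewrite is happening on the firewall at all, or whether the packets leave correctly translated and the problem lies with how the upstream routes the 212.xxx.xxx.98 block back.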
 