Netscreen 5GT Dual-Untrust

[AdyEp]

Hi,

I have a Netscreen 5GT installed in a data centre to protect a number of web servers.

I'd like to know if it's possible to configure the 5GT in dual untrust mode to pass requests from two seporate subnets to the same trusted IP.

E.g.

Untrust 1 Interface MIP : 123.123.123.5
Untrust 2 Interface MIP : 100.100.100.240

Both map to Trusted IP : 192.168.1.100

Many Thanks,
Ady

 

[shrubble]

If I'm understanding you correctly, that's no prob at all. Basically you would go into:

Network -> Interfaces

Click "new" at the top, select Sub-if from the dropdown. Put in what you require, it's fairly intuitive.

As far as having them hit the same trusted subnet you would just have two sets of rules (although there may be another way to do it). So if you called your second interface "untrust2" for example, you would have:

Trust <-> Untrust
Trust <-> Untrust2

From that perspective, it's just like having only one untrusted interface.

"I would rather have a free bottle in front of me, than a pre-frontal lobotomy..."

-Shrubble

 

[AdyEp]

Hi shrubble,

Thanks for your reply.

I have a 5GT, which I don't think supports subinterfaces. The only options I have for new interfaces are:

Loopback IF
Tunnel IF
VSI IF

Therfore I was looking at the dual untrust to see if this mode would be able to support what I require.

Thanks,
Ady

 

[shrubble]

Actually, I looked on a 5GT. I think the features on the firewall depend on what your key unlocks, we've got about 50 or 60 5GT's out in the field, and they come with that ability.

Maybe you could buy a cheap router or something to NAT one untrusted subnet into the other?

"I would rather have a free bottle in front of me, than a pre-frontal lobotomy..."

-Shrubble