How to source-NAT on Netscreen with interface in Route mode

I have inherited a Netscreen25 firewall that protects some servers and is set up as follows:

1) The Untrust and DMZ zones have been set up in Route mode
2) The Trust zone is in NAT mode
3) The servers in the DMZ have 192.168.x.x addresses.
4) MIPs have been set up to map externally accessible IP addresses (I'll use 1.1.1.x for the purposes of this question) to the various servers with the 192.168.x.x addresses.

However, we have run out of external IPs and we have some servers in the DMZ network that simply need internet access but don't need to be accessed from anything on the internet. (I realize they are probably candidates for the Trust zone, but I cannot move them there right now without creating a number of other problems.)

The basic goal is to allow additional systems in the DMZ to get to the internet without a MIP for each one.

My idea is to set up source-NAT with PAT using a single IP in a DIP.

My questions are:
1) Can I set up source-NAT with PAT using policies if the Untrust and DMZ interfaces are in Route mode?
2) If I switch from Route to NAT mode, will that disrupt the MIPs in place that connect the internal with external IPs?
3) Is there some easier way to allow these other 192.168.x.x systems that have no MIPs to get to the internet?

One other caveat is that the firewall and servers are in production, so ideally the changes would need to be minimally disruptive. (i.e. Telling me to tear down the MIPs and reset the zone to NAT is not going to be the favored solution.)

Thanks


shofarsleeAsked:
rsivanandanCommented:
Any changes you need to make would have to go through some change in the firewall.

Omitting option 1 and 3, have you tried out number 2 ? Setting the nat mode ?

1. If you get a 15 minute window for doing this, you can put this in nat mode and then from one of the machines configured for MIP, access whatismyip.com and see if the IP you see is the MIP or Untrust IP. That should answer it. I think it'd work.

Cheers,
Rajesh
0
rsivanandanCommented:
Or another option would be to setup one more MIP on another machine and install proxy server software on it. Have the other machines access internet through that.

Cheers,
Rajesh
0
shofarsleeAuthor Commented:
I'm concerned about affecting production servers by switching from ROUTE to NAT. Does a change like this happen immediately, or does it require the Netscreen to reboot?
0
rsivanandanCommented:
It can happen immediately, no reboot required. All that is needed is:

set int <interface> route

That's it.

Cheers,
Rajesh
0
rsivanandanCommented:
Oops, I meant:

set int <interface> nat

Cheers,
Rajesh
0
shofarsleeAuthor Commented:
I may try to schedule some off-hours downtime for this in the future.

However, it would be good to know if the alternate method would work: keep the interface in ROUTE mode, but try to set up source NAT + PAT via policies.

Any sense of whether this would in any way be more or less potentially disruptive to try than switching over to NAT mode? (With the switching of the entire interface to NAT mode, if all the server IPs get source NAT'ed, it would definitely disrupt service.)

Thanks
0
rsivanandanCommented:
You can definitely do source-nat and have *only* those machines go out to internet that way. There is no issue with it.

Cheers,
Rajesh
0
shofarsleeAuthor Commented:
I will schedule creating a source NAT with PAT policy early next week and let you know how it goes.

Thanks
0
shofarsleeAuthor Commented:
If it helps other people in the future, here is exactly what I did:
1) On the Untrust interface, clicked on DIP and set a single IP address in the same subnet as my Untrust interface.
2) I also checked PAT
3) Applied those settings
4) In Policies, set up a policy from DMZ to Untrust
5) Went to the Advanced Tab and selected Source NAT
6) Chose to use the DIP set up in steps 1-2. (I could have also chosen to use the IP of the Untrust Egress interface - but chose not to in order to keep it more "hidden".)

Many thanks for the guidance on this question. My systems in the DMZ without MIPs are now able to access the internet.

Thanks
0
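The WebUI procedure shofarslee describes, written out as the equivalent ScreenOS CLI configuration. This is an added illustration and not part of the thread or of anyone's posted configuration; the interface names (ethernet1 for DMZ, ethernet3 for Untrust), the addresses, the DIP id and the address-book names are assumptions chosen to match the 1.1.1.x / 192.168.x.x scheme used in the question. It goes one step beyond the thread by scoping the policy to a named group of the non-MIP hosts instead of "Any", which is what keeps the MIP'd servers unaffected and the interfaces in Route mode.

```text
# Assumed layout (not from the thread):
#   ethernet1 = DMZ zone, Route mode, 192.168.10.1/24
#   ethernet3 = Untrust zone, Route mode, 1.1.1.2/24
# An existing MIP for a publicly reachable server stays exactly as it is:
set interface ethernet3 mip 1.1.1.10 host 192.168.10.10 netmask 255.255.255.255 vr trust-vr

# Steps 1-3: a DIP pool holding one spare address in the Untrust subnet.
# PAT is the default for a DIP; the "fix-port" keyword would turn it off, so leave it out.
set interface ethernet3 dip 5 1.1.1.50 1.1.1.50

# Address-book entries for the DMZ hosts that have no MIP (assumed names and addresses).
set address "DMZ" "dmz-app1" 192.168.10.21 255.255.255.255
set address "DMZ" "dmz-app2" 192.168.10.22 255.255.255.255
set group address "DMZ" "dmz-no-mip"
set group address "DMZ" "dmz-no-mip" add "dmz-app1"
set group address "DMZ" "dmz-no-mip" add "dmz-app2"

# Steps 4-6: DMZ -> Untrust policy with source NAT to the DIP, logged.
# Only sessions matching this policy are translated; nothing about the interface mode changes.
set policy from "DMZ" to "Untrust" "dmz-no-mip" "Any" "ANY" nat src dip-id 5 permit log

# The alternative shofarslee mentioned but did not pick: translate to the egress interface IP.
# set policy from "DMZ" to "Untrust" "dmz-no-mip" "Any" "ANY" nat src permit log

save

# Checks after applying, from a session started by 192.168.10.21:
#   get session src-ip 192.168.10.21   (source should show as 1.1.1.50 with a translated port)
#   get dip                             (DIP 5 should show the address and PAT enabled)
```

Two practical points when doing this on a production box: pick a DIP address that is not already a MIP, VIP or interface address on the Untrust side, or the NetScreen will reject the DIP; and keep the policy's source narrowed to the group, since a policy with source "Any" and source NAT would also translate outbound traffic from the MIP'd servers and change the address they appear from. The "log" keyword lets you confirm from the traffic log which sessions actually hit the new policy before widening it.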
rsivanandanCommented:
So it worked as you intended. Glad to be of help.

Cheers,
Rajesh
0