  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 4094

How to source-NAT on Netscreen with interface in Route mode

I have inherited a Netscreen25 firewall that protects some servers and is set up as follows:

1) The Untrust and DMZ zones have been set up in Route mode
2) The Trust zone is in NAT mode
3) The servers in the DMZ have 192.168.x.x addresses.
4) MIPs have been set up to map externally accessible IP addresses (I'll use 1.1.1.x for the purposes of this question) to the various servers with the 192.168.x.x addresses.

However, we have run out of external IPs and we have some servers in the DMZ network that simply need internet access but don't need to be accessed from anything on the internet. (I realize they are probably candidates for the Trust zone, but I cannot move them there right now without creating a number of other problems.)

The basic goal is to allow additional systems in the DMZ to get to the internet without a MIP for each one.

My idea is to set up source-NAT with PAT using a single IP in a DIP.

My questions are:
1) Can I set up source-NAT with PAT using policies if the Untrust and DMZ interfaces are in Route mode?
2) If I switch from Route to NAT mode, will that disrupt the MIPs in place that connect the internal with external IPs?
3) Is there some easier way to allow these other 192.168.x.x systems that have no MIPs to get to the internet?

One other caveat is that the firewall and servers are in production, so ideally the changes would need to be minimally disruptive. (i.e. Telling me to tear down the MIPs and reset the zone to NAT is not going to be the favored solution.)

Thanks


Asked by shofarslee

rsivanandan commented:
Any changes you need to make would have to go through some change in the firewall.

Omitting options 1 and 3, have you tried out number 2? Setting the NAT mode?

1. If you get a 15 minute window for doing this, you can put this in NAT mode and then, from one of the machines configured for MIP, access whatismyip.com and see if the IP you see is the MIP or the Untrust IP. That should answer it. I think it'd work.

Cheers,
Rajesh
 
rsivanandan commented:
Or another option would be to set up one more MIP on another machine and install proxy server software on it. Have the other machines access the internet through that.

Cheers,
Rajesh
 
shofarslee (Author) commented:
I'm concerned about affecting production servers by switching from ROUTE to NAT. Does a change like this happen immediately, or does it require the Netscreen to reboot?
 
rsivanandan commented:
It can happen immediately, no reboot required. All that is needed is:

set int <interface> route

That's it.

Cheers,
Rajesh
 
rsivanandan commented:
Oops, I meant:

set int <interface> nat

Cheers,
Rajesh
 
shofarslee (Author) commented:
I may try to schedule some off-hours downtime for this in the future.

However, it would be good to know if the alternate method would work: keep the interface in ROUTE mode, but try to set up source NAT + PAT via policies.

Any sense of whether this would in any way be more or less potentially disruptive to try than switching over to NAT mode? (With the switching of the entire interface to NAT mode, if all the server IPs get source NAT'ed, it would definitely disrupt service.)

Thanks
 
rsivanandan commented:
You can definitely do source-nat and have *only* those machines go out to internet that way. There is no issue with it.

Cheers,
Rajesh
 
shofarslee (Author) commented:
I will schedule creating a source NAT with PAT policy early next week and let you know how it goes.

Thanks
 
shofarslee (Author) commented:
If it helps other people in the future, here is exactly what I did:
1) On the Untrust interface, clicked on DIP and set a single IP address in the same subnet as my Untrust interface.
2) I also checked PAT
3) Applied those settings
4) In Policies, set up a policy from DMZ to Untrust
5) Went to the Advanced Tab and selected Source NAT
6) Chose to use the DIP set up in steps 1-2. (I could have also chosen to use the IP of the Untrust egress interface, but chose not to in order to keep it more "hidden".)

Many thanks for the guidance on this question. My systems in the DMZ without MIPs are now able to access the internet.

Thanks
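The WebUI steps in the comment above, written out as the equivalent ScreenOS CLI commands. This is an added example, not the asker's actual configuration or anything from this thread: the interface name ethernet3 (the Untrust interface), the spare external address 1.1.1.10, the DMZ host addresses 192.168.2.50 and 192.168.2.51, and the DIP id 5 and policy id 10 are all assumed. The policy only matches the DMZ hosts that have no MIP, which is what keeps the change from touching the servers that do.

```screenos
# Added example: assumed names and addresses, not the asker's real config.
# ethernet3 = Untrust interface (left in Route mode, so existing MIPs are untouched)
# 1.1.1.10  = single spare external address used for the DIP
# 192.168.2.50/.51 = DMZ hosts that have no MIP and only need outbound access

# Nothing below changes the interface mode; confirm it still reports Route mode.
get interface ethernet3

# Steps 1-3: a one-address DIP pool on the Untrust interface.
# PAT is enabled by default on a ScreenOS DIP; "fix-port" would turn it off.
set interface ethernet3 dip 5 1.1.1.10 1.1.1.10

# Only the hosts without a MIP go into the group the policy matches.
set address dmz "srv-a" 192.168.2.50 255.255.255.255
set address dmz "srv-b" 192.168.2.51 255.255.255.255
set group address dmz "dmz-no-mip" add "srv-a"
set group address dmz "dmz-no-mip" add "srv-b"

# Steps 4-6: DMZ-to-Untrust policy with Advanced > Source NAT using the DIP.
# "nat src" with no dip-id would instead use the egress interface address,
# the alternative the asker mentioned. "log" records each translated session.
set policy id 10 from dmz to untrust "dmz-no-mip" any any nat src dip-id 5 permit log

save

# Verification after the change:
get dip                       # DIP 5 present on ethernet3 with PAT
get policy id 10              # policy shows nat src dip-id 5
get session src-ip 192.168.2.50   # sessions from srv-a translated to 1.1.1.10
```

The check that matches rsivanandan's earlier suggestion is to browse to an external "what is my IP" site from one of the grouped hosts and confirm it reports 1.1.1.10, then repeat from a MIP'd server and confirm it still reports its MIP address. Because the Untrust interface stays in Route mode, DMZ hosts outside the group are not affected by this policy at all.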
 
rsivanandan commented:
So it worked as you intended. Glad to be of help.

Cheers,
Rajesh
