I have inherited a Netscreen25 firewall that protects some servers and is set up as follows:
1) The Untrust and DMZ zones have been set up in Route mode
2) The Trust zone is in NAT mode
3) The servers in the DMZ have 192.168.x.x addresses.
4) MIPs have been set up to map externally accessible IP addresses (I'll use 1.1.1.x for the purposes of this question) to the various servers with the 192.168.x.x addresses.
However, we have run out of external IPs and we have some servers in the DMZ network that simply need internet access but don't need to be accessed from anything on the internet. (I realize they are probably candidates for the Trust zone, but I cannot move them there right now without creating a number of other problems.)
The basic goal is to allow additional systems in the DMZ to get to the internet without a MIP for each one.
My idea is to set up source-NAT with PAT using a single IP in a DIP.
My questions are:
1) Can I set up source-NAT with PAT using policies if the Untrust and DMZ interfaces are in Route mode?
2) If I switch from Route to NAT mode, will that disrupt the MIPs in place that connect the internal with external IPs?
3) Is there some easier way to allow these other 192.168.x.x systems that have no MIPs to get to the internet?
One other caveat is that the firewall and servers are in production, so ideally the changes would need to be minimally disruptive. (i.e., telling me to tear down the MIPs and reset the zone to NAT is not going to be the favored solution.)
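The configuration the question proposes, policy-based source NAT from DMZ to Untrust through a single-address DIP pool, written out as an added illustration that is not part of the original post (ScreenOS CLI syntax from memory). The Untrust interface name ethernet3, the spare public address 1.1.1.10, the 192.168.20.0/24 address-book entry, DIP id 5 and policy id 20 are all assumptions; substitute the device's real values.

```screenos
# Added illustration, not from the original post. Assumed values: Untrust
# interface ethernet3, spare public address 1.1.1.10, DIP id 5, policy id 20,
# and a constructed subnet 192.168.20.0/24 for the DMZ hosts that have no MIP.

# Address-book entry so the NAT policy only covers the hosts that need it,
# rather than every source in the DMZ zone.
set address "DMZ" "dmz-no-mip" 192.168.20.0 255.255.255.0

# One-address DIP pool on the Untrust interface. Without the fix-port keyword
# the pool performs port translation (PAT), so many 192.168.x.x hosts can
# share 1.1.1.10. This is separate from the MIPs already on the interface.
set interface ethernet3 dip 5 1.1.1.10 1.1.1.10

# Outbound policy with source NAT applied per policy. Because translation is
# tied to the policy, not the interface mode, the DMZ and Untrust interfaces
# stay in Route mode and the existing MIP policies are left untouched.
set policy id 20 from "DMZ" to "Untrust" "dmz-no-mip" "Any" "ANY" nat src dip-id 5 permit log

# Confirm the policy was created with the NAT action attached.
get policy id 20
```

The `log` keyword keeps outbound sessions from the shared address visible in the traffic log, which matters once many hosts sit behind one public IP.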