shofarslee

How to source-NAT on Netscreen with interface in Route mode

I have inherited a Netscreen25 firewall that protects some servers and is set up as follows:

1) The Untrust and DMZ zones have been set up in Route mode
2) The Trust zone is in NAT mode
3) The servers in the DMZ have 192.168.x.x addresses.
4) MIPs have been set up to map externally accessible IP addresses (I'll use 1.1.1.x for the purposes of this question) to the various servers with the 192.168.x.x addresses.

However, we have run out of external IPs and we have some servers in the DMZ network that simply need internet access but don't need to be accessed from anything on the internet. (I realize they are probably candidates for the Trust zone, but I cannot move them there right now without creating a number of other problems.)

The basic goal is to allow additional systems in the DMZ to get to the internet without a MIP for each one.

My idea is to set up source-NAT with PAT using a single IP in a DIP.

My questions are:
1) Can I set up source-NAT with PAT using policies if the Untrust and DMZ interfaces are in Route mode?
2) If I switch from Route to NAT mode, will that disrupt the MIPs in place that connect the internal with external IPs?
3) Is there some easier way to allow these other 192.168.x.x systems that have no MIPs to get to the internet?

One other caveat is that the firewall and servers are in production, so ideally the changes would need to be minimally disruptive. (i.e. Telling me to tear down the MIPs and reset the zone to NAT is not going to be the favored solution.)

Thanks


rsivanandan

Any changes you need to make would have to go through some change in the firewall.

Omitting options 1 and 3, have you tried out number 2? Setting the NAT mode?

1. If you get a 15-minute window for doing this, you can put this in NAT mode and then, from one of the machines configured for MIP, access whatismyip.com and see if the IP you see is the MIP or the Untrust IP. That should answer it. I think it'd work.

Cheers,
Rajesh

Or another option would be to set up one more MIP on another machine and install proxy server software on it. Have the other machines access the internet through that.

Cheers,
Rajesh

shofarslee

ASKER

I'm concerned about affecting production servers by switching from ROUTE to NAT. Does a change like this happen immediately, or does it require the Netscreen to reboot?

It can happen immediately, no reboot required. All that is needed is:

set int <interface> route

That's it.

Cheers,
Rajesh

Oops, I meant:

set int <interface> nat

Cheers,
Rajesh

I may try to schedule some off-hours downtime for this in the future.

However, it would be good to know if the alternate method would work: keep the interface in ROUTE mode, but try to set up source NAT + PAT via policies.

Any sense of whether this would in any way be more or less potentially disruptive to try than switching over to NAT mode? (With the switching of the entire interface to NAT mode, if all the server IPs get source NAT'ed, it would definitely disrupt service.)

Thanks

ASKER CERTIFIED SOLUTION

rsivanandan

I will schedule creating a source NAT with PAT policy early next week and let you know how it goes.

Thanks

If it helps other people in the future, here is exactly what I did:
1) On the Untrust interface, clicked on DIP and set a single IP address in the same subnet as my Untrust interface.
2) I also checked PAT
3) Applied those settings
4) In Policies, set up a policy from DMZ to Untrust
5) Went to the Advanced Tab and selected Source NAT
6) Chose to use the DIP set up in steps 1-2. (I could have also chosen to use the IP of the Untrust Egress interface - but chose not to in order to keep it more "hidden".)

Many thanks for the guidance on this question. My systems in the DMZ without MIPs are now able to access the internet.

Thanks
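For readers who manage the box from the CLI rather than the WebUI, here is the same change the asker describes above written as ScreenOS commands. This is an added illustration, not configuration from the thread; the interface name ethernet3, DIP id 5, the pool address 1.1.1.10, the DMZ host addresses and the object names are assumptions (the Untrust interface and the free address depend on the unit). It goes one step further than the asker's setup by limiting the NAT policy to an address group of the hosts that have no MIP instead of "Any", so the translation can never touch the MIP'd servers no matter how the device orders MIP and policy NAT.

```text
# Assumed: ethernet3 is the Untrust interface (still in Route mode) and 1.1.1.10
# is an unused address in its subnet. The DIP pool holds just that one address.
# PAT is enabled by default on a DIP; it would be disabled with "fix-port".
set interface ethernet3 dip 5 1.1.1.10 1.1.1.10

# Address objects for the DMZ hosts that have no MIP (constructed example
# addresses), collected in one group so the policy is scoped to them only.
set address "DMZ" "srv-nomip-1" 192.168.1.50 255.255.255.255
set address "DMZ" "srv-nomip-2" 192.168.1.51 255.255.255.255
set group address "DMZ" "dmz-no-mip" add "srv-nomip-1"
set group address "DMZ" "dmz-no-mip" add "srv-nomip-2"

# Outbound policy DMZ -> Untrust with source NAT bound to DIP 5. This is the
# CLI form of "Advanced tab -> Source NAT -> use DIP" in the asker's steps 4-6.
set policy from "DMZ" to "Untrust" "dmz-no-mip" "Any" "ANY" nat src dip-id 5 permit

# The alternative the asker mentions but did not choose: translate to the
# egress interface address instead of a DIP (no dip-id keyword).
# set policy from "DMZ" to "Untrust" "dmz-no-mip" "Any" "ANY" nat src permit

# Checks after one of the listed hosts opens an outbound connection:
# the DIP pool should show the configured address, and the session entry for
# the host should show 1.1.1.10 as the translated source with a changed port.
get dip
get session src-ip 192.168.1.50
```

Because the policy matches only the "dmz-no-mip" group, a host that later gets its own MIP is simply removed from the group; nothing else in the NAT setup has to change, and the Untrust and DMZ interfaces stay in Route mode throughout.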
So it worked as you intended. Glad to be of help.

Cheers,
Rajesh