mjpb
asked on
MIP on a netscreen for accessing dmz server from untrust or from trust
I have a mip defined on the untrust interface of ssg5.
this mip (say 5.5.5.5) permits internet users to reach the private ip that the MIP maps to in the dmz (say 172.16.5.5).
How can I get devices in the trust zone (say 10.2.2.2) to reach the same dmz server via the MIP address (5.5.5.5).
Thank you
Nothing is required if you want equipment in the trust zone to reach the MIP 5.5.5.5. As long as the MIP is working, there will be no problem.
If you want to get to the DMZ from the LAN and do not need to use the MIP, follow the above suggestion and create the trust - DMZ allow policy.
As far as the internal network going to the internet, then coming back to the DMZ: this happens in cases where you have a domain name pointing to the MIP and want users to use the web address to access the server (assuming it is a web server or email server, as an example). Your performance hit will be minimal if you compare going to the outside versus directly to the DMZ.
ASKER
The reason the trusted devices need to hit the MIP address (defined on the untrust) is that the client uses a DNS server on the internet and the name resolution gives them the public IP for the dmz server (i.e. 5.5.5.5, which translates to the real dmz IP).
Currently I have the MIP defined on the untrust which works for traffic from the internet to the MIP to the real dmz address.
For inside to dmz I configured destination nat and nat the destination (which would be the 5.5.5.5) address to the real IP. I heard that there is a way to have the trusted source IPs hit the MIP address and do a "hairpin" back to the real dmz IP but I haven't been able to find an example.
I was hoping this could be done because the destination nat from trust to dmz gets quite cumbersome as there are close to 300 servers on the dmz and a rule must be created for each one with dnat. I was hoping to use the MIP method so I could group the destination dmz MIPs into one rule say for http, etc.
There is no special config to make this happen. Devices on the trusted side will hit the MIP (using the DNS name) as if they were at another physical location. Configuring internal NAT from trust to DMZ is not required at all.
I use this setup for my Exchange server. All Outlook clients, whether inside the LAN or not, use the domain name that points to the MIP, and all remote users also use the same domain name to get to the Exchange server MIP.
ASKER
hmm... I've tested from trust to the MIP address 5.5.5.5 (for the dmz server). I have the first rule from trust to dmz to permit any any on any port.
I then tested from a trusted source (on the inside-trust interface) to the 5.5.5.5 address but it does not get through. I see in a debug the following:
route 10.2.1.1 -> 10.2.1.1, to ethernet0/0 (note 0/0 is the trust interface and 10.2.1.1 is the source device trying to reach the dmz server)
Next line in the debug is:
arp lookup failed for 10.2.1.1 (again, this is the source IP in the trust zone).
I have a router separating the trusted interface from the inside devices and another separating the dmz interface from the dmz devices.
Not sure where to go from here....
ASKER CERTIFIED SOLUTION
You should post your sanitized config if you get a chance; I can then take a look for errors.
ASKER
I think I found the problem. I had put a route in for the public 5.5.5.x dmz IPs to route to the dmz (this was for the dnat from trust to 5.5.5.x to the private IP of the dmz servers).
I removed that route and am now able to go from trust to untrust 5.5.5.x IP which the fw sees the MIP for and redirects to the dmz server.
Thank you for your help. Sometimes it takes another set of eyes to clear the view!
Regards.
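The layout the thread arrives at, written out as ScreenOS CLI. This is an added illustration, not configuration posted by anyone in the thread; ethernet0/1 and ethernet0/2 as the DMZ and Untrust interfaces, the interface addresses other than 5.5.5.5 and 172.16.5.5, the second MIP 5.5.5.6 and the policy IDs are assumptions, and the route at the end is the one the asker found had to be removed.

```screenos
# Added example (not from the thread). Assumed: ethernet0/0 = Trust (from the thread),
# ethernet0/1 = DMZ, ethernet0/2 = Untrust; interface IPs are made up for illustration.
set interface ethernet0/0 zone "Trust"
set interface ethernet0/0 ip 10.2.1.254/24
set interface ethernet0/1 zone "DMZ"
set interface ethernet0/1 ip 172.16.5.254/24
set interface ethernet0/2 zone "Untrust"
set interface ethernet0/2 ip 5.5.5.1/24

# MIP on the Untrust interface: public 5.5.5.5 maps one-to-one to DMZ host 172.16.5.5.
# ScreenOS creates the Global-zone address object "MIP(5.5.5.5)" for use in policies.
set interface ethernet0/2 mip 5.5.5.5 host 172.16.5.5 netmask 255.255.255.255 vr trust-vr

# Internet -> DMZ server via the MIP. The "to" zone is the zone of the real host (DMZ),
# because ScreenOS resolves the MIP to its host before choosing the destination zone.
set policy id 10 from "Untrust" to "DMZ" "Any" "MIP(5.5.5.5)" "HTTP" permit

# Trust -> the same DMZ server via the same public address (the hairpin the asker wanted).
# No destination-NAT rule is needed; the MIP object is simply the policy destination.
set policy id 20 from "Trust" to "DMZ" "Any" "MIP(5.5.5.5)" "HTTP" permit

# Several MIPs can share one policy by adding destinations to it (multi-cell policy);
# this is what lets many DMZ hosts be covered by one per-service rule. Assumed second
# MIP 5.5.5.6 -> 172.16.5.6 defined the same way as above.
set policy id 20
set dst-address "MIP(5.5.5.6)"
exit

# What broke it in the thread: a static route for the public 5.5.5.x block pointing at
# the DMZ interface (left over from the earlier destination-NAT approach). With it in
# place, Trust -> 5.5.5.5 never reached the MIP; removing it restored the hairpin.
# set route 5.5.5.0/24 interface ethernet0/1          <- do not configure this
unset route 5.5.5.0/24 interface ethernet0/1
get route
```

After the change, `get route` should show 5.5.5.0/24 only as the connected network on the Untrust interface, with no entry sending it toward ethernet0/1.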
I am glad it worked out. With NetScreen devices, in my 4 or so years of experience, it's usually the simplest of solutions that solves a problem that appears to have no answer. I'm happy you stuck with it, and if you run into anything else, don't hesitate to post.
Just make a policy from Trust to DMZ (or whatever you have that zone named) with the appropriate source, destination, protocol and port.
Are you doing this via CLI (Console/SSH) or the WebUI?