mjpb

MIP on a NetScreen for accessing a DMZ server from untrust or from trust

I have a MIP defined on the untrust interface of an SSG5.
This MIP (say 5.5.5.5) permits internet users to reach the private IP that the MIP maps to in the DMZ (say 172.16.5.5).

How can I get devices in the trust zone (say 10.2.2.2) to reach the same DMZ server via the MIP address (5.5.5.5)?

Thank you
simsjrg

Well, you aren't going to want your internal network to go out to the internet and then come back in to hit your DMZ.

Just make a policy from Trust to DMZ (or whatever you have that zone named) with the appropriate source, destination, protocol and port.

Are you doing this via CLI (Console/SSH) or the WebUI?
Sanga Collins
Nothing is required if you want equipment in the trust zone to reach the MIP 5.5.5.5. As long as the MIP is working, there will be no problem.

If you want to get to the DMZ from the LAN and do not need to use the MIP, follow the above suggestion and create the trust - DMZ allow policy.

As far as the internal network going to the internet and then coming back to the DMZ, this happens in cases where you have a domain name pointing to the MIP and want users to use the web address to access the server (assuming it is a web server or email server, for example). Your performance hit will be minimal if you compare going to the outside versus directly to the DMZ.
mjpb

ASKER

The reason the trusted devices need to hit the MIP address (defined on the untrust) is that the client uses a DNS server on the internet, and the name resolution gives them the public IP for the DMZ server (i.e. 5.5.5.5, which translates to the real DMZ IP).

Currently I have the MIP defined on the untrust, which works for traffic from the internet to the MIP to the real DMZ address.
For inside to DMZ I configured destination NAT and NAT the destination address (which would be 5.5.5.5) to the real IP. I heard that there is a way to have the trusted source IPs hit the MIP address and do a "hairpin" back to the real DMZ IP, but I haven't been able to find an example.

I was hoping this could be done because the destination NAT from trust to DMZ gets quite cumbersome, as there are close to 300 servers on the DMZ and a rule must be created for each one with DNAT. I was hoping to use the MIP method so I could group the destination DMZ MIPs into one rule, say for HTTP, etc.
There is no special config to make this happen. Devices on the trusted side will hit the MIP (using the DNS name) as if they were at another physical location. Configuring internal NAT from trust to DMZ is not required at all.

I use this setup for my Exchange server. All Outlook clients, whether inside the LAN or not, use the domain name that points to the MIP, and all remote users also use the same domain name to get to the Exchange server MIP.
mjpb

ASKER

Hmm... I've tested from trust to the MIP address 5.5.5.5 (for the DMZ server). I have the first rule from trust to DMZ to permit any any on any port.

I then tested from a trusted source (on the inside-trust interface) to the 5.5.5.5 address, but it does not get through. I see the following in a debug:
route 10.2.1.1 -> 10.2.1.1, to ethernet0/0    (note 0/0 is the trust interface and 10.2.1.1 is the source device trying to reach the dmz server)
Next line in the debug is:
 arp lookup failed for 10.2.1.1    (again, this is the source IP in the trust zone)
I have a router separating the trusted interface from the inside devices and another separating the DMZ interface from the DMZ devices.

Not sure where to go from here....


ASKER CERTIFIED SOLUTION
Sanga Collins

You should post your sanitized config if you get a chance; I can then take a look for errors.
mjpb

ASKER

I think I found the problem. I had put in a route for the public 5.5.5.x DMZ IPs to route to the DMZ (this was for the DNAT from trust to 5.5.5.x to the private IP of the DMZ servers).
I removed that route and am now able to go from trust to the untrust 5.5.5.x IP, which the FW sees the MIP for and redirects to the DMZ server.

Thank you for your help.  Sometimes it takes another set of eyes to clear the view!

Regards.
I am glad it worked out... with NetScreen devices, in my 4 or so years' experience, it's usually the simplest of solutions that solves a problem that appears to have no answer. I'm happy you stuck with it, and if you run into anything else, don't hesitate to post.
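The configuration the thread converges on, written out in ScreenOS CLI as an added example (this is not the asker's actual config). Interface-to-zone assignments (ethernet0/1 = Untrust, ethernet0/2 = DMZ), the 5.5.5.0/24 size of the public range and the choice of HTTP as the service are assumptions; the addresses come from the thread.

```text
## Added example, not the asker's config. Assumed: ethernet0/0 = Trust,
## ethernet0/1 = Untrust, ethernet0/2 = DMZ, public range 5.5.5.0/24.

## MIP on the untrust interface: 5.5.5.5 <-> 172.16.5.5 (server in the DMZ)
set interface ethernet0/1 mip 5.5.5.5 host 172.16.5.5 netmask 255.255.255.255 vr trust-vr

## Internet -> DMZ server through the MIP (the part that already worked)
set policy from untrust to dmz any MIP(5.5.5.5) HTTP permit

## Trust -> same server by its public address, so internal clients can keep
## using the public DNS name. The asker's working rule was "any any" on any
## port; this version at least limits the service. No DNAT rule is needed.
set policy from trust to dmz any any HTTP permit

## The route that broke the hairpin. With it in place the firewall routed
## 5.5.5.x toward the DMZ interface instead of matching the MIP, and the
## debug showed "arp lookup failed". The asker's fix was to remove it:
unset route 5.5.5.0/24 interface ethernet0/2
```

After the change, a `get session` on the SSG5 while an internal client connects to 5.5.5.5 should show the destination translated to 172.16.5.5 with the Trust zone as source and the DMZ as destination, which is the quickest way to confirm the MIP rather than a DNAT rule is handling the flow.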