• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1277
  • Last Modified:

Interface NAT mode on a SSG / ScreenOS 6.X


I don't usually use interface NAT mode so I need to clarify a question.  I don't have access to a SSG right now so I hoping some can help me out.

Scenario: I have a SSG device with the three zones defined (Untrust, Trust, and DMZ) and the DMZ interface (ethernet 0/3) is in NAT mode.

From reading the documentation it appears when traffic is initiated from the Trust zone and traverses the SSG and headed out either the Untrust or DMZ zone interfaces the source-IP will be src-NAT'd to the egress interface.

What is not clear is suppose you have a host in the DMZ that initiates traffic to a host in the Trust zone.  Assuming they are no policy based NAT statements, will the traffic be NAT'd?  The documentation in my opinion just isn't clear on this circumstance.

Thanks....
0
norgetek
Asked:
norgetek
  • 2
1 Solution
 
deimarkCommented:
Interface nat occurs in the following circumstances

From trust to untrust
From DMZ to untrust

All other traffic will NOT be natted unless specifically defined in a policy

So for traffic from DMZ to trust, interface NAT does NOT occur

HTH
0
 
norgetekAuthor Commented:
Typed to fast when I made the post:

This is the scenario I meant to describe:

I have a SSG device with the three zones defined (Untrust, Trust, and DMZ) and the Trust interface (ethernet 0/2) is in NAT mode.
0
 
deimarkCommented:
Then the above still applies

Interface nat occurs in the following circumstances

From trust to untrust
From DMZ to untrust

If you want to nat any other kind of traffic, then policy nat must be used.

As a side note, when I install screenos devices for customers I always turn off interface nat and use policy nat to control the natting done,  As well as making sure the exact type of nat is happening in the right place, we see a nice little blue tick in the policy screen to tell me nat is being done in that rule, but interface nat is there for those that want it
0
 
QlemoC++ DeveloperCommented:
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
0

Featured Post

The Lifecycle Approach to Managing Security Policy

Managing application connectivity and security policies can be achieved more effectively when following a framework that automates repeatable processes and ensures that the right activities are performed in the right order.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now