norgetek asked:

Interface NAT mode on a SSG / ScreenOS 6.X


I don't usually use interface NAT mode, so I need to clarify a question. I don't have access to an SSG right now, so I'm hoping someone can help me out.

Scenario: I have a SSG device with the three zones defined (Untrust, Trust, and DMZ) and the DMZ interface (ethernet 0/3) is in NAT mode.

From reading the documentation, it appears that when traffic is initiated from the Trust zone, traverses the SSG, and heads out either the Untrust or DMZ zone interface, the source IP will be src-NAT'd to the egress interface.

What is not clear is this: suppose you have a host in the DMZ that initiates traffic to a host in the Trust zone. Assuming there are no policy-based NAT statements, will the traffic be NAT'd? The documentation, in my opinion, just isn't clear on this circumstance.

Thanks....
deimark

Interface NAT occurs in the following circumstances:

From Trust to Untrust
From DMZ to Untrust

All other traffic will NOT be NATed unless specifically defined in a policy.

So for traffic from DMZ to Trust, interface NAT does NOT occur.

HTH
norgetek (ASKER)

Typed too fast when I made the post:

This is the scenario I meant to describe:

I have a SSG device with the three zones defined (Untrust, Trust, and DMZ) and the Trust interface (ethernet 0/2) is in NAT mode.
ASKER CERTIFIED SOLUTION
deimark
This solution is only available to members.
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.