Interface NAT mode on an SSG / ScreenOS 6.X
Posted on 2011-02-10
I don't usually use interface NAT mode, so I need to clarify a question. I don't have access to an SSG right now, so I'm hoping someone can help me out.
Scenario: I have an SSG device with the three zones defined (Untrust, Trust, and DMZ), and the DMZ interface (ethernet 0/3) is in NAT mode.
From reading the documentation, it appears that when traffic is initiated from the Trust zone, traverses the SSG, and heads out either the Untrust or DMZ zone interface, the source IP will be src-NAT'd to the egress interface.
What is not clear is this: suppose you have a host in the DMZ that initiates traffic to a host in the Trust zone. Assuming there are no policy-based NAT statements, will the traffic be NAT'd? The documentation, in my opinion, just isn't clear on this circumstance.