SSG5: No Inbound Trust Internet Access
Currently, I have an SSG5 with the latest firmware that has a very simple setup (I have left it simple until I can get the basics working), but I cannot seem to get Untrust-->Trust traffic working.
Setup
SSG5: has been through the GUI setup wizard and has the three basic zones, Untrust (port 0/0), DMZ (0/1) and Trust (0/2-0/6). Untrust is a /29 (xx.xx.xx.130/29, which we will call untrust.130) with the SSG5's web GUI on the first usable IP. DMZ is 10.0.0.1 and connected to nothing, while Trust is on a /27 (xx.xx.xx.128/27 which we will call trust.128) with the zone set to .130 w/the manageable IP on .144 (there are other serers on this /27 and .50 is the first free one other than .130). A patch cable runs from 0/0 to the primary switch in the rack, which has an uplink out of the data center.
Server: There is a server plugged into 0/4 (which would be trust) running Linux that is assigned xx.xx.xx.150 in the Trust /27. IPTables is disabled, and there is a Lantronix KVM plugged into the server so I make any network changes while troubleshooting. Before plugging it into the firewall, I could ping it, SSH to it, and so on. In all descriptions, this is what I am always trying to reach or traffic OUT of.
Policies
Global: ANY/ANY/PING, ANY/ANY/TRACEROUTE, and an ANY/ANY/IPGROUP with IPGROUP being an address group with company static IPs such as offices, and so on.
Trust --> Untrust: ANY/ANY/ANY -- Source Translation (Use Egress Interface IP) ** See Note below
Untrust --> Trust: ANY/ANY/ANY
Problems
Cannot ping in or out (using google.com or 8.8.8.8) and cannot SSH in or out. I *can* ping untrust.130. So although I can access untrust fine from the outside (I can hit the SSG GUI, ping the SSG GUI IP, ping google.com from the SSG5,etc), and I cannot access trust from the outside, or access the outside from trust.
Note: Now, if I go to the untrust interface and change it from route (both interfaces were set to route) to NAT *or* change the Trust --> Untrust policy to Source Translation (Use Egress Interface IP), then I can ping google.com, and ping 8.8.8.8. But I still cannot reach trust from the outside.
Setup
SSG5: has been through the GUI setup wizard and has the three basic zones, Untrust (port 0/0), DMZ (0/1) and Trust (0/2-0/6). Untrust is a /29 (xx.xx.xx.130/29, which we will call untrust.130) with the SSG5's web GUI on the first usable IP. DMZ is 10.0.0.1 and connected to nothing, while Trust is on a /27 (xx.xx.xx.128/27 which we will call trust.128) with the zone set to .130 w/the manageable IP on .144 (there are other serers on this /27 and .50 is the first free one other than .130). A patch cable runs from 0/0 to the primary switch in the rack, which has an uplink out of the data center.
Server: There is a server plugged into 0/4 (which would be trust) running Linux that is assigned xx.xx.xx.150 in the Trust /27. IPTables is disabled, and there is a Lantronix KVM plugged into the server so I make any network changes while troubleshooting. Before plugging it into the firewall, I could ping it, SSH to it, and so on. In all descriptions, this is what I am always trying to reach or traffic OUT of.
Policies
Global: ANY/ANY/PING, ANY/ANY/TRACEROUTE, and an ANY/ANY/IPGROUP with IPGROUP being an address group with company static IPs such as offices, and so on.
Trust --> Untrust: ANY/ANY/ANY -- Source Translation (Use Egress Interface IP) ** See Note below
Untrust --> Trust: ANY/ANY/ANY
Problems
Cannot ping in or out (using google.com or 8.8.8.8) and cannot SSH in or out. I *can* ping untrust.130. So although I can access untrust fine from the outside (I can hit the SSG GUI, ping the SSG GUI IP, ping google.com from the SSG5,etc), and I cannot access trust from the outside, or access the outside from trust.
Note: Now, if I go to the untrust interface and change it from route (both interfaces were set to route) to NAT *or* change the Trust --> Untrust policy to Source Translation (Use Egress Interface IP), then I can ping google.com, and ping 8.8.8.8. But I still cannot reach trust from the outside.
Do more with
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Premium Content
You need an Expert Office subscription to comment.Start Today