hmsinfra

asked on 

SSG5: No Inbound Trust Internet Access

Currently, I have an SSG5 with the latest firmware that has a very simple setup (I have left it simple until I can get the basics working), but I cannot seem to get Untrust-->Trust traffic working.

Setup
SSG5: has been through the GUI setup wizard and has the three basic zones, Untrust (port 0/0), DMZ (0/1) and Trust (0/2-0/6). Untrust is a /29 (xx.xx.xx.130/29, which we will call untrust.130) with the SSG5's web GUI on the first usable IP. DMZ is 10.0.0.1 and connected to nothing, while Trust is on a /27 (xx.xx.xx.128/27, which we will call trust.128) with the zone set to .130 with the manageable IP on .144 (there are other servers on this /27 and .50 is the first free one other than .130). A patch cable runs from 0/0 to the primary switch in the rack, which has an uplink out of the data center.
Server: There is a server plugged into 0/4 (which would be trust) running Linux that is assigned xx.xx.xx.150 in the Trust /27. IPTables is disabled, and there is a Lantronix KVM plugged into the server so I can make any network changes while troubleshooting. Before plugging it into the firewall, I could ping it, SSH to it, and so on. In all descriptions, this is what I am always trying to reach or send traffic OUT of.

Policies
Global: ANY/ANY/PING, ANY/ANY/TRACEROUTE, and an ANY/ANY/IPGROUP with IPGROUP being an address group with company static IPs such as offices, and so on.
Trust --> Untrust: ANY/ANY/ANY -- Source Translation (Use Egress Interface IP) ** See Note below
Untrust --> Trust: ANY/ANY/ANY

Problems
Cannot ping in or out (using google.com or 8.8.8.8) and cannot SSH in or out. I *can* ping untrust.130. So although I can access untrust fine from the outside (I can hit the SSG GUI, ping the SSG GUI IP, ping google.com from the SSG5, etc.), I cannot access trust from the outside, or access the outside from trust.

Note: Now, if I go to the untrust interface and change it from route (both interfaces were set to route) to NAT *or* change the Trust --> Untrust policy to Source Translation (Use Egress Interface IP), then I can ping google.com, and ping 8.8.8.8. But I still cannot reach trust from the outside.
Hardware Firewalls

Last Comment
Qlemo

8/22/2022 - Mon