Netscreen 25: using multiple untrusted interfaces

I am trying to set up a Netscreen-25 with the following configuration:

Interface1: Trust (192.168.x.0/24)
Interface2: DMZ (10.10.10.0/24)
Interface3: Untrust (x.x.x.y/27)
Interface4: Untrust2 (x.x.x.x/27)

For the purposes of explaining what I want to achieve, I have essentially set up the following policies:

  1. Trust->Untrust (allow approved protocols)
  2. Untrust->Trust (allow protocols via MIP/VIP)
  3. Untrust2->Trust (allow protocols via MIP/VIP)
  4. Untrust->DMZ (allow protocols via MIP/VIP)
  5. Untrust2->DMZ (allow protocols via MIP/VIP)
  6. Trust->DMZ (allow approved protocols)

I have set up default gateways for both of the Untrusted interfaces.

I can get policies 1 and 2 to work. I cannot get policy 3 to work. Because I cannot get policy 3 to work, I have not tested policies 4, 5 and 6 yet.

I was wondering if what I am trying to do is impossible with an NS-25? I can't get traffic to forward from the Untrust2 interface to a node in the trusted LAN.

regards,

Gerard Dillon


Ok, when you say

What do you mean *exactly*?

A policy for a MIP or a VIP must have that VIP/MIP as its destination address, not the local address of the destination object. But, in case of policy 3, you must define the MIP/VIP on eth3, not eth2 like you will need to for policy 4 and 6.

You'll probably find that policy 6 is redundant because of policy 4, depending which firmware rev you're running, but it might not be.

That all said, VIPs or MIPs in the DMZ or other zones are perfectly allowable.

How about you post the line defining eth3, the line defining the MIP/VIP you're using for policy 3, and policy 3 for us, as well as the lines defining any address objects used in policy 3 or any custom service(s) used in policy 3. Just change one or two of the octets in the public addresses for security purposes. That will make a good starting point for us to look at.

-Russ.

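To make the point in the reply above concrete, here is an added ScreenOS configuration fragment for policy 3 (Untrust2 -> Trust via a MIP). It is not taken from either poster's configuration; it assumes Untrust2 is the custom zone on ethernet4 (the fourth interface in the question's list), uses 203.0.113.0/27 as a stand-in for the real public block and 192.168.1.10 as the stand-in internal host, and keeps everything in the default trust-vr virtual router. The MIP is bound to the interface that sits in the Untrust2 zone, and the policy's destination is the MIP object, not the internal address object.

```screenos
## Added example config, not from the original thread. Addresses are placeholders.

## Custom zone for the second ISP link, in the same virtual router as Trust.
set zone name "Untrust2"
set zone "Untrust2" vrouter "trust-vr"

## The fourth physical interface carries the second public /27.
set interface ethernet4 zone "Untrust2"
set interface ethernet4 ip 203.0.113.2/27

## Default route out of the second link (the first link has its own).
set route 0.0.0.0/0 interface ethernet4 gateway 203.0.113.1

## MIP: public 203.0.113.10 on ethernet4 maps 1:1 to the internal host.
## It must live on the interface in the zone the traffic arrives from.
set interface ethernet4 mip 203.0.113.10 host 192.168.1.10 netmask 255.255.255.255 vr trust-vr

## Internal address object, only needed for Trust -> Untrust2 style policies.
set address "Trust" "web-server" 192.168.1.10 255.255.255.255

## Policy 3: destination is the MIP object, not "web-server".
set policy from "Untrust2" to "Trust" "Any" "MIP(203.0.113.10)" "HTTP" permit
```

Two checks worth running after this: `get policy` to confirm the policy's destination shows as `MIP(203.0.113.10)` in the Trust zone, and `get session` while a test connection is open to see which interface the reply leaves on. One caveat that the thread does not raise but that bites this layout: with two default routes in one virtual router only one of them is preferred, so a reply to a session that arrived on ethernet4 may be routed out ethernet3 and never reach the Untrust2 peer. If `get session` shows that, the usual fix is to put the second untrust interface in its own virtual router rather than adding more policies.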

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.