Netscreen 5GT Extended DMZ setup

Running a Netscreen 5GT in Extended mode and want to configure the DMZ. I have an FTP server in the DMZ and it can be accessed from the untrust to the dmz zone no problem after putting a policy and a VIP in place. My problem is I can't get from the DMZ to the Internet. I tried putting a policy in place for DMZ to Untrust allowing anything (for testing) and no go. In the log on the anything policy, I noticed that the source address and translated address are the same and bytes are being sent but not I'm assuming NAT isn't working on the DMZ addresses. Is this a correct assumption? I don't have a lot of Netscreen knowledge so I can't figure out how or where to resolve this. Any help would be appreciated.

The other Mike

NAT is enabled by interface OR by policy.

You likely have neither enabled on your DMZ interface and policy.

In the "dmz -> untrust dmz_subnet to any all permit" policy, click on "advanced" and then put a check beside "NAT" and hit ok/ok.

The checkmark circle in the policy list should change from green (permit) to blue (NAT) and you should be fine.

I don't recommend NAT by interface, *ever*. It's implemented less efficiently in the box and prevents you from putting non-NATd traffic through the interface. NAT should be enabled policy by policy as appropriate.


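An added example, not part of the original thread: a small Python audit over a saved ScreenOS configuration that lists permit policies between two zones that lack policy-based source NAT (`nat src`), and reports which interfaces in the source zone are in interface NAT mode. The sample config, interface names, address names and policy IDs are constructed, and the parser assumes the one-line `set policy id ... from ... to ...` form.

```python
import shlex

# Constructed sample in ScreenOS saved-config style (names and IDs are made up).
SAMPLE_CONFIG = '''\
set interface "ethernet1" zone "Trust"
set interface "ethernet2" zone "DMZ"
set interface "ethernet3" zone "Untrust"
set interface ethernet1 nat
set interface ethernet2 route
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit log
set policy id 2 from "DMZ" to "Untrust"  "dmz_subnet" "Any" "ANY" permit log
set policy id 3 from "Untrust" to "DMZ"  "Any" "VIP(ethernet3)" "FTP" permit log
set policy id 4 from "DMZ" to "Untrust"  "dmz_subnet" "Any" "DNS" nat src permit
'''


def audit_nat(config, src_zone="DMZ", dst_zone="Untrust"):
    """Return (policy_ids_without_src_nat, nat_mode_interfaces_in_src_zone)."""
    zone_of = {}        # interface name -> zone name
    nat_mode = set()    # interfaces set to interface-based NAT
    missing = []        # permit policies src_zone -> dst_zone without "nat src"
    want = (src_zone.lower(), dst_zone.lower())
    for line in config.splitlines():
        t = shlex.split(line)   # strips the double quotes ScreenOS writes
        if t[:2] == ["set", "interface"] and len(t) >= 4:
            if t[3:4] == ["zone"] and len(t) == 5:
                zone_of[t[2]] = t[4]
            elif t[3:] == ["nat"]:
                nat_mode.add(t[2])
        elif t[:3] == ["set", "policy", "id"] and len(t) >= 12 and t[4] == "from":
            if (t[5].lower(), t[7].lower()) != want:
                continue
            action = t[11:]     # everything after source, destination, service
            if "permit" in action and action[:2] != ["nat", "src"]:
                missing.append(int(t[3]))
    ifaces = sorted(i for i in nat_mode
                    if zone_of.get(i, "").lower() == want[0])
    return missing, ifaces


if __name__ == "__main__":
    ids, ifaces = audit_nat(SAMPLE_CONFIG)
    print("DMZ->Untrust permit policies without 'nat src':", ids)
    print("DMZ interfaces in NAT mode:", ifaces or "none")
```

A policy listed by the first value with an empty second value matches the symptom in the question: traffic is permitted but leaves with its original source address.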