You'll have to change the port mode to Extended. This will wipe out the config that is currently on it. But once that is done, you can do anything you want. However, you cannot specify what interfaces are in what zone; on the 5GT it is a preconfigured setup that can't be modified beyond the port mode.
Your diagram is a bit fubar, but is technically possible. You can put it in route mode, but the way you have it with an ADSL router might be painful. Is there a reason for having the Untrust zone using a
Firstly, back up the current config in case you need to go back to it.
Then, in the GUI, go to port mode and change it to extended port mode. The GUI will show, depending on the ScreenOS version, the new ports as colour coded, and the trusted 4-port switch will be split into a trusted and a DMZ. Also, your current config will be reset, so you'll have to re-add it.
With the DMZ ports in their native route mode, you'll need to add a static route on the ADSL router such that 84.12.x.0/29 next hop is 10.0.0.2.
Alternatively, edit the properties of the untrust interface (under network interfaces) and create a mapped IP on the 10.0.0.? network for each of the 84.12.x.? servers. But adding the static route to the ADSL router is better.
You'd then need to create policies to allow traffic from the untrusted to the dmz.
The second 192.168... router on the DMZ may not be needed as you can potentially pass traffic across through the netscreen.
mode which works by putting the same IP address on both ADSL and ethernet sides. But you'd need another 62.x.x.x address to give to the untrust interface of the firewall, which you don't have. So your 10.0.0.? does make sense.
The reason I've got the 10.0.0.1 and 10.0.0.2 is the link between the NS5GT and my ZOOM X5 ADSL modem/router. I've got a static IP on the dial up interface of the Zoom X5 which is different to my 8 Public IP addresses.
I assume that I can only use IP addresses from the 8 public IPs in the DMZ, as it tells me to bog off when I try and put one of those IPs on the untrust interface.
If you could be so kind as to suggest a better way of doing it I'm all ears. I'd really appreciate a bit of help on this as I've been banging my head on this for 3 days now. :(
I take it that my untrust-vr has to have a default route 0.0.0.0/0 gw 10.0.0.1.
What other routes should the untrust-vr have?
In fact what routes should I have for the trust and untrust virtual routers?
I did manage to get a connection to the internet by my trusted network, but not the DMZ, last night, but I've had to put my network back to its original settings to allow my users internet access today. I added a policy via the wizard for the trust-untrust zones.
Do I have to configure policies for each direction? E.g. Trust-DMZ, DMZ-Trust, Trust-Untrust, Untrust-Trust, DMZ-Untrust & Untrust-DMZ?
I have web servers in the DMZ and I also need port 25 access to a server in the trusted zone from the internet. Unless you know of an SMTP proxy software that I could place on a server in the DMZ.
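A ScreenOS CLI rendering of the layout discussed in this thread (route-mode DMZ on the public /29, a default route toward the ADSL router, a mapped IP for the SMTP server, and one policy per direction), added here as an illustration and not taken from the thread or from Juniper's documentation. It assumes the 5GT is already in extended port mode with every interface still in trust-vr (the factory layout, so the default route lives there rather than in untrust-vr), 10.0.0.2/24 on the untrust side (a /30 leaves no spare address for a MIP), a web server at 84.12.x.2 (x kept as the poster's elided octet), and an assumed mail server at 192.168.1.10 in the trust zone; the command syntax is from memory of ScreenOS 5.x and should be checked against the CLI reference for the installed release.

```text
set interface untrust ip 10.0.0.2/24
set interface dmz ip 84.12.x.1/29
set interface dmz route
set vrouter trust-vr
set route 0.0.0.0/0 interface untrust gateway 10.0.0.1
exit
set address dmz "web1" 84.12.x.2 255.255.255.255
set interface untrust mip 10.0.0.3 host 192.168.1.10 netmask 255.255.255.255 vr trust-vr
set policy from untrust to dmz any "web1" HTTP permit
set policy from untrust to dmz any "web1" HTTPS permit
set policy from untrust to trust any "MIP(10.0.0.3)" SMTP permit
set policy from trust to untrust any any ANY permit
set policy from trust to dmz any "web1" HTTP permit
set policy from dmz to untrust any any DNS permit
save
```

Each zone pair and direction needs its own policy; ScreenOS permits nothing between zones without a matching rule, so DMZ-Trust and Untrust-Trust stay closed here apart from the MIP'd SMTP rule. The ADSL router still needs its static route for 84.12.x.0/29 via 10.0.0.2 (or, if the MIP approach is used for the web servers too, MIPs on the 10.0.0.0/24 side instead) before the DMZ hosts are reachable from the internet.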