Posted by Somebody. on September 25, 2005, 8:34 am
> Running a Netscreen 5GT Extended mode and want to configure the DMZ.
> I have a FTP server in the DMZ and it can be accessed from the untrust
> to the dmz zone no problem after putting a policy and a VIP in place.
> My problem is I can't get from the DMZ to the Internet. I tried
> putting a policy in place for DMZ to Untrust allowing anything (for
> testing) and no go. In the log on the anything policy, I noticed that
> the source address and translated address are the same and bytes are
> being sent but not received...so I'm assuming NAT isn't working on the
> DMZ addresses. Is this a correct assumption? I don't have a lot of
> NetScreen knowledge so I can't figure out how or where to resolve
> this. Any help would be appreciated.
NAT is enabled by interface OR by policy.
You likely have neither enabled on your DMZ interface and policy.
In the "dmz -> untrust dmz_subnet to any all permit" policy, click on
"advanced" and then put a check beside "NAT" and hit ok/ok.
The checkmark circle in the policy list should change from green (permit) to
blue (NAT) and you should be fine.
I don't recommend NAT by interface, *ever*. It's implemented less
efficiently in the box and prevents you from putting non-NATd traffic
through the interface. NAT should be enabled policy by policy as
appropriate.
-Russ.
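An added example (not part of Russ's reply or the original thread) showing the same fix from the ScreenOS CLI instead of the WebUI. The zone names, the policy id, the address-book entry and the subnet are assumptions; lines starting with # are annotations, not ScreenOS commands.

```text
# Address-book entry for the DMZ subnet (assumed name and range)
set address "DMZ" "dmz_subnet" 10.1.1.0 255.255.255.0

# "Before": the permit-anything test policy from the question. Without
# "nat src" the packets leave the Untrust interface with their private
# DMZ source address, so replies never come back (bytes sent, none received).
set policy id 10 from "DMZ" to "Untrust" "dmz_subnet" "Any" "ANY" permit log

# "After": the same policy with source NAT enabled per policy, which is
# what the "NAT" checkbox under "advanced" does in the WebUI.
unset policy id 10
set policy id 10 from "DMZ" to "Untrust" "dmz_subnet" "Any" "ANY" nat src permit log

# Check: the policy should now show "nat src", and a fresh session from
# the DMZ should log a translated address that differs from the source.
get policy id 10
get session src-ip 10.1.1.10
```

Leaving the DMZ interface itself in route mode (not NAT mode) keeps this behaviour per policy, as Russ recommends.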