I have an SSG5 and am wondering if I can use it to enable a monitoring device on an untrust zone to communicate with a couple of service devices on other zones having identical subnetting to each other.
I have put one of the service devices on the 'trust' zone on the same 'trust-vr' as the untrust zone,
and the other on an 'alt-zone' on a separate 'alt-vr',
and added a MIP on the untrust interface with a unique untrust IP translating to the service-side IP for each device...
I expected pings to the MIP IP configured on the 'trust-vr' to be isolated from pings to the MIP IP configured on the 'alt-vr'...
but no matter which MIP IP I ping from the monitoring host, I get replies whether I plug a service device into the 'trust-vr' port or the 'alt-vr' port...
So:
Monitor at 10.10.10.12
wired to port 0/0 (untrust zone on trust-vr) 10.10.10.10/24
Service device at 192.168.1.100
wired to port 0/6 (trust zone on trust-vr) 192.168.1.99/24
Service device at 192.168.1.100
wired to port 0/5 (alt-zone on alt-vr) 192.168.1.99/24
MIP on port 0/0 (10.10.10.19) to host 192.168.1.100/32, vr "alt-vr"
MIP on port 0/0 (10.10.10.20) to host 192.168.1.100/32, vr "trust-vr"
If I attach a service device to just port 0/5, I get replies when pinging either 10.10.10.19 or .20 from the monitoring device.
Likewise if I attach a service device to just port 0/6...
Does global zone prevent me from isolating the service devices or do I just need to get smart on routing and policy?
Thanks for any help.
------------------------------
JOHN JOHN
------------------------------
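The setup described in the post above, written out as ScreenOS CLI so the two MIPs, the two virtual routers and the policies that reference them can be seen side by side. This is an added example, not configuration from the original post or from Juniper: the interface names (ethernet0/0, ethernet0/5, ethernet0/6), the per-zone policies and the `get`/`debug` checks at the end are assumptions about how the poster's layout would be entered, and lines beginning with `#` are annotations, not CLI. Which MIP actually answers a ping depends on the route lookup in each VR and on the policy that matches, so the commands at the end are the ones to run before changing routing.

```text
# --- virtual router and zone for the second service device (assumed names from the post) ---
set vrouter name alt-vr
set zone name alt-zone
set zone alt-zone vrouter alt-vr

# --- untrust side: monitor at 10.10.10.12 lives on this segment ---
set interface ethernet0/0 zone untrust
set interface ethernet0/0 ip 10.10.10.10/24

# --- first service device, trust zone on the default trust-vr ---
set interface ethernet0/6 zone trust
set interface ethernet0/6 ip 192.168.1.99/24

# --- second service device, alt-zone on alt-vr, same 192.168.1.0/24 addressing ---
set interface ethernet0/5 zone alt-zone
set interface ethernet0/5 ip 192.168.1.99/24

# --- one MIP per device on the untrust interface; the vr keyword selects which
#     virtual router the 192.168.1.100 host address is resolved in ---
set interface ethernet0/0 mip 10.10.10.19 host 192.168.1.100 netmask 255.255.255.255 vr alt-vr
set interface ethernet0/0 mip 10.10.10.20 host 192.168.1.100 netmask 255.255.255.255 vr trust-vr

# --- policies from untrust to each zone, restricted to the matching MIP address
#     (assumed; the post does not show its policies) ---
set policy from untrust to trust any mip(10.10.10.20) ping permit
set policy from untrust to alt-zone any mip(10.10.10.19) ping permit

# --- checks to run while pinging from 10.10.10.12: which VR, route and policy
#     a given MIP resolves through ---
get mip
get route vrouter trust-vr ip 192.168.1.100
get route vrouter alt-vr ip 192.168.1.100
get session src-ip 10.10.10.12
set ff src-ip 10.10.10.12
debug flow basic
get dbuf stream
undebug all
```

The `get route vrouter ... ip 192.168.1.100` lines show, for each VR, which interface a packet to the translated host would be sent out of; `get session` and the `debug flow basic` capture show which MIP and policy an actual ping matched and which egress interface it used.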