--> What IP is on the untrusted interface? If it is 10.0.0.3, you can use a MIP for both the DNS and mail services, and use a VIP for the HTTP and SMTP services. Yes, 1.0.0.3
--> DNS and mail will automatically use the MIP IP, but if your untrusted interface uses 1.0.0.3, all traffic except DNS and mail will use that IP.
Can anyone add more details?
Yes, but if we want (for example) to ping or send an HTTP request to something in Untrust (let it be 11.0.0.1) from 2.0.0.1, then on 11.0.0.1 we see packets from 1.0.0.1, not(!) from 1.0.0.3.
I tried to do this:
set interface "ethernet0/0" zone "DMZ"
set interface "ethernet0/9" zone "Untrust"
set interface ethernet0/0 ip 2.0.0.254/24
set interface ethernet0/0 nat
set interface ethernet0/9 ip 1.0.0.3/24
set interface ethernet0/9 nat
set interface "ethernet0/9" mip 1.0.0.1 host 2.0.0.1 netmask 255.255.255.255 vr "trust-vr"
set policy id 9 from "DMZ" to "Untrust" "Any" "Any" "FTP" nat src permit
set policy id 9
set service "HTTP"
set service "PING"
exit
It looks like policy id 9 just permits traffic from 1.0.0.1 to Untrust but doesn't apply the source NAT as defined in the policy.
How can I make it work? Or maybe there are other ways to do something like "nat src exception policies for MIP hosts"?
Message Edited by SparF on 01-06-2009 02:17 AM