Screen OS

Hello all, I am hoping someone will be able to guide me in the right path.

So heres my scenario:

 I have a LAN with 3 floors (10.1.21.X, 10.1.22.X, 10.1.23.X). 

Each floor has HP procurve switches and the one I am testing on is my (10.1.21.X) network.

Within one of our floors(10.1.21.X) we have a dept that we need to isolate from our network with the exception of RDP and 9100 open back to the LAN and also be able to connect to the internet.

1. So what I have just for testing purposes is on my SSG-5 i have a untrust which goes out to a seperate DSL. (dhcp)

2. I have on my Trust side connected to my LAN 10.1.21.253 which is plugged into our HP Procurve switch (10.1.21.1)

3. I have on the DMZ my private new network within our LAN. (192.168.230.253) for the new network (192.168.230.X)

I have 2 issues.

I cannot connect to the internet via the DMZ zone when I plug in

I cannot ping the 10.1.21.253 from the LAN from another switch (10.1.22.X)

(I can ping everything else on the switch(10.1.21.X) from my (10.1.22.X)

I have all policies open any to any accepting (for testing purposes)

Any ideas. Thanks in advance.

For your ping problem, did you allow ping as a managed service on the interface?

Example:

set interface e0/0 manage ping

For your internet access issue, did you enable NAT on your dmz to untrust policy?

Example:

set policy from dmz to untrust any any any nat src permit

-Richard

Thanks for the reply Richard.

I checked and the interface does have ping enabled on that interface. I cannot reach it at all from my LAN like it is not even there.  I'll go ahead and try the internet access issue solution and tell you what happens. Thanks again.

trevino,

Does the HP see the mac and arp entry for the netscreen interface?

Dennis

It does. What this turned out to be was a routing issues between the hp's and the netscreen. after setting up a static route on the hp switch that hits my netscreen interface i was able to ping and access the netscreen. Thanks again for the reply and help!