EDIT: I fat-fingered one of the octets... 😛 sarab's debug statements allowed me to see just the packets involved. My basic understanding was not the problem, it was driver-error.
Hi
I am setting up an SSG 5 and wish to create a rule that will allow a few hosts from trusted to untrusted for a management interface into my bridged DSL modem's LAN. The deny works but the allow rule for a single IP does not. What is it I am doing wrong?
trust (NAT); untrust (NAT)
My policy list between trust and untrust started with:
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
This allowed internet access for all my trusted zones and all trusted zone hosts can access my DSL modem's management interface (192.168.1.254). I'm currently only using one trusted zone but will be using others.
The deny rule works and is placed before "any any any permit".
set policy id 9 from "Trust" to "Untrust" "Any" "192.168.1.252/30" "ANY" deny
The untrust interface definition is
set interface "bgroup3" zone "Untrust"
set interface bgroup3 ip 192.168.1.253/30
set interface bgroup3 nat
The allow rule is what is not working if I have id 9 enabled. It is placed before policy id 9.
set policy id 10 from "Trust" to "Untrust" "172.16.0.20/32" "192.168.1.252/30" "ANY" permit
Here are the policy entries in the configuration with successful policy verify:
set policy id 10 from "Trust" to "Untrust" "172.16.0.20/32" "192.168.1.252/30" "ANY" permit
set policy id 10
exit
set policy id 9 from "Trust" to "Untrust" "Any" "192.168.1.252/30" "ANY" deny
set policy id 9
exit
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set policy id 1
exit
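To make the ordering behaviour concrete, here is an added example (my own Python model, not ScreenOS code) that evaluates the three policies above in first-match order, the way the firewall does; the source address 172.16.0.29 used to simulate the typo from the EDIT is a constructed value:

```python
"""First-match walk over the ScreenOS-style policy list from the post.

Added example, not firewall code: it shows why a permit placed before a deny
only helps when its source/destination selectors actually match the packet,
and why one mistyped octet silently hands the packet to the deny rule."""
import ipaddress
from typing import List, Optional, Tuple

Policy = Tuple[int, str, str, str]  # (id, src selector, dst selector, action)

# Same order as `get policy` shows them; id 10 is consulted first.
POLICIES: List[Policy] = [
    (10, "172.16.0.20/32", "192.168.1.252/30", "permit"),
    (9, "Any", "192.168.1.252/30", "deny"),
    (1, "Any", "Any", "permit"),
]

# Constructed copy of the list with a fat-fingered octet in policy 10.
TYPO_POLICIES: List[Policy] = [
    (10, "172.16.0.29/32", "192.168.1.252/30", "permit"),
    (9, "Any", "192.168.1.252/30", "deny"),
    (1, "Any", "Any", "permit"),
]


def _matches(selector: str, addr: str) -> bool:
    """'Any' matches everything; otherwise do a CIDR containment test."""
    if selector == "Any":
        return True
    net = ipaddress.ip_network(selector, strict=False)
    return ipaddress.ip_address(addr) in net


def lookup(src: str, dst: str, policies: List[Policy] = POLICIES
           ) -> Optional[Tuple[int, str]]:
    """Return (policy id, action) of the first policy matching src and dst.

    None means no policy matched; the firewall then falls back to the
    zone default action instead of any listed policy.
    """
    for pid, s_sel, d_sel, action in policies:
        if _matches(s_sel, src) and _matches(d_sel, dst):
            return pid, action
    return None


if __name__ == "__main__":
    for plist, label in ((POLICIES, "correct"), (TYPO_POLICIES, "typo")):
        print(label, "172.16.0.20 -> 192.168.1.254:",
              lookup("172.16.0.20", "192.168.1.254", plist))
```

Running it shows the management host reaching 192.168.1.254 via policy 10 with the correct source, and hitting policy 9 (deny) once the octet is wrong, which is exactly the symptom described above.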