http://kb.juniper.net/KB12835 (it may not be directly reachable; you should go to http://kb.juniper.net/KB11909, then 11911, then 12835)
- You want to allow a DMZ server inside the firewall full access to the Internet, and any outside host access to a web server inside the firewall on the Trust zone
- Users on Internet will use the Server Public IP address 1.1.1.50 to access the internal server 192.168.1.50
The untrust interface is 1.1.1.100 and the server public address is 1.1.50. The internal server is 192.168.1.50.
As the document says, if the server needs to access the Internet, it should also use the public IP address? Am I right? That means, if the server needs to start a connection to another server, it should also use its public IP address, the same address that other servers use to connect to it.
But my problem is that when I enable logging on the policies, I see that the packets from 192.168.1.50 were translated to 1.1.1.100 (the egress IP address). That is not what I wanted.
Mine is ScreenOS 5.4.0r4.0, SGS 1400