Hello,
I am trying to implement the simple network below:
(Untrust 0/0) ADSL -----------> SSG5 -----------> (Trust in 0/2 and 0/3) WAP + Ethernet
                                 |-----------> (DMZ in 0/1) Blog Server
The configuration file is attached below. Please note that the IP addresses are masked as follows:
Untrust zone: retrieve IP from provider (A.D.S.L/24)
DNS addresses are retrieved from provider (ADSL.D.N.S1 and ADSL.D.N.S2)
DMZ: gateway is a static address (Gateway.D.M.Z/24)
Blog server is a static address (Blog.S.T.C/24)
Trust: SSG5 gateway (Gateway.S.T.C/24)
WAP gateway is a static address (WPA.S.T.C/24)
DHCP dynamic address range (start: Trust.S.T.R, end: Trust.E.N.D - note that the gateway addresses are not included in this range)
The 3 policies are in the following order:
- from DMZ (blog server only) to Untrust: any
- from Trust to DMZ (blog server only): any
- from Trust to Untrust: any
Here is the behaviour:
1- Trust-Untrust configuration is Ok
2- Trust-DMZ configuration is NOK: I can ping the Blog server but I cannot HTTP in (connection reset message in browser, SSG5 signals Close Age for the request)
3- DMZ-Untrust configuration is NOK: I can't ping an internet IP address (SSG5 signals close Age for the request)
Here is what I have done until now:
- read various documentation (knowledge base, official ScreenOS configuration guide) and tried out configurations: at best I keep the same behaviour. At worst, I lose all connection to Untrust.
- updated the firmware twice (from original 5.4.0r2 to 6.3.0r16a via 5.4.0r16): no modification to behaviour.
For the moment, I am stumped. There is certainly something I fundamentally don't understand.
Can anybody tell me how to:
1- connect the Trust zone to the DMZ so that I can test HTTP connections (additional info: the Blog server is correctly configured, since it was tested in the Trust zone before being moved to the DMZ)
2- connect DMZ to Untrust so that I can download system upgrades on the web server
Thanks in advance.
red.
#SSG5