Version: 6.0 and higher
The local trust zone server has a public ip address assigned for accessing services. This has two policies created. One allows destination nat for the untrust internet traffic to access the services. The second allows local trust lan computers to access the same public ip address for these same services. This policy requires both source and destination nat.
The server publishes services to a public ip address on the firewall. The public ip address is placed int the trust zone and policy based nat is used to make the necessary address translations. The untrust to trust access also requires that proxy arp be enabled for the published address. Note that the method for proxy arp changes with version 6.3 of ScreenOS.
The trust to trust access requires that the direct lan connection between the two computers at layer two be prevented from kicking in. This is accomplished by translating the requesting computer source address to the firewall interface ip address. This forces the reply from the server local ip address to come to the firewall and not returned directly to the requesting computer. Thus the session setup for the public ip address by the local computer is maintained and the connection can be managed.
The process requires two separate policies
- 1.Untrust to Trust for the internet access to the server with destination nat
- 1.Trust to Trust for the local LAN access via the public ip address with both source and destination nat.
untrust interface is ethernet0/0
trust interface is bgroup0
The public ip address is placed into the trust zone
6.2 or earlier
set arp nat-dst
set interface ethernet0/0 proxy-arp-entry 22.214.171.124 126.96.36.199
WEB (6.3 only. 6.2 only available in CLI)
Network – Interfaces
edit interface ethernet0/0
Address Object for public ip address into Trust Zone
set address Trust ServerPublic 188.8.131.52 255.255.255.255
set address Trust LAN 10.0.2.0 255.255.255.0
1. Untrust to Trust for the internet access to the server with destination nat
set policy name ServerUntrust from Untrust to Trust any ServerPublic HTTP dst ip 10.0.2.2 permit log
Untrust to Trust
From Any to ServerPublic
Select services from list
Check log button
Destination translation and enter the server ip address 10.0.2.2
2. Trust to Trust for the local LAN access via the public ip address with both source and destination nat.
Enable the proxy arp for destination nat. This is a CLI only command.
set policy name ServerInternal from Trust to Trust LAN ServerPublic HTTP nat src dst ip 10.0.2.2 permit log
Policies – Policy – set trust to trust – Create New
select the required server services
check log button
Check destination translation and enter the server ip address 10.0.2.2
Check source translation and leave on the default egress interface
Attempt server access from internal computer using public address and open the policy log. Verify that both the source and destination translation are occurring as expected.
Attempt the server access from the untrust zone to the public address and verify connection in log.
ScreenOS Concepts and Examples Guide
Network Address Translation
Concepts & Examples Guide
Volume 8 Address Translation
Chapter 3 – Nat-src and Nat-dst in the same policy
Originally Posted July 09, 2011
Last Revised on July 09, 2011