{"id":275,"date":"2017-08-13T17:28:21","date_gmt":"2017-08-13T21:28:21","guid":{"rendered":"http:\/\/puluka.com\/home\/?p=275"},"modified":"2017-08-13T17:28:21","modified_gmt":"2017-08-13T21:28:21","slug":"server-published-to-public-ip-for-both-trust-untrust-connections","status":"publish","type":"post","link":"http:\/\/puluka.com\/home\/networking\/screenos\/server-published-to-public-ip-for-both-trust-untrust-connections\/","title":{"rendered":"Server published to Public IP for both Trust &#038; Untrust Connections"},"content":{"rendered":"<p><strong>Product<\/strong>: ScreenOS<br \/>\n<strong>Version<\/strong>: 6.0 and higher<\/p>\n<h2>Network Topology<\/h2>\n<p><a href=\"http:\/\/puluka.com\/home\/wp-content\/uploads\/2017\/08\/ScreenOSTrustPublicNAT.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-276\" src=\"http:\/\/puluka.com\/home\/wp-content\/uploads\/2017\/08\/ScreenOSTrustPublicNAT-300x124.png\" alt=\"\" width=\"300\" height=\"124\" srcset=\"http:\/\/puluka.com\/home\/wp-content\/uploads\/2017\/08\/ScreenOSTrustPublicNAT-300x124.png 300w, http:\/\/puluka.com\/home\/wp-content\/uploads\/2017\/08\/ScreenOSTrustPublicNAT-768x317.png 768w, http:\/\/puluka.com\/home\/wp-content\/uploads\/2017\/08\/ScreenOSTrustPublicNAT-1024x423.png 1024w, http:\/\/puluka.com\/home\/wp-content\/uploads\/2017\/08\/ScreenOSTrustPublicNAT.png 1213w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>The local trust zone server has a public ip address assigned for accessing services. This has two policies created. One allows destination nat for the untrust internet traffic to access the services. The second allows local trust lan computers to access the same public ip address for these same services. This policy requires both source and destination nat.<\/p>\n<h2>Description:<\/h2>\n<p>The server publishes services to a public ip address on the firewall. 
The public ip address is placed into the trust zone and policy based nat is used to make the necessary address translations. The untrust to trust access also requires that proxy arp be enabled for the published address. Note that the method for proxy arp changes with version 6.3 of ScreenOS.<\/p>\n<p>The trust to trust access requires that the direct lan connection between the two computers at layer two be prevented from kicking in. This is accomplished by translating the requesting computer's source address to the firewall interface ip address. This forces the reply from the server's local ip address to go to the firewall instead of being returned directly to the requesting computer. Thus the session set up for the public ip address by the local computer is maintained and the connection can be managed.<\/p>\n<p>The process requires two separate policies:<\/p>\n<ol>\n<li>Untrust to Trust for the internet access to the server with destination nat<\/li>\n<li>Trust to Trust for the local LAN access via the public ip address with both source and destination nat.<\/li>\n<\/ol>\n<h3>Zone Layout<\/h3>\n<p>untrust interface is ethernet0\/0<br \/>\ntrust interface is bgroup0<br \/>\nThe public ip address is placed into the trust zone<\/p>\n<h2>Configuration:<\/h2>\n<p><strong>Proxy ARP<\/strong><\/p>\n<p>CLI<br \/>\n6.2 or earlier<br \/>\nset arp nat-dst<\/p>\n<p>6.3<br \/>\nset interface ethernet0\/0 proxy-arp-entry 1.1.1.2 1.1.1.2<\/p>\n<p>WEB (6.3 only. 
6.2 only available in CLI)<br \/>\nNetwork \u2013 Interfaces<br \/>\nedit interface ethernet0\/0<br \/>\nProxy-arp menu<br \/>\nadd 1.1.1.2<\/p>\n<p>&nbsp;<\/p>\n<p><strong> Address Object for public ip address into Trust Zone<\/strong><\/p>\n<p>CLI<br \/>\nset address Trust ServerPublic 1.1.1.2 255.255.255.255<br \/>\nset address Trust LAN 10.0.2.0 255.255.255.0<\/p>\n<p>WEB<br \/>\nPolicy\u2014Policy Elements\u2014Addresses\u2014List<br \/>\nNew<br \/>\ntrust zone<br \/>\nServerPublic<br \/>\n1.1.1.2\/32<br \/>\nNew<br \/>\ntrust zone<br \/>\nLAN<br \/>\n10.0.2.0\/24<\/p>\n<p><strong>1. Untrust to Trust for the internet access to the server with destination nat<\/strong><\/p>\n<p><strong>CLI<\/strong><br \/>\nset policy name ServerUntrust from Untrust to Trust any ServerPublic HTTP dst ip 10.0.2.2 permit log<\/p>\n<p><strong>WEB<\/strong><br \/>\nPolicy\u2014Policies<br \/>\nUntrust to Trust<br \/>\nNew<br \/>\nFrom Any to ServerPublic<br \/>\nSelect services from list<br \/>\nPermit<br \/>\nCheck log button<br \/>\nAdvanced button<br \/>\nDestination translation and enter the server ip address 10.0.2.2<\/p>\n<p><strong>2. Trust to Trust for the local LAN access via the public ip address with both source and destination nat.<\/strong><\/p>\n<p>Enable the proxy arp for destination nat. 
This is a CLI only command.<\/p>\n<p><strong>CLI<\/strong><br \/>\nset policy name ServerInternal from Trust to Trust LAN ServerPublic HTTP nat src dst ip 10.0.2.2 permit log<\/p>\n<p><strong>WEB<\/strong><br \/>\nPolicies \u2013 Policy \u2013 set trust to trust \u2013 Create New<br \/>\nName: ServerInternal<br \/>\nSource: Any<br \/>\nDestination: ServerPublic<br \/>\nselect the required server services<br \/>\npermit<br \/>\ncheck log button<br \/>\nAdvanced button<br \/>\nCheck destination translation and enter the server ip address 10.0.2.2<br \/>\nCheck source translation and leave on the default egress interface<\/p>\n<h2>Verification:<\/h2>\n<p>Attempt server access from internal computer using public address and open the policy log. Verify that both the source and destination translation are occurring as expected.<\/p>\n<p>Attempt the server access from the untrust zone to the public address and verify connection in log.<\/p>\n<h2>References:<\/h2>\n<p><strong>ScreenOS Concepts and Examples Guide<\/strong><br \/>\n<a href=\"http:\/\/www.juniper.net\/techpubs\/software\/screenos\/screenos6.2.0\/index.html\">http:\/\/www.juniper.net\/techpubs\/software\/screenos\/screenos6.2.0\/index.html<\/a><\/p>\n<h3>Network Address Translation<\/h3>\n<p>Concepts &amp; Examples Guide<br \/>\nVolume 8 Address Translation<br \/>\nChapter 3 \u2013 Nat-src and Nat-dst in the same policy<br \/>\nKB12631<br \/>\n<a href=\"http:\/\/kb.juniper.net\/InfoCenter\/index?page=content&amp;id=KB1263\">http:\/\/kb.juniper.net\/InfoCenter\/index?page=content&amp;id=KB1263 <\/a><\/p>\n<p>Originally Posted July 09, 2011<br \/>\nLast Revised on July 09, 2011<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Product: ScreenOS Version: 6.0 and higher Network Topology The local trust zone server has a public ip address assigned for accessing services. This has two policies created. 
One allows destination nat for the untrust internet [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10],"tags":[],"class_list":["post-275","post","type-post","status-publish","format-standard","hentry","category-screenos"],"_links":{"self":[{"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/posts\/275","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/comments?post=275"}],"version-history":[{"count":1,"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/posts\/275\/revisions"}],"predecessor-version":[{"id":277,"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/posts\/275\/revisions\/277"}],"wp:attachment":[{"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/media?parent=275"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/categories?post=275"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/tags?post=275"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}