
SA 2500 behind SSG 20

SOLVED
MyNet_
Occasional Contributor

SA 2500 behind SSG 20

[ global internet ] <--------> [SSG 20] <-----> [SA 2500]<---->[LAN resources]

Problem: Access SA 2500 from global internet through an SSG 20

Current Setup/Status:

SA 2500 is on interface 0/2 with local IP

SSG 20 uses ADSL interface to connect to internet with PPPoE

ADSL is untrust Zone

0/2 is trust Zone

All trust Zones use OSPF to interact

SA 2500 is already configured

All pings and web access methods work to the SA 2500 from within the SSG 20 LAN on any interface

Cannot ping or web access SA 2500 from outside SSG 20

Have tried to set up VIP to have SSG 20 outside IP relay to SA 2500 (may have configured incorrectly)

Have tried to set up MIP to have SSG 20 outside IP relay to SA 2500 (may have configured incorrectly)

Have tried to set up DIP to have SSG 20 outside IP relay to SA 2500 (may have configured incorrectly)

Have tried setting up static routes etc

Perhaps someone can point me in the right direction or write a quick walk through for the best way to accomplish this?

Thank you for your time =)

9 REPLIES
muttbarker_
Valued Contributor

Re: SA 2500 behind SSG 20

I have pretty much the same setup - SSG20 connecting to the Internet via ADSL on untrust - my SSL VPN box is in one-armed mode. Inside addr is a 192.x addr and I use MIP to map it to an external addr.

I have two entries set up on the SSG box - one MIP entry and one policy:

On your ADSL interface set up the MIP:

  Mapped IP        Host IP          Netmask          VRouter
  68.xxx.xxx.xx    192.xxx.xxx.xxx  255.255.255.255  trust-vr

Create a policy from Untrust to Trust:

  Source   Dest      Service   Action
  Any      MIPAddr   Any       Allow

That was all I did (as far as I can remember) - let me know if you need any other help.

MyNet_
Occasional Contributor

Re: SA 2500 behind SSG 20

I've tried this but it doesn't seem to be working for me. I know it should be, but it isn't.

The ADSL has a /29 address range. The outside IP is x.x.x.48; if I map address x.x.x.49 or .50, shouldn't that work? I've also tried mapping address .48 and that does not work either. The connection times out. I set the policies to any both ways.

muttbarker_
Valued Contributor

Re: SA 2500 behind SSG 20

Yes, the .49 or .50 should work assuming that they are valid addresses. .48 should also work - I just swapped out my assigned MIP that I was using and substituted in the ADSL IP and it worked fine. Question on your policy - are you specifying the MIP ADDR from your address book as the destination on the Untrust to Trust policy?

Let me know. If you are and it still does not work then I would run a debug flow on the transaction. If you want some more help just yell!

MyNet_
Occasional Contributor

Re: SA 2500 behind SSG 20

My policy is ANY to ANY--but I made a specific untrust to trust one using the local and global IPs accordingly. The connection is still timing out. This may be a dumb question, but perhaps I have the SA 2500 set up incorrectly? The local LAN can connect to the local address just fine, but I only have the internal port configured and this is the connection we're connecting to now. Do I have to use the external to connect to it from the outside, or is that optional?

Message Edited by MyNet on 01-14-2009 09:57 AM
MyNet_
Occasional Contributor

Re: SA 2500 behind SSG 20

When I try to add the x.x.x.48 address to be MIPed it gives me this error:

subnet boundary x.x.x.48 can't be used as MIP

Perhaps I'm doing something wrong on the SSG 20 and I should have made this post in the firewalls section?

Message Edited by MyNet on 01-14-2009 10:21 AM
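The "subnet boundary x.x.x.48 can't be used as MIP" error above is the firewall refusing to map the first address of the /29, which is the block's network address rather than a host address. The following is an added example (not from the thread, not Juniper code) that models that rule with Python's standard library and lists which addresses in a provider block remain usable as MIP targets. The rule is reconstructed from the quoted error text only; the addresses are constructed placeholders (198.51.100.48/29 stands in for the poster's x.x.x.48/29), and the /31 and /32 handling goes beyond the thread's specific case.

```python
import ipaddress
from typing import Dict, List, Tuple


def check_mip(addr: str, block_cidr: str) -> Tuple[bool, str]:
    """Decide whether `addr` is a usable MIP address inside `block_cidr`.

    Models the rule behind the ScreenOS message quoted in the thread
    ("subnet boundary ... can't be used as MIP"): the first (network)
    and last (broadcast) address of a prefix shorter than /31 are not
    host addresses and therefore cannot be mapped.  /31 and /32 have no
    reserved boundary addresses, so every address in them is a host.
    This is an assumed model of the check, derived from the error text.
    """
    net = ipaddress.ip_network(block_cidr, strict=False)
    ip = ipaddress.ip_address(addr)
    if ip not in net:
        return False, f"{ip} is not inside {net}"
    if net.prefixlen >= net.max_prefixlen - 1:
        return True, "usable host address (no boundary addresses in /31 or /32)"
    if ip == net.network_address:
        return False, "subnet boundary (network address)"
    if ip == net.broadcast_address:
        return False, "subnet boundary (broadcast address)"
    return True, "usable host address"


def mip_candidates(block_cidr: str) -> Tuple[List[str], Dict[str, str]]:
    """Split a provider block into usable MIP addresses and rejected ones.

    Returns (usable, rejected) where `rejected` maps an address to the
    reason it cannot be used.
    """
    net = ipaddress.ip_network(block_cidr, strict=False)
    usable: List[str] = []
    rejected: Dict[str, str] = {}
    for ip in net:  # iterates every address in the block, boundaries included
        ok, reason = check_mip(str(ip), block_cidr)
        if ok:
            usable.append(str(ip))
        else:
            rejected[str(ip)] = reason
    return usable, rejected


if __name__ == "__main__":
    # Constructed placeholder for the poster's x.x.x.48/29 ADSL block.
    BLOCK = "198.51.100.48/29"
    ok, why = check_mip("198.51.100.48", BLOCK)
    print(f"198.51.100.48 -> {'OK' if ok else 'REJECTED'}: {why}")
    usable, rejected = mip_candidates(BLOCK)
    print("usable MIP addresses:", ", ".join(usable))
    for ip, why in rejected.items():
        print(f"rejected {ip}: {why}")
```

Run against the placeholder block, .48 and .55 are rejected as boundaries and .49 through .54 are the six addresses available for MIPs; a single-host netmask of 255.255.255.255 (as in the MIP table earlier in the thread) has no boundary to reject.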
muttbarker_
Valued Contributor

Re: SA 2500 behind SSG 20

It sounds like the SA2500 is fine. There are NO issues with using the single internal interface. You do not have to use the external I/F at all. It is the job of the F/W to map the external IP to the internal one.
muttbarker_
Valued Contributor

Re: SA 2500 behind SSG 20

I think you are doing something wrong on the SSG-20, just not sure what :(

I tried using my ADSL external IP address as the MIP address for my SA box and had no problem setting it up and using it in my policy and then connecting to the SA. If you use one of your other addresses like .49 can you access the SA box from your internal network by using the .49 address?

Did you try using the debug or session commands to see what happens when you try and access the box using the external address?

MyNet_
Occasional Contributor

Re: SA 2500 behind SSG 20

Thank you for your help muttbarker. I've given you kudos for helping me--I'm new here so I'm not entirely sure what they do, but I gave them anyways haha. This post has been moved to the firewalls section and I will follow up with the solution here when I find it (just in case anyone else has this issue and finds this thread instead of the other one).

Message Edited by MyNet on 01-14-2009 10:37 AM
MyNet_
Occasional Contributor

Re: SA 2500 behind SSG 20


@WL wrote:

Hi there

I guess you want to access the SA box via HTTPS, right? Here are the CLI commands to create a VIP to access the server from the Internet:

(1) set ssl port 5050 (Relocate the SSL port as this service is part of the VIP; you don't need this if you are doing HTTP)

(2) set interface ethernet0/0 vip 172.24.28.168 + 443 "HTTPS" 172.16.50.20

(3) set policy top from "Untrust" to "Trust" "Any" "VIP(ethernet0/0)" "HTTPS" permit

I guess one of the problems you may have had is that the VIP does not get configured for the 443 port if you have not reallocated the management port (if you are using the interface IP of the FW as part of the VIP configuration).

No. (2) essentially gives the interface IP address to the VIP. You should be able to access the server via the interface IP address of the FW on port 443 or any other port you prefer.

Looks like you may not have added the VIP to the policy?

Hope this helps

Message Edited by WL on 01-14-2009 03:36 PM

The solution to this problem was found by WLA. Thank you =)