In ScreenOS 3.0.1 and below, a DIP pool can only be configured on the same subnet as the untrust network.
In ScreenOS 3.0.3, a new feature was added to enable a DIP pool on a different subnet than untrust. This was called extended DIP. It involves referencing an extended interface and creating a DIP pool off of the extended interface.
Example: Assume the untrust interface is 1.1.1.1 255.255.255.0. Assume our goal is to create a DIP pool from 10.1.1.1 through 10.1.1.10. The extended DIP is then created as follows:
set interface untrust ext ip 10.1.1.254 255.255.255.0 dip 4 10.1.1.1 10.1.1.10 [Enter]
This is also supported on ScreenOS 4.0.0 and higher.
Note: ScreenOS 3.1.0 was on a different code branch than 3.0.1. Because of this, DIP on a different subnet than untrust was not supported in ScreenOS 3.1.0.
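The following is an added example, not part of the original article or of ScreenOS: a small Python check that parses an extended DIP command in the form shown above and reports addressing mistakes before it is typed into the device. The function name check_ext_dip is hypothetical, and the rule that the DIP range must fall inside the extended interface's subnet is an assumption drawn from the article's example.

```python
import ipaddress
import re

# Matches the extended DIP command form shown in the article (without "[Enter]").
EXT_DIP = re.compile(
    r"^set interface (?P<ifname>\S+) ext ip (?P<ext_ip>\S+) (?P<mask>\S+) "
    r"dip (?P<dip_id>\d+) (?P<start>\S+) (?P<end>\S+)$"
)

def check_ext_dip(command, if_ip, if_mask):
    """Return a list of problems found in one extended DIP command.

    if_ip / if_mask describe the untrust interface the command refers to.
    An empty list means the addressing is consistent.
    """
    m = EXT_DIP.match(command.strip())
    if not m:
        return ["not an extended DIP command"]
    try:
        if_net = ipaddress.IPv4Interface(f"{if_ip}/{if_mask}").network
        ext = ipaddress.IPv4Interface(f"{m['ext_ip']}/{m['mask']}")
        start = ipaddress.IPv4Address(m["start"])
        end = ipaddress.IPv4Address(m["end"])
    except ValueError as exc:
        return [f"bad address: {exc}"]
    problems = []
    if start > end:
        problems.append("DIP range start is above its end")
    # Assumption: the pool is carved out of the extended interface's subnet.
    if start not in ext.network or end not in ext.network:
        problems.append("DIP range is outside the extended subnet")
    # Extended DIP exists for pools on a different subnet than untrust.
    if ext.network.overlaps(if_net):
        problems.append("extended subnet overlaps the untrust subnet")
    return problems

if __name__ == "__main__":
    # Constructed sample input: the article's command plus two faulty variants.
    samples = [
        "set interface untrust ext ip 10.1.1.254 255.255.255.0 dip 4 10.1.1.1 10.1.1.10",
        "set interface untrust ext ip 10.1.1.254 255.255.255.0 dip 4 10.1.2.1 10.1.2.10",
        "set interface untrust ext ip 1.1.1.200 255.255.255.0 dip 4 1.1.1.10 1.1.1.20",
    ]
    for line in samples:
        print(line, "->", check_ext_dip(line, "1.1.1.1", "255.255.255.0") or "ok")
```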
Here is the problem or goal:
- Cannot configure DIP on untrust side
- DIP pool is on different subnet than the untrust side
Applicable Products:
- NetScreen-5XP
- NetScreen-10
- NetScreen-25
- NetScreen-50
- NetScreen-100
- NetScreen-500
Applicable ScreenOS:
- 2.50
- 2.6.0
- 2.6.1
- 2.7.1
- 2.8.0
- 3.0.0
- 3.0.1