This article describes how to set up inter-vsys routing via the shared DMZ zone.
Traffic has to be allowed from Subnet A of Vsys-A to Subnet B of Vsys-B through the shared DMZ zone, so that it never has to cross the shared Untrust zone:

When to use shared-DMZ zone
Virtual systems generally communicate with each other through a shared Untrust zone. However, inter-vsys traffic through a shared Untrust zone is exposed to interference from external traffic and from overlapping IP addresses. To avoid that interference, you can use a shared DMZ zone, which is created at the root level. Each shared DMZ zone that the root admin creates is automatically assigned its own non-sharable virtual router (VR).
Conditions for using shared-DMZ zone
A shared DMZ zone works only on a security device running in NAT/route mode, and it can be bound only to a loopback interface, not to any other interface type. Until you bind a loopback interface to it, the default interface of the shared DMZ zone is Null.
Configuration
[Subnet in Vsys-A: 192.168.10.1/24]-----[Subnet in Vsys-B: 10.10.10.1/24]
In Vsys-A, you need to route traffic for the 10.10.10.1/24 subnet from Vsys-A-vr to the shared DMZ VR, and in the shared DMZ VR create a route for the 192.168.10.1/24 subnet that points back to Vsys-A-vr.
You need to do the same in Vsys-B: route traffic for the 192.168.10.1/24 subnet from Vsys-B-vr to the shared DMZ VR, and in the shared DMZ VR create a route for the 10.10.10.1/24 subnet that points to Vsys-B-vr.
Root Vsys:
- Configure the shared DMZ zone. In this example, the shared DMZ zone is named sh-dmz:
set zone name "sh-dmz" shared-dmz
By default, the sh-dmz_vr virtual router is created when the shared DMZ zone is configured, and it appears in the configuration as:
set vrouter "sh-dmz_vr"
- Bind the shared DMZ zone to the vsys. The shared DMZ zone and its virtual router are visible only in the root vsys, so you need to bind the shared DMZ zone to each custom vsys that will use it.
Configuration to bind the shared DMZ zone to Vsys-A:
set vsys Vsys-A shared-DMZ sh-dmz
Configuration to bind the shared DMZ zone to Vsys-B:
set vsys Vsys-B shared-DMZ sh-dmz
- Bind the loopback interface to the shared DMZ zone. The default interface of the shared DMZ zone is Null, and the zone can be bound only to a loopback interface:
set interface loopback.1 zone sh-dmz
set interface loopback.1 ip 1.1.1.1/24
set interface loopback.1 route
The loopback.1 interface is visible across all vsys.
Vsys-A
- Configure the interface information on Vsys-A:
set interface ethernet1/1 zone "Trust-Vsys-A"
set interface ethernet1/1 ip 192.168.10.1/24
set interface ethernet1/1 route
- Add a route for the 10.10.10.1/24 subnet in Vsys-A-vr that points to sh-dmz_vr:
set vrouter "Vsys-A-vr"
set route 10.10.10.1/24 vrouter "sh-dmz_vr" preference 20 metric 1
exit
Add a route for the 192.168.10.1/24 subnet in sh-dmz_vr that points to Vsys-A-vr:
set vrouter "sh-dmz_vr"
set route 192.168.10.1/24 vrouter "Vsys-A-vr" preference 20 metric 1
exit
- Add policies between Trust-Vsys-A and sh-dmz to allow the traffic in both directions:
set policy id 2 from "Trust-Vsys-A" to "sh-dmz" "192.168.10.1/24" "10.10.10.1/24" "ANY" permit log
set policy id 2
set log session-init
exit
set policy id 1 from "sh-dmz" to "Trust-Vsys-A" "10.10.10.1/24" "192.168.10.1/24" "ANY" permit log
set policy id 1
set log session-init
exit
Vsys-B
- Configure the interface information on Vsys-B:
set interface ethernet1/4 zone "Trust-Vsys-B"
set interface ethernet1/4 ip 10.10.10.1/24
set interface ethernet1/4 route
- Add a route for the 192.168.10.1/24 subnet in Vsys-B-vr that points to sh-dmz_vr:
set vrouter "Vsys-B-vr"
set route 192.168.10.1/24 vrouter "sh-dmz_vr" preference 20 metric 1
exit
Add a route for the 10.10.10.1/24 subnet in sh-dmz_vr that points to Vsys-B-vr:
set vrouter "sh-dmz_vr"
set route 10.10.10.1/24 vrouter "Vsys-B-vr" preference 20 metric 1
exit
- Add policies between Trust-Vsys-B and sh-dmz to allow the traffic in both directions:
set policy id 2 from "Trust-Vsys-B" to "sh-dmz" "10.10.10.0/24" "192.168.10.0/24" "ANY" permit log
set policy id 2
set log session-init
exit
set policy id 1 from "sh-dmz" to "Trust-Vsys-B" "192.168.10.0/24" "10.10.10.0/24" "ANY" permit log
set policy id 1
set log session-init
exit
Debug Flow Basic
Output of debug flow basic for a ping to 10.10.10.1 sourced from ethernet1/1 in Vsys-A. Note that the packet is routed twice, first in Vsys-A-vr and then, after the loopback push, in sh-dmz_vr, and that it is checked against a policy in each vsys before the sessions are installed:
***** 38536.0: <Trust-Vsys-A/ethernet1/1> packet received [128]******
ipid = 62071(f277), @6bd45e74
self:192.168.10.1/5000->10.10.10.1/1024,1(8/0)<Vsys-A>
flow_decap_vector IPv4 process
ethernet1/1:192.168.10.1/5000->10.10.10.1/1024,1(8/0)<Vsys-A>
no session found
flow_first_sanity_check: in <ethernet1/1>, out <ethernet1/4>
chose interface ethernet1/1 as incoming nat if.
IP classification from non-shared src if : vsys Vsys-A
flow_first_routing: in <ethernet1/1>, out <ethernet1/4>
search route to (ethernet1/1, 192.168.10.1->10.10.10.1) in vr Vsys-A-vr for vsd-0/flag-0/ifp-null
cached route 0 for 10.10.10.1
add route 3 for 10.10.10.1 to route cache table
[ Dest] 3.route 10.10.10.1->10.10.10.1, to ethernet1/4
routed (x_dst_ip 10.10.10.1) from ethernet1/1 (ethernet1/1 in 0) to ethernet1/4
Cross vsys (Vsys-A->Vsys-B) at ethernet1/4: need loopback push to sh-dmz
policy search from zone 19-> zone 1000
policy_flow_search policy search nat_crt from zone 19-> zone 1000
RPC Mapping Table search returned 0 matched service(s) for (vsys Vsys-A, ip 10.10.10.1, port 17578, proto 1)
No SW RPC rule match, search HW rule
rs_search_ip: policy matched id/idx/action = 1/0/0x9
Permitted by policy 1
No src xlate choose interface ethernet1/4 as outgoing phy if
skip loopback check for cross vsys (Vsys-A->Vsys-B)
session application type 0, name None, nas_id 0, timeout 60sec
service lookup identified service 0.
flow_first_final_check: in <ethernet1/1>, out <ethernet1/4>
SM_RULE:0
existing vector list 0-6cffae84.
Session (id:300055) created for first pak 0
loopback session processing
post addr xlation: 192.168.10.1->10.10.10.1.
flow_first_sanity_check: in <loopback.1>, out <N/A>
chose interface loopback.1 as incoming nat if.
flow_first_routing: in <loopback.1>, out <N/A>
search route to (loopback.1, 192.168.10.1->10.10.10.1) in vr sh-dmz_vr for vsd-0/flag-0/ifp-null
cached route 0 for 10.10.10.1
add route 3 for 10.10.10.1 to route cache table
[ Dest] 3.route 10.10.10.1->10.10.10.1, to ethernet1/4
routed (x_dst_ip 10.10.10.1) from loopback.1 (loopback.1 in 0) to ethernet1/4
IP classification from non-shared dst if : vsys Vsys-B
Cross vsys set nat crt vsys:Vsys-B, pak vsys:Root, vsys:Vsys-B, result:0
policy search from zone 1000-> zone 22
policy_flow_search policy search nat_crt from zone 1000-> zone 22
RPC Mapping Table search returned 0 matched service(s) for (vsys Vsys-B, ip 10.10.10.1, port 17578, proto 1)
No SW RPC rule match, search HW rule
rs_search_ip: policy matched id/idx/action = 1/0/0x9
Permitted by policy 1
No src xlate choose interface ethernet1/4 as outgoing phy if
set interface ethernet1/4 as loop ifp.
session application type 0, name None, nas_id 0, timeout 60sec
service lookup identified service 0.
flow_first_final_check: in <loopback.1>, out <ethernet1/4>
SM_RULE:0
existing vector list 0-6cffae84.
Session (id:300057) created for first pak 0
vector index1 0, vector index2 0
existing vector list 0-6cffae84.
existing v6 vector list 0-1550469c.
new vector index 0.
post addr xlation: 192.168.10.1->10.10.10.1.
flow_first_sanity_check: in <ethernet1/4>, out <ethernet1/4>
existing vector list 0-6cffae84.
create a self session (flag 0x206), timeout=60sec.
vector index1 0, vector index2 0
existing vector list 0-6cffae84.
existing v6 vector list 0-1550469c.
new vector index 0.
loopback session created
flow_first_install_session >
flow got session.
flow session id 300055
flow_main_body_vector in ifp ethernet1/1 out ifp ethernet1/4
flow vector index 0x0, vector addr 0x6cffae84, orig vector 0x6cffae84
post addr xlation: 192.168.10.1->10.10.10.1.
packet is for self, copy packet to self
copy packet to us.
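The following is an added example, not part of the original article, that checks a debug flow basic trace for the two-stage path described above: the packet must be pushed to the shared DMZ VR via loopback.1 and be permitted by a policy in both the source vsys and the destination vsys. The VR and loopback names are taken from the configuration above; the trace excerpt is a constructed abridgement of the output shown.

```python
import re

# Constructed, abridged excerpt of the trace above: only lines the checker inspects.
TRACE = """\
search route to (ethernet1/1, 192.168.10.1->10.10.10.1) in vr Vsys-A-vr for vsd-0/flag-0/ifp-null
Cross vsys (Vsys-A->Vsys-B) at ethernet1/4: need loopback push to sh-dmz
policy search from zone 19-> zone 1000
Permitted by policy 1
search route to (loopback.1, 192.168.10.1->10.10.10.1) in vr sh-dmz_vr for vsd-0/flag-0/ifp-null
policy search from zone 1000-> zone 22
Permitted by policy 1
"""

ROUTE_RE = re.compile(r"search route to \((\S+), .*\) in vr (\S+)")
CROSS_RE = re.compile(r"Cross vsys \((\S+)->(\S+)\) at (\S+): need loopback push to (\S+)")
ZONE_RE = re.compile(r"policy search from zone (\d+)-> zone (\d+)")
VERDICT_RE = re.compile(r"(Permitted|Denied) by policy (\d+)")

def parse_flow(trace):
    """One record per route lookup: ingress interface, VR, zone pair and policy verdict."""
    cross, stages = None, []
    for line in trace.splitlines():
        if m := ROUTE_RE.search(line):
            stages.append({"in_if": m[1], "vr": m[2], "zones": None, "verdict": None})
        elif m := CROSS_RE.search(line):
            cross = {"from": m[1], "to": m[2], "egress": m[3], "zone": m[4]}
        elif (m := ZONE_RE.search(line)) and stages:
            stages[-1]["zones"] = (m[1], m[2])
        elif (m := VERDICT_RE.search(line)) and stages:
            stages[-1]["verdict"] = (m[1], m[2])
    return cross, stages

def check_shared_dmz_path(trace, shared_vr="sh-dmz_vr", loopback="loopback.1"):
    """Return findings; empty means both vsys policies permitted the packet via the shared VR."""
    cross, stages = parse_flow(trace)
    findings = []
    if cross is None:
        findings.append("no cross-vsys loopback push: traffic never left the source vsys")
    if len(stages) != 2:
        findings.append(f"expected 2 lookups (source vsys vr, shared DMZ vr), got {len(stages)}")
        return findings
    first, second = stages
    if first["vr"] == shared_vr:
        findings.append("first lookup already in the shared vr: source vsys policy was skipped")
    if second["vr"] != shared_vr or second["in_if"] != loopback:
        findings.append(f"second lookup not via {loopback} in {shared_vr}: {second['in_if']}/{second['vr']}")
    for n, st in enumerate(stages, 1):
        if st["verdict"] is None or st["verdict"][0] != "Permitted":
            findings.append(f"stage {n} ({st['vr']}, zones {st['zones']}) not permitted: {st['verdict']}")
    return findings
```

Run it against a full debug flow basic capture after changing policies in either vsys; a non-empty result points at the stage (source vsys or shared DMZ VR) where the cross-vsys path broke.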
2020-09-03: Article reviewed for accuracy; no changes required; article valid