[ScreenOS] How to implement the DIP group

  [KB25569]


Summary:

This article provides information on how to implement the DIP group.

Symptoms:
  • On the firewall, there are two ISP connections, Ethernet1/1 and Ethernet1/3; both are in the Untrust zone.

  • The requirement is to access a server on the Internet that restricts access to a limited set of source IP addresses.

  • In this case, the server allows connections only from the 5.5.5.55 and 9.9.9.99 IP addresses.

  • Traditionally, you would create a DIP with one of these IPs and bind it to the security policy for source NAT.

  • However, in the case of ISP failover, this creates an issue, because the firewall cannot bind two DIPs in the same policy.

Solution:

To work around this limitation, you can use a DIP group, to which the DIP IDs created on the Ethernet1/1 and Ethernet1/3 interfaces can be bound. After binding the DIPs to a DIP group, the group can then be bound to the policy.

The following configurations are on the device.

Interface configuration on the device:

set interface ethernet1/2 ip 192.168.1.1/24
set interface ethernet1/1 ip 5.5.5.5/24
set interface ethernet1/3 ip 9.9.9.9/24

Configure a DIP on each of the Ethernet1/1 and Ethernet1/3 interfaces:

set interface ethernet1/1 dip 5 5.5.5.55 5.5.5.55
set interface ethernet1/3 dip 6 9.9.9.99 9.9.9.99

Verify the DIPs with "get dip":

.192-> get dip

DipId  Dip Low   Dip High  Interface    Attribute   Usage
5      5.5.5.55  5.5.5.55  ethernet1/1  port-xlate  n/a
6      9.9.9.99  9.9.9.99  ethernet1/3  port-xlate  n/a

Bind these DIPs to a DIP group by using the following commands:

set dip group 7
set dip group 7 member 6
set dip group 7 member 5

Use the DIP group in the policy for translation:

set policy id 1 from "Trust" to "Untrust" "Any-IPv4" "Any-IPv4" "ANY" nat src dip-id 7 permit log

With this configuration, the firewall source-NATs the traffic by selecting the DIP in the group that is bound to the egress interface chosen by routing, so the translated source address follows the ISP failover.
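As an added example (not from this article or from Juniper), the following Python audit parses the "set" commands above and reports, for each source-NAT policy, which egress interfaces its dip-id can translate on, so a policy still bound to a single DIP (the configuration that breaks on ISP failover) stands out. Policy id 2 is a constructed "traditional" single-DIP policy included for comparison; the parser only understands the command forms shown on this page.

```python
import re

# Constructed sample: the article's commands, plus policy id 2, which binds
# DIP 5 directly (the pre-DIP-group approach) so the audit has something to flag.
SAMPLE_CONFIG = """
set interface ethernet1/2 ip 192.168.1.1/24
set interface ethernet1/1 ip 5.5.5.5/24
set interface ethernet1/3 ip 9.9.9.9/24
set interface ethernet1/1 dip 5 5.5.5.55 5.5.5.55
set interface ethernet1/3 dip 6 9.9.9.99 9.9.9.99
set dip group 7
set dip group 7 member 6
set dip group 7 member 5
set policy id 1 from "Trust" to "Untrust" "Any-IPv4" "Any-IPv4" "ANY" nat src dip-id 7 permit log
set policy id 2 from "Trust" to "Untrust" "Any-IPv4" "Any-IPv4" "ANY" nat src dip-id 5 permit log
"""

DIP_RE = re.compile(r"^set interface (\S+) dip (\d+) (\S+) (\S+)$")
GROUP_DECL_RE = re.compile(r"^set dip group (\d+)$")
GROUP_MEMBER_RE = re.compile(r"^set dip group (\d+) member (\d+)$")
POLICY_RE = re.compile(r"^set policy id (\d+) .*\bnat src dip-id (\d+)\b")


def parse_config(text):
    """Return (dip_id -> interface, group_id -> member dip_ids, policy_id -> dip-id)."""
    dips, groups, policies = {}, {}, {}
    for line in text.splitlines():
        line = line.strip()
        if m := DIP_RE.match(line):
            dips[int(m.group(2))] = m.group(1)
        elif m := GROUP_DECL_RE.match(line):
            groups.setdefault(int(m.group(1)), set())
        elif m := GROUP_MEMBER_RE.match(line):
            groups.setdefault(int(m.group(1)), set()).add(int(m.group(2)))
        elif m := POLICY_RE.match(line):
            policies[int(m.group(1))] = int(m.group(2))
    return dips, groups, policies


def egress_interfaces(dip_id, dips, groups):
    """Interfaces a policy's dip-id can translate on: the group's members, or the single DIP."""
    members = groups.get(dip_id, {dip_id})
    return {dips[m] for m in members if m in dips}


def audit(text):
    """Map each source-NAT policy id to the set of egress interfaces its DIP(s) are bound to."""
    dips, groups, policies = parse_config(text)
    return {pid: egress_interfaces(d, dips, groups) for pid, d in policies.items()}


def single_egress_policies(text):
    """Policy ids whose source NAT can only happen on one interface, i.e. will fail on ISP failover."""
    return sorted(pid for pid, ifaces in audit(text).items() if len(ifaces) < 2)
```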

Modification History:

2019-09-10: Minor edits. Non-technical.