Cannot configure DIP on Different Subnet than Untrust

  [KB5591]


Summary:
Cannot configure DIP on Different Subnet than Untrust
Symptoms:
Cannot configure DIP on the untrust side. The DIP pool is on a different subnet than the untrust side.
Solution:

In ScreenOS 3.0.1 and below, a DIP pool can only be configured on the same subnet as the untrust network.

In ScreenOS 3.0.3, a new feature was added to enable a DIP pool on a different subnet than untrust. This was called extended DIP. It involves referencing an extended interface and creating a DIP pool off of the extended interface.

Example: Assume the untrust interface is 1.1.1.1 255.255.255.0 and the goal is to create a DIP pool from 10.1.1.1 through 10.1.1.10. The extended DIP is then created as follows:

set interface untrust ext ip 10.1.1.254 255.255.255.0 dip 4 10.1.1.1 10.1.1.10 [Enter]

This is also supported on ScreenOS 4.0.0 and higher.

Note: ScreenOS 3.1.0 was on a different code branch than 3.0.1. Because of this, DIP on a different subnet than untrust was not supported in ScreenOS 3.1.0.
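
A pre-deployment check for the extended DIP command above, as an added example that is not Juniper's code. It parses only the command form shown in this article and assumes that the pool must sit inside the extended interface's subnet and that the extended subnet must not overlap the untrust subnet; the name `check_ext_dip` and the `BAD_CMD` sample are constructed for illustration.

```python
import ipaddress
import re

# Matches only the extended-DIP form shown in this article (IPv4, dotted masks).
EXT_DIP = re.compile(
    r"^set interface (?P<ifname>\S+) ext ip (?P<ip>[\d.]+) (?P<mask>[\d.]+)"
    r" dip (?P<id>\d+) (?P<start>[\d.]+) (?P<end>[\d.]+)$"
)

# The command from the article, and a constructed line whose pool is mistyped.
ARTICLE_CMD = "set interface untrust ext ip 10.1.1.254 255.255.255.0 dip 4 10.1.1.1 10.1.1.10"
BAD_CMD = "set interface untrust ext ip 10.1.1.254 255.255.255.0 dip 4 10.1.2.1 10.1.2.10"


def check_ext_dip(line, untrust_ip, untrust_mask):
    """Return a list of problems found in one extended-DIP command (empty = OK)."""
    # Drop the "[Enter]" keypress marker if the line was pasted from the article.
    m = EXT_DIP.match(line.replace("[Enter]", "").strip())
    if not m:
        return ["not an extended DIP command"]
    try:
        ext = ipaddress.ip_interface(f"{m['ip']}/{m['mask']}")
        untrust = ipaddress.ip_interface(f"{untrust_ip}/{untrust_mask}")
        start = ipaddress.ip_address(m["start"])
        end = ipaddress.ip_address(m["end"])
    except ValueError as exc:
        return [f"bad address or mask: {exc}"]

    problems = []
    if start > end:
        problems.append("pool start is above pool end")
    # Assumption: both ends of the pool belong to the extended interface's subnet.
    for label, addr in (("start", start), ("end", end)):
        if addr not in ext.network:
            problems.append(f"pool {label} {addr} is outside {ext.network}")
    # Assumption: an extended subnet that overlaps untrust is a misconfiguration.
    if ext.network.overlaps(untrust.network):
        problems.append(f"extended subnet {ext.network} overlaps untrust {untrust.network}")
    return problems


if __name__ == "__main__":
    for cmd in (ARTICLE_CMD, BAD_CMD):
        print(cmd, "->", check_ext_dip(cmd, "1.1.1.1", "255.255.255.0") or "OK")
```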

Here is the problem or goal:

  • Cannot configure DIP on untrust side
  • DIP pool is on different subnet than the untrust side

Applicable Products:

  • NetScreen-5XP
  • NetScreen-10
  • NetScreen-25
  • NetScreen-50
  • NetScreen-100
  • NetScreen-500

Applicable ScreenOS:

  • 2.50
  • 2.6.0
  • 2.6.1
  • 2.7.1
  • 2.8.0
  • 3.0.0
  • 3.0.1

