Question : How to allow Internet access between untrusted zones on SSG-140

This is a test network that will interface with a production network.

I am having trouble setting up Internet access for test PCs in untrust zones. In my test environment, I have successfully created connectivity and firewall policies between PCs on a trust interface (eth0/8) and untrust interface (eth0/9). However, when I try to configure another untrust interface (eth0/7) for Internet access, none of the PCs in the untrust domain can access the Internet. I have used the ffilter and debug tools but could not quite pinpoint what the problem was. I have tried many different variations without success so instead of posting a bunch of confusing configs, I have cleared the configs and will start from scratch.

I have already read the following:

1. http://rsivanandan.com/Data/10Juniper.pdf
2. Juniper Website: Concepts & Examples - ScreenOS Reference Guide PDF

Please reference the attached network design. I want hosts on the zones bound to Untrusted-Vr (I might add custom Zones in the future) to have Internet access. I think that this will require zones DMZ and Untrust bound to Untrusted-Vr and Trust bound to Trusted-Vr. I don't necessarily need a "DMZ" as the Test LAN hosts will not need to be accessed from the Internet - they just need Internet access. In the future, I might add remote access but I will probably just use a MIP to do that.

How can I accomplish this task using either CLI or WebUI?
 
Production - Test - Internet Diagram for SSG-140.

Answer : How to allow Internet access between untrusted zones on SSG-140

Check if you have set up eth0/9 to use NAT. Else you need to have public IPs there.

However, it might be (but I'm not positive about it) that NAT is not applied if you stay in the same zone, no matter what you set the interfaces to. In that case, and I recommend that anyways, you need to create a new zone for eth0/9, and allow traffic via a specific policy.

Interfaces in the same zone can communicate without a policy. That is a security risk if in Untrust, and hence my recommendation to use a different zone in any case.

Different VRs are useful only if you want to separate routing domains (using OSPF, RIP, BGP or the like), and not propagate automatically determined routes. They do not matter in your case, so your Untrust-VR/Trust-VR might introduce more effort than necessary, as you have to explicitly create the VR-passing routes.
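An added example, not part of the original answer, of the layout it recommends in ScreenOS CLI: the test LAN interface moved into its own zone, a single VR, and an explicit outbound-only policy. Interface names follow the question; the zone name, all IP addresses and the upstream gateway are assumed, and the `#` lines are explanatory comments, not CLI input.

```text
# Added example. Interface names are from the question; zone name,
# addresses and the gateway (192.0.2.1, a documentation address) are assumed.

# Layout the question describes: ethernet0/7 and ethernet0/9 both in Untrust.
# Interfaces in one zone pass traffic to each other with no policy check.
# If they must stay there, at least force a policy lookup inside the zone:
set zone Untrust block

# Recommended layout: give the test LAN its own zone in the same VR,
# so the only path to the Internet interface is an explicit policy.
set zone name Test-LAN
set zone Test-LAN vrouter trust-vr
set interface ethernet0/9 zone Test-LAN
set interface ethernet0/9 ip 10.10.9.1/24
set interface ethernet0/9 nat          # hide test hosts behind the egress IP

# Internet-facing interface stays in Untrust (route mode) with a default route.
set interface ethernet0/7 zone Untrust
set interface ethernet0/7 ip 192.0.2.10/24
set route 0.0.0.0/0 interface ethernet0/7 gateway 192.0.2.1

# Outbound only: test hosts may reach the Internet, nothing may reach them.
set policy from Test-LAN to Untrust Any Any ANY permit log
# No policy from Untrust to Test-LAN is created, so inbound stays denied.

# Checks: zone binding, NAT mode on the interface, policy hits and sessions.
get zone
get interface ethernet0/9
get policy from Test-LAN to Untrust
get session src-ip 10.10.9.50
```

With interface NAT on ethernet0/9, sessions listed by `get session` for a test host should show the source translated to ethernet0/7's address; if they still show 10.10.9.x, the traffic is not traversing the Test-LAN to Untrust policy.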