[j-nsp] ns-50 NAT problem

Andrew Mulheirn Andrew.Mulheirn at telindus.co.uk
Tue Jul 17 10:04:36 EDT 2007


Hi Gabriel,

> So basically you are saying the only way to have this work is to have a
> second device do the NAT? There is no other way around, right?

I tried to make the NAT come from either a loopback or another
sub-interface on the Netscreen, and (when I was using dynamic NAT) it
always used the egress interface. I couldn't make it do anything else.

I'm no expert on ScreenOS, but a colleague of mine who has worked with
them since almost day one couldn't find a way to make what you want to
happen either.

Another way around might be to install a second device, such as a
hardened perimeter router.  Do the NAT on the Netscreen on a single
interface, and have a static default pointing at the perimeter router.
The router then has your two uplinks connected to it, providing the
fault tolerance.

I suppose the issue then is, how do you get it to fail over.  I suppose
you need to learn routes or defaults from your ISPs.

Hope that helps,

Andrew




