JuniperForum.com

Ah, Don't worry unsetting the block is overruled. When seting a global policy you allways have to write an intrazone policy to allow traffic in the zone. No risc as long as you don't gobaly allow traffic (:-

Did you maybe set keep route active on the static route?

To portfard you configure a VIP on the outside interface, define the service and destination on this VIP and then create a inbound policy with the VIP as destination.

How do I route x.x.x.75 to 172.16.1.5 with the SSG320?

Three choises:

Configure a MIP on interface. IP is x.x.x.75, host 172.16.1.5. Policy destination should be MIP(x.x.x.75). Traffic comming from (initiated by that is) will be source natted to x.x.x.75.

Define a VIP on int. More or less portforwarding. Normal NAT applies for outbon traffic. Destination in policies is VIP(x.x.x.75) here.

Last: destination NET.
set arp-nat-dst.
set pol from untrust to untrust any x.x.x.75 service nat dst ip 172.16.1.5 permit log

All should work!
Setup destination nat

You surelu shouldn't be upprised that it will cost sone money to keep a firewall up to date?! There's a lot of work to done on maintenance. For the VPN: you should be able to get every ipsec vpn working. The ScreenOS implementation of IPsec is very,very good.

To soften your mood: you bought a very good device!

You want an honest answer? Call me!

Should work on cluster level! Static routes are synced. What nsm versiomn, what ScreenOS version ?

I'be seen natting from trust to DMZ based upon interface mode. Shouldn't be, I know, but I saw it. So place the trust interface in route mode after you selected NAT src hide behind egress interface in every policy from trust to untrust and you're there.

Did you write a global policy? That overwrite zoneblocking setting. If so: set pol from trust to trust any any any permit solves your problem!

What ScreenOS version are you using? I think this is a 6.1 feature.

Does the eventlog show why the VPN stops?