The following steps illustrate what you would have to do to create a network like the one in the example. Your own configuration may differ significantly, but the general steps would still apply.

1. Configure the routing interfaces with the correct IP addresses.
   In this example, the routing interfaces are named qfe2 and qfe3. Confirm that the Screen can contact the addresses of both the internal router and the internal hosts. Make sure to use the correct routes and netmasks.

2. Install the Screen in routing mode with remote administration.
   Use the steps described previously in "Setting Up Remote Administration with SKIP". Select "routing mode" when installing the firewall software, even though this Screen has both stealth-mode and routing-mode interfaces. In this example, lon-host4 is the remote Administration Station.

3. After rebooting the Screen, start a browser on the Administration Station and log into the Screen.

4. Define the Address objects that reflect the topology of your network.
   For this example, you would create the Address objects shown in the following table.

Table 8-1 Address Objects

Name | Type | Details
---|---|---
external-router | HOST | 192.168.3.1
168.3-private | RANGE | 192.168.3.2 to 192.168.3.254
mail-server | HOST | 192.168.3.10
168.4-net | RANGE | 192.168.4.1 to 192.168.4.254
10.0.3-net | RANGE | 10.0.3.1 to 10.0.3.254
ftp-server | HOST | 10.0.3.3
qfe3_grp | GROUP | Include {10.0.3-net} Exclude {}
qfe2_grp | GROUP | Include {*} Exclude {10.0.3-net}
qfe1_grp | GROUP | Include {168.3-private 168.4-net 10.0.3-net} Exclude {}
Internet | GROUP | Include {*} Exclude {qfe1_grp}
qfe0_grp | GROUP | Include {Internet} Exclude {}

   The address groups (for example, qfe1_grp) must contain all the IP addresses that can be reached from that interface.

5. Verify that the routing interfaces were defined by the installation procedure.
   In this example, the routing interfaces are qfe2 and qfe3. They must have the interface groups qfe2_grp and qfe3_grp assigned to them, respectively.

6. Add INTERFACE objects for the stealth interfaces.
   In this example, you would define qfe0 and qfe1 as using the address groups qfe0_grp and qfe1_grp. These interfaces must be defined as TYPE: STEALTH.

7. Edit the Screen object, ensuring that the STEALTH SUBNET/NETMASK values are defined.
   In this example, the values would be 129.168.3.0 and 255.255.255.0.

8. Install an open, or a test, policy.

9. Save and activate the policy.

10. Verify that the configuration works.
    In this example, you would try to ping the mail-server from an external host. Verify that this host can ping the Screen's external routing interface qfe2.
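Worked example, added here and not part of Sun's documentation: a small Python model of the Include/Exclude group semantics in Table 8-1 that resolves which interface groups an address belongs to and checks the rule that the address groups must cover every reachable address. It assumes (as the steps above imply) that qfe0_grp/qfe1_grp are the stealth pair and qfe2_grp/qfe3_grp the routing pair, so each pair should claim every address exactly once; the outside address 203.0.113.5 is a constructed sample.

```python
"""Resolve SunScreen-style address objects and check interface-group coverage."""
import ipaddress

# Address objects transcribed from Table 8-1 (HOST, RANGE, GROUP with Include/Exclude).
OBJECTS = {
    "external-router": ("HOST", "192.168.3.1"),
    "168.3-private": ("RANGE", ("192.168.3.2", "192.168.3.254")),
    "mail-server": ("HOST", "192.168.3.10"),
    "168.4-net": ("RANGE", ("192.168.4.1", "192.168.4.254")),
    "10.0.3-net": ("RANGE", ("10.0.3.1", "10.0.3.254")),
    "ftp-server": ("HOST", "10.0.3.3"),
    "qfe3_grp": ("GROUP", (["10.0.3-net"], [])),
    "qfe2_grp": ("GROUP", (["*"], ["10.0.3-net"])),
    "qfe1_grp": ("GROUP", (["168.3-private", "168.4-net", "10.0.3-net"], [])),
    "Internet": ("GROUP", (["*"], ["qfe1_grp"])),
    "qfe0_grp": ("GROUP", (["Internet"], [])),
}

# Assumed pairing of groups to interface modes, taken from the procedure above.
STEALTH_PAIR = ("qfe0_grp", "qfe1_grp")
ROUTING_PAIR = ("qfe2_grp", "qfe3_grp")


def contains(name, addr, seen=()):
    """True if IPv4 address `addr` is a member of address object `name`."""
    addr = ipaddress.IPv4Address(addr)
    if name == "*":                      # the wildcard matches every address
        return True
    if name in seen:                     # guard against a group that refers to itself
        raise ValueError(f"cyclic group reference via {name}")
    kind, spec = OBJECTS[name]
    if kind == "HOST":
        return addr == ipaddress.IPv4Address(spec)
    if kind == "RANGE":
        lo, hi = (ipaddress.IPv4Address(b) for b in spec)
        return lo <= addr <= hi
    include, exclude = spec              # GROUP: in any Include member and in no Exclude member
    seen = seen + (name,)
    return (any(contains(i, addr, seen) for i in include)
            and not any(contains(e, addr, seen) for e in exclude))


def reachable_via(addr):
    """Sorted list of interface groups (*_grp) that claim `addr`."""
    return sorted(g for g in OBJECTS if g.endswith("_grp") and contains(g, addr))


def check_coverage(addr):
    """(stealth_ok, routing_ok): each pair must claim `addr` exactly once."""
    return tuple(sum(contains(g, addr) for g in pair) == 1
                 for pair in (STEALTH_PAIR, ROUTING_PAIR))
```

Note that the external router (192.168.3.1) falls outside 168.3-private and so lands on the Internet side of the stealth pair, which is what the "from an external host" ping in the last step relies on.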