Netscreen - Dual-Untrust configuration - need to route email traffic out specific interface
on 06.10.2006 03:37:11 by jeffbusch
I'm running into an issue here that I am not sure how to fix. After 3
hours of going through the Netscreen ScreenOS manual, I haven't found
an answer.
Here is the configuration:
Netscreen 5gt with NetscreenOS 5.3.x
Mode: dual-untrust interfaces.
Ethernet 1 is trust
Ethernet 2 is Eschelon t-1
Ethernet 3 is Qwest DSL
Our domain settings point our email DNS at the Qwest DSL, but the
default route for the router is to send all traffic, including SMTP
traffic, out Ethernet 2 (I am assuming because it is the lower
numbered interface?)
I MUST have all SMTP traffic sent through the Qwest DSL.
I have a policy set up that specifically allows SMTP traffic from the
local address of our mail server (10.20.10.21) to go out through ANY
interface.
I've tried changing the interface by adding an address, but it then
bounces to the ANY - ANY profile setup.
Any direction would be helpful.
Thanks!
Jeff
Re: Netscreen - Dual-Untrust configuration - need to route email traffic out specific interface
on 06.10.2006 23:51:49 by sodaant
jeffbusch@gmail.com wrote:
> I'm running into an issue here that I am not sure how to fix. After 3
> hours of going through the Netscreen ScreenOS manual, I haven't found
> an answer.
>
> Here is the configuration:
>
> Netscreen 5gt with NetscreenOS 5.3.x
>
> Mode: dual-untrust interfaces.
>
> Ethernet 1 is trust
> Ethernet 2 is Eschelon t-1
> Ethernet 3 is Qwest DSL
>
> Our domain settings point our email DNS at the Qwest DSL, but the
> default route for the router is to send all traffic, including SMTP
> traffic, out Ethernet 2 (I am assuming because it is the lower
> numbered interface?)
>
> I MUST have all SMTP traffic sent through the Qwest DSL.
>
> I have a policy set up that specifically allows SMTP traffic from the
> local address of our mail server (10.20.10.21) to go out through ANY
> interface.
>
> I've tried changing the interface by adding an address, but it then
> bounces to the ANY - ANY profile setup.
It sounds like what you're trying to do is make an outbound routing
decision based on layer 4 information (destination port=25). I don't
think the 5GT is capable of this. On incoming traffic, you can redirect
traffic bound for a specific port to another IP using a VIP, but I
think VIPs only work in the inbound direction.
Re: Netscreen - Dual-Untrust configuration - need to route email traffic out specific interface
on 26.10.2006 11:40:02 by Killian
You need to upgrade to ScreenOS 5.4. This gives you the option of
Policy-Based Routing, which allows you to route outbound traffic based
on IP port.
Killian
jeffbusch@gmail.com wrote:
> I'm running into an issue here that I am not sure how to fix. After 3
> hours of going through the Netscreen ScreenOS manual, I haven't found
> an answer.
>
> Here is the configuration:
>
> Netscreen 5gt with NetscreenOS 5.3.x
>
> Mode: dual-untrust interfaces.
>
> Ethernet 1 is trust
> Ethernet 2 is Eschelon t-1
> Ethernet 3 is Qwest DSL
>
> Our domain settings point our email DNS at the Qwest DSL, but the
> default route for the router is to send all traffic, including SMTP
> traffic, out Ethernet 2 (I am assuming because it is the lower
> numbered interface?)
>
> I MUST have all SMTP traffic sent through the Qwest DSL.
>
> I have a policy set up that specifically allows SMTP traffic from the
> local address of our mail server (10.20.10.21) to go out through ANY
> interface.
>
> I've tried changing the interface by adding an address, but it then
> bounces to the ANY - ANY profile setup.
>
> Any direction would be helpful.
>
> Thanks!
>
> Jeff
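A policy-based routing configuration of the kind Killian describes, added here as an example rather than taken from the thread or from Juniper's documentation: it uses the thread's mail server address 10.20.10.21 and ethernet3 for the Qwest DSL, while the ACL number, group and policy names and the Qwest gateway address (QWEST_GW placeholder) are assumptions, and the command forms follow the ScreenOS 5.4 PBR syntax as best known to the editor, so verify them against the 5.4 CLI reference before use.

```text
# Added example, not from the thread: ScreenOS 5.4 policy-based routing
# that sends only TCP/25 from the mail server out ethernet3 (Qwest DSL).
# QWEST_GW is a placeholder for the Qwest-side gateway address (assumed).

# 1. Extended ACL matching SMTP from the mail server only
set access-list extended 1 src-ip 10.20.10.21/32 dst-port 25-25 protocol tcp entry 1

# 2. Match group that references the ACL entry
set match-group name smtp-out
set match-group smtp-out ext-acl 1 match-entry 1

# 3. Action group: forward matching packets to the Qwest gateway via ethernet3
set action-group name via-qwest
set action-group via-qwest next-interface ethernet3 next-hop QWEST_GW action-entry 1

# 4. PBR policy tying the match group to the action group (sequence 1)
set pbr policy name smtp-pbr
set pbr policy smtp-pbr match-group smtp-out action-group via-qwest 1

# 5. Bind the policy on the interface where the mail server's traffic enters
set interface ethernet1 pbr smtp-pbr

# Check that the policy is installed and references the expected groups
get pbr policy smtp-pbr
```

PBR only changes the next hop: the existing trust-to-untrust firewall policy permitting SMTP from 10.20.10.21 is still required, and all non-SMTP traffic from the mail server keeps following the default route out ethernet2.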