ScreenOS MIP selection for outbound connections
- by David Mackintosh
Given a ScreenOS 6.3.0 firewall with this configuration:
unset flow reverse-route clear-text
set interface "ethernet0/0" zone "Trust"
set interface ethernet0/0 ip 192.168.1.1/24
set interface ethernet0/2 ip 10.0.0.1/24
set interface ethernet0/2 mip 10.9.9.10 host 192.168.1.10 netmask 255.255.255.255 vr trust-vr
set interface ethernet0/2 mip 10.8.8.10 host 192.168.1.10 netmask 255.255.255.255 vr trust-vr
set route 0.0.0.0/0 interface ethernet0/2 gateway 10.0.0.254
... (and assuming appropriate policies) is there a way to control which MIP the firewall selects for outbound connections initiated by 192.168.1.10? (presumably because I want the upstream 10.0.0.254 to do different things with the packet depending on what its source IP is).
Update: OK, my scenario is this: I have two ISP uplinks, each giving me a different IP space. Each ISP will only route the IP space they have assigned me.
So in order for the server to be reachable by both ISPs, I need two MIPs for the same server, one on each interface. Inbound traffic will work fine with the 'unset flow reverse-route clear-text' option in use.
But for outbound (think of an email server sending a message) I need a way to select an appropriate MIP depending on which outbound link I want the system to use, and I want this to be resilient, so that if the link the firewall prefers goes down overnight I don't have to manually flip something to keep the mail flowing.
Basically I'm trying to avoid having to buy a link-balancer appliance (or two since I'll need a cluster).
Is there a way to do this?