Monday, June 28, 2010

Configuring Routing Between 2 custom VSYS

As I really had some difficulty implementing routing between two custom VSYS and didn't find any valuable help on the net, I decided to put here a configuration example for those who may need it. This doesn't mean it's the only or the best way to do it, but it does the job. Any comments would be welcome.

So, we have two subnets, each of them having a custom VSYS on an NS5200 firewall as its gateway. We want to allow any traffic to flow from subnet A (192.168.0.0/24) to subnet B (192.168.1.0/24) and vice versa.

Here are the basic steps:
  1. Root VSYS configuration: As traffic leaving a VSYS is considered to have the shared root "Untrust" zone as its destination, we have to bind this zone to the untrust-vr for the routing to take place. The tricky part of the configuration is that a shared interface must exist in the "Untrust" zone to loop the traffic back for inter-VSYS communication. You can create a loopback interface without assigning it an IP address; the incoming interface in each VSYS should have NAT disabled (route mode).
  2. Configuring routing in custom VSYSs: After configuring the interfaces, the next step is to configure routes. Each VSYS should route traffic destined to the other subnet through the shared root virtual router untrust-vr, and untrust-vr needs the matching return route for each VSYS subnet pointing back at that VSYS's virtual router.
  3. Configuring policies in custom VSYS: The last thing to do is to configure policies in each VSYS to allow incoming and outgoing traffic to and from the "Untrust" zone.

The detailed configuration commands are listed below:
## Root VSYS
set zone "Untrust" vrouter "untrust-vr"
set interface "loopback.1" zone "Untrust"
## VSYS-A
set vsys VSYS-A
set zone name zone-A
set interface ethernet2/1.100 tag 100 zone zone-A
set interface ethernet2/1.100 ip 192.168.0.1/24
set interface ethernet2/1.100 route
set vrouter "VSYS-A-vr" route 192.168.1.0/24 vrouter untrust-vr
set vrouter "untrust-vr" route 192.168.0.0/24 vrouter VSYS-A-vr
set policy from zone-A to Untrust any any any permit log
set policy from Untrust to zone-A any any any permit log
## VSYS-B
set vsys VSYS-B
set zone name zone-B
set interface ethernet2/2.101 tag 101 zone zone-B
set interface ethernet2/2.101 ip 192.168.1.1/24
set interface ethernet2/2.101 route
set vrouter "VSYS-B-vr" route 192.168.0.0/24 vrouter untrust-vr
set vrouter "untrust-vr" route 192.168.1.0/24 vrouter VSYS-B-vr
set policy from zone-B to Untrust any any any permit log
set policy from Untrust to zone-B any any any permit log
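Because the three steps above only work when every piece is present in both VSYS (the shared zone bound to untrust-vr, a shared interface in it, route mode on the ingress interfaces, a route out to untrust-vr and a return route back, and a policy pair per zone), it is easy to miss one and spend time debugging. The following Python script is an added example, not part of the original post or of ScreenOS itself: it parses the subset of "set" commands used above (the grammar handling is my own simplification and an assumption, not a full ScreenOS parser) and reports which of those pieces is missing. The sample configuration embedded in it is the one from this post, plus a constructed broken copy with the untrust-vr return route for VSYS-B deleted.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: the ScreenOS commands from the post above.
SAMPLE_CONFIG = """\
## Root VSYS
set zone "Untrust" vrouter "untrust-vr"
set interface "loopback.1" zone "Untrust"
## VSYS-A
set vsys VSYS-A
set zone name zone-A
set interface ethernet2/1.100 tag 100 zone zone-A
set interface ethernet2/1.100 ip 192.168.0.1/24
set interface ethernet2/1.100 route
set vrouter "VSYS-A-vr" route 192.168.1.0/24 vrouter untrust-vr
set vrouter "untrust-vr" route 192.168.0.0/24 vrouter VSYS-A-vr
set policy from zone-A to Untrust any any any permit log
set policy from Untrust to zone-A any any any permit log
## VSYS-B
set vsys VSYS-B
set zone name zone-B
set interface ethernet2/2.101 tag 101 zone zone-B
set interface ethernet2/2.101 ip 192.168.1.1/24
set interface ethernet2/2.101 route
set vrouter "VSYS-B-vr" route 192.168.0.0/24 vrouter untrust-vr
set vrouter "untrust-vr" route 192.168.1.0/24 vrouter VSYS-B-vr
set policy from zone-B to Untrust any any any permit log
set policy from Untrust to zone-B any any any permit log
"""
# Constructed failure case: the return route for subnet B is missing.
BROKEN_CONFIG = SAMPLE_CONFIG.replace(
    'set vrouter "untrust-vr" route 192.168.1.0/24 vrouter VSYS-B-vr\n', "")


def parse_config(text):
    """Build a small model from a subset of ScreenOS 'set' lines (assumed grammar)."""
    m = {"zone_vrouter": {}, "zone_interfaces": defaultdict(set),
         "vsys_interfaces": defaultdict(set), "iface_zone": {}, "iface_net": {},
         "route_mode": set(), "vsys_vrouters": defaultdict(set),
         "vr_routes": defaultdict(dict), "policies": defaultdict(set)}
    vsys = "root"  # 'set vsys <name>' switches context for the lines that follow
    for raw in text.splitlines():
        tok = [t.strip('"') for t in raw.split()]
        if not tok or tok[0].lower() != "set":  # skips '##' comments and blanks
            continue
        kind = tok[1].lower()
        if kind == "vsys":
            vsys = tok[2]
        elif kind == "zone" and "vrouter" in tok:
            m["zone_vrouter"][tok[2]] = tok[tok.index("vrouter") + 1]
        elif kind == "interface":
            iface = tok[2]
            m["vsys_interfaces"][vsys].add(iface)
            if "zone" in tok:
                zone = tok[tok.index("zone") + 1]
                m["zone_interfaces"][zone].add(iface)
                m["iface_zone"][iface] = zone
            elif "ip" in tok:
                m["iface_net"][iface] = ipaddress.ip_interface(tok[tok.index("ip") + 1]).network
            elif tok[-1] == "route":  # 'set interface X route' = route mode, no NAT
                m["route_mode"].add(iface)
        elif kind == "vrouter" and "route" in tok:
            vr, prefix, nxt = tok[2], tok[tok.index("route") + 1], tok[-1]
            m["vr_routes"][vr][ipaddress.ip_network(prefix)] = nxt
            if vsys != "root":
                m["vsys_vrouters"][vsys].add(vr)
        elif kind == "policy" and tok[2] == "from" and tok[4] == "to":
            m["policies"][vsys].add((tok[3], tok[5]))
    return m


def check_intervsys_routing(m, shared_zone="Untrust", shared_vr="untrust-vr"):
    """Return a list of findings; an empty list means all three steps are present."""
    findings = []
    if m["zone_vrouter"].get(shared_zone) != shared_vr:
        findings.append(f"zone {shared_zone} is not bound to {shared_vr}")
    if not m["zone_interfaces"].get(shared_zone):
        findings.append(f"no interface in zone {shared_zone} to loop inter-vsys traffic")
    custom = {v: ifs for v, ifs in m["vsys_interfaces"].items() if v != "root"}
    subnets = {v: {m["iface_net"][i] for i in ifs if i in m["iface_net"]}
               for v, ifs in custom.items()}
    for vsys, ifs in custom.items():
        # The vsys's own vrouter is the one it uses that is not the shared vr.
        own_vr = next(iter(m["vsys_vrouters"][vsys] - {shared_vr}), None)
        if own_vr is None:
            findings.append(f"{vsys}: no routes configured in its own vrouter")
            continue
        for iface in ifs:
            if iface in m["iface_net"] and iface not in m["route_mode"]:
                findings.append(f"{vsys}: interface {iface} is not in route mode")
        for net in subnets[vsys]:  # return route in the shared vrouter
            if m["vr_routes"][shared_vr].get(net) != own_vr:
                findings.append(f"{vsys}: {shared_vr} has no route for {net} to {own_vr}")
        for other, nets in subnets.items():  # outbound route toward every other vsys
            for net in nets:
                if other != vsys and m["vr_routes"][own_vr].get(net) != shared_vr:
                    findings.append(f"{vsys}: {own_vr} has no route for {net} via {shared_vr}")
        for zone in {m["iface_zone"][i] for i in ifs if i in m["iface_zone"]}:
            for pair in ((zone, shared_zone), (shared_zone, zone)):
                if pair not in m["policies"][vsys]:
                    findings.append(f"{vsys}: missing policy from {pair[0]} to {pair[1]}")
    return findings


def check_text(text):
    """Convenience wrapper: parse then check."""
    return check_intervsys_routing(parse_config(text))


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("broken", BROKEN_CONFIG)):
        print(name, check_text(cfg) or "OK")
```

Run it as-is and the configuration from this post passes, while the broken copy reports that untrust-vr has no route for 192.168.1.0/24 back to VSYS-B-vr, which is exactly the symptom (traffic reaches the shared router and is dropped) that is hardest to see from the firewall logs alone. Feeding it a "get config" dump from a real device would need the parser extended to the rest of the command set.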

2 comments:

  1. Thank you very much for this super solution, it was really a headache to route traffic between VSYSs.

  2. You're welcome, I would be interested in feedback about your configuration ...
