I recently changed my ISP such that now my SSG5 needs to do the NATing function for the private IP addresses.
I have a /28 block of public addresses behind my ISP access gateway (which only NATs the private addresses of the one subnet it supports). I have successfully set up the public address block in a zone in the untrust-vr routing domain, with all my internal private addresses in the trust-vr routing domain. There is a static route for 0.0.0.0 from trust-vr to untrust-vr:
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 vrouter "untrust-vr" preference 20 metric 1
and a default gateway in untrust-vr:
set vrouter "untrust-vr"
set route 0.0.0.0/0 interface ethernet0/2 gateway 23.123.122.158
This is the public address assigned to the ISP access gateway.
All the interfaces handling trust zones are set to nat, e.g.:
set interface ethernet0/1 ip 192.168.192.1/24
set interface ethernet0/1 nat
This works with one fault: NATing is applied to access any server in my public block. I would rather it were not. I can put static routes on those systems to handle my private address blocks behind the SSG5.
So the question:
How might I set things up so that connections from my trust domain to my public-addressed servers in my untrust domain are not NATed, while connections from my trust domain, THROUGH my public subnet to the Internet, are NATed?
Thanks.
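One way to get the split behaviour the question asks for, shown here as an added example and not taken from the post or any reply: take the trust interface out of interface NAT mode and apply source NAT per policy, so only the Internet-bound policy rewrites addresses. The zone name "Public", the address-book name "Public-Servers", the 203.0.113.16/28 block and the policy IDs are placeholders; it is also assumed that the public /28 and the ethernet0/2 default-gateway interface sit in the same zone (substitute "Untrust" or whatever zone actually holds them).

```text
# Added example, not from the original post. Placeholders: zone "Public",
# address book "Public-Servers", block 203.0.113.16/28, policy ids 10 and 20.
# ScreenOS CLI; the inter-vrouter 0.0.0.0/0 route from the post stays as it is.

# 1. Put ethernet0/1 in route mode so traffic is no longer translated just
#    because it leaves a trust interface; interface-mode NAT is all-or-nothing.
set interface ethernet0/1 route

# 2. Name the public /28 (placeholder block) in the zone that holds it.
set address "Public" "Public-Servers" 203.0.113.16/28

# 3. Trust -> public servers: plain permit, source address left untouched.
#    The servers then need a route back to the private block via the SSG5,
#    which the post already plans for.
set policy id 10 from "Trust" to "Public" "Any" "Public-Servers" "ANY" permit

# 4. Trust -> everything else: source NAT to the egress interface address
#    (the public IP on ethernet0/2), so the ISP gateway sees a public source
#    and does not need to translate it again.
set policy id 20 from "Trust" to "Public" "Any" "Any" "ANY" nat src permit

# 5. Policies are matched in order; the specific no-NAT policy must sit
#    above the catch-all NAT policy or it never matches.
set policy move 10 before 20

# Check: sessions from a trust host to the /28 should show the private source
# unchanged, sessions to the Internet the ethernet0/2 address as source.
get session
```

Any pre-existing Trust-to-Public permit policies should be reviewed at the same time, since with the interface in route mode they will now pass traffic untranslated unless they also carry "nat src".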