Hi, I've got a MIP configured on a NetScreen (v6.3) firewall. The inbound traffic works fine, but when traffic from the internal host leaves to the internet, it doesn't use the MIP external IP address but the WAN egress interface IP.
I thought that MIPs were bidirectional, and I've made sure to have policies in both directions. I've tried other policy combinations that result in the main DIP being used.
I've included some output below:
#### Inbound Policy ####
set interface "loopback.2" mip 80.100.133.185 host 10.21.0.241 netmask 255.255.255.255 vr "trust"
set policy id 28 name "IPSec-80-100-133-185" from "untrust" to "trust" "Any" "MIP(80.100.133.185)" "IPSec" permit log
set policy id 28
set service "UDP-4500"
set service "UDP-500"
set log session-init
exit
### Outbound Policy ###
set policy id 63 name "IPSec-Any-DST" from "trust" to "untrust" "10.21.0.241/32" "Any" "IPSec" permit log
set policy id 63
set service "UDP-4500"
set service "UDP-500"
exit
### Interfaces ###
set interface ethernet0/8.1 ip 10.66.65.246/29
set interface ethernet0/8.1 nat
set interface ethernet0/9.1 ip 23.20.152.244/31
set interface ethernet0/9.1 route
set interface ethernet0/9.1 mtu 1500
### Flow Basic ###
****** 60353039.0: <trust/ethernet0/8.1> packet received [212]******
ipid = 15211(3b6b), @1d680118
packet passed sanity check.
flow_decap_vector IPv4 process
ethernet0/8.1:10.21.0.241/500->50.60.253.153/500,17<Root>
no session found
flow_first_sanity_check: in <ethernet0/8.1>, out <N/A>
chose interface ethernet0/8.1 as incoming nat if.
flow_first_routing: in <ethernet0/8.1>, out <N/A>
search route to (ethernet0/8.1, 10.21.0.241->50.60.253.153) in vr trust for vsd-0/flag-0/ifp-null
cached route 0 for 50.60.253.153
add route 20 for 50.60.253.153 to route cache table
[ Dest] 20.route 50.60.253.153->23.20.152.245, to ethernet0/9.1
routed (x_dst_ip 50.60.253.153) from ethernet0/8.1 (ethernet0/8.1 in 0) to ethernet0/9.1
policy search from zone 101-> zone 102
policy_flow_search policy search nat_crt from zone 101-> zone 102
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 50.60.253.153, port 500, proto 17)
No SW RPC rule match, search HW rule
*** swrs_search_ip: policy matched id/idx/action = 63/23/0xd ***
*** Permitted by policy 63 ***
*** interface-nat dip id = 2, 10.21.0.241/500->23.20.152.244/3241 ***
choose interface ethernet0/9.1 as outgoing phy if
check nsrp pak fwd: in_tun=0xffffffff, VSD 0 for out ifp ethernet0/9.1
vsd 0 is active
no loop on ifp ethernet0/9.1.
session application type 54, name None, nas_id 0, timeout 60sec
ALG vector is not attached
service lookup identified service 0.
flow_first_final_check: in <ethernet0/8.1>, out <ethernet0/9.1>
existing vector list 221-2cee614.
Session (id:27141) created for first pak 221
flow_first_install_session======>
route to 23.20.152.245
cached arp entry with MAC 000000000000 for 23.20.152.245
arp entry found for 23.20.152.245
ifp2 ethernet0/9.1, out_ifp ethernet0/9.1, flag 10800804, tunnel ffffffff, rc 1
outgoing wing prepared, ready
handle cleartext reverse route
search route to (ethernet0/9.1, 50.60.253.153->10.21.0.241) in vr trust for vsd-0/flag-3000/ifp-ethernet0/8.1
cached route 0 for 10.21.0.241
add route 5 for 10.21.0.241 to route cache table
[ Dest] 5.route 10.21.0.241->10.66.65.241, to ethernet0/8.1
route to 10.66.65.241
cached arp entry with MAC 000000000000 for 10.66.65.241
add arp entry with MAC 00000c9ff5f3 for 10.66.65.241 to cache table
arp entry found for 10.66.65.241
ifp2 ethernet0/8.1, out_ifp ethernet0/8.1, flag 00800805, tunnel ffffffff, rc 1
flow got session.
flow session id 27141
flow_main_body_vector in ifp ethernet0/8.1 out ifp ethernet0/9.1
flow vector index 0x221, vector addr 0x2cee614, orig vector 0x2cee614
vsd 0 is active
post addr xlation: 23.20.152.244->50.60.253.153.
update policy out counter info.
packet send out to 0017dffe7000 through ethernet0/9.1
****** Traffic from the source continues to use the Internet interface IP. There is no 'DIP 2' configured... ********
Any help would be appreciated with the behaviour of this.
#MIP
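As an added example that is not part of the original post: a small Python script that parses the config lines and the `debug flow basic` trace quoted above and reports which source-NAT path the first packet actually took (MIP address, egress interface IP, or untranslated). The config and the first trace are copied from the post; the second trace (`FLOW_BASIC_MIP`) is constructed to show what the check reports when the translated source is the MIP address. Note that ScreenOS reports interface-based source NAT (the `set interface ... nat` mode) as the implicit DIP id 2 in this trace, so the `interface-nat dip id = 2` line is the firewall's own label for that path rather than a reference to a configured DIP pool.

```python
"""Classify the source-NAT path ScreenOS chose for an outbound first packet.

Added example, not the poster's or Juniper's code. It reads the MIP and
interface definitions from the posted config, then parses the posted
`debug flow basic` trace and compares the translated source address
against the MIP and the egress interface IP.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Config lines copied from the post: the MIP and the two sub-interfaces.
CONFIG = """
set interface "loopback.2" mip 80.100.133.185 host 10.21.0.241 netmask 255.255.255.255 vr "trust"
set interface ethernet0/8.1 ip 10.66.65.246/29
set interface ethernet0/8.1 nat
set interface ethernet0/9.1 ip 23.20.152.244/31
set interface ethernet0/9.1 route
"""

# The relevant lines of the poster's trace, copied from the post.
FLOW_BASIC = """
ethernet0/8.1:10.21.0.241/500->50.60.253.153/500,17<Root>
no session found
*** Permitted by policy 63 ***
*** interface-nat dip id = 2, 10.21.0.241/500->23.20.152.244/3241 ***
choose interface ethernet0/9.1 as outgoing phy if
post addr xlation: 23.20.152.244->50.60.253.153.
packet send out to 0017dffe7000 through ethernet0/9.1
"""

# Constructed (hypothetical) trace: same flow, but the source left with
# the MIP address. Only the lines this parser reads are included.
FLOW_BASIC_MIP = """
ethernet0/8.1:10.21.0.241/500->50.60.253.153/500,17<Root>
*** Permitted by policy 63 ***
choose interface ethernet0/9.1 as outgoing phy if
post addr xlation: 80.100.133.185->50.60.253.153.
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"


@dataclass
class Flow:
    src: Optional[str]
    dst: Optional[str]
    policy: Optional[int]
    out_if: Optional[str]
    dip_id: Optional[int]        # only set when the trace prints 'interface-nat dip id'
    xlated_src: Optional[str]    # source address after translation


def parse_config(text: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (mips, if_ips): MIP external->host map and interface->IP map."""
    mips: Dict[str, str] = {}
    if_ips: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.search(r"mip " + IP + r" host " + IP, line)
        if m:
            mips[m.group(1)] = m.group(2)
            continue
        m = re.match(r"set interface (\S+) ip " + IP + r"/\d+", line)
        if m:
            if_ips[m.group(1)] = m.group(2)
    return mips, if_ips


def parse_flow(text: str) -> Flow:
    """Pull the pre-NAT tuple, policy, egress interface and translated source out of a trace."""
    src = dst = out_if = xlated = None
    policy = dip_id = None
    for line in text.splitlines():
        m = re.search(r"\S+:" + IP + r"/\d+->" + IP + r"/\d+,\d+", line)
        if m and src is None:            # first 'ifp:src/port->dst/port,proto' line wins
            src, dst = m.group(1), m.group(2)
        m = re.search(r"Permitted by policy (\d+)", line)
        if m:
            policy = int(m.group(1))
        m = re.search(r"interface-nat dip id = (\d+)", line)
        if m:
            dip_id = int(m.group(1))
        m = re.search(r"choose interface (\S+) as outgoing phy if", line)
        if m:
            out_if = m.group(1)
        m = re.search(r"post addr xlation: " + IP + r"->" + IP, line)
        if m:
            xlated = m.group(1)
    return Flow(src, dst, policy, out_if, dip_id, xlated)


def classify(flow: Flow, mips: Dict[str, str], if_ips: Dict[str, str]) -> str:
    """Name the source-NAT path: 'mip', 'interface-nat', 'untranslated' or 'dip-pool-or-other'."""
    host_to_mip = {host: mip for mip, host in mips.items()}
    if flow.xlated_src is None or flow.xlated_src == flow.src:
        return "untranslated"
    if flow.xlated_src == host_to_mip.get(flow.src):
        return "mip"
    if flow.out_if and flow.xlated_src == if_ips.get(flow.out_if):
        return "interface-nat"           # egress interface IP, i.e. interface-based NAT
    return "dip-pool-or-other"


if __name__ == "__main__":
    mips, if_ips = parse_config(CONFIG)
    for name, trace in (("posted trace", FLOW_BASIC), ("constructed MIP trace", FLOW_BASIC_MIP)):
        f = parse_flow(trace)
        print(f"{name}: policy {f.policy}, {f.src} -> {f.xlated_src} via {f.out_if}: {classify(f, mips, if_ips)}")
```

Run against the posted trace it reports `interface-nat`, because the translated source 23.20.152.244 is the IP of the egress interface ethernet0/9.1 rather than the MIP 80.100.133.185; the constructed trace reports `mip`. The same parser can be pointed at any later `debug flow basic` capture to confirm whether a configuration change has moved the flow onto the MIP path.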