Screen OS

  • 1.  Netscreen with MIP configured to internal host uses egress interface IP for SNAT and not MIP IP.

    Posted 02-01-2019 02:45

    Hi, I've got a MIP configured on a Netscreen (v6.3) firewall. The inbound traffic works fine, but when traffic from the internal host leaves to the internet, it doesn't use the MIP external IP address but the WAN egress interface IP.

    I thought that MIPs were bidirectional, and I've made sure to have policies in both directions. I've tried other policy combinations that result in the main DIP being used.

     

    I've included some output below:

    ### Inbound Policy ###
    set interface "loopback.2" mip 80.100.133.185 host 10.21.0.241 netmask 255.255.255.255 vr "trust"
    set policy id 28 name "IPSec-80-100-133-185" from "untrust" to "trust" "Any" "MIP(80.100.133.185)" "IPSec" permit log
    set policy id 28
    set service "UDP-4500"
    set service "UDP-500"
    set log session-init
    exit

    ### Outbound Policy ###
    set policy id 63 name "IPSec-Any-DST" from "trust" to "untrust" "10.21.0.241/32" "Any" "IPSec" permit log
    set policy id 63
    set service "UDP-4500"
    set service "UDP-500"
    exit


    ### Interfaces ###
    set interface ethernet0/8.1 ip 10.66.65.246/29
    set interface ethernet0/8.1 nat
    set interface ethernet0/9.1 ip 23.20.152.244/31
    set interface ethernet0/9.1 route
    set interface ethernet0/9.1 mtu 1500


    ### Flow Basic ###

    ****** 60353039.0: <trust/ethernet0/8.1> packet received [212]******
    ipid = 15211(3b6b), @1d680118
    packet passed sanity check.
    flow_decap_vector IPv4 process
    ethernet0/8.1:10.21.0.241/500->50.60.253.153/500,17<Root>
    no session found
    flow_first_sanity_check: in <ethernet0/8.1>, out <N/A>
    chose interface ethernet0/8.1 as incoming nat if.
    flow_first_routing: in <ethernet0/8.1>, out <N/A>
    search route to (ethernet0/8.1, 10.21.0.241->50.60.253.153) in vr trust for vsd-0/flag-0/ifp-null
    cached route 0 for 50.60.253.153
    add route 20 for 50.60.253.153 to route cache table
    [ Dest] 20.route 50.60.253.153->23.20.152.245, to ethernet0/9.1
    routed (x_dst_ip 50.60.253.153) from ethernet0/8.1 (ethernet0/8.1 in 0) to ethernet0/9.1
    policy search from zone 101-> zone 102
    policy_flow_search policy search nat_crt from zone 101-> zone 102
    RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 50.60.253.153, port 500, proto 17)
    No SW RPC rule match, search HW rule
    *** swrs_search_ip: policy matched id/idx/action = 63/23/0xd ***
    *** Permitted by policy 63 ***
    *** interface-nat dip id = 2, 10.21.0.241/500->23.20.152.244/3241 ***
    choose interface ethernet0/9.1 as outgoing phy if
    check nsrp pak fwd: in_tun=0xffffffff, VSD 0 for out ifp ethernet0/9.1
    vsd 0 is active
    no loop on ifp ethernet0/9.1.
    session application type 54, name None, nas_id 0, timeout 60sec
    ALG vector is not attached
    service lookup identified service 0.
    flow_first_final_check: in <ethernet0/8.1>, out <ethernet0/9.1>
    existing vector list 221-2cee614.
    Session (id:27141) created for first pak 221
    flow_first_install_session======>
    route to 23.20.152.245
    cached arp entry with MAC 000000000000 for 23.20.152.245
    arp entry found for 23.20.152.245
    ifp2 ethernet0/9.1, out_ifp ethernet0/9.1, flag 10800804, tunnel ffffffff, rc 1
    outgoing wing prepared, ready
    handle cleartext reverse route
    search route to (ethernet0/9.1, 50.60.253.153->10.21.0.241) in vr trust for vsd-0/flag-3000/ifp-ethernet0/8.1
    cached route 0 for 10.21.0.241
    add route 5 for 10.21.0.241 to route cache table
    [ Dest] 5.route 10.21.0.241->10.66.65.241, to ethernet0/8.1
    route to 10.66.65.241
    cached arp entry with MAC 000000000000 for 10.66.65.241
    add arp entry with MAC 00000c9ff5f3 for 10.66.65.241 to cache table
    arp entry found for 10.66.65.241
    ifp2 ethernet0/8.1, out_ifp ethernet0/8.1, flag 00800805, tunnel ffffffff, rc 1
    flow got session.
    flow session id 27141
    flow_main_body_vector in ifp ethernet0/8.1 out ifp ethernet0/9.1
    flow vector index 0x221, vector addr 0x2cee614, orig vector 0x2cee614
    vsd 0 is active
    post addr xlation: 23.20.152.244->50.60.253.153.
    update policy out counter info.
    packet send out to 0017dffe7000 through ethernet0/9.1


    ****** Traffic from source continues to use Internet Interface IP. There is no 'DIP 2' configured.... ********

     

     

    Any help would be appreciated with the behaviour of this.
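As an added example (not part of the original post), the following Python script reads the `debug flow basic` output above against the MIP definition and states which source translation the first packet actually received: the host's MIP, or the egress interface's DIP (interface NAT). The sample trace is constructed from the lines of the post that the script keys on; the regexes assume the ScreenOS 6.3 trace wording shown there.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample: the lines from the `debug flow basic` output in the post
# that the analyzer keys on. Any other trace lines are ignored.
SAMPLE_TRACE = """\
****** 60353039.0: <trust/ethernet0/8.1> packet received [212]******
packet passed sanity check.
ethernet0/8.1:10.21.0.241/500->50.60.253.153/500,17<Root>
no session found
routed (x_dst_ip 50.60.253.153) from ethernet0/8.1 (ethernet0/8.1 in 0) to ethernet0/9.1
*** swrs_search_ip: policy matched id/idx/action = 63/23/0xd ***
*** Permitted by policy 63 ***
*** interface-nat dip id = 2, 10.21.0.241/500->23.20.152.244/3241 ***
Session (id:27141) created for first pak 221
post addr xlation: 23.20.152.244->50.60.253.153.
packet send out to 0017dffe7000 through ethernet0/9.1
"""

# The MIP definition from the post, i.e. what the flow was expected to use.
SAMPLE_CONFIG = (
    'set interface "loopback.2" mip 80.100.133.185 host 10.21.0.241 '
    'netmask 255.255.255.255 vr "trust"\n'
)

MIP_RE = re.compile(
    r'set interface "?(?P<ifname>[\w./-]+)"? mip (?P<mip>[\d.]+) host (?P<host>[\d.]+)'
)
# "<in_if>:<src>/<sport>-><dst>/<dport>,<proto><vsys>" line of the first packet
FIRST_PKT_RE = re.compile(
    r'^(?P<in_if>[\w./-]+):(?P<src>[\d.]+)/\d+->(?P<dst>[\d.]+)/\d+,\d+', re.M
)
ROUTED_RE = re.compile(r'^routed .* from [\w./-]+ .* to (?P<out_if>[\w./-]+)$', re.M)
POLICY_RE = re.compile(r'Permitted by policy (?P<pid>\d+)')
DIP_RE = re.compile(r'interface-nat dip id = (?P<dip>\d+), [\d.]+/\d+->[\d.]+/\d+')
POST_RE = re.compile(r'post addr xlation: (?P<src>[\d.]+)->(?P<dst>[\d.]+)\.')


@dataclass
class FlowSummary:
    in_if: str
    out_if: str
    orig_src: str
    dst: str
    policy_id: Optional[int]
    dip_id: Optional[int]      # set when interface NAT (a DIP) was applied
    xlated_src: str            # source address after translation


def parse_mips(config: str) -> dict:
    """Map each internal host to the (MIP address, bound interface) it was given."""
    return {m["host"]: (m["mip"], m["ifname"]) for m in MIP_RE.finditer(config)}


def parse_trace(trace: str) -> FlowSummary:
    """Pull the first-packet facts out of a `debug flow basic` dump."""
    first, routed, post = (r.search(trace) for r in (FIRST_PKT_RE, ROUTED_RE, POST_RE))
    if not (first and routed and post):
        raise ValueError("trace does not contain a complete first-packet flow")
    pol = POLICY_RE.search(trace)
    dip = DIP_RE.search(trace)
    return FlowSummary(
        in_if=first["in_if"], out_if=routed["out_if"],
        orig_src=first["src"], dst=first["dst"],
        policy_id=int(pol["pid"]) if pol else None,
        dip_id=int(dip["dip"]) if dip else None,
        xlated_src=post["src"],
    )


def diagnose(flow: FlowSummary, mips: dict) -> Tuple[str, str]:
    """Return (status, detail): did the egress source become the host's MIP?"""
    if flow.orig_src not in mips:
        return "NO-MIP", f"{flow.orig_src} has no MIP; interface NAT is the expected result"
    mip, mip_if = mips[flow.orig_src]
    if flow.xlated_src == mip:
        return "OK", f"{flow.orig_src} left {flow.out_if} as MIP {mip}"
    how = (f"DIP {flow.dip_id} (interface NAT)" if flow.dip_id is not None
           else "an unidentified translation")
    detail = (f"{flow.orig_src} left {flow.out_if} as {flow.xlated_src} via {how}, "
              f"expected MIP {mip}")
    if mip_if != flow.out_if:
        detail += f"; the MIP is bound to {mip_if}, not to the egress interface {flow.out_if}"
    return "MISMATCH", detail


if __name__ == "__main__":
    status, detail = diagnose(parse_trace(SAMPLE_TRACE), parse_mips(SAMPLE_CONFIG))
    print(f"{status}: {detail}")
```

On the trace from the post this reports a MISMATCH: the first packet was permitted by policy 63, then translated by interface-nat DIP 2 to 23.20.152.244 (the ethernet0/9.1 address), while the only MIP for 10.21.0.241 is bound to loopback.2, not to the interface the packet left through. The "DIP 2" in the trace is the implicit interface-NAT pool, which is why no explicit `set interface ... dip 2` appears in the configuration.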

  • 2.  RE: Netscreen with MIP configured to internal host uses egress interface IP for SNAT and not MIP IP.
    Best Answer

    Posted 02-01-2019 02:48

    You will need to create the MIP on interface 9.1 instead of the loopback interface.

     



  • 3.  RE: Netscreen with MIP configured to internal host uses egress interface IP for SNAT and not MIP IP.

    Posted 02-01-2019 02:57

    Thank you so much. I had a feeling about that, but I am new to the Netscreens so wasn't sure. It's something that wasn't obvious to me from the documentation.

    Many others on this forum and I appreciate your help.

    I'll let you know after I get around to testing this!



  • 4.  RE: Netscreen with MIP configured to internal host uses egress interface IP for SNAT and not MIP IP.

    Posted 02-01-2019 03:24

    Just another question, please: I've got my other VIPs configured like this; will those behave in the same way?

    I will ensure that routes are in place to the internal destination (mapped IP).

    Sorry if this is asking too much.

     

    set interface "loopback.2" zone "untrust"
    set interface loopback.2 ip 80.100.133.161/27
    set interface loopback.2 route
    set interface loopback.2 manage ping
    set interface loopback.2 vip 80.100.133.170 443 "HTTPS" 10.0.99.211
    set interface loopback.2 vip 80.100.133.170 + 4172 "TCP-UDP-4172" 10.0.99.211
    set interface "loopback.2" mip 80.100.133.162 host 10.21.0.211 netmask 255.255.255.255 vr "trust"
    set interface "loopback.2" mip 80.100.133.163 host 10.21.0.212 netmask 255.255.255.255 vr "trust"
    set interface "loopback.2" mip 80.100.133.184 host 10.21.0.237 netmask 255.255.255.255 vr "trust"
    set interface "loopback.2" mip 80.100.133.182 host 10.21.0.235 netmask 255.255.255.255 vr "trust"
    set interface "loopback.2" mip 80.100.133.183 host 10.21.0.240 netmask 255.255.255.255 vr "trust"
    set interface "loopback.2" mip 80.100.133.179 host 10.21.0.224 netmask 255.255.255.255 vr "trust"
    set interface "loopback.2" mip 80.100.133.177 host 10.21.0.233 netmask 255.255.255.255 vr "trust"
    set interface "loopback.2" mip 80.100.133.180 host 10.21.0.230 netmask 255.255.255.255 vr "trust"
    set interface "loopback.2" mip 80.100.133.178 host 10.21.0.229 netmask 255.255.255.255 vr "trust"
    set interface "loopback.2" mip 80.100.133.185 host 10.21.0.241 netmask 255.255.255.255 vr "trust"
    set interface "loopback.2" mip 80.100.133.186 host 10.21.0.251 netmask 255.255.255.255 vr "trust"
    set interface "loopback.2" mip 80.100.133.170 host 10.21.0.190 netmask 255.255.255.255 vr "trust"
    set interface "loopback.2" mip 80.100.133.171 host 10.21.0.191 netmask 255.255.255.255 vr "trust"
    set interface "loopback.2" mip 80.100.133.172 host 10.21.0.192 netmask 255.255.255.255 vr "trust"
    set interface "loopback.2" mip 80.100.133.173 host 10.21.0.193 netmask 255.255.255.255 vr "trust"
    set interface "loopback.2" mip 80.100.133.174 host 10.21.0.200 netmask 255.255.255.255 vr "trust"
    set interface "loopback.2" mip 80.100.133.164 host 10.21.0.201 netmask 255.255.255.255 vr "trust"
    set interface "loopback.2" mip 80.100.133.165 host 10.21.0.202 netmask 255.255.255.255 vr "trust"
    set interface "loopback.2" mip 80.100.133.166 host 10.21.0.203 netmask 255.255.255.255 vr "trust"
    set interface "loopback.2" mip 80.100.133.167 host 10.21.0.204 netmask 255.255.255.255 vr "trust"
    set interface "loopback.2" mip 80.100.133.168 host 10.21.0.205 netmask 255.255.255.255 vr "trust"
    set interface "loopback.2" mip 80.100.133.169 host 10.21.0.207 netmask 255.255.255.255 vr "trust"
    set interface "loopback.2" mip 80.100.133.175 host 10.21.0.215 netmask 255.255.255.255 vr "trust"
    set interface "loopback.2" mip 80.100.133.176 host 10.21.0.216 netmask 255.255.255.255 vr "trust"
    set interface "loopback.2" mip 80.100.133.187 host 10.21.0.206 netmask 255.255.255.255 vr "trust"
    set interface "loopback.2" mip 80.100.133.188 host 10.21.0.217 netmask 255.255.255.255 vr "trust"
    set interface "loopback.2" mip 80.100.133.189 host 10.21.0.218 netmask 255.255.255.255 vr "trust"
    set interface "loopback.2" mip 80.100.133.190 host 10.21.0.219 netmask 255.255.255.255 vr "trust"
    set interface "loopback.2" mip 80.100.133.181 host 10.21.0.220 netmask 255.255.255.255 vr "trust"



  • 5.  RE: Netscreen with MIP configured to internal host uses egress interface IP for SNAT and not MIP IP.

    Posted 02-01-2019 14:03

    Yes, the MIP and VIP should be placed on the ingress interface.
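As an added example (not part of the thread), the following Python script audits a ScreenOS configuration for the condition discussed above: MIP and VIP entries bound to a loopback interface rather than to the physical interface the traffic uses. It emits the same entries rebound to a target interface (ethernet0/9.1, as the accepted answer suggests), and also reports exact duplicate entries and any address that appears as both a MIP and a VIP, both of which occur in the configuration posted above. The sample configuration is constructed from a subset of those lines. The script only generates the new `set` lines; removing the loopback-bound entries on the box, and confirming that the 80.100.133.160/27 block is routed towards ethernet0/9.1, are left to the operator.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample: a subset of the loopback.2 block from the post above,
# plus the physical untrust interface from the first post. The duplicated MIP
# line and the address shared by a VIP and a MIP are both as posted.
SAMPLE_CONFIG = """\
set interface "loopback.2" zone "untrust"
set interface loopback.2 ip 80.100.133.161/27
set interface loopback.2 route
set interface loopback.2 vip 80.100.133.170 443 "HTTPS" 10.0.99.211
set interface loopback.2 vip 80.100.133.170 + 4172 "TCP-UDP-4172" 10.0.99.211
set interface "loopback.2" mip 80.100.133.162 host 10.21.0.211 netmask 255.255.255.255 vr "trust"
set interface "loopback.2" mip 80.100.133.162 host 10.21.0.211 netmask 255.255.255.255 vr "trust"
set interface "loopback.2" mip 80.100.133.185 host 10.21.0.241 netmask 255.255.255.255 vr "trust"
set interface "loopback.2" mip 80.100.133.170 host 10.21.0.190 netmask 255.255.255.255 vr "trust"
set interface ethernet0/9.1 ip 23.20.152.244/31
set interface ethernet0/9.1 route
"""

# Matches both quoted and unquoted interface names, as ScreenOS prints them.
NAT_LINE_RE = re.compile(
    r'^set interface "?(?P<ifname>[\w./-]+)"? (?P<kind>mip|vip) (?P<addr>[\d.]+)(?P<rest>.*)$'
)


def lint_nat_bindings(config: str, target_if: str) -> Tuple[List[str], List[str]]:
    """Report MIP/VIP entries bound to a loopback interface and return the same
    entries rebound to `target_if`. Also reports exact duplicates and addresses
    that are defined as both a MIP and a VIP."""
    findings: List[str] = []
    rebound: List[str] = []
    seen: Set[Tuple[str, str, str]] = set()
    kinds_by_addr: Dict[str, Set[str]] = defaultdict(set)

    for lineno, raw in enumerate(config.splitlines(), 1):
        m = NAT_LINE_RE.match(raw.strip())
        if not m:
            continue                      # not a MIP/VIP line
        ifname, kind, addr, rest = m.group("ifname", "kind", "addr", "rest")
        kinds_by_addr[addr].add(kind)
        key = (kind, addr, rest)
        if key in seen:
            findings.append(f"line {lineno}: duplicate {kind.upper()} entry for {addr}")
            continue
        seen.add(key)
        if ifname.startswith("loopback"):
            findings.append(
                f"line {lineno}: {kind.upper()} {addr} is bound to {ifname}; "
                f"rebind it to {target_if}"
            )
            # Same entry, same parameters, only the interface changes.
            rebound.append(f"set interface {target_if} {kind} {addr}{rest}")

    for addr in sorted(kinds_by_addr):
        if len(kinds_by_addr[addr]) > 1:
            findings.append(
                f"{addr} is defined as both a MIP and a VIP; check which one is intended"
            )
    return findings, rebound


if __name__ == "__main__":
    findings, rebound = lint_nat_bindings(SAMPLE_CONFIG, "ethernet0/9.1")
    for f in findings:
        print("finding:", f)
    print("\n# rebound entries:")
    print("\n".join(rebound))
```

Run against the posted configuration, the script flags every MIP and VIP on loopback.2, the repeated 80.100.133.162 line, and 80.100.133.170 being both the HTTPS/4172 VIP and the MIP for 10.21.0.190; the rebound output is the set of `set interface ethernet0/9.1 ...` lines to apply once the loopback entries have been removed.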