Hi All,
Its been while since I last posted (which is a good thing) but now I have come upon an interesting problem. For many years I have done PBR to redirect http traffic to squiid proxy servers. The last step on the proxy has always been to translate port 80 to port 8080 for squid.
I now have new servers in place that have complicated messing with IP tables to do this kind of redirection. Searching the internet I find this https://kb.juniper.net/InfoCenter/index?page=content&id=KB24139&cat=FIREWALL_IPSEC_VPN&actp=LIST&smlogin=true
Instruction on how to use Destination Translation or NAT DST in a policy to handle the redirection of traffic to the right IP and port.
It does not work 😞 So now I come to you with hopes of finding the best way to trouble shoot the issue. I did a debug flow but can not see (or do not understand) what the problem is. If you can spot my error I would greatly appreciate it. See debug log below.
If I have missed anything or if more information is needed just let me know.
~~~
Remote Management Console
login: it-management
password:
MIL0803-Westbroward-> unset policy 21
MIL0803-Westbroward-> set ff src-ip 10.8.2.15 dst-ip 74.125.229.208
filter added
MIL0803-Westbroward-> debug flow basic
MIL0803-Westbroward-> debug flow drop
MIL0803-Westbroward-> clear db
MIL0803-Westbroward-> undebug all
MIL0803-Westbroward-> get db str
MIL0803-Westbroward->
MIL0803-Westbroward->
MIL0803-Westbroward-> debug flow basic
MIL0803-Westbroward-> undebug all
MIL0803-Westbroward->
MIL0803-Westbroward-> get db str
****** 184824.0: <Trust/ethernet1> packet received [48]******
ipid = 16946(4232), @c7d02910
packet passed sanity check.
ethernet1:10.8.2.15/1440->74.125.229.208/80,6<Root>
no session found
flow_first_sanity_check: in <ethernet1>, out <N/A>
chose interface ethernet1 as incoming nat if.
flow_first_routing: in <ethernet1>, out <N/A>
search route to (ethernet1, 10.8.2.15->74.125.229.208) in vr trust-vr for vsd-
0/flag-0/ifp-null
PBR lookup params: dst-ip: 74.125.229.208, src-ip: 10.8.2.15, dst-port: 80, src-
port: 1440, protocol: 6, dscp: 0
[PBR route] 1.route 74.125.229.208->10.8.2.10, to ethernet1
routed (x_dst_ip 74.125.229.208) from ethernet1 (ethernet1 in 0) to ethernet1
policy search from zone 2-> zone 2
policy_flow_search policy search nat_crt from zone 2-> zone 2
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 74.1
25.229.208, port 80, proto 6)
No SW RPC rule match, search HW rule
Permitted by policy 28
DST xlate: 74.125.229.208(80) to 10.8.2.10(8080)
search route to (ethernet1, 10.8.2.15->10.8.2.10) in vr trust-vr for vsd-0/fla
g-0/ifp-null
PBR lookup params: dst-ip: 10.8.2.10, src-ip: 10.8.2.15, dst-port: 8080, src-por
t: 1440, protocol: 6, dscp: 0
PBR: no route to (10.8.2.10) in vr trust-vr
[ Dest] 1.route 10.8.2.10->10.8.2.10, to ethernet1
routed (10.8.2.10) from ethernet1 (ethernet1 in 0) to ethernet1
No src xlate choose interface ethernet1 as outgoing phy if
no loop on ifp ethernet1.
session application type 6, name HTTP, nas_id 0, timeout 300sec
service lookup identified service 0.
flow_first_final_check: in <ethernet1>, out <ethernet1>
existing vector list 103-40630f0.
Session (id:31672) created for first pak 103
flow_first_install_session======>
route to 10.8.2.10
arp entry found for 10.8.2.10
nsp2 wing prepared, ready
cache mac in the session
make_nsp_ready_no_resolve()
search route to (ethernet1, 10.8.2.10->10.8.2.15) in vr trust-vr for vsd-0/fla
g-3000/ifp-ethernet1
PBR lookup params: dst-ip: 10.8.2.15, src-ip: 10.8.2.10, dst-port: 1440, src-por
t: 8080, protocol: 6, dscp: 0
PBR: no route to (10.8.2.15) in vr trust-vr
[ Dest] 1.route 10.8.2.15->10.8.2.15, to ethernet1
route to 10.8.2.15
flow got session.
flow session id 31672
adjust tcp mss.
tcp seq check.
Got syn, 10.8.2.15(1440)->74.125.229.208(80), nspflag 0x801801, 0x800800
flow_send_vector_, vid = 0, is_layer2_if=0
packet send out to 00219b4051b6 through ethernet1
****** 184827.0: <Trust/ethernet1> packet received [48]******
ipid = 17487(444f), @c7d17910
packet passed sanity check.
ethernet1:10.8.2.15/1440->74.125.229.208/80,6<Root>
existing session found. sess token 4
flow got session.
flow session id 31672
adjust tcp mss.
tcp seq check.
Got syn, 10.8.2.15(1440)->74.125.229.208(80), nspflag 0x801801, 0x800800
flow_send_vector_, vid = 0, is_layer2_if=0
packet send out to 00219b4051b6 through ethernet1
****** 184833.0: <Trust/ethernet1> packet received [48]******
ipid = 18589(489d), @c7d0b110
packet passed sanity check.
ethernet1:10.8.2.15/1440->74.125.229.208/80,6<Root>
existing session found. sess token 4
flow got session.
flow session id 31672
adjust tcp mss.
tcp seq check.
Got syn, 10.8.2.15(1440)->74.125.229.208(80), nspflag 0x801801, 0x800800
flow_send_vector_, vid = 0, is_layer2_if=0
packet send out to 00219b4051b6 through ethernet1
MIL0803-Westbroward->