policy with MIPs are modifed after import into NSM 2008.1r1

stine · ‎05-05-2008

I am running the following:

SSG-5-serial - screenos 6.1.0r3.0~av-k

NSMXpress - 2008.1r1

the problem that i am experiencing is this: after modelling the SSG-5, when i compare the policys on the device with the policys in NSM, they are different. i have two policys that have a MIP as the destination, and they are two different MIPs: x.x.x.16 and y.y.y.215. here they are, from the cli configuration:

set policy id 7 name "Inbound" from "Untrust" to "DZONE1" "Any" "MIP(x.x.x.56)" "POP3" permit

set policy id 16 name "SSL-VPN" from "Untrust" to "DZONE2" "Any" "MIP(y.y.y.215)" "HTTPS" permit log

interface ethernet0/0 is bound to the Untrust zone, and has an address of y.y.y.213/28.

here is the problem, the rules that exist in NSM are as follows:

id   from      src   to        dest              svc     action   options
7   untrust   any   DZONE1   mip(x.x.x.56/32) pop3   permit
16   untrust   any   DZONE2   mip(x.x.x.56/32) https   permit   log

as you can see, policy 16 has been modified to include incorrect MIP. when i try use modify the rule in NSM, my y.y.y.215 MIP doesn't appear in the "add addresses" pick-box; however, if, i navigate to Devices->MyDevice->Interfaces->ethernet0/0->Nat->MIPs, both of the MIPs show up here.....

so as you can see, i am quite confused.

stine

Theodore E Van Iderstine
Datalink Associates Corp.
+1 678 373 4200 x125
JNCIA-ER (expired), JNCIA-SSL

AndyC · ‎07-08-2008

Hi,

You need to have a global MIP defined on NSM so that it can use it in the polcies otherwise it wont show up in the list.

object manager > nat objects > global MIP > New MIP.

It will get you to reference the MIP on the device so that it can be used in the policy.

For more information have a look in the NSM manual

www.juniper.net/techpubs

Regards

Andy

JNCIS-FWV
JNCIA-WX
JNCIA-SSL
JNCIA-ER

stine · ‎05-05-2008

ok, manually adding the 2nd global mip did allow me to fix the firewall rule in NSM, and it no longer shows up in the delta config, but i have not pushed the policy to the SSG-5 yet.

on the firewall, the two mips ARE defined, as below, so i'd really like to know why only one of them was loaded into NSM.

set interface "ethernet0/0" mip x.x.x.56 host z.z.z.200 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet0/0" mip y.y.y.215 host y.y.y.38 netmask 255.255.255.255 vr "trust-vr"

and i guess my next question is: if NSM didnt import it correctly, how do i know it is going to write it to the device correctly???

also, where in the NSM 2008.1 admin guide does it indicate that MIPs are not imported correctly?

Theodore E Van Iderstine
Datalink Associates Corp.
+1 678 373 4200 x125
JNCIA-ER (expired), JNCIA-SSL

AndyC · ‎07-08-2008

Hi,

From what you seem to be saying the MIP was imported correcly into NSM for the device config, but what didnt happen was the Global MIP wasn't created so that it couldn't be used for a policy.

Was the MIP being used by a policy on the firewall when you imported it into NSM??

If the MIP wasn't being used then NSM probably didnt create the global MIP as there was no need to at the time because it wasnt being used by a policy.

The delta config shows you what is going to be sent to the device when you do a device update from NSM. So long as your not seeing anything that will be added or removed that you think shouldn't then everything should be fine. If you are concerned, take a backup of the config from the firewall and then update the device.

Just answered my question, the MIP as in use, just re read your first message. Not sure why it wasnt added then, I have not tried Importing a device in 2008.1 yet. Might be worth opening a case with Juniper or seeing if someone else on here can test if they have got 2008.1 setup.

Regards

Andy

Message Edited by AndyC on 08-30-2008 03:04 PM

JNCIS-FWV
JNCIA-WX
JNCIA-SSL
JNCIA-ER

ItCrowd06 · ‎02-18-2008

The NSM patch 2008.1 "c2" is available for download for customers.

It addresses a few serious regressions which are affecting customers who uses MIP/VIP or customers with two or more 0.0.0.0/0 (default) routes.

The patch is server-only (no need for a new UI client)

Linux:

https://download.juniper.net/software/spg/nsm/LGB10z1c2/nsm2008.1r1c2_servers_linux_x86.zip

Solaris:

https://download.juniper.net/software/spg/nsm/LGB10z1c2/nsm2008.1r1c2_servers_sol_sparc.zip

The list of ScreenOS device related fixes are:

---------------------------------------

307611 VIP's not getting imported in NSM properly

308058 NSM 2008.1 - NSM unsetting and setting RIP option on sub interface for every

308481 NSM unsetting default route

309628 SSG520 with multiple mips in policies all have the same mip when imported into

309635 NSM 2008.1r1 is not importing MIP's into Global NAT Objects

stine · ‎05-05-2008

thanks, i'll apply it and see.

Theodore E Van Iderstine
Datalink Associates Corp.
+1 678 373 4200 x125
JNCIA-ER (expired), JNCIA-SSL

policy with MIPs are modifed after import into NSM 2008.1r1

Re: policy with MIPs are modifed after import into NSM 2008.1r1

Re: policy with MIPs are modifed after import into NSM 2008.1r1

Re: policy with MIPs are modifed after import into NSM 2008.1r1

Re: policy with MIPs are modifed after import into NSM 2008.1r1

Re: policy with MIPs are modifed after import into NSM 2008.1r1