Trusted Contributor
stine
Posts: 434
Registered: ‎05-05-2008
0

Policies with MIPs are modified after import into NSM 2008.1r1

I am running the following:

SSG-5-serial - screenos 6.1.0r3.0~av-k

NSMXpress - 2008.1r1

The problem that I am experiencing is this: after modelling the SSG-5, when I compare the policies on the device with the policies in NSM, they are different. I have two policies that have a MIP as the destination, and they are two different MIPs: x.x.x.16 and y.y.y.215. Here they are, from the CLI configuration:

 

set policy id 7 name "Inbound" from "Untrust" to "DZONE1"  "Any" "MIP(x.x.x.56)" "POP3" permit

set policy id 16 name "SSL-VPN" from "Untrust" to "DZONE2"  "Any" "MIP(y.y.y.215)" "HTTPS" permit log

Interface ethernet0/0 is bound to the Untrust zone and has an address of y.y.y.213/28.

Here is the problem: the rules that exist in NSM are as follows:

id    from      src    to        dest              svc     action    options
7    untrust    any    DZONE1    mip(x.x.x.56/32)  pop3    permit
16   untrust    any    DZONE2    mip(x.x.x.56/32)  https   permit    log

As you can see, policy 16 has been modified to include an incorrect MIP. When I try to modify the rule in NSM, my y.y.y.215 MIP doesn't appear in the "add addresses" pick-box; however, if I navigate to Devices->MyDevice->Interfaces->ethernet0/0->Nat->MIPs, both of the MIPs show up there.

So as you can see, I am quite confused.

stine

Theodore E Van Iderstine
Stream Networks
+1 678 373 4200 x125
JNCIA-ER (expired), JNCIA-SSL (ditto)
Trusted Expert
AndyC
Posts: 441
Registered: ‎07-08-2008
0

Re: Policies with MIPs are modified after import into NSM 2008.1r1

Hi,

You need to have a global MIP defined in NSM so that it can use it in the policies; otherwise it won't show up in the list.

Object Manager > NAT Objects > Global MIP > New MIP.

It will get you to reference the MIP on the device so that it can be used in the policy.

For more information have a look in the NSM manual:

www.juniper.net/techpubs

Regards

Andy

JNCIS-FWV
JNCIA-WX
JNCIA-SSL
JNCIA-ER
Trusted Contributor
stine
Posts: 434
Registered: ‎05-05-2008
0

Re: Policies with MIPs are modified after import into NSM 2008.1r1

OK, manually adding the 2nd global MIP did allow me to fix the firewall rule in NSM, and it no longer shows up in the delta config, but I have not pushed the policy to the SSG-5 yet.

On the firewall, the two MIPs ARE defined, as below, so I'd really like to know why only one of them was loaded into NSM.

set interface "ethernet0/0" mip x.x.x.56 host z.z.z.200 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet0/0" mip y.y.y.215 host y.y.y.38 netmask 255.255.255.255 vr "trust-vr"

And I guess my next question is: if NSM didn't import it correctly, how do I know it is going to write it to the device correctly???

Also, where in the NSM 2008.1 admin guide does it indicate that MIPs are not imported correctly?

Theodore E Van Iderstine
Stream Networks
+1 678 373 4200 x125
JNCIA-ER (expired), JNCIA-SSL (ditto)
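The drift the first post shows (policy 16 imported with the wrong MIP) and the interface MIP definitions quoted above can be checked mechanically before a device update is pushed. The following is an added example, not code from the thread or from Juniper: it parses the quoted ScreenOS `set policy` and `set interface ... mip` lines and the NSM rule table as constructed sample input, reports policies whose destination MIP differs between device and NSM, and flags any policy that references a MIP not defined on an interface.

```python
import re

# Constructed sample input modelled on this thread: the SSG-5 CLI lines the poster
# quoted and the rule table as NSM displayed it after import (placeholder addresses).
DEVICE_CLI = """
set interface "ethernet0/0" mip x.x.x.56 host z.z.z.200 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet0/0" mip y.y.y.215 host y.y.y.38 netmask 255.255.255.255 vr "trust-vr"
set policy id 7 name "Inbound" from "Untrust" to "DZONE1"  "Any" "MIP(x.x.x.56)" "POP3" permit
set policy id 16 name "SSL-VPN" from "Untrust" to "DZONE2"  "Any" "MIP(y.y.y.215)" "HTTPS" permit log
"""
NSM_RULES = """
7    untrust    any    DZONE1    mip(x.x.x.56/32)  pop3    permit
16   untrust    any    DZONE2    mip(x.x.x.56/32)  https   permit    log
"""

POLICY_RE = re.compile(r'^set policy id (\d+) .*?"MIP\(([^)]+)\)"')
MIP_DEF_RE = re.compile(r'^set interface "[^"]+" mip (\S+) host')
NSM_RE = re.compile(r'^(\d+)\s+\S+\s+\S+\s+\S+\s+mip\(([^/)]+)', re.I)

def _by_policy_id(text, regex):
    """Policy id -> MIP address for every line matching regex (groups: id, mip)."""
    found = {}
    for line in text.splitlines():
        m = regex.match(line.strip())
        if m:
            found[int(m.group(1))] = m.group(2)
    return found

def device_mip_policies(cli):
    """Destination MIP of each 'set policy' line on the device that targets a MIP."""
    return _by_policy_id(cli, POLICY_RE)

def nsm_mip_policies(table):
    """Destination MIP of each rule in the NSM table (the /32 mask is dropped)."""
    return _by_policy_id(table, NSM_RE)

def device_mips(cli):
    """MIP addresses actually defined on the device's interfaces."""
    return {m.group(1) for line in cli.splitlines()
            if (m := MIP_DEF_RE.match(line.strip()))}

def find_drift(cli, table):
    """Policies whose MIP on the device differs from what NSM imported: id -> (device, nsm)."""
    dev, nsm = device_mip_policies(cli), nsm_mip_policies(table)
    return {pid: (mip, nsm.get(pid)) for pid, mip in dev.items() if nsm.get(pid) != mip}

def undefined_mips(cli):
    """MIPs referenced by a policy but not defined on any interface."""
    return set(device_mip_policies(cli).values()) - device_mips(cli)
```

Run `find_drift(DEVICE_CLI, NSM_RULES)` on a real `get config` dump and the NSM rule export to see exactly which policies would be pushed back with the wrong destination.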
Trusted Expert
AndyC
Posts: 441
Registered: ‎07-08-2008
0

Re: Policies with MIPs are modified after import into NSM 2008.1r1

[ Edited ]

Hi,

From what you seem to be saying, the MIP was imported correctly into NSM for the device config, but what didn't happen was the global MIP wasn't created, so it couldn't be used for a policy.

Was the MIP being used by a policy on the firewall when you imported it into NSM??

If the MIP wasn't being used then NSM probably didn't create the global MIP, as there was no need to at the time because it wasn't being used by a policy.

The delta config shows you what is going to be sent to the device when you do a device update from NSM. So long as you're not seeing anything that will be added or removed that you think shouldn't be, then everything should be fine. If you are concerned, take a backup of the config from the firewall and then update the device.

Just answered my question: the MIP was in use, I just re-read your first message. Not sure why it wasn't added then; I have not tried importing a device in 2008.1 yet. Might be worth opening a case with Juniper or seeing if someone else on here can test if they have got 2008.1 set up.

Regards

Andy

Message Edited by AndyC on 08-30-2008 03:04 PM
JNCIS-FWV
JNCIA-WX
JNCIA-SSL
JNCIA-ER
Juniper Employee
ItCrowd06
Posts: 10
Registered: ‎02-18-2008
0

Re: Policies with MIPs are modified after import into NSM 2008.1r1

The NSM patch 2008.1 "c2" is available for download for customers.

It addresses a few serious regressions which are affecting customers who use MIP/VIP or customers with two or more 0.0.0.0/0 (default) routes.

The patch is server-only (no need for a new UI client).

Linux:

https://download.juniper.net/software/spg/nsm/LGB10z1c2/nsm2008.1r1c2_servers_linux_x86.zip

Solaris:

https://download.juniper.net/software/spg/nsm/LGB10z1c2/nsm2008.1r1c2_servers_sol_sparc.zip

The list of ScreenOS device-related fixes is:

---------------------------------------

307611 VIP's not getting imported in NSM properly

308058 NSM 2008.1 - NSM unsetting and setting RIP option on sub interface for every

308481 NSM unsetting default route

309628 SSG520 with multiple mips in policies all have the same mip when imported into

309635 NSM 2008.1r1 is not importing MIP's into Global NAT Objects

Trusted Contributor
stine
Posts: 434
Registered: ‎05-05-2008
0

Re: Policies with MIPs are modified after import into NSM 2008.1r1

Thanks, I'll apply it and see.

Theodore E Van Iderstine
Stream Networks
+1 678 373 4200 x125
JNCIA-ER (expired), JNCIA-SSL (ditto)