08-21-2009 12:57 AM
I'm running into a NAT mess on the NetScreen.
We're running the latest build of 6.1.
The situation requires us to NAT a server for specific flows outbound (using DIP) & inbound (using policy dst-nat).
A MIP cannot be used as it would translate all traffic, which will break certain flows.
When we configured both the DIP & the policy dst-nat, the DIP policies were working but not the dst-nat.
In the log you could see:
****** 114826.0: <FW/ethernet0/2> packet received ******
ipid = 5353(14e9), @2d6a6110
packet passed sanity check.
no session found
flow_first_sanity_check: in <ethernet0/2>, out <N/A>
chose interface ethernet0/2 as incoming nat if.
packet dropped: for self but not interested
Is this kind of configuration supported? A policy dst-nat with the same IP as a DIP?
tnx for the replies!
08-21-2009 01:52 AM
You are probably using 6.1r5.
There was a fix that was committed in this release that disabled nat-dst to be used for the addresses that have DIP defined.
You can find this in release notes for 6.1r5:
This has been fixed in 6.1r6 so now you can again have the configuration that you have mentioned:
Please upgrade to 6.1r6.
08-21-2009 02:08 AM
You are correct, we are using r5.
I opened the release notes of r5 & r6, but I cannot find this info. Can you provide me with a bug ID?
08-21-2009 02:37 AM
In 6.1r5 this is the fix that breaks the functionality:
■ 308572—Pinging a DIP IP address results in routing loop with upstream device.
Unfortunately, in the 6.1r6 release notes it is not stated that it is again possible to combine DIP and nat-dst for the same address in the config. But I know that it is fixed