ScreenOS Firewalls (NOT SRX)
Blogs
Discussion Forums
Programs & Events
turn on suggestions Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Reply
Topic Options
Bart
Contributor
Bart
Posts: 48
Registered: ‎08-21-2009
0
Accepted Solution

1 to 1 NAT-Dst + Dip: for self but not interested

Options

‎08-21-2009 12:57 AM

Hi,

 

I'm running into a nat mess on the netscreen.

where running the latest build of 6.1.

 

The situation requires us to nat a server for specific flows outbound (using DIP) & inbound (using policy dst-nat) .

a MIP cannot be used as it would translate all traffic, which will break certain flows.

 

when we configured both the DIP & the policy dst-nat the DIP policies where working but not the dst nat.

In the log you could see:

****** 114826.0: <FW/ethernet0/2> packet received [48]******
  ipid = 5353(14e9), @2d6a6110
  packet passed sanity check.
  ethernet0/2:x.x.x.x/4080->y.y.y.y/80,6<Root>
  no session found
  flow_first_sanity_check: in <ethernet0/2>, out <N/A>
  chose interface ethernet0/2 as incoming nat if.
  packet dropped: for self but not interested

 

Is this kind of configuration supported? A policy dst nat with the same ip of a dip ?

 

tnx for the replies!

 

Message 1 of 4 (4,586 Views)
 
Reply
Trusted Contributor
Nemanja
Posts: 23
Registered: ‎03-17-2009
0

Re: 1 to 1 NAT-Dst + Dip: for self but not interested

Options

‎08-21-2009 01:52 AM

Hi Bart,

 

You are probably using 6.1r5.

There was a fix that was commited in this release that disabled nat-dst to be used for the addresses that have DIP defined.

You can find this in release notes for 6.1r5:

 

 

This has been fixed in 6.1r6 so now you can again have the configuration that you have mentioned:

 

Please upgrade to 6.1r6.

 

Thanks,

Nemanja

 

Message 2 of 4 (4,579 Views)
 
Reply
Bart
Contributor
Bart
Posts: 48
Registered: ‎08-21-2009
0

Re: 1 to 1 NAT-Dst + Dip: for self but not interested

Options

‎08-21-2009 02:08 AM

Hi Nemanja,

 

You are correct, we are using r5.

I opened the release notes of r5 & r6 , but I cannot find this info? Can you provide me with a bugid ?

 

Much appreciated,

 

Bart

Message 3 of 4 (4,577 Views)
 
Reply
Trusted Contributor
Nemanja
Posts: 23
Registered: ‎03-17-2009

Re: 1 to 1 NAT-Dst + Dip: for self but not interested

Options

‎08-21-2009 02:37 AM

Hi Bard,

 

In 6.1r5 this is the fix that brakes the functionallity:

■ 308572—Pinging a DIP IP address results in routing loop with upstream device.

 

 

Unfortunatelly in 6.1r6  release notes it is not stated that it is again possible to combine dip and nat-dst for the same address in the config. But I know that it is fixed :smileyhappy:

 

 

Thanks,

Nemanja

Message 4 of 4 (4,570 Views)
 
Reply
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.