ScreenOS Firewalls (NOT SRX)
Contributor
NOC_NOC
Posts: 26
Registered: ‎08-25-2008

Behaviour of MIP even no policy exists for the zone where the IP resides

Dear All, I have a little problem regarding MIP, as the MIP is in the Global zone. I have three interfaces.

 

e1/1 trust 172.16.14.253/24

e1/2 DMZ 172.16.13.254/24

e1/3 Untrust 202.125.152.253/24

 

I have MIP 203.135.39.183 with host IP 172.16.16.18. This host IP is placed behind the Trust zone and a route is available in the ISG. Now I write the policy from Untrust to DMZ: any to MIP(203.135.39.183), any, any, any, permit. Now I am able to access the host IP, which is in the Trust zone, when I try to access MIP 203.135.39.183. Now the problem is that there is no policy from Untrust to Trust for the MIP; even though there is no policy to access the MIP from Untrust to Trust, I can access MIP 203.135.39.183 and I can see the translation in the policy log from Untrust to DMZ. It shows the destination IP 203.135.39.183 and the destination translation IP 172.16.16.18. It works fine even if there is no policy from Untrust to Trust for the MIP, as long as the policy exists from Untrust to DMZ. It means we can access the MIP if a policy exists for any zone except the zone where it resides.

I just want the MIP to be accessible from a particular zone only if a policy exists for that zone. If there is no policy from Untrust to Trust for the MIP, then it should not be accessible via Untrust to DMZ. Is it possible? Please explain this behaviour of MIP.

 

Regards,

 

NOC

Distinguished Expert
Screenie
Posts: 1,085
Registered: ‎01-10-2008

Re: Behaviour of MIP even no policy exists for the zone where the IP resides

A MIP is bidirectional, so address translation is done in both directions. You define the MIP on the "outward facing" interface, normally untrust. For the inbound policy you define a policy from untrust to destinationzone any MIP(IP) service permit log. For the outbound you define a "normal" permit policy. Address translation will be done in both directions now. If there's a third zone involved you can define a policy from thirdzone to untrust with the public address as destination. When you connect to this IP the traffic will be passed through the MIP to the host.

 

Does this answer your question?

best regards,

Screenie.
Juniper Ambassador,
JNCIA IDP AC WX JNCIS FW SSL JNCIP SEC ENT SP JNCI

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
Contributor
NOC_NOC
Posts: 26
Registered: ‎08-25-2008

Re: Behaviour of MIP even no policy exists for the zone where the IP resides

Dear Screenie,

I think you didn't understand my question. The question is: if no policy from untrust to trust exists for the MIP (IP1), and only one policy exists from untrust to DMZ for the MIP (IP1), then why can we access the MIP whose host IP (IP1) is placed in the trust zone? We can also see the translation in the policy log from untrust to DMZ, exactly the same as we required.

 

Why is it accessible via the Untrust to DMZ policy while the machine resides in the Trust zone and there is no policy from Untrust to Trust?

 

Regards,

 

NOC   

Trusted Contributor
Tica
Posts: 63
Registered: ‎02-06-2009

Re: Behaviour of MIP even no policy exists for the zone where the IP resides

Hello,

 

Is it possible to have an extract of your configuration? 

 

I think you already defined a global policy where you used that MIP. 

In that case your translation is done on that rule, and it will also allow your traffic.

 

-Tim

Contributor
NOC_NOC
Posts: 26
Registered: ‎08-25-2008

Re: Behaviour of MIP even no policy exists for the zone where the IP resides

Dear Tim,

No global policy exists. The output is as under.

 

ISG2k02(M)-> get policy global
No global policies, Default deny.

 

We tried on another firewall (SSG550) with the same behaviour, and no global policy exists there on the SSG550 either.

 

Regards

 

NOC

Distinguished Expert
Screenie
Posts: 1,085
Registered: ‎01-10-2008

Re: Behaviour of MIP even no policy exists for the zone where the IP resides

Got the question now! Sorry. MIP (as VIP) is somewhat strange in behaviour. The MIP is placed in the global address book, visible as a destination in all zones. The actual zone the traffic is sent to is based upon the host address in the MIP definition. So yes, you can screw up your policies for the look of it and define access to the MIP from untrust to DMZ while the actual host is in trust, and traffic will be granted. Of course it's your responsibility as an admin to avoid this.
best regards,

Screenie.
Juniper Ambassador,
JNCIA IDP AC WX JNCIS FW SSL JNCIP SEC ENT SP JNCI

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
Contributor
NOC_NOC
Posts: 26
Registered: ‎08-25-2008

Re: Behaviour of MIP even no policy exists for the zone where the IP resides

Dear Screenie

 

          Kindly let me know, how to avoid this.

 

Regards,

 

NOC

Distinguished Expert
Screenie
Posts: 1,085
Registered: ‎01-10-2008

Re: Behaviour of MIP even no policy exists for the zone where the IP resides

The source zone is respected of course. So just write the policy from the source zone to the destination zone where the actual host exists; then there isn't any problem, is there?

 

best regards,

Screenie.
Juniper Ambassador,
JNCIA IDP AC WX JNCIS FW SSL JNCIP SEC ENT SP JNCI

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
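As an added example (it is not part of this thread and is not Juniper's code), the following Python script models the behaviour Screenie describes and the fix he recommends: a MIP is reachable from any zone a policy names as destination, while the zone the traffic is really delivered to is derived from the MIP's host address. The script parses a constructed ScreenOS-style configuration excerpt built from the addresses in the thread (the static route, the policy ids and the exact `set` line layout are assumptions), resolves the zone of each MIP host by longest-prefix match over connected subnets and static routes, and flags every policy whose destination is a `MIP(...)` but whose to-zone differs from the zone the host actually sits in, printing the corrected policy line.

```python
import ipaddress
import re

# Constructed ScreenOS-style config excerpt. Interface addresses, zones, the MIP
# and the Untrust->DMZ policy are taken from the thread; the route to the host's
# subnet, the policy ids and the exact line syntax are assumptions for this example.
SAMPLE_CONFIG = """
set interface ethernet1/1 zone "Trust"
set interface ethernet1/1 ip 172.16.14.253/24
set interface ethernet1/2 zone "DMZ"
set interface ethernet1/2 ip 172.16.13.254/24
set interface ethernet1/3 zone "Untrust"
set interface ethernet1/3 ip 202.125.152.253/24
set interface ethernet1/3 mip 203.135.39.183 host 172.16.16.18 netmask 255.255.255.255 vr trust-vr
set route 172.16.16.0/24 interface ethernet1/1 gateway 172.16.14.1
set policy id 10 from "Untrust" to "DMZ" "Any" "MIP(203.135.39.183)" "ANY" permit log
set policy id 11 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
"""

RE_ZONE = re.compile(r'^set interface (\S+) zone "([^"]+)"$')
RE_IP = re.compile(r'^set interface (\S+) ip (\S+/\d+)$')
RE_MIP = re.compile(r'^set interface \S+ mip (\S+) host (\S+) netmask')
RE_ROUTE = re.compile(r'^set route (\S+/\d+) interface (\S+)')
RE_POLICY = re.compile(r'^set policy id (\d+) from "([^"]+)" to "([^"]+)" '
                       r'"([^"]+)" "([^"]+)" "([^"]+)" (permit|deny|reject)(.*)$')
RE_MIP_REF = re.compile(r'^MIP\(([^)]+)\)$')


def parse_config(text):
    """Collect interface zones, connected subnets, static routes, MIPs and policies."""
    cfg = {"iface_zone": {}, "nets": [], "mips": {}, "policies": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := RE_ZONE.match(line):
            cfg["iface_zone"][m.group(1)] = m.group(2)
        elif m := RE_IP.match(line):
            # strict=False: an interface address such as 172.16.14.253/24 has host bits set
            cfg["nets"].append((ipaddress.ip_network(m.group(2), strict=False), m.group(1)))
        elif m := RE_MIP.match(line):
            cfg["mips"][m.group(1)] = m.group(2)          # public MIP -> private host
        elif m := RE_ROUTE.match(line):
            cfg["nets"].append((ipaddress.ip_network(m.group(1), strict=False), m.group(2)))
        elif m := RE_POLICY.match(line):
            cfg["policies"].append({
                "id": int(m.group(1)), "from": m.group(2), "to": m.group(3),
                "src": m.group(4), "dst": m.group(5), "service": m.group(6),
                "action": m.group(7), "opts": m.group(8)})
    return cfg


def zone_of_host(cfg, host_ip):
    """Zone a packet to host_ip really egresses into: longest-prefix match over
    connected subnets and static routes, mapped to the egress interface's zone."""
    addr = ipaddress.ip_address(host_ip)
    best = None
    for net, iface in cfg["nets"]:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return cfg["iface_zone"].get(best[1]) if best else None


def audit_mip_policies(cfg):
    """Flag policies whose destination is a MIP but whose to-zone is not the zone
    the MIP host resides in, and build the policy line that names the right zone."""
    findings = []
    for pol in cfg["policies"]:
        ref = RE_MIP_REF.match(pol["dst"])
        if not ref:
            continue
        mip = ref.group(1)
        host = cfg["mips"].get(mip)
        host_zone = zone_of_host(cfg, host) if host else None
        if host_zone != pol["to"]:
            findings.append({
                "id": pol["id"], "mip": mip, "host": host,
                "policy_to": pol["to"], "host_zone": host_zone,
                "suggested": (f'set policy id {pol["id"]} from "{pol["from"]}" to "{host_zone}" '
                              f'"{pol["src"]}" "{pol["dst"]}" "{pol["service"]}" '
                              f'{pol["action"]}{pol["opts"]}'),
            })
    return findings


if __name__ == "__main__":
    for f in audit_mip_policies(parse_config(SAMPLE_CONFIG)):
        print(f'policy {f["id"]}: MIP {f["mip"]} -> {f["host"]} is in zone '
              f'{f["host_zone"]}, but the policy is written to zone {f["policy_to"]}')
        print("  suggested:", f["suggested"])
```

Run against the sample, the script reports policy 10 (Untrust to DMZ for the MIP) because the host 172.16.16.18 is reached through ethernet1/1 and therefore sits in Trust, and prints the same policy rewritten to Trust. Feeding it the output of `get config` from a real unit lets an administrator find every MIP policy whose zone pair does not describe the path the traffic actually takes, which is the mismatch Screenie says it is the admin's job to avoid.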
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.