ScreenOS Firewalls (NOT SRX)
Contributor
ajay_dand

Can I eliminate the need for the router using sub-interfaces?

Hi,

The following is the scenario:

SSG320M-SH with 8-port Ethernet module.

Zones -> Untrust, Trust, DMZ, DMZ2, DMZ3

3 ISPs connected to ISP1 -> Eth0/0, ISP2 -> Eth1/6, ISP3 -> Eth1/7.

Default routes configured with Pref 10, 20 & 30 resp for ISP1, 2 & 3.

Multiple policies and VPNs configured, and working fine.

Now, the requirement of ISP1 is that the traffic be tagged with dot1q tag 851. Currently, ISP1's connection is on Ethernet, connected to Cisco router fa0/1. Fa0/0 connects to the SSG320 on eth0/0. To tag the egress traffic towards ISP1, we created a sub-interface on the Cisco router (the traditional way) and things are working as expected, with ISP failover, VPN, incoming MIP, VIP etc.

However, if we try to emulate this (i.e. the Cisco router, by creating a sub-interface) on eth0/0 of the SSG, things go haywire. Internet access from Trust to Untrust works fine, but from the DMZs it doesn't. POP3 traffic works only from some workstations on Trust, and not at all from the DMZ, where the internal mail server is located. The outbound DIP IP of the firewall shows up as that of the sub-interface, and not as that of the physical interface. However, even with the sub-interface configured on eth0/0, ISP2's links work fine, and when traffic is routed through ISP2, there are no complaints at all. So there seem to be no problems with the policies.

So, the problem is: how do we configure a sub-interface on eth0/0 of the SSG320 and avoid the problems mentioned above? This is to relieve the router, since that router is required somewhere else, and the customer is not willing to buy another due to the current eco scenario. ;-) I hope I have explained things as clearly as possible.

Thanks for help in advance.

Ajay.

Distinguished Expert
Screenie

Re: Can I eliminate the need for the router using sub-interfaces?

Hi,

You should be able to use subinterfaces on the e0 interface without any problem. Two points to consider:

- You have to create the subinterface in the untrust zone.

- NATting from the DMZ zone to Untrust needs to be done in the policy; it doesn't come from interface-based NAT. You can choose to NAT behind the egress interface in the policy (in this case the subint's IP will be used), or create a DIP.

If you have your own IP range (independent from the ISPs, but they route to this range) you can create a loopback interface in the Untrust zone and make every interface and subinterface a member of the loopback group of this interface. Now you can create your NAT objects (DIP, MIP, VIP) on the loopback interface and use them in all your policies. The NATting will be independent of the outgoing interface now.

If this post doesn't help you, you could run a debug on the malfunctioning POP3 session and post the output. It might show what's going on. It's basic functionality you're asking for. We can't accept that this doesn't work, can we?!

best regards,

Screenie.
Juniper Ambassador,
JNCIA IDP AC WX JNCIS FW SSL JNCIP SEC ENT SP JNCI

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
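The flow debug Screenie asks for, written out as an added example (this is not from the thread, and the addresses are placeholders): it captures one POP3 attempt from the DMZ mail server, assumed here to be 10.10.10.10, so the output shows which egress interface ScreenOS chose, what source address it translated to, and whether the packet was dropped. The filter is essential; an unfiltered `debug flow basic` on a busy SSG fills the debug buffer and can load the CPU.

```screenos
# Added example, not from the original thread. 10.10.10.10 is an assumed
# DMZ mail server address; adjust the filter to the real host.

# 1. Restrict the debug to this host's POP3 (TCP/110) traffic only.
set ffilter src-ip 10.10.10.10 dst-port 110

# 2. Empty the debug buffer, then start the basic flow trace.
clear db
debug flow basic

# 3. Reproduce exactly one POP3 login from the mail server, then stop.
undebug all

# 4. Read the trace. Look for the route lookup and the line naming the
#    outgoing interface (ethernet0/0 vs ethernet0/0.1), any "nat src"/DIP
#    translation, and any "packet dropped" line with its reason.
get db stream

# 5. Remove the filter so later debugs are not silently narrowed.
unset ffilter

# Cross-check against the live session table: the translated source
# address of the session should be the one you expect (.105, not .102).
get session src-ip 10.10.10.10 dst-port 110
```

If the trace shows the packet leaving ethernet0/0 untagged while the default route points at ethernet0/0.1 (or vice versa), the problem is route/egress selection rather than policy, which matches the symptom that ISP2 traffic is unaffected.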
Contributor
ajay_dand

Re: Can I eliminate the need for the router using sub-interfaces?

Hi,

Thanks for the response. Well, actually, I did try it the way you mention. 

However, the issue is not the creation of the sub-interface, but how the routes are defined, how the egress interface is configured and how NAT is handled. For explanation:

eth0/0 --> 202.xxx.yyy.105/29 (LAN IPs issued by the ISP)

eth0/0.1 --> 202.xxx.yyy.102/30 dot1q tag 851 (WAN IP and tag as issued by ISP)

route --> 0.0.0.0/0 through eth0/0.1 gw 202.xxx.yyy.101 (Here, if I give the outgoing interface as 0/0 instead of 0/0.1, the Internet was not accessible. I suppose tagging issues??) But when the egress interface is 0/0.1 the NATed IP seen on the outgoing traffic is .102 (as expected, but not as desired). Here everything is in trust-vr. (Now, when this setup is replaced with a Cisco router doing the VLAN tagging, the NAT IP is seen as .105 - that of eth0/0, as expected AND as desired!)

There was a suggestion to leave eth0/0 unnumbered and use .105 as a DIP IP on eth0/0.1; however, that didn't work out, as the firewall does not allow an unnumbered IP on eth0/0 (we didn't try setting it to DHCP, but I suppose, in the absence of any DHCP server, this would have failed too??). Also, as my understanding of DIP/MIP/VIP goes, the IP used for the DIP/MIP/VIP must belong to the subnet of the interface on which it is configured.

So, the issue is: how can we achieve the sub-interface doing the tagging, but the physical interface being the egress interface?? Regarding the POP3 issue: strangely, when it was configured without the router, random hosts on the Trust LAN were able to make outgoing POP3 sessions and download mail, whereas the rest were not able to! But we didn't try getting the debugs, since it started working fine the moment we removed the sub-interface and configured the router for VLAN tagging.

Hope this makes things clearer. Thanks for help in advance.

Regards,

Ajay.

Distinguished Expert
Screenie

Re: Can I eliminate the need for the router using sub-interfaces?

Ah, you can use just the physical link of e0 by moving the e0 interface to the Null zone. After that you can still create a subint (in the Untrust zone) and make all traffic tagged.

best regards,

Screenie.
Contributor
ajay_dand

Re: Can I eliminate the need for the router using sub-interfaces?

Hi,

Thanks for the response. Before trying your suggestion, just a small clarification is required. If I move the physical int e0/0 into the Null zone, can I still apply an IP address and do MIP through that interface? If not, can I use the public IPs assigned by the ISP for the LAN on the sub-interface?

Regards,

Distinguished Expert
Screenie

Re: Can I eliminate the need for the router using sub-interfaces?

Once you have moved the interface to the Null zone you can't use it at all, with the exception of creating subinterfaces. If you need two connections, one tagged and one untagged, you place both the interface and its subinterface in the Untrust zone and give them the addresses, MIPs and VIPs you need. Traffic going out through the main interface (ethernet0/0) will be untagged; traffic going out through your subint (ethernet0/0.1) will be tagged with the tag value you specified in the subint definition.

best regards,

Screenie.
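The two designs Screenie describes in this thread (physical port in the Null zone with a tagged subinterface in Untrust, and NAT objects on a loopback interface so the translated address no longer depends on the egress interface), put together as one added ScreenOS configuration. This is an added example, not config from the thread; the addresses are documentation placeholders standing in for the poster's 202.xxx.yyy ranges (203.0.113.100/30 for the ISP1 WAN link, 198.51.100.104/29 for the ISP-routed public block, 10.10.10.10 for the DMZ mail server), and the DIP id, loopback number and policy set are assumptions.

```screenos
# Added example, not from the original thread. Placeholder addressing:
#   203.0.113.102/30  firewall side of the ISP1 WAN link, ISP gateway .101
#   198.51.100.104/29 public block the ISP routes to you; .105 for source NAT
#   10.10.10.10       internal mail server in the DMZ zone

# 1. The physical port only carries tagged frames now, so park it in the
#    Null zone. It keeps no IP, no zone policy and cannot hold MIPs/VIPs;
#    its only remaining job is to be the parent of subinterfaces.
set interface ethernet0/0 zone null

# 2. Tagged subinterface: all egress on it is 802.1Q-tagged VLAN 851.
set interface ethernet0/0.1 tag 851 zone untrust
set interface ethernet0/0.1 ip 203.0.113.102/30
set interface ethernet0/0.1 route

# 3. Loopback interface in the same zone holds the ISP-routed block, and the
#    subinterface joins its loopback group. NAT objects defined on the loopback
#    are then reachable/usable through any group member, so the translated
#    address is decoupled from whichever egress interface the route picks.
set interface loopback.1 zone untrust
set interface loopback.1 ip 198.51.100.105/29
set interface ethernet0/0.1 loopback-group loopback.1

# 4. NAT objects on the loopback: a one-address DIP pool for outbound source
#    NAT (id 4 is an assumption) and a MIP for the DMZ mail server.
set interface loopback.1 dip 4 198.51.100.105 198.51.100.105
set interface loopback.1 mip 198.51.100.106 host 10.10.10.10 netmask 255.255.255.255 vr trust-vr

# 5. Default route for ISP1 via the tagged subinterface (lowest preference
#    wins). ISP2/ISP3 defaults at preference 20/30 stay as already configured.
set vrouter trust-vr
set route 0.0.0.0/0 interface ethernet0/0.1 gateway 203.0.113.101 preference 10
exit

# 6. Policy-based NAT for DMZ -> Untrust. "nat src" alone would translate to
#    the egress interface address (.102, the symptom in the thread); naming
#    the loopback DIP makes outbound mail traffic appear as .105.
set policy from dmz to untrust any any POP3 nat src dip-id 4 permit
set policy from dmz to untrust any any SMTP nat src dip-id 4 permit
# Inbound to the mail server uses the MIP on the loopback as destination.
set policy from untrust to dmz any MIP(198.51.100.106) SMTP permit

# 7. Checks: the subinterface should show VLAN tag 851 and the DIP/MIP
#    should be listed on loopback.1, not on ethernet0/0.1.
get interface ethernet0/0.1
get interface loopback.1
get dip
get mip
```

Two caveats. First, the loopback-group trick only helps with failover to ISP2/ISP3 if those ISPs will actually accept and route 198.51.100.104/29; when the block is assigned by ISP1 alone (as in the thread), adding ethernet1/6 and ethernet1/7 to the group would send ISP1-sourced packets out links whose provider may drop them with source-address filtering, so the DIP used in the policy should match the link the traffic leaves on. Second, once ethernet0/0 is in the Null zone nothing untagged is processed on that port; if the ISP still needs an untagged path, keep the physical interface in Untrust alongside the subinterface instead, as Screenie's last reply describes.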
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.