Screen OS

  • 1.  DIP and MIP use for route based site to site VPNs

    Posted 12-21-2011 04:24

    Hello,

    I'm fairly new to netscreens and this is my first post. I'm experiencing issues running dip and mip for my route based site to site VPN setup between a Netscreen and a remote site Cisco ASA. I've drawn up a diagram that hopefully makes sense. See attached.

    So far I have managed to get the tunnel up (phase 1 and 2 up/active). Tunnel.1 is bound to the VPN. The DIP (green - outbound flow 1 - see diagram) is also working OK (i.e. I can ping from 1.1.1.1 to the remote end inside 192.168.1.1).

    However with the traffic associated with the MIP (maroon - inbound flow 2 - see diagram) I can see the icmp traffic leaving the remote ASA but being denied on the netscreen firewall as follows:

    Juniper(M)-> get log traffic src-ip 192.168.1.2
    PID 22, from Global to Global, src Any, dst Any, service ANY, action Deny
    ============================================================================================================
    Date       Time       Duration Source IP        Port Destination IP   Port Service  SessionID In Interface
    Reason                Protocol Xlated Src IP    Port Xlated Dst IP    Port ID       PID       Out Interface
    ============================================================================================================
                                    0:00:00 192.168.1.2     43018 192.168.1.65      512 ICMP            0    tunnel.1
    Traffic Denied               1 0.0.0.0             0 0.0.0.0             0                22                      ethernet1/1.2
                                    0:00:00 192.168.1.2     42762 192.168.1.65      512 ICMP            0    tunnel.1
    Traffic Denied               1 0.0.0.0             0 0.0.0.0             0                22                        ethernet1/1.2
    Total entries matched = 2

    Snippet of the configuration on the netscreen:

    set vpn "VPN" proxy-id local-ip 192.168.1.64/26 remote-ip 192.168.1.0/26 "ANY"

    set vrouter "untrust-vr"

    set route 192.168.1.0/26 interface tunnel.1

    set vrouter "Trust-vr"

    set route 192.168.1.0/26 vrouter "untrust-vr" preference 20

    set interface "tunnel.1" zone "Untrust"

    set interface tunnel.1 ip unnumbered interface ethernet1/0

    set interface tunnel.1 ext ip 192.168.1.65 255.255.255.192 dip 1 192.168.1.66 192.168.1.126

    set dip sticky

    set interface "ethernet1/0" mip 192.168.1.65 host 1.1.1.2 netmask 255.255.255.255 vr "Trust-vr"

    set policy id 1 from "Trust-vr" to "Untrust" "host_1.1.1.1" "host_192.168.1.1" "ICMP-ANY" nat src dip-id 1 permit log

    set policy id 2 from "Untrust" to "Trust-vr" "host_192.168.1.2" "MIP(192.168.1.65)" "ICMP-ANY" permit log

    Is it OK to configure the MIP to use the untrust/outside interface or should I associate the MIP to the tunnel interface as I have with the DIP?

    For the MIP, is it OK to use the same address as the DIP ext ip?

    Any help much appreciated.

    Thanks,

    John

    Attachment: MIP & DIP.pdf (96 KB)


  • 2.  RE: DIP and MIP use for route based site to site VPNs

    Posted 12-21-2011 07:22

    Hi,

    You should define the MIP on the tunnel interface. The MIP should not conflict with the "ext ip 192.168.1.65" as the last is not a secondary IP of any interface nor a DIP.



  • 3.  RE: DIP and MIP use for route based site to site VPNs

    Posted 12-21-2011 13:57

    Hi Edouard,

    Thanks very much for your response. When you say "as the last is not a secondary IP of any interface nor a DIP", are you referring to the MIP address?

    I will change to the following, that is, change the MIP to 192.168.1.66 and shift the DIP pool starting IP to 192.168.1.67?

    set interface "tunnel.1" zone "Untrust"

    set interface tunnel.1 ip unnumbered interface ethernet1/0

    set interface tunnel.1 ext ip 192.168.1.65 255.255.255.192 dip 1 192.168.1.67 192.168.1.126

    set dip sticky

    set interface tunnel.1 mip 192.168.1.66 host 1.1.1.2 netmask 255.255.255.255 vr "Trust-vr"

    set policy id 1 from "Trust-vr" to "Untrust" "host_1.1.1.1" "host_192.168.1.1" "ICMP-ANY" nat src dip-id 1 permit log

    set policy id 2 from "Untrust" to "Trust-vr" "host_192.168.1.2" "MIP(192.168.1.66)" "ICMP-ANY" permit log

    Does this look OK?

    Cheers,

    John



  • 4.  RE: DIP and MIP use for route based site to site VPNs
    Best Answer

    Posted 12-22-2011 03:53

    Hi John,

    I mean that "ext ip 192.168.1.65" is free of the limitations typical for an interface primary or secondary IP. It can be used as a DIP while the interface IP cannot. The command

    set interface tunnel.1 ext ip 192.168.1.65 255.255.255.192 dip 1  192.168.1.65    192.168.1.126

    is fully OK.

    If you define the DIP this way:

    set interface tunnel.1 ext ip 192.168.1.65 255.255.255.192 dip 1 192.168.1.66 192.168.1.126

    the IP 192.168.1.65 can be used as a MIP (no overlapping with the DIP .66-.126).

    I stressed this because the "ext ip" is often wrongly understood as a secondary IP for the given interface.

    So, both variants will work.

    If NAT in the VPN tunnel is required I usually use the numbered tunnel interface.
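    As an added example (not from the thread or from ScreenOS itself), a small Python check that parses the two config variants discussed above and flags what the thread ends up fixing: a MIP bound to an interface other than the VPN's tunnel interface, a MIP address inside the DIP pool, or translated addresses outside the proxy-id local subnet. The config strings are constructed, following the command syntax quoted in the thread.

```python
import ipaddress
import re

# Constructed ScreenOS snippets modelled on the two variants discussed in the thread
# (not the poster's exact running config): MIP on ethernet1/0 vs. MIP on tunnel.1.
ORIGINAL = """
set vpn "VPN" proxy-id local-ip 192.168.1.64/26 remote-ip 192.168.1.0/26 "ANY"
set interface tunnel.1 ext ip 192.168.1.65 255.255.255.192 dip 1 192.168.1.66 192.168.1.126
set interface "ethernet1/0" mip 192.168.1.65 host 1.1.1.2 netmask 255.255.255.255 vr "Trust-vr"
"""
CORRECTED = """
set vpn "VPN" proxy-id local-ip 192.168.1.64/26 remote-ip 192.168.1.0/26 "ANY"
set interface tunnel.1 ext ip 192.168.1.65 255.255.255.192 dip 1 192.168.1.67 192.168.1.126
set interface tunnel.1 mip 192.168.1.66 host 1.1.1.2 netmask 255.255.255.255 vr "Trust-vr"
"""

PROXY_RE = re.compile(r'set vpn "[^"]+" proxy-id local-ip (\S+) remote-ip (\S+)')
DIP_RE = re.compile(r'set interface "?([\w./]+)"? ext ip \S+ \S+ dip (\d+)\s+(\S+)\s+(\S+)')
MIP_RE = re.compile(r'set interface "?([\w./]+)"? mip (\S+) host (\S+)')

def check_nat_vpn(config, tunnel_if):
    """Return findings for MIP/DIP placement relative to the VPN bound to tunnel_if."""
    findings, local, dips, mips = [], None, [], []
    for line in config.splitlines():
        if m := PROXY_RE.search(line):
            # proxy-id local subnet: every translated address must fall inside it
            local = ipaddress.ip_network(m.group(1), strict=False)
        elif m := DIP_RE.search(line):
            dips.append((m.group(1), int(m.group(2)),
                         ipaddress.ip_address(m.group(3)), ipaddress.ip_address(m.group(4))))
        elif m := MIP_RE.search(line):
            mips.append((m.group(1), ipaddress.ip_address(m.group(2))))
    for iface, mip in mips:
        if iface != tunnel_if:
            # the thread's fault: traffic arriving via the tunnel never hits a MIP on another interface
            findings.append(f"MIP {mip} is bound to {iface}, not {tunnel_if}")
        if local is not None and mip not in local:
            findings.append(f"MIP {mip} is outside the proxy-id local subnet {local}")
        for dif, did, lo, hi in dips:
            if dif == tunnel_if and lo <= mip <= hi:
                findings.append(f"MIP {mip} overlaps DIP pool {did} ({lo}-{hi}) on {dif}")
    for dif, did, lo, hi in dips:
        if local is not None and (lo not in local or hi not in local):
            findings.append(f"DIP pool {did} ({lo}-{hi}) is not covered by proxy-id {local}")
    return findings

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("corrected", CORRECTED)):
        print(name, check_nat_vpn(cfg, "tunnel.1") or ["OK"])
```

The ext ip itself is deliberately not treated as a conflict, matching the answer above: it is neither a secondary interface IP nor part of the DIP pool, so a MIP equal to it is accepted.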



  • 5.  RE: DIP and MIP use for route based site to site VPNs

    Posted 01-02-2012 14:25

    Thank you for your help. I verified this in my home lab and got it working.