Screen OS

  • 1.  HELP!! DIP Issue

    Posted 02-06-2014 22:29

    Hello,

    I am trying NAT from trust to untrust, but DIP is not working as desired. Help is requested, please. The details are given below:

    ISG 1000 version 3010(0)

    ScreenOS 6.3.0r16.0 (Firewall+VPN)

    get interface eth1/1:

    ================

    Interface ethernet1/1(VSI):
      description ethernet1/1
      number 7, if_info 229320, if_index 0, mode route
      link up, phy-link up/full-duplex, admin status up
      status change:1, last change:02/06/2014 23:30:01
      vsys Root, zone Trust, vr trust-vr, vsd 0
      dhcp client disabled
      ip 10.0.11.1/28   mac 0010.dbff.2070
      manage ip 10.0.11.11, mac 001b.c06e.1d87
      route-deny disable
      pmtu-v4 disabled
      ping enabled, telnet enabled, SSH enabled, SNMP disabled
      web enabled, ident-reset disabled, SSL enabled
      DNS Proxy enabled, webauth disabled, g-arp enabled, webauth-ip 0.0.0.0
      OSPF disabled  OSPFv3 disabled  BGP disabled  RIP disabled  RIPng disabled
      NSGP disabled  mtrace disabled
      PIM: not configured  IGMP not configured
      MLD not configured
      NHRP disabled
      bandwidth: physical 1000Mbps, configured 270Mbps
      DHCP-Relay disabled at interface level
      DHCP-server disabled

    get dip:

    ======

    Dip Id  Dip Low          Dip High         Interface       Attribute    Usage
      12    111.68.101.82    111.68.101.82    ethernet1/3.22  port-xlate   n/a
    Port-xlated dip stickness on
    DIP pool utilization alarm: disabled, raise threshold 0%, clear threshold 0%

    Output of Debug Flow Basic:

    =======================

    **st: <Trust|ethernet1/1|Root|0> 499c118: 0:10.200.13.9/5e67->8.8.8.8/1,1,84
    ****** 40832.0: <Trust/ethernet1/1> packet received [84]******
      ipid = 0(0000), @0499c118
      packet passed sanity check.
      flow_decap_vector IPv4 process
      ethernet1/1:10.200.13.9/1->8.8.8.8/24167,1(8/0)<Root>
      no session found
      flow_first_sanity_check: in <ethernet1/1>, out <N/A>
      chose interface ethernet1/1 as incoming nat if.
      flow_first_routing: in <ethernet1/1>, out <N/A>
      search route to (ethernet1/1, 10.200.13.9->8.8.8.8) in vr trust-vr for vsd-0/flag-0/ifp-null
      cached route 0 for 8.8.8.8
      add route 39 for 8.8.8.8 to route cache table
      [ Dest] 39.route 8.8.8.8->111.68.97.193, to ethernet1/3.21
      routed (x_dst_ip 8.8.8.8) from ethernet1/1 (ethernet1/1 in 0) to ethernet1/3.21
      policy search from zone 2-> zone 1
     policy_flow_search  policy search nat_crt from zone 2-> zone 1
      RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 8.8.8.8, port 1650, proto 1)
      No SW RPC rule match, search HW rule
    swrs_search_ip: policy matched id/idx/action = 1/0/0x9
      Permitted by policy 1
      dip alloc failed. dip_id = 0
      packet dropped, dip alloc failed

    ===================

    Regards.



  • 2.  RE: HELP!! DIP Issue

    Posted 02-07-2014 03:09

    Thanks for the detailed information.

    Your issue appears to be that the DIP is created on interface 1/3.22 but your egress interface is 1/3.21.

    NAT occurs on the egress interface. You will need to delete the current DIP and create it on interface 1/3.21.



  • 3.  RE: HELP!! DIP Issue

    Posted 02-07-2014 09:48

    Oh, that's why only one IP subnet is effective if I set the policy's advanced settings to use the egress port IP, but it is from eth1/3.20. Wow... Thanks. But now I'll tell you the whole scenario.

    Actually, we have got different IP pools from different ISPs, and all connections are being tagged before entering the firewall. In routing, I have assigned the same preference to the default routes provided by these ISPs/sub-interfaces. I cannot assign one IP pool to a sub-interface other than its own. I have checked that the default interface for zone 'Untrust' is ethernet1/3.101, which is not being used by the firewall as the default egress interface IP either.

    Can you please help me with how I can use all sub-interfaces at the same time based on policies?

    get zone untrust:

    =============

    Zone name: Untrust, id: 1, type: Security(L3), vsys: Root, vrouter:trust-vr
    Intra-zone block: On, attrib: Shared, flag:0x6491
    TCP non SYN send reset: Off
    IP/TCP reassembly for ALG on traffic from/to this zone: No
    Asymmetric vpn: Disabled
    Policy Configurable: Yes
    PBR policy: None
    Interfaces bound:5. Designated ifp is ethernet1/3.101
    interface ethernet1/3.101(0x24949410)
    interface ethernet1/3.20(0x24944d60)
    interface ethernet1/3.200(0x24949640)
    interface ethernet1/3.21(0x24948fb0)
    interface ethernet1/3.22(0x249491e0)
    IP classification disabled

    DHCP relay enabled



  • 4.  RE: HELP!! DIP Issue

    Posted 02-07-2014 11:32

    In continuation of the above message...

    I am confident that I have configured the DIP on the correct sub-interface, but it is selecting a different one. Any idea why that is?

    get inter eth1/3.22:

    ===============

    Interface ethernet1/3.22(VSI):
      description ethernet1/3.22
      number 9, if_info 295016, if_index 22, VLAN tag 22, mode route
      link up, phy-link up/full-duplex, admin status up
      vsys Root, zone Untrust, vr trust-vr, vsd 0
      dhcp client disabled
      ip 111.68.101.2/24   mac 0010.dbff.2090
      manage ip 0.0.0.0, mac 001b.c06e.1d89
      route-deny disable
      pmtu-v4 disabled
      ping enabled, telnet disabled, SSH disabled, SNMP disabled
      web disabled, ident-reset disabled, SSL disabled
      DNS Proxy disabled, webauth disabled, g-arp enabled, webauth-ip 0.0.0.0
      OSPF disabled  OSPFv3 disabled  BGP disabled  RIP disabled  RIPng disabled
      NSGP disabled  mtrace disabled
      PIM: not configured  IGMP not configured
      MLD not configured
      NHRP disabled
      bandwidth: physical 0Mbps, configured 0Mbps
      DHCP-Relay disabled at interface level
      DHCP-server disabled

    =========================

    Regards.



  • 5.  RE: HELP!! DIP Issue

    Posted 02-08-2014 05:01

    I'm not sure I am visualizing your topology correctly. But it sounds to me like you have a routing issue if you are sure the egress interface for the traffic is NOT correct.

    The way packet flow works is that the route lookup is done early, as you saw in the debug flow. Based on the route lookup, ScreenOS selects the egress interface, and from this selection it then determines the destination zone of the traffic.

    It sounds like you are saying this selection is incorrect. That necessarily means your route table is not what you want it to be. So you need to start the troubleshooting there.

    You also mention you have multiple default routes at the same metric/preference. You probably need to change some settings for this to work as you desire.

    Without any configuration, with two default routes this way the first one installed will be used as the tie breaker when the metric and preference are equal. I'm sure you don't want this scenario.

    Your next option is to enable ECMP (equal cost multi path). This will round-robin requests between the two routes on a per-session basis. You may also NOT want this behavior depending on how you are using the multiple default routes, as you can't control which one is next in the rotation.

    You may want to create a virtual router for each ISP with a default route. Then you can structure your routing policy to forward traffic to particular carrier virtual routers based on criteria you design in routing. This is essentially the same as if you had a separate device for each ISP, but they are virtually contained in the SSG box. There is a limit to the number you can create, by platform.

    Finally, you may want to control the traffic using policy-based routing or source-based routing. This feature allows you to use criteria within a single virtual router to control routing direction.



  • 6.  RE: HELP!! DIP Issue

    Posted 02-09-2014 06:02

    Thank you very much for the detailed reply and help. Yes, I agree with you regarding all options. I have been working on firewalls of different brands like Juniper, Fortinet, SonicWall etc., which are much easier to use than the Juniper ISG, but I like this firewall for its stability.

    In this firewall, the limitation I am experiencing is that I cannot choose individual (sub-)interfaces in the Untrust zone while defining a policy. And I am bound to control the traffic through PBR, SBR etc., OR working on the routing side for ECMP or priority regardless of individual user requirements. This puts an additional configuration load if user requirements are high with different preferences.

    In the ISG policy, I was expecting to see either different egress interfaces in the selection combo box or selecting different DIPs. But I have seen that selecting a DIP from an interface/pool other than its default is not working. And it does not allow going down to the level of interface, but zone only.

    Do you have any other workaround for me so I may select one of multiple DIPs from different interfaces?

    Best Regards.



  • 7.  RE: HELP!! DIP Issue

    Posted 02-09-2014 07:02

    get route:

    ========

    IPv4 Dest-Routes for <trust-vr> (41 entries)
    --------------------------------------------------------------------------------------
             ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
    --------------------------------------------------------------------------------------
    *        39          0.0.0.0/0      eth1/3.21   111.68.97.193   S   20      1     Root
    *        40          0.0.0.0/0      eth1/3.22      111.68.101.1   S   20      1     Root
    *        43          0.0.0.0/0      eth1/3.20        95.16.77.31   S   20      1     Root
    *        44          0.0.0.0/0    eth1/3.101     15.86.156.37   S   20      1     Root
    and so on...

    And you are right, I don't let the ISG decide which ISP to follow.



  • 8.  RE: HELP!! DIP Issue
    Best Answer

    Posted 02-09-2014 14:03

    I may not fully understand your topology and needs yet, so bear with me.

    I think the primary attribute to keep in mind here is that ScreenOS fully separates policy from routing. They are different configuration elements, and you cannot affect routing egress decisions in policy configuration.

    So with all those default routes installed in the routing table, you need to configure policy or source routing to force the traffic in the direction you desire.

    Also bear in mind that policy is by zone, not by interface. Interfaces belong to zones, and a zone is treated as a group with the same requirements.

    Perhaps what you would want is to assign each ISP interface to its own zone (untrust-1, untrust-2, etc.). This would then effectively be writing policy by interface, since only one interface would belong to each zone.
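    As an added example (not from this thread, Juniper, or ScreenOS itself), a small Python checker that reproduces the route-lookup-before-DIP logic described in replies 5 and 8: it parses the `get dip` and `get route` output quoted earlier, picks the egress interface for a destination by longest prefix and lowest preference/metric, breaks an equal-cost tie by table order (assumed here to equal install order, as the debug chose route 39), and flags a DIP pool bound to a different interface, which is the `dip alloc failed` condition in the original debug. The sample tables are constructed from the thread's own output.

```python
import ipaddress
# Constructed sample, trimmed from the "get dip" and "get route" output quoted in this thread.
GET_DIP = """Dip Id  Dip Low          Dip High         Interface       Attribute    Usage
  12    111.68.101.82    111.68.101.82    ethernet1/3.22  port-xlate   n/a
"""
GET_ROUTE = """*        39          0.0.0.0/0      eth1/3.21   111.68.97.193   S   20      1     Root
*        40          0.0.0.0/0      eth1/3.22      111.68.101.1   S   20      1     Root
*        43          0.0.0.0/0      eth1/3.20        95.16.77.31   S   20      1     Root
*        44          0.0.0.0/0    eth1/3.101     15.86.156.37   S   20      1     Root
"""

def normalize(ifname):
    """'get dip' prints ethernet1/3.22 while 'get route' prints eth1/3.22; compare one form."""
    return ifname.replace("ethernet", "eth")

def parse_dips(text):
    """Map DIP id -> interface the pool is bound to (NAT source addresses live on that interface)."""
    pools = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0].isdigit():
            pools[int(parts[0])] = normalize(parts[3])
    return pools

def parse_routes(text):
    """Active ('*') routes as (route_id, network, iface, pref, metric), kept in table order."""
    routes = []
    for line in text.splitlines():
        p = line.split()
        if len(p) >= 9 and p[0] == "*":
            routes.append((int(p[1]), ipaddress.ip_network(p[2]), normalize(p[3]), int(p[6]), int(p[7])))
    return routes

def egress_candidates(routes, dst):
    """Longest-prefix match, then lowest (pref, metric); more than one result is an equal-cost tie."""
    ip = ipaddress.ip_address(dst)
    hits = [r for r in routes if ip in r[1]]
    if not hits:
        return []
    longest = max(r[1].prefixlen for r in hits)
    hits = [r for r in hits if r[1].prefixlen == longest]
    best = min((r[3], r[4]) for r in hits)
    return [r[2] for r in hits if (r[3], r[4]) == best]

def check_dip(dip_id, dst, pools, routes):
    """(ok, egress_iface, tied_ifaces); ok is False when the DIP sits on an interface other than
    the one the lookup picks ('dip alloc failed'). Assumption: without ECMP, a tie goes to the first row."""
    tied = egress_candidates(routes, dst)
    egress = tied[0] if tied else None
    return (pools.get(dip_id) == egress, egress, tied)
```

    Running it on the thread's tables returns a four-way tie on the default route with eth1/3.21 winning, so DIP 12 on eth1/3.22 fails exactly as the debug showed; giving each ISP interface its own zone, as suggested above, does not change this lookup, it only lets the policy select a zone whose single interface carries the matching DIP.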



  • 9.  RE: HELP!! DIP Issue

    Posted 02-09-2014 22:15

    Wow... I think this will put me at ease... setting up multiple Untrust zones. One egress interface per zone will fulfill the requirements. However, considering routing and policy separately during planning will lead to correct decisions in future.

    I am really thankful to you for your time and for helping me out, finally leading to a solution. Bye Bye..