Hello,
I am trying to NAT from trust to untrust, but DIP is not working as desired. Help is requested, please. The details are given below:
ISG 1000 version 3010(0)
ScreenOS 6.3.0r16.0 (Firewall+VPN)
get interface eth1/1:
================
Interface ethernet1/1(VSI):
description ethernet1/1
number 7, if_info 229320, if_index 0, mode route
link up, phy-link up/full-duplex, admin status up
status change:1, last change:02/06/2014 23:30:01
vsys Root, zone Trust, vr trust-vr, vsd 0
dhcp client disabled
ip 10.0.11.1/28 mac 0010.dbff.2070
manage ip 10.0.11.11, mac 001b.c06e.1d87
route-deny disable
pmtu-v4 disabled
ping enabled, telnet enabled, SSH enabled, SNMP disabled
web enabled, ident-reset disabled, SSL enabled
DNS Proxy enabled, webauth disabled, g-arp enabled, webauth-ip 0.0.0.0
OSPF disabled OSPFv3 disabled BGP disabled RIP disabled RIPng disabled
NSGP disabled mtrace disabled
PIM: not configured IGMP not configured
MLD not configured
NHRP disabled
bandwidth: physical 1000Mbps, configured 270Mbps
DHCP-Relay disabled at interface level
DHCP-server disabled
get dip:
======
Dip Id  Dip Low         Dip High        Interface       Attribute   Usage
    12  111.68.101.82   111.68.101.82   ethernet1/3.22  port-xlate  n/a
Port-xlated dip stickness on
DIP pool utilization alarm: disabled, raise threshold 0%, clear threshold 0%
Output of Debug Flow Basic:
=======================
**st: <Trust|ethernet1/1|Root|0> 499c118: 0:10.200.13.9/5e67->8.8.8.8/1,1,84
****** 40832.0: <Trust/ethernet1/1> packet received [84]******
ipid = 0(0000), @0499c118
packet passed sanity check.
flow_decap_vector IPv4 process
ethernet1/1:10.200.13.9/1->8.8.8.8/24167,1(8/0)<Root>
no session found
flow_first_sanity_check: in <ethernet1/1>, out <N/A>
chose interface ethernet1/1 as incoming nat if.
flow_first_routing: in <ethernet1/1>, out <N/A>
search route to (ethernet1/1, 10.200.13.9->8.8.8.8) in vr trust-vr for vsd-0/flag-0/ifp-null
cached route 0 for 8.8.8.8
add route 39 for 8.8.8.8 to route cache table
[ Dest] 39.route 8.8.8.8->111.68.97.193, to ethernet1/3.21
routed (x_dst_ip 8.8.8.8) from ethernet1/1 (ethernet1/1 in 0) to ethernet1/3.21
policy search from zone 2-> zone 1
policy_flow_search policy search nat_crt from zone 2-> zone 1
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 8.8.8.8, port 1650, proto 1)
No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 1/0/0x9
Permitted by policy 1
dip alloc failed. dip_id = 0
packet dropped, dip alloc failed
===================
Regards.