ScreenOS Firewalls (NOT SRX)
Contributor
Blackice
Posts: 19
Registered: 07-27-2011

Re: ISG internet firewall deployment

Hi,

The ISP has confirmed to me that the real range of the loopback is already routed. I have tried to run a traceroute from the loopback interface and this gives me an error. How can I verify where the traffic actually stopped, or what the main cause is?

Thanks

Distinguished Expert
echidov
Posts: 858
Registered: 11-02-2009

Re: ISG internet firewall deployment

Hi,

You can start the trace from the Trust interface. A Trust-to-Untrust policy with the active src-NAT to the egress interface IP will correctly perform src-NAT to the loopback interface IP.

Is the ISP router connected to a port that belongs to the same VLAN as ethernet1/3.1? Can you ping the ISP router from the Untrust interface?

Kind regards,
Edouard
Contributor
Blackice
Posts: 19
Registered: 07-27-2011

Re: ISG internet firewall deployment

Thanks Edouard for your patience.

I have done what you mentioned about creating a NAT policy from Trust to Untrust with interface NAT; the packets go nowhere and the traceroute doesn't show any hop! I have made sure that there is a default route configured on the trust VR to point the traffic to the internet router.

The ping test to the ISP routers from the Untrust interface was done without any problem.

By the way, there is a router between the ISG and the ISP routers, and it is doing a basic traffic routing operation.

Any ideas?

Thanks

Distinguished Expert
echidov
Posts: 858
Registered: 11-02-2009

Re: ISG internet firewall deployment

Hi,

In this case the intermediate router is the first node I would start to analyze. Does it route your public network towards the firewall? Are there ACL hits? If yes, does it get responses? etc.

Kind regards,
Edouard
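As an added example (not from either poster), this is how the pieces discussed in the thread fit together on ScreenOS and how to see on the firewall itself where a Trust-to-Untrust packet stops, using the filtered flow debug. Everything except the ethernet1/3.1 name is assumed: the loopback name, the policy id, and all addresses are constructed placeholders (RFC 5737 documentation ranges).

```screenos
# --- Assumed configuration -------------------------------------------------
# Loopback in the Untrust zone carrying the public range the ISP routes to us
set interface "loopback.1" zone "Untrust"
set interface "loopback.1" ip 203.0.113.10/24
# ethernet1/3.1 (the sub-interface from the thread) joins the loopback group,
# so egress-interface src-NAT can use the loopback.1 address
set interface "ethernet1/3.1" loopback-group "loopback.1"
# Default route in trust-vr towards the intermediate router (gateway assumed)
set vrouter "trust-vr"
set route 0.0.0.0/0 interface ethernet1/3.1 gateway 198.51.100.1
exit
# Trust-to-Untrust policy with interface-based src-NAT (no DIP pool), logged
set policy id 10 from "Trust" to "Untrust" "Any" "Any" "ANY" nat src permit log

# --- Verification: where does the packet actually stop? --------------------
# Restrict the flow debug to one Trust-side test host so dbuf stays readable
set ffilter src-ip 10.1.1.20 dst-ip 198.51.100.1
clear dbuf
debug flow basic
# ... send the test traffic (ping / traceroute) from 10.1.1.20 now ...
undebug all
get dbuf stream
unset ffilter
```

In the dbuf output, check the route lookup result (which interface and vrouter), the policy match and the NAT translation: if the packet leaves with the loopback address as source and nothing comes back, the drop is upstream, which points at the intermediate router's routing or ACLs as Edouard suggests.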
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.