Screen OS


Issue with Src-Nat

Erdem, 07-28-2014 17:17

  • 1.  Issue with Src-Nat

    Posted 06-25-2014 16:50

    Hi All, first post here.

    I have a src-nat issue with my firewall, the firewall is performing a src-nat on a MIP, which I want to stop. The external interface is in NAT mode, while the DMZ interface is in route mode.

    This is odd because this MIP performs a src-nat while another MIP going to another interface with the same settings is not performing a src-nat.

    I would also like to mention that the code we are running is old (5.4.0r2.0), let me know if more information is needed.



  • 2.  RE: Issue with Src-Nat

    Posted 06-25-2014 17:46

    A MIP is a one-to-one translation.  Source translation happens on the egress interface, which would explain why you are seeing the different behaviors.  The one that is translating is most likely the one where the MIP resides, but the other one is a different interface where the MIP is not configured.

     

    It sounds like you might be needing to use a combination of DIP (many to many) and VIP (one to many).  You would use the VIP for destination translation and DIP for source translation. 

     

    If you can provide additional information on your requirements, I might be able to suggest some configurations.



  • 3.  RE: Issue with Src-Nat

    Posted 06-25-2014 17:58

    Thanks, I have tried a VIP but had the same result.

     

    The reason why we are doing this is that the device at the end of the MIP needs to see untranslated source IPs. What's odd is that another MIP going to a different zone does not do a source NAT translation.



  • 4.  RE: Issue with Src-Nat

     
    Posted 06-25-2014 19:22

    As Bob has mentioned, a MIP is one-to-one and it will perform NAT in both directions ---> Src-NAT of outgoing traffic and Dst-NAT of incoming traffic (assuming you have the right policies in place)

     

     

    For example:

     

    10.1.1.1 -- e0/0 --- FW --- e0/1 (1.1.1.1/24) --- internet

    MIP configured on e0/1 --> MIP 1.1.1.2: Host 10.1.1.1

     

    Now, the firewall will ALWAYS source NAT 10.1.1.1 to 1.1.1.2 as long as the traffic is exiting via e0/1. This is as per design.

     

    If you want to workaround this, you need to re-design the setup using VIP for incoming NAT and DIP for outgoing NAT.



  • 5.  RE: Issue with Src-Nat

    Posted 06-26-2014 16:27

    Thanks Gokul, but this is actually for incoming traffic, and another MIP to another zone does not do a source NAT.



  • 6.  RE: Issue with Src-Nat

    Posted 06-26-2014 16:34

    You say that the MIP on another zone isn't doing the NAT.  Can you explain further?  Which interface is the MIP configured on and how is the traffic flowing?



  • 7.  RE: Issue with Src-Nat

    Posted 06-26-2014 16:48

    Let me try this example

     

    MIP 1

     

    Internet/Untrust --> e0/0 --> Firewall --> e0/1 --> Trust | NO source NAT

     

    Internet/Untrust interface is in NAT mode

    Trust interface is in Routed mode

     

    MIP 2

     

    Internet/Untrust --> e0/0 --> Firewall --> e0/2 --> DMZ | YES Source NAT

     

    The Internet/Untrust interface is in NAT mode

    DMZ Interface is in Routed mode

     



  • 8.  RE: Issue with Src-Nat

    Posted 06-26-2014 16:52

    That is odd.  They should actually both be translated.  Can you provide a debug flow basic and config for both?



  • 9.  RE: Issue with Src-Nat

    Posted 06-26-2014 20:48

    I can't provide a debug at the moment, but should I be using a VIP? I did that, but it did not make any difference.



  • 10.  RE: Issue with Src-Nat

     
    Posted 06-27-2014 19:39

    Can you share the related config for clarity?

     

    The MIP configuration, the DMZ, Trust and Untrust interface configuration, etc., along with the policies and direction of flow will help. You can replace the actual IP addresses with some dummy IPs before sharing it here.



  • 11.  RE: Issue with Src-Nat

    Posted 07-22-2014 21:39

    Sorry guys, I'm late, I was on holidays. Let me know if you need any more info, or even what commands to run to get that info.

     

    MIP configuration

     

    set interface "ethernet0/1" mip 1.1.1.1 host 192.168.0.1 netmask 255.255.255.255 vr "untrust-vr"

     

    DMZ

     

    set zone id 101 "DMZ"

    set zone "DMZ" vrouter "untrust-vr"

    set interface "ethernet0/0" zone "DMZ"

     

    Policy

    set policy id 248 from "Untrust" to "DMZ"  "Any" "MIP(1.1.1.1)" "ICMP-ANY" permit



  • 12.  RE: Issue with Src-Nat

    Posted 07-28-2014 17:17

    BUMP, no takers?



  • 13.  RE: Issue with Src-Nat

    Posted 07-28-2014 19:51

    To make sure that I understand, you have two MIPs, one goes to the Trust zone, the other to the DMZ zone.  The problem that you are having is that INBOUND traffic from Untrust to the DMZ MIP, unlike traffic destined for the Trust MIP, is being source NATed?  That seems quite odd.  What is the source being NATed to, where does the inbound traffic look like it's coming from?



  • 14.  RE: Issue with Src-Nat

    Posted 07-28-2014 20:53

    That's correct, inbound traffic is coming from external servers, and they are being NATted to the DMZ interface.

     

    Very odd, I'm thinking it might be a bug.



  • 15.  RE: Issue with Src-Nat

    Posted 07-28-2014 21:02

    That does seem like a bug, could you post all of the policies from Untrust to DMZ?  Have you run a 'get session' during one of these connections to show the NAT taking place?



  • 16.  RE: Issue with Src-Nat

    Posted 07-28-2014 21:16

    Yes, I have run a get session, and the policy looks good, output below with the IPs and ports changed.

     

    id 121210/s**,vsys 0,flag 08000000/0000/0001,policy 248,time 13107, dip 2 module 0
     if 8(nspflag 801801):119.25.4.58/63672->1.1.1.1/200,6,00090f85274e,sess token 30,vlan 0,tun 0,vsd 0,route 15
     if 6(nspflag 801800):192.168.0.254/24670<-192.168.0.1/200,6,001e670eccd2,sess token 38,vlan 0,tun 0,vsd 0,route 1



  • 17.  RE: Issue with Src-Nat

     
    Posted 07-28-2014 21:55

    Can you please post the complete 'get pol id 248' ?

     

    set policy id 248 from "Untrust" to "DMZ"  "Any" "MIP(1.1.1.1)" "ICMP-ANY" permit ==> Anything other than this line?

     

    Also, share the 'get interface xyz' for the trust, Untrust and DMZ interfaces.



  • 18.  RE: Issue with Src-Nat

    Posted 07-30-2014 13:51

    Just a quick update, I have upgraded the Firewall to 6.3.0r17.0 which is the latest version (previously it was running 5.4).

     

    I have also changed the MIP to a VIP, and it is still natting the source address.

     

    Below is the information requested.

     

    Juniper-> get pol id 248
    name:"Inbound Emails" (id 248), zone Untrust -> DMZ1,action Permit, status "enabled"
    src "Any", dst "VIP(1.1.1.1)", serv "SMTP"
    Application: "SMTP"
    Rules on this VPN policy: 0
    nat off, Web filtering : disabled
    vpn unknown vpn, policy flag 00010400, session backup: on
    traffic shaping off, scheduler n/a, serv flag 00
    log init close, log count 424, alert no, counter no(0) byte rate(sec/min) 0/0
    total octets 26737196, counter(session/packet/octet) 0/0/0
    priority 7, diffserv marking Off
    tadapter: state off, gbw/mbw 0/0 policing (no)
    No Authentication
    No User, User Group or Group expression set


    Juniper-> get interface ethernet0/0
    Interface ethernet0/0:
      description ethernet0/0
      number 0, if_info 0, if_index 0, mode route
      link up, phy-link up/full-duplex
      vsys Root, zone Trust, vr trust-vr
      dhcp client disabled
      PPPoE disabled
      admin mtu 0, operating mtu 1500, default mtu 1500
      *ip 10.0.0.254/22   mac 0012.1eaa.e500
      *manage ip 10.0.0.254, mac 0012.1eaa.e500
      route-deny disable
      pmtu-v4 disabled
      ping enabled, telnet enabled, SSH enabled, SNMP enabled
      web enabled, ident-reset disabled, SSL enabled
      DNS Proxy disabled, webauth disabled, webauth-ip 0.0.0.0
      OSPF disabled  BGP disabled  RIP disabled  RIPng disabled  mtrace enabled
      PIM: not configured  IGMP not configured
      bandwidth: physical 1000000kbps, configured egress [gbw 0kbps mbw 0kbps]
                 configured ingress mbw 0kbps, current bw 0kbps
                 total allocated gbw 0kbps
      DHCP-Relay disabled
      DHCP-server disabled
    Number of SW session: 123298, hw sess err cnt 0

    Juniper-> get interface ethernet2/0
    Interface ethernet2/0:
      description ethernet2/0
      number 8, if_info 262080, if_index 0, mode nat
      link up, phy-link up/full-duplex, admin status up
      status change:5, last change:07/31/2014 07:27:46
      vsys Root, zone Untrust, vr untrust-vr
      dhcp client disabled
      PPPoE disabled
      admin mtu 0, operating mtu 1500, default mtu 1500
      ip 1.1.1.1/28   mac 0012.1eaa.9e58
      manage ip 0.0.0.0, mac 0012.1eaa.9e58
      route-deny disable
      pmtu-v4 enabled
      ping disabled, telnet disabled, SSH disabled, SNMP disabled
      web disabled, ident-reset disabled, SSL disabled
      DNS Proxy disabled, webauth disabled, g-arp enabled, webauth-ip 0.0.0.0
      OSPF disabled  OSPFv3 disabled  BGP disabled  RIP disabled  RIPng disabled
      mtrace disabled
      PIM: not configured  IGMP not configured
      MLD not configured
      NHRP disabled
      bandwidth: physical 100000kbps, configured egress [gbw 0kbps mbw 0kbps]
                 configured ingress mbw 0kbps, current bw 0kbps
                 total allocated gbw 0kbps
      DHCP-Relay disabled at interface level
      DHCP-server disabled
    Juniper-> get interface ethernet0/2
    Interface ethernet0/2:
      description ethernet0/2
      number 6, if_info 14448, if_index 0, mode route
      link up, phy-link up/full-duplex
      vsys Root, zone DMZ1, vr untrust-vr
      dhcp client disabled
      PPPoE disabled
      admin mtu 0, operating mtu 1500, default mtu 1500
      ip 192.168.0.254/24   mac 0012.1eaa.e506
      manage ip 0.0.0.0, mac 0012.1eaa.e506
      route-deny disable
      pmtu-v4 disabled
      ping enabled, telnet disabled, SSH disabled, SNMP disabled
      web disabled, ident-reset disabled, SSL disabled
      DNS Proxy disabled, webauth disabled, webauth-ip 0.0.0.0
      OSPF disabled  BGP disabled  RIP disabled  RIPng disabled  mtrace disabled
      PIM: not configured  IGMP not configured
      bandwidth: physical 100000kbps, configured egress [gbw 0kbps mbw 0kbps]
                 configured ingress mbw 0kbps, current bw 0kbps
                 total allocated gbw 0kbps
      DHCP-Relay disabled
      DHCP-server disabled
    Number of SW session: 123331, hw sess err cnt 0
    Juniper->



  • 19.  RE: Issue with Src-Nat

    Posted 07-31-2014 07:48

    Could you get some debug information related to one of these sessions being created?  Like the instructions found here:

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB12208



  • 20.  RE: Issue with Src-Nat
    Best Answer

     
    Posted 07-31-2014 13:08

    I must ask....

     

    I noticed eth2/0 (untrust) interface is set to 'nat' mode.

     

    Does it make a difference if it's set to 'route' mode?

     

            "set int eth2/0 route"

     

    It shouldn't, but... you never know...

     

    Regards,

    Sam



  • 21.  RE: Issue with Src-Nat

    Posted 07-31-2014 13:52

    Sam,

     

    From my understanding that interface is NATting traffic leaving my network, which is what I want it to do, but the DMZ interface is set to route, therefore it should not NAT anything coming in.



  • 22.  RE: Issue with Src-Nat

     
    Posted 07-31-2014 14:05

    If we want to NAT all traffic from Trust -> Untrust, we can either:

     

     a) use 'nat src' in policy

       OR

      b) set trust interface to 'nat' mode

     

     

    Setting the Untrust interface to 'nat' mode does not affect NAT from Trust -> Untrust.  I'd be surprised if nat mode on Untrust affects anything (it didn't in older ScreenOS)... perhaps something changed?

     

    I typically set all interfaces to 'route' mode, and enforce NAT via policy.

     

    In my opinion, I think it's still worth a shot.

     

    Regards,

    Sam
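
Editor's note, added example (not posted by anyone in this thread): the fix that finally worked was taking the Untrust interface out of 'nat' mode, and the design recommended in posts 4 and 22 is to keep every interface in route mode and state NAT explicitly in policy, with a VIP for inbound destination translation and a DIP for outbound source translation, instead of a MIP, which translates in both directions on its interface. The ScreenOS commands below are the editor's reconstruction of that design, reusing the interface names, zone names and addresses from the `get interface` output above. The VIP address 1.1.1.2, DIP id 4, the policy ids and the mail host 192.168.0.1 are assumptions, not taken from the poster's real configuration.

```screenos
## Added example (editor's reconstruction, not the poster's config).
## Assumed addresses: VIP 1.1.1.2 and DIP pool 1.1.1.3 are spare addresses
## inside the Untrust /28; 192.168.0.1 is the assumed DMZ mail host.

## 1. Interface-based NAT off everywhere: every interface in route mode.
##    This is the change that stopped the inbound source NAT in the thread.
set interface ethernet2/0 route
set interface ethernet0/0 route
set interface ethernet0/2 route

## 2. Inbound: VIP on the Untrust interface maps only SMTP on 1.1.1.2 to
##    the DMZ host; the source address is left untouched, so the mail
##    server sees the real sender IP.
set interface ethernet2/0 vip 1.1.1.2 25 "SMTP" 192.168.0.1
set policy id 248 from "Untrust" to "DMZ1" "Any" "VIP(1.1.1.2)" "SMTP" permit
set policy id 248
set log session-init
exit

## 3. Outbound: source NAT only where the policy says so, using a DIP
##    pool on the egress (Untrust) interface.
set interface ethernet2/0 dip 4 1.1.1.3 1.1.1.3
set policy id 250 from "Trust" to "Untrust" "Any" "Any" "ANY" nat src dip-id 4 permit
set policy id 251 from "DMZ1" to "Untrust" "Any" "Any" "SMTP" nat src dip-id 4 permit
save

## 4. Verify: mode should read "route" on all three interfaces, policy 248
##    should show "nat off", and an inbound SMTP session should keep the
##    external source address on the DMZ leg of the session pair.
get interface ethernet2/0
get policy id 248
get session dst-ip 192.168.0.1
```

The point of keeping interface modes at route and carrying NAT in policy is auditability: each `get policy id` line states exactly which flows are translated and to what, so a reviewer can confirm that the inbound mail policy carries no source translation without having to reason about interface-mode side effects like the one that bit the poster.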

     



  • 23.  RE: Issue with Src-Nat

    Posted 07-31-2014 17:43

    Gents, that worked like a charm, thanks so much for that! I'm a very happy man now.