ScreenOS Firewalls (NOT SRX)
Contributor
hadywahl
Posts: 45
Registered: 05-23-2008

MIP Issue

Hi Everyone,

I have an ISG1000 (6.0.0.r4). I have an IP address 24.24.4.26/29 on the Untrust interface. Default gateway is 24.24.4.25.

On the trust interface the IP is 172.24.10.1/16. I have a system whose IP is 172.24.10.51, and I want to map it to 24.24.4.30, so that when this system accesses the internet (traffic from System/Trust to any/Untrust) it will use that IP address. Also I want any service request to 24.24.4.30 from any/Untrust to be forwarded to 172.24.10.51. On the Untrust interface I created a new MIP (24.24.4.30) with Host = 172.24.10.51, mask = 32. In policies I permit traffic from System/Trust to any/Untrust. I also added a second policy to permit any/Untrust towards MIP(24.24.4.30)/System/Trust, any service.

When I try to do a traceroute from another internet connection, the traceroute stops at 24.24.4.26, which is the IP address of the Untrust interface of the firewall device. I tried to ping also, no success! While from my LAN PC (172.24.10.38) I can ping that system (172.24.10.51). What could be wrong?

But I wouldn't know if it conflicts with another Untrust interface I configured on the firewall, which is on the Eth1/1 interface with IP address 24.24.4.10/29.

ethernet1/1 ip 24.24.4.10/29 Untrust zone
ethernet1/2 ip 24.24.4.26/29 Untrust zone
ethernet2/2 ip 172.24.10.1/16 Trust zone

Below is the debug output:

nsisg1000-> get db str
**st: <Untrust|ethernet1/2|Root|0> 3b9c118: 16f8:76.248.5.90/400->24.24.4.30/c778,1,92
****** 13355.0: <Untrust/ethernet1/2> packet received [92]******
  ipid = 5880(16f8), @03b9c118
  packet passed sanity check.
  ethernet1/2:76.248.5.90/51064->24.24.4.30/1024,1(8/0)<Root>
  no session found
  flow_first_sanity_check: in <ethernet1/2>, out <N/A>
  [ Dest] 10.route 76.248.5.90->24.24.4.25, to ethernet1/2
  chose interface ethernet1/2 as incoming nat if.
  flow_first_routing: in <ethernet1/2>, out <N/A>
  search route to (ethernet1/2, 76.248.5.90->172.24.10.51) in vr untrust-vr for vsd-0/flag-0/ifp-null
  [ Dest] 9.route 172.24.10.51->24.24.4.9, to ethernet1/1
  routed (x_dst_ip 172.24.10.51) from ethernet1/2 (ethernet1/2 in 0) to ethernet1/1
  policy search from zone 1-> zone 1
 policy_flow_search  policy search nat_crt from zone 1-> zone 10
  RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 24.24.4.30, port 11399, proto 1)
  No SW RPC rule match, search HW rule
  Permitted by policy 160
  No src xlate   choose interface ethernet1/1 as outgoing phy if
  no loop on ifp ethernet1/1.
  session application type 0, name None, nas_id 0, timeout 60sec
  service lookup identified service 0.
  flow_first_final_check: in <ethernet1/2>, out <ethernet1/1>
  existing vector list 1-1e092784.
  Session (id:258157) created for first pak 1
  flow_first_install_session======>
  route to 24.24.4.9
  arp entry found for 24.24.4.9
  ifp2 ethernet1/1, out_ifp ethernet1/1, flag 00800800, tunnel ffffffff, rc 1
  outgoing wing prepared, ready
  handle cleartext reverse route
  search route to (ethernet1/1, 172.24.10.51->76.248.5.90) in vr untrust-vr for vsd-0/flag-3000/ifp-ethernet1/2
  [ Dest] 10.route 76.248.5.90->24.24.4.25, to ethernet1/2
  route to 24.24.4.25
  arp entry found for 24.24.4.25
  ifp2 ethernet1/2, out_ifp ethernet1/2, flag 00800801, tunnel ffffffff, rc 1
  flow got session.
  flow session id 258157
  post addr xlation: 76.248.5.90->172.24.10.51.
 flow_send_vector_, vid = 0, is_layer2_if=0

Thanks in advance

Distinguished Expert
spuluka
Posts: 2,751
Registered: 03-30-2009

Re: MIP Issue

I think your policy may not have the port translation configured.

The KB111909 gives a listing of all the scenarios for configuring NAT for reference.

In your case we need KB11901 for outbound mapping to a public IP. This walks you through all the choices and configuration options with references to the detailed instructions from the Concepts and Examples guide. This should help you find the missing step.

Steve Puluka BSEET
Juniper Ambassador
Senior Network Engineer - UPMC Pittsburgh, PA
JNCIA-ER JNCIA-EX JNCIS-SEC JNCIP-SEC
JNCIS-FWV JNCIS-SSL
MCP - Managing Server 2003 MCP - Windows XP Professional
MCTS Windows 7
http://puluka.com/home
Contributor
hadywahl
Posts: 45
Registered: 05-23-2008

Re: MIP Issue

Hi,

Thanks for your reply. I need to allow both inbound and outbound connections; that is the reason I am using MIP.

Why do I need to configure port translation after using MIP? Also, looking at my debug output, I noticed it is interfering with the other Untrust interface I have configured on the firewall.

I was not expecting to see this line:

policy search from zone 1-> zone 1

I think it was meant to be:

policy search from zone 1-> zone 10.

Guess there is a conflict somewhere. It doesn't seem to be returning via the path it came through. Could you help me peruse it?

I don't think it should have anything to do with this:

[ Dest] 9.route 172.24.10.51->24.24.4.9, to ethernet1/1.

Thanks in advance

Super Contributor
ELKIM
Posts: 227
Registered: 12-01-2008

Re: MIP Issue

Hi

Could you access 24.24.4.25? If you can, try to access that box, then ping 24.24.4.30 and check the ARP on it.

You also can try to change the interface ethernet1/2 IP address from 24.24.4.26 to 24.24.4.30 in order for the router to get the MAC of the firewall's interface.

Here I give you a link for troubleshooting MIP issues.

http://kb.juniper.net/KB10923

thanks


EL

Contributor
hadywahl
Posts: 45
Registered: 05-23-2008

Re: MIP Issue

Thanks for the reply

I can only ping 24.24.4.25, which is the default gateway (router) for the firewall. I do not have access to it.

I tried swapping the interface ethernet1/2 IP address from 24.24.4.26 to 24.24.4.30. When I tried pinging the .30 while I placed it on eth1/2, there was a reply. After this I changed everything back to normal, and I still could not access or ping the MIP address. Can you please help look at these lines?

Why

[ Dest] 9.route 172.24.10.51->24.24.4.9, to ethernet1/1  *this 24.24.4.9 is the eth1/1 interface on the firewall, why is it pointing to it?

 routed (x_dst_ip 172.24.10.51) from ethernet1/2 (ethernet1/2 in 0) to ethernet1/1    * why is it going to eth1/2

 policy search from zone 1-> zone 1       *why policy search from zone1 to zone1 instead of zone10

 policy_flow_search  policy search nat_crt from zone 1-> zone 10

Thanks in advance.

Super Contributor
ELKIM
Posts: 227
Registered: 12-01-2008

Re: MIP Issue

hi

Could you paste the MIP configuration in this thread or a get tech? BTW, does your router point the 24.24.4.25/29 network to your firewall?

thanks


EL

Contributor
TravisJohnson
Posts: 116
Registered: 12-14-2009

Re: MIP Issue

If you can post a config, I'll toss it on my lab box.

________________________________________________


If my post helped you, please feel free to give me kudos.
Distinguished Expert
echidov
Posts: 858
Registered: 11-02-2009

Re: MIP Issue

Hi !

Which VR is your Trust zone attached to? Is this VR referenced in the MIP definition:

set interface "ethernet1/2" mip 24.24.4.30 host 172.24.10.51 netmask 255.255.255.255 vr "???????"

I see that the ISG cannot find a route to the destination system and uses the default gateway for forwarding the request. That's why you see "policy search from zone 1-> zone 1".

If policy-based dst-NAT is used for Untrust-to-Trust connections, routes should be configured on the untrust-vr that point to the VR where the Trust zone is attached. These routes can be omitted if MIPs are used, but the MIP definition must contain the correct "destination" VR. This is a type of "implicit" routing, specific to MIPs.

Kind regards,

Edouard

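An added example, not from the thread or from Juniper: a small Python checker that pulls the decisive fields out of a 'get db str' first-packet trace and flags the pattern Edouard describes, where the MIP-translated private host is looked up in the ingress VR and routed back out an interface of the ingress zone. The interface-to-zone map and the sample trace lines come from the posts above; the regexes, field names and hint text are this example's own assumptions.

```python
import re
from ipaddress import ip_address

# Interface-to-zone map as posted in the thread (sample input for this example).
IFACE_ZONES = {"ethernet1/1": "Untrust", "ethernet1/2": "Untrust", "ethernet2/2": "Trust"}

# Constructed sample: the decisive lines of the 'get db str' trace posted above.
SAMPLE_TRACE = """\
****** 13355.0: <Untrust/ethernet1/2> packet received [92]******
  search route to (ethernet1/2, 76.248.5.90->172.24.10.51) in vr untrust-vr for vsd-0/flag-0/ifp-null
  [ Dest] 9.route 172.24.10.51->24.24.4.9, to ethernet1/1
  routed (x_dst_ip 172.24.10.51) from ethernet1/2 (ethernet1/2 in 0) to ethernet1/1
  policy search from zone 1-> zone 1
"""

# Regexes are this example's own; they match the line shapes seen in the thread.
PATTERNS = {
    "in_if": re.compile(r"<\w+/([\w/]+)> packet received"),
    "route": re.compile(r"search route to \([\w/]+, [\d.]+->([\d.]+)\) in vr ([\w-]+)"),
    "routed": re.compile(r"routed \(x_dst_ip [\d.]+\) from [\w/]+ \(.*\) to ([\w/]+)"),
    "zones": re.compile(r"policy search from zone (\d+)-> zone (\d+)"),
}


def analyze_trace(trace, iface_zones):
    """Pull the routing decision out of a ScreenOS first-packet trace and flag
    the MIP symptom from the thread: the translated private destination was
    looked up in the ingress VR and sent back out an interface of the ingress
    zone, which is why the policy search became intra-zone (zone 1 -> zone 1)."""
    found = {name: pat.search(trace) for name, pat in PATTERNS.items()}
    missing = [name for name, m in found.items() if m is None]
    if missing:
        raise ValueError(f"trace lacks expected lines: {missing}")
    in_if = found["in_if"].group(1)
    xlated_dst, vr = found["route"].groups()
    out_if = found["routed"].group(1)
    from_zone, to_zone = (int(z) for z in found["zones"].groups())
    result = {
        "in_if": in_if, "out_if": out_if, "vr": vr, "xlated_dst": xlated_dst,
        "in_zone": iface_zones.get(in_if), "out_zone": iface_zones.get(out_if),
        "policy_zones": (from_zone, to_zone),
    }
    result["mip_misrouted"] = (ip_address(xlated_dst).is_private
                               and result["in_zone"] == result["out_zone"]
                               and from_zone == to_zone)
    if result["mip_misrouted"]:
        result["hint"] = (f"{vr} has no route to {xlated_dst}: check the MIP's vr or "
                          f"add a route from {vr} to the VR holding the Trust zone")
    return result
```

Run analyze_trace(SAMPLE_TRACE, IFACE_ZONES) to see the thread's trace flagged; a trace whose routed line ends on a Trust-zone interface with a zone 1-> zone 10 policy search is reported clean.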
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.