Screen OS

  • 1.  MIP Problem

    Posted 07-29-2009 01:42

    Hi Everyone

     

    I need to map my public IP to one of my devices so that telnet access to the device can be given only to the vendor at a remote location.

     

    Steps that I did:

    1. At Eth0/2, MIP is set as Mapped IP = 219.64.95.39 and Host IP = 172.16.202.4

    2. Virtual Route

        IP = 0.0.0.0    Gateway = 210.211.246.1    Interface = Eth0/2    S    Metric = 1

    3. Policy created from Untrust to Trust via MIP

        Source = Any    Destination = MIP(219.64.95.39)    Service = Any

     

    After doing these settings, when I tried telnet to 219.64.95.39 it was not responding; also when I pinged the IP 219.64.95.39 it gives "Request timed out".

     

    What I need to achieve is allowing telnet via my static IP 219.64.95.39 to 172.16.202.4, which is mapped to the static IP.

     

    Please Help

     

    Thanks 

    Raj

     



  • 2.  RE: MIP Problem

    Posted 07-29-2009 10:19

    Do MIP and interface addresses belong to the same subnet?

     

    Try to run these debug commands:

    set db size 4096

    set ff src-ip X dst-ip 219.64.95.39

    set ff src-ip 172.16.202.4 dst-ip X

    cl db

    debug flow basic

    <Try to telnet once>

    undebug all

    get db str      <-- Post this output

     

    where X is the public IP address at the remote location



  • 3.  RE: MIP Problem

    Posted 07-29-2009 20:23

    Hi Cesar

     

    I was not able to get the IP X for the debug because they have not provided their public IP.

     

    The requirement is that they can telnet into our server 172.16.202.4 via our public IP 219.64.95.39.

     

    Please Help

     

    Thanks

    Raj

     

     



  • 4.  RE: MIP Problem

    Posted 07-29-2009 20:35

    Hi Cesar

     

    More specifically the requirement is

     

    Any IP----------------219.64.95.39--------------------172.16.202.4

     

    Thus "Any" from the Untrust zone can access the public IP 219.64.95.39 to reach 172.16.202.4 for telnet.

     

    So "X" must be any.

     

    But the CLI is not accepting src-ip any; it gives an error.

     

    Thanks

    Raj



  • 5.  RE: MIP Problem

    Posted 07-30-2009 09:33

    The packet is dropped because you don't have a policy between trust and untrust.

     

    The problem is that you are initiating the traffic from Trust zone, eth0/0, instead of Untrust zone.

     

     

    ****** 3678405.0: <Trust/ethernet0/0> packet received [52]******
      ipid = 12074(2f2a), @05352574
      packet passed sanity check.
      ethernet0/0:192.168.5.107/1409->219.64.95.39/23,6<Root>
      no session found
    ...

     

      policy search from zone 2-> zone 1
    ....
      packet dropped, denied by policy



  • 6.  RE: MIP Problem

    Posted 07-30-2009 21:37

    Hi Cesar

     

     

    I tried running the debug again while accessing it from another PC which is not connected to the firewall via eth0/0 but is connected to the Internet (Untrust), and tried telnet to 219.64.95.39 to get telnet access to 172.16.202.4, which is mapped to it.

     

    I was not able to telnet; it says connecting... and the telnet window closes.

     

    And no log is created for the session on the firewall; get db str shows no logs.

     

    Thanks

     

    Raj



  • 7.  RE: MIP Problem

    Posted 08-02-2009 23:23

    Hi Cesar / Yorel

     

    I tried to do the same requirement using a different public IP from a different ISP.

     

    What I did was:

    1. I used 122.169.115.236 (public IP) instead of 219.64.95.39, mapped it to 172.16.202.4 and took the logs.

    2. Similarly I mapped 122.169.115.236 to 172.16.202.148 and took the logs again.

    3. After performing step 1, I removed the MIP policy Untrust to Trust, then changed the host IP to the IP in step 2 with mapped IP 122.169.115.236.

    4. The client machine was connected to a different ISP not terminated on the firewall, so that it behaves as a client in the Untrust zone.

     

    What I observed was that 172.16.202.148 was trying to connect via telnet but 172.16.202.4 had the same problem.

     

    Secondly, earlier when I tried step 4 with 219.64.95.39 I didn't get any log on the firewall, but with 122.169.115.236 at least I am getting some logs from the firewall.

     

    59.90.211.9 is the ISP IP which I am using to connect to the MIP, and this ISP is not terminated on the firewall.

     

     

    Log output while doing telnet to 172.16.202.4 via MIP:

     

    Remote Management Console
    SSG320M-> set db size 4096
    SSG320M-> set ff src-ip 0.0.0.0 dst-ip 122.169.115.236
    filter added
    SSG320M-> set ff src-ip 172.16.202.4 dst-ip 0.0.0.0
    filter added
    SSG320M-> cl db
    SSG320M-> debug flow basic
    SSG320M-> undebug all
    SSG320M-> get db str
    ****** 4030319.0: <Untrust/ethernet0/3> packet received [52]******
      ipid = 25037(61cd), @05737d74
      packet passed sanity check.
      ethernet0/3:59.90.211.9/1699->122.169.115.236/23,6<Root>
      no session found
      flow_first_sanity_check: in <ethernet0/3>, out <N/A>
      chose interface ethernet0/3 as incoming nat if.
      flow_first_routing: in <ethernet0/3>, out <N/A>
      search route to (ethernet0/3, 59.90.211.9->172.16.202.4) in vr trust-vr for vs
    d-0/flag-0/ifp-null
      [ Dest] 10.route 172.16.202.4->192.168.1.1, to ethernet0/0
      routed (x_dst_ip 172.16.202.4) from ethernet0/3 (ethernet0/3 in 0) to ethernet
    0/0
      policy search from zone 1-> zone 2
     policy_flow_search  policy search nat_crt from zone 1-> zone 10
      RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 122.
    169.115.236, port 23, proto 6)
      No SW RPC rule match, search HW rule
    swrs_search_ip: policy matched id/idx/action = 38/17/0x9
      Permitted by policy 38
      No src xlate   choose interface ethernet0/0 as outgoing phy if
      no loop on ifp ethernet0/0.
      session application type 10, name TELNET, nas_id 0, timeout 1800sec
    ALG vector is not attached
      service lookup identified service 0.
      flow_first_final_check: in <ethernet0/3>, out <ethernet0/0>
      existing vector list 113-39863d4.
      Session (id:63833) created for first pak 113
      flow_first_install_session======>
      route to 192.168.1.1
      arp entry found for 192.168.1.1
      ifp2 ethernet0/0, out_ifp ethernet0/0, flag 00800800, tunnel ffffffff, rc 1
      outgoing wing prepared, ready
      handle cleartext reverse route
      search route to (ethernet0/0, 172.16.202.4->59.90.211.9) in vr trust-vr for vs
    d-0/flag-3000/ifp-ethernet0/3
      [ Dest] 11.route 59.90.211.9->122.169.115.1, to ethernet0/3
      route to 122.169.115.1
      arp entry found for 122.169.115.1
      ifp2 ethernet0/3, out_ifp ethernet0/3, flag 00800801, tunnel ffffffff, rc 1
      flow got session.
      flow session id 63833
      tcp seq check.
      get wsf 0 0
      post addr xlation: 59.90.211.9->172.16.202.4.
     flow_send_vector_, vid = 0, is_layer2_if=0
      packet send out to 000f23606940 through ethernet0/0
    ****** 4030321.0: <Untrust/ethernet0/3> packet received [52]******
      ipid = 25038(61ce), @05a57d74
      packet passed sanity check.
      ethernet0/3:59.90.211.9/1699->122.169.115.236/23,6<Root>
      existing session found. sess token 4
      flow got session.
      flow session id 63833
      tcp seq check.
      get wsf 0 0
      post addr xlation: 59.90.211.9->172.16.202.4.
     flow_send_vector_, vid = 0, is_layer2_if=0
      packet send out to 000f23606940 through ethernet0/0
    ****** 4030327.0: <Untrust/ethernet0/3> packet received [52]******
      ipid = 25039(61cf), @05a68d74
      packet passed sanity check.
      ethernet0/3:59.90.211.9/1699->122.169.115.236/23,6<Root>
      existing session found. sess token 4
      flow got session.
      flow session id 63833
      tcp seq check.
      get wsf 0 0
      post addr xlation: 59.90.211.9->172.16.202.4.
     flow_send_vector_, vid = 0, is_layer2_if=0
      packet send out to 000f23606940 through ethernet0/0
    ****** 4030328.0: <Untrust/ethernet0/3> packet received [52]******
      ipid = 47265(b8a1), @2d425914
      packet passed sanity check.
      ethernet0/3:122.169.32.227/63724->122.169.115.236/135,6<Root>
      no session found
      flow_first_sanity_check: in <ethernet0/3>, out <N/A>
      chose interface ethernet0/3 as incoming nat if.
      flow_first_routing: in <ethernet0/3>, out <N/A>
      search route to (ethernet0/3, 122.169.32.227->172.16.202.4) in vr trust-vr for
     vsd-0/flag-0/ifp-null
      [ Dest] 10.route 172.16.202.4->192.168.1.1, to ethernet0/0
      routed (x_dst_ip 172.16.202.4) from ethernet0/3 (ethernet0/3 in 0) to ethernet
    0/0
      policy search from zone 1-> zone 2
     policy_flow_search  policy search nat_crt from zone 1-> zone 10
      RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 122.
    169.115.236, port 135, proto 6)
      No SW RPC rule match, search HW rule
    swrs_search_ip: policy matched id/idx/action = 38/17/0x9
      Permitted by policy 38
      No src xlate   choose interface ethernet0/0 as outgoing phy if
      no loop on ifp ethernet0/0.
      session application type 68, name MSRPC_EPM, nas_id 0, timeout 1800sec
    ALG vector is attached
      service lookup identified service 68.
      flow_first_final_check: in <ethernet0/3>, out <ethernet0/0>
      existing vector list 193-39862b4.
      Session (id:64007) created for first pak 193
      flow_first_install_session======>
      route to 192.168.1.1
      arp entry found for 192.168.1.1
      ifp2 ethernet0/0, out_ifp ethernet0/0, flag 00800800, tunnel ffffffff, rc 1
      outgoing wing prepared, ready
      handle cleartext reverse route
      search route to (ethernet0/0, 172.16.202.4->122.169.32.227) in vr trust-vr for
     vsd-0/flag-3000/ifp-ethernet0/3
      [ Dest] 11.route 122.169.32.227->122.169.115.1, to ethernet0/3
      route to 122.169.115.1
      arp entry found for 122.169.115.1
      ifp2 ethernet0/3, out_ifp ethernet0/3, flag 00800801, tunnel ffffffff, rc 1
      flow got session.
      flow session id 64007
      tcp seq check.
      get wsf 2 0
      post addr xlation: 122.169.32.227->172.16.202.4.
     flow_send_vector_, vid = 0, is_layer2_if=0
      packet send out to 000f23606940 through ethernet0/0
    ****** 4030328.0: <Untrust/ethernet0/3> packet received [52]******
      ipid = 47303(b8c7), @052b1d74
      packet passed sanity check.
      ethernet0/3:122.169.32.227/63762->122.169.115.236/445,6<Root>
      no session found
      flow_first_sanity_check: in <ethernet0/3>, out <N/A>
      chose interface ethernet0/3 as incoming nat if.
      flow_first_routing: in <ethernet0/3>, out <N/A>
      search route to (ethernet0/3, 122.169.32.227->172.16.202.4) in vr trust-vr for
     vsd-0/flag-0/ifp-null
      [ Dest] 10.route 172.16.202.4->192.168.1.1, to ethernet0/0
      routed (x_dst_ip 172.16.202.4) from ethernet0/3 (ethernet0/3 in 0) to ethernet
    0/0
      policy search from zone 1-> zone 2
     policy_flow_search  policy search nat_crt from zone 1-> zone 10
      RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 122.
    169.115.236, port 445, proto 6)
      No SW RPC rule match, search HW rule
    swrs_search_ip: policy matched id/idx/action = 38/17/0x9
      Permitted by policy 38
      No src xlate   choose interface ethernet0/0 as outgoing phy if
      no loop on ifp ethernet0/0.
      session application type 21, name SMB, nas_id 0, timeout 1800sec
    ALG vector is not attached
      service lookup identified service 0.
      flow_first_final_check: in <ethernet0/3>, out <ethernet0/0>
      existing vector list 113-39863d4.
      Session (id:63826) created for first pak 113
      flow_first_install_session======>
      route to 192.168.1.1
      arp entry found for 192.168.1.1
      ifp2 ethernet0/0, out_ifp ethernet0/0, flag 00800800, tunnel ffffffff, rc 1
      outgoing wing prepared, ready
      handle cleartext reverse route
      search route to (ethernet0/0, 172.16.202.4->122.169.32.227) in vr trust-vr for
     vsd-0/flag-3000/ifp-ethernet0/3
      [ Dest] 11.route 122.169.32.227->122.169.115.1, to ethernet0/3
      route to 122.169.115.1
      arp entry found for 122.169.115.1
      ifp2 ethernet0/3, out_ifp ethernet0/3, flag 00800801, tunnel ffffffff, rc 1
      flow got session.
      flow session id 63826
      tcp seq check.
      get wsf 2 0
      post addr xlation: 122.169.32.227->172.16.202.4.
     flow_send_vector_, vid = 0, is_layer2_if=0
      packet send out to 000f23606940 through ethernet0/0

     

     

    Logs while trying to telnet to 172.16.202.148 via MIP:

     



    Remote Management Console

    SSG320M-> set db size 4096
    SSG320M-> set ff src-ip 0.0.0.0 dst-ip 122.169.115.236
    filter added
    SSG320M-> set ff src-ip 172.16.202.148 dst-ip 0.0.0.0
    filter added
    SSG320M-> cl db
    SSG320M-> debug flow basic
    SSG320M-> undebug all
    SSG320M-> get db str
    ****** 4029795.0: <Untrust/ethernet0/3> packet received [52]******
      ipid = 22105(5659), @05746d74
      packet passed sanity check.
      ethernet0/3:59.90.211.9/1666->122.169.115.236/23,6<Root>
      no session found
      flow_first_sanity_check: in <ethernet0/3>, out <N/A>
      chose interface ethernet0/3 as incoming nat if.
      flow_first_routing: in <ethernet0/3>, out <N/A>
      search route to (ethernet0/3, 59.90.211.9->172.16.202.148) in vr trust-vr for
    vsd-0/flag-0/ifp-null
      [ Dest] 10.route 172.16.202.148->192.168.1.1, to ethernet0/0
      routed (x_dst_ip 172.16.202.148) from ethernet0/3 (ethernet0/3 in 0) to ethern
    et0/0
      policy search from zone 1-> zone 2
     policy_flow_search  policy search nat_crt from zone 1-> zone 10
      RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 122.
    169.115.236, port 23, proto 6)
      No SW RPC rule match, search HW rule
    swrs_search_ip: policy matched id/idx/action = 39/17/0x9
      Permitted by policy 39
      No src xlate   choose interface ethernet0/0 as outgoing phy if
      no loop on ifp ethernet0/0.
      session application type 10, name TELNET, nas_id 0, timeout 1800sec
    ALG vector is not attached
      service lookup identified service 0.
      flow_first_final_check: in <ethernet0/3>, out <ethernet0/0>
      existing vector list 113-39863d4.
      Session (id:63954) created for first pak 113
      flow_first_install_session======>
      route to 192.168.1.1
      arp entry found for 192.168.1.1
      ifp2 ethernet0/0, out_ifp ethernet0/0, flag 00800800, tunnel ffffffff, rc 1
      outgoing wing prepared, ready
      handle cleartext reverse route
      search route to (ethernet0/0, 172.16.202.148->59.90.211.9) in vr trust-vr for
    vsd-0/flag-3000/ifp-ethernet0/3
      [ Dest] 11.route 59.90.211.9->122.169.115.1, to ethernet0/3
      route to 122.169.115.1
      arp entry found for 122.169.115.1
      ifp2 ethernet0/3, out_ifp ethernet0/3, flag 00800801, tunnel ffffffff, rc 1
      flow got session.
      flow session id 63954
      tcp seq check.
      get wsf 0 0
      post addr xlation: 59.90.211.9->172.16.202.148.
     flow_send_vector_, vid = 0, is_layer2_if=0
      packet send out to 000f23606940 through ethernet0/0
    ****** 4029795.0: <Trust/ethernet0/0> packet received [40]******
      ipid = 23413(5b75), @0593bd74
      packet passed sanity check.
      ethernet0/0:172.16.202.148/23->59.90.211.9/1666,6, 5014(rst)<Root>
      existing session found. sess token 3
      flow got session.
      flow session id 63954
      tcp seq check.
      flow_tcp_fin_vector()
      post addr xlation: 122.169.115.236->59.90.211.9.
     flow_send_vector_, vid = 0, is_layer2_if=0
      packet send out to 00901a4215e5 through ethernet0/3
    ****** 4029796.0: <Untrust/ethernet0/3> packet received [52]******
      ipid = 22106(565a), @059cfd74
      packet passed sanity check.
      ethernet0/3:59.90.211.9/1666->122.169.115.236/23,6<Root>
      existing session found. sess token 4
      flow got session.
      flow session id 63954
      tcp seq check.
      get wsf 0 0
      post addr xlation: 59.90.211.9->172.16.202.148.
     flow_send_vector_, vid = 0, is_layer2_if=0
      packet send out to 000f23606940 through ethernet0/0
    ****** 4029796.0: <Trust/ethernet0/0> packet received [40]******
      ipid = 23414(5b76), @05941d74
      packet passed sanity check.
      ethernet0/0:172.16.202.148/23->59.90.211.9/1666,6, 5014(rst)<Root>
      existing session found. sess token 3
      flow got session.
      flow session id 63954
      tcp seq check.
      flow_tcp_fin_vector()
      post addr xlation: 122.169.115.236->59.90.211.9.
     flow_send_vector_, vid = 0, is_layer2_if=0
      packet send out to 00901a4215e5 through ethernet0/3
    ****** 4029796.0: <Untrust/ethernet0/3> packet received [52]******
      ipid = 22107(565b), @05937574
      packet passed sanity check.
      ethernet0/3:59.90.211.9/1666->122.169.115.236/23,6<Root>
      existing session found. sess token 4
      flow got session.
      flow session id 63954
      tcp seq check.
      get wsf 0 0
      post addr xlation: 59.90.211.9->172.16.202.148.
     flow_send_vector_, vid = 0, is_layer2_if=0
      packet send out to 000f23606940 through ethernet0/0
    ****** 4029796.0: <Trust/ethernet0/0> packet received [40]******
      ipid = 23416(5b78), @05944574
      packet passed sanity check.
      ethernet0/0:172.16.202.148/23->59.90.211.9/1666,6, 5014(rst)<Root>
      existing session found. sess token 3
      flow got session.
      flow session id 63954
      tcp seq check.
      flow_tcp_fin_vector()
      post addr xlation: 122.169.115.236->59.90.211.9.
     flow_send_vector_, vid = 0, is_layer2_if=0
      packet send out to 00901a4215e5 through ethernet0/3

     



  • 8.  RE: MIP Problem

    Posted 08-04-2009 00:43

    Hi All

     

    A new thing that I noticed today:

     

    With the following setup:

     

    Case      Public IP       Host IP         Interface IP       Interface
    Case 1:   219.64.95.39    192.168.1.10    210.211.246.123    Eth0/2
    Case 2:   219.64.95.39    172.16.202.4    210.211.246.123    Eth0/2

     

    Now if I try to ping 219.64.95.39 from a PC (Untrust zone), the ping is successful in Case 1, but with the same scenario in Case 2 the ping is not successful and I get request timed out.

     

    Any ideas?

     

    Thanks 

    Raj

     

     



  • 9.  RE: MIP Problem
    Best Answer

    Posted 10-24-2009 03:08

    Hi All

     

    This problem has been resolved by enabling the H.323 ALG function on the firewall.

     

    Thanks

    Raj



  • 10.  RE: MIP Problem

    Posted 07-29-2009 21:16

    Hi Cesar

     

    What I did was to set the filter from source "any" to 219.64.95.39.

     

    I did any = 0.0.0.0 for X.

     

    Debug output:

     

    SSG320M-> clear db
    SSG320M-> set db size 4096
    SSG320M-> set ff src-ip 0.0.0.0 dst-ip 219.64.95.39
    filter added
    SSG320M-> set ff src-ip 172.16.202.4 dst-ip 0.0.0.0
    filter added
    SSG320M-> cl db
    SSG320M-> debug flow basic
    SSG320M-> undebug all
    SSG320M-> get db str
    ****** 3678405.0: <Trust/ethernet0/0> packet received [52]******
      ipid = 12074(2f2a), @05352574
      packet passed sanity check.
      ethernet0/0:192.168.5.107/1409->219.64.95.39/23,6<Root>
      no session found
      flow_first_sanity_check: in <ethernet0/0>, out <N/A>
      [ Dest] 1.route 192.168.5.107->0.0.0.0, to ethernet0/0
      chose interface ethernet0/0 as incoming nat if.
      flow_first_routing: in <ethernet0/0>, out <N/A>
      search route to (ethernet0/0, 192.168.5.107->219.64.95.39) in vr trust-vr for
    vsd-0/flag-0/ifp-null
      2 ecmp routes are found
      [ Dest] 19.route 219.64.95.39->210.211.246.1, to ethernet0/2
      routed (x_dst_ip 219.64.95.39) from ethernet0/0 (ethernet0/0 in 0) to ethernet
    0/2
      policy search from zone 2-> zone 1
     policy_flow_search  policy search nat_crt from zone 2-> zone 1
      RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 219.
    64.95.39, port 23, proto 6)
      No SW RPC rule match, search HW rule
    swrs_search_ip: policy matched id/idx/action = 320000/-1/0x0
      Searching global policy.
    swrs_search_ip: policy matched id/idx/action = 320000/-1/0x0
    policy id (320000)
      packet dropped, denied by policy
    ****** 3678408.0: <Trust/ethernet0/0> packet received [52]******
      ipid = 12076(2f2c), @052ced74
      packet passed sanity check.
      ethernet0/0:192.168.5.107/1409->219.64.95.39/23,6<Root>
      no session found
      flow_first_sanity_check: in <ethernet0/0>, out <N/A>
      [ Dest] 1.route 192.168.5.107->0.0.0.0, to ethernet0/0
      chose interface ethernet0/0 as incoming nat if.
      flow_first_routing: in <ethernet0/0>, out <N/A>
      search route to (ethernet0/0, 192.168.5.107->219.64.95.39) in vr trust-vr for
    vsd-0/flag-0/ifp-null
      2 ecmp routes are found
      [ Dest] 11.route 219.64.95.39->122.169.115.1, to ethernet0/3
      routed (x_dst_ip 219.64.95.39) from ethernet0/0 (ethernet0/0 in 0) to ethernet
    0/3
      policy search from zone 2-> zone 1
     policy_flow_search  policy search nat_crt from zone 2-> zone 1
      RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 219.
    64.95.39, port 23, proto 6)
      No SW RPC rule match, search HW rule
    swrs_search_ip: policy matched id/idx/action = 320000/-1/0x0
      Searching global policy.
    swrs_search_ip: policy matched id/idx/action = 320000/-1/0x0
    policy id (320000)
      packet dropped, denied by policy
    ****** 3678414.0: <Trust/ethernet0/0> packet received [52]******
      ipid = 12165(2f85), @0545bd74
      packet passed sanity check.
      ethernet0/0:192.168.5.107/1409->219.64.95.39/23,6<Root>
      no session found
      flow_first_sanity_check: in <ethernet0/0>, out <N/A>
      [ Dest] 1.route 192.168.5.107->0.0.0.0, to ethernet0/0
      chose interface ethernet0/0 as incoming nat if.
      flow_first_routing: in <ethernet0/0>, out <N/A>
      search route to (ethernet0/0, 192.168.5.107->219.64.95.39) in vr trust-vr for
    vsd-0/flag-0/ifp-null
      2 ecmp routes are found
      [ Dest] 19.route 219.64.95.39->210.211.246.1, to ethernet0/2
      routed (x_dst_ip 219.64.95.39) from ethernet0/0 (ethernet0/0 in 0) to ethernet
    0/2
      policy search from zone 2-> zone 1
     policy_flow_search  policy search nat_crt from zone 2-> zone 1
      RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 219.
    64.95.39, port 23, proto 6)
      No SW RPC rule match, search HW rule
    swrs_search_ip: policy matched id/idx/action = 320000/-1/0x0
      Searching global policy.
    swrs_search_ip: policy matched id/idx/action = 320000/-1/0x0
    policy id (320000)
      packet dropped, denied by policy
    SSG320M->
    SSG320M->
    SSG320M->

     

    Please help me as I need to give them access soon.

     

    Thanks

    Raj

     

     



  • 11.  RE: MIP Problem

    Posted 07-29-2009 10:42
    If the MIP IP is in a different range from the trust interface IP, you should configure a route in your gateway for that IP pointing to the Untrust interface. Also, you must define a static route in the SSG without a default gateway, only associating the MIP with the interface where the real server can be reached.


  • 12.  RE: MIP Problem

    Posted 07-29-2009 20:25

    Hi Yorel

     

    Please describe it in detail for me to understand.

     

    Thanks 

    Raj



  • 13.  RE: MIP Problem

    Posted 07-30-2009 01:12
    What's the IP and mask of the Untrust interface? Is it in a different subnet from the MIP IP?


  • 14.  RE: MIP Problem

    Posted 07-30-2009 04:37

    Hi

     

    I am attaching the screenshot of MIP (219.64.95.39)

     

     

    Hope this clears the query

     

    Thanks 

     

    Raj



  • 15.  RE: MIP Problem

    Posted 07-30-2009 05:24

    OK, the MIP IP is then in a different subnet from the Untrust interface. You have to introduce a route in your gateway so that it knows where to route a packet to that IP. That route must point to the IP address of the Untrust interface.

     

    One thing more: in your first post you wrote Virtual Route for your default route; this route you must configure in Network->Route->Destination.



  • 16.  RE: MIP Problem

    Posted 07-30-2009 05:49

    Hi

     

    I have specified the virtual route in the destination part itself.

     

    I have another public IP which we have mapped to our video conference facility.

     

    I have mapped 122.169.115.236 at eth0/3 to my VC device at 192.168.1.10 in the same fashion as I did for 219.64.95.39, and my colleagues from outside can connect easily via the 122.169.115.236 MIP.

     

    Did you get something from the log that I posted?

     

    Thanks 

    Raj



  • 17.  RE: MIP Problem

    Posted 07-30-2009 06:18

    In that case configure the following debug:

     

    #set ff dst-ip 219.64.95.39

    #debug flow basic

     

    From outside, launch requests to port 23 on the MIP. Afterwards issue the get db str command and paste the output; the prior debug shows information that is not relevant.



  • 18.  RE: MIP Problem

    Posted 07-30-2009 06:50
    Remote Management Console


    SSG320M->
    SSG320M->
    SSG320M->
    SSG320M-> cl db
    SSG320M-> unset ff
    filter 0 removed
    SSG320M->
    SSG320M->
    SSG320M-> cl db
    SSG320M-> set db size 4096
    SSG320M-> set ff dst-ip 219.64.95.39
    filter added
    SSG320M-> cl db
    SSG320M-> debug flow basic
    SSG320M-> undebug all
    SSG320M-> get db str
    ****** 3713011.0: <Untrust/ethernet0/2> packet received [48]******
      ipid = 33835(842b), @2d42e114
      packet passed sanity check.
      ethernet0/2:219.64.93.187/42666->219.64.95.39/445,6<Root>
      no session found
      flow_first_sanity_check: in <ethernet0/2>, out <N/A>
      chose interface ethernet0/2 as incoming nat if.
      flow_first_routing: in <ethernet0/2>, out <N/A>
      search route to (ethernet0/2, 219.64.93.187->172.16.202.4) in vr trust-vr for
    vsd-0/flag-0/ifp-null
      [ Dest] 10.route 172.16.202.4->192.168.1.1, to ethernet0/0
      routed (x_dst_ip 172.16.202.4) from ethernet0/2 (ethernet0/2 in 0) to ethernet
    0/0
      policy search from zone 1-> zone 2
     policy_flow_search  policy search nat_crt from zone 1-> zone 10
      RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 219.
    64.95.39, port 445, proto 6)
      No SW RPC rule match, search HW rule
    swrs_search_ip: policy matched id/idx/action = 320000/-1/0x0
      Searching global policy.
    swrs_search_ip: policy matched id/idx/action = 320000/-1/0x0
    policy id (320000)
      packet dropped, denied by policy
    ****** 3713014.0: <Untrust/ethernet0/2> packet received [48]******
      ipid = 33893(8465), @05304d74
      packet passed sanity check.
      ethernet0/2:219.64.93.187/42666->219.64.95.39/445,6<Root>
      no session found
      flow_first_sanity_check: in <ethernet0/2>, out <N/A>
      chose interface ethernet0/2 as incoming nat if.
      flow_first_routing: in <ethernet0/2>, out <N/A>
      search route to (ethernet0/2, 219.64.93.187->172.16.202.4) in vr trust-vr for
    vsd-0/flag-0/ifp-null
      [ Dest] 10.route 172.16.202.4->192.168.1.1, to ethernet0/0
      routed (x_dst_ip 172.16.202.4) from ethernet0/2 (ethernet0/2 in 0) to ethernet
    0/0
      policy search from zone 1-> zone 2
     policy_flow_search  policy search nat_crt from zone 1-> zone 10
      RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 219.
    64.95.39, port 445, proto 6)
      No SW RPC rule match, search HW rule
    swrs_search_ip: policy matched id/idx/action = 320000/-1/0x0
      Searching global policy.
    swrs_search_ip: policy matched id/idx/action = 320000/-1/0x0
    policy id (320000)
      packet dropped, denied by policy



  • 19.  RE: MIP Problem

    Posted 07-30-2009 07:46

    That traffic is being dropped by a policy because the packet is going to port 445 instead of port 23:

     

    219.64.93.187/42666->219.64.95.39/445

     

    As that port is not allowed in the SSG, a policy is dropping the packets, in this case policy 320000:

     

    policy id (320000)
      packet dropped, denied by policy

     

    For a real test against the telnet port, clear the debug (undebug all), clear the buffer (clear db) and launch get db str again.
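The `debug flow basic` traces quoted in replies 2, 5, 7, 10, 18 and 19 are read the same way each time: which zone and interface the first packet entered on, the 5-tuple, the policy that permitted or denied it, and the address after MIP translation. The Python below is an added example, not code from this thread or from Juniper. It parses a `get db str` dump in that format into records and reports the conditions the replies diagnose by eye: a test launched from the Trust side (reply 5), a drop by policy 320000 after the global-policy search (replies 18 and 19), a permit of a port other than tcp/23 through the MIP (the tcp/135 and tcp/445 packets in reply 7), and a RST coming back from the inside host (the 172.16.202.148 trace in reply 7). The sample dump is constructed, abridged from those excerpts; the `Pkt`, `parse_flow` and `findings` names are my own.

```python
"""Parse ScreenOS `debug flow basic` output and flag what the replies look for. Added example, not Juniper code."""
import re
from dataclasses import dataclass

HDR = re.compile(r'^\*{6} (\d+)\.\d+: <(\w+)/(\S+)> packet received \[(\d+)\]')
TUP = re.compile(r'^(\S+?):(\d+(?:\.\d+){3})/(\d+)->(\d+(?:\.\d+){3})/(\d+),(\d+)'
                 r'(?:, \d+\((\w+)\))?<')
PERMIT = re.compile(r'^Permitted by policy (\d+)')
POLID = re.compile(r'^policy id \((\d+)\)')
XLATE = re.compile(r'^post addr xlation: (\S+)->(\S+)\.$')

@dataclass
class Pkt:
    """One '****** ... packet received' block of the trace (my own record type)."""
    ts: str
    zone: str
    ifname: str
    src: str = ''
    sport: int = 0
    dst: str = ''
    dport: int = 0
    flags: str = ''           # e.g. 'rst' from ', 5014(rst)'
    verdict: str = 'unknown'  # permit / drop / session
    policy: str = ''
    xlated_dst: str = ''      # destination after MIP translation

def parse_flow(text):
    """Split a get db str dump into Pkt records."""
    pkts = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := HDR.match(line):
            pkts.append(Pkt(ts=m.group(1), zone=m.group(2), ifname=m.group(3)))
            continue
        if not pkts:
            continue
        p = pkts[-1]
        if m := TUP.match(line):
            p.src, p.sport, p.dst, p.dport = m.group(2), int(m.group(3)), m.group(4), int(m.group(5))
            p.flags = m.group(7) or ''
        elif m := PERMIT.match(line):
            p.verdict, p.policy = 'permit', m.group(1)
        elif m := POLID.match(line):
            p.policy = m.group(1)            # precedes 'packet dropped' on a deny
        elif line.startswith('packet dropped'):
            p.verdict = 'drop'
        elif line.startswith('existing session found'):
            p.verdict = 'session'
        elif m := XLATE.match(line):
            p.xlated_dst = m.group(2)
    return pkts

def findings(pkts, mip, host, port=23, untrust='Untrust'):
    """Conditions the replies diagnose by eye, for one MIP -> host mapping."""
    out = []
    for p in pkts:
        if p.dst == mip:
            if p.zone != untrust:
                out.append(f'{p.ts}: packet for MIP {mip} entered from {p.zone}/{p.ifname}, '
                           f'not {untrust}; the test must come from outside')
            elif p.verdict == 'drop':
                out.append(f'{p.ts}: {p.src}:{p.sport}->{mip}:{p.dport} denied by policy {p.policy}')
            elif p.verdict == 'permit' and p.dport != port:
                out.append(f'{p.ts}: policy {p.policy} let {p.src} reach {host}:{p.dport}; '
                           f'policy is broader than tcp/{port}')
        elif p.src == host and 'rst' in p.flags:
            out.append(f'{p.ts}: {host} answered {p.dst}:{p.dport} with RST; '
                       f'the firewall forwarded the SYN and the host refused it')
    return out

# Constructed sample, abridged from the traces quoted in replies 5, 7 and 18.
SAMPLE = """\
****** 3678405.0: <Trust/ethernet0/0> packet received [52]******
  ethernet0/0:192.168.5.107/1409->219.64.95.39/23,6<Root>
policy id (320000)
  packet dropped, denied by policy
****** 3713011.0: <Untrust/ethernet0/2> packet received [48]******
  ethernet0/2:219.64.93.187/42666->219.64.95.39/445,6<Root>
policy id (320000)
  packet dropped, denied by policy
****** 4030319.0: <Untrust/ethernet0/3> packet received [52]******
  ethernet0/3:59.90.211.9/1699->122.169.115.236/23,6<Root>
  Permitted by policy 38
  post addr xlation: 59.90.211.9->172.16.202.4.
****** 4030328.0: <Untrust/ethernet0/3> packet received [52]******
  ethernet0/3:122.169.32.227/63762->122.169.115.236/445,6<Root>
  Permitted by policy 38
  post addr xlation: 122.169.32.227->172.16.202.4.
****** 4029795.0: <Trust/ethernet0/0> packet received [40]******
  ethernet0/0:172.16.202.148/23->59.90.211.9/1666,6, 5014(rst)<Root>
  existing session found. sess token 3
  post addr xlation: 122.169.115.236->59.90.211.9.
"""

if __name__ == '__main__':
    for mip, host in (('219.64.95.39', '172.16.202.4'), ('122.169.115.236', '172.16.202.148')):
        print(f'-- {mip} -> {host}')
        for line in findings(parse_flow(SAMPLE), mip, host):
            print('  ' + line)
```

Run against the reply 7 trace with the MIP 122.169.115.236 and host 172.16.202.4, it reports policy 38 forwarding tcp/135 and tcp/445 from unrelated Internet hosts to the server, which is exactly what a Service = Any policy to a MIP does; before handing the vendor access, narrow that policy to their source address and the TELNET service (telnet is cleartext, so SSH is the better service to expose if the device supports it). The RST check separates firewall problems from host problems: a RST from 172.16.202.148 means the SSG delivered the SYN and the host itself refused it, whereas for 172.16.202.4 the same trace shows the SYN retransmissions leaving ethernet0/0 towards 192.168.1.1 with nothing coming back, so the next place to look is the path beyond that router and the host's return route, not the MIP.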