ScreenOS Firewalls (NOT SRX)
MIP or proxy ARP configuration, SSG5

melodien (Contributor, registered 03-20-2011):

Gentlebeings

We (my colleague and I) have an SSG5, behind which are a number of hosts with private IP addresses.  We need to be able to access these machines remotely, so address translation is obviously required, and I had expected it to be simple to set up.  That was last week.  We have both tried to get this going, first using MIP, which just did not work.  Now we have a proxy ARP set up, which works for one address only.  This is because that address was accessed from within the data centre where the equipment is housed, and the router has cached the ARP entry.  We don't own that router, so this is an assumption.

My colleague has upgraded the firmware to 6.3, and still it does not work.  We have read numerous KB articles, which have only served to convince us that other people have problems with this as well.  Can anyone tell me that they have this working?  My boss is beginning to lose patience, and there is talk of replacing the firewall completely.  Since I recommended the Juniper firewall in the first place, I would rather get this working.

<TL;DR> How do I get basic one-to-one address translation working on a Juniper SSG5?

Configuration, with roughly obfuscated IP addresses, follows.

dwayne (Contributor, registered 06-22-2009):

Hi,

MIP is pretty straightforward. If your Juniper is kind of new to your network, you need to introduce it to your router.

What I did with this scenario is use the MIP IP addresses available from my untrust interface, then ping the directly connected router from the untrust port.

With this, the router will register the MAC addresses of the interfaces along with it.

If you have 5 public IPs, then assign those 5 IP addresses to the untrust port one at a time, then ping your router facing your untrust...

Once done, you should be working if policy is in place.

regards,

dj

hasty01 (Visitor, registered 03-13-2011):

OK, some basics first.

From your config, your policy is Untrust to Untrust with the public IPs in the Untrust address book.

The processing order is:

- Route
- Zone
- Policy
- NAT

What you will find is that it will fail to route. 'debug flow basic' will confirm.

Try this instead:

Dst-NAT

Set routes to your public IPs to the trust interface
Set address book entries for the public IPs in the Trust zone
Then write policies from Untrust to Trust with the destination as the public IP (from the Trust zone), then use the Dst-NAT option to specify your internal IP.

OR MIP

Set the MIPs on your external interface
Write policy from Untrust to Trust with the destination as the MIP

See how you go.

hasty01 (Visitor, registered 03-13-2011):

Forgot to add that, as your addresses are in the same subnet as your untrust interface, you will need to proxy-arp no matter what.
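As an added worked example (this is not from the thread and not the poster's unposted configuration), here is what the two approaches hasty01 describes look like as ScreenOS 6.x CLI, together with the flow debug he suggests for seeing which stage drops the packet. Every address is an assumption chosen for illustration: ethernet0/0 is the Untrust interface at 203.0.113.2/29 with the hosting provider's router at 203.0.113.1, 203.0.113.3 is a spare public address in that same subnet, the server is 10.77.40.11 behind ethernet0/3 in the Trust zone, and 198.51.100.10 is an external test client. The public address deliberately is not the Untrust interface's own IP; only port forwarding from the interface address itself is possible, and that is what the KB11910 caveat discussed later in the thread refers to.

```screenos
## Added example, not the original poster's config. Assumed values:
##   ethernet0/0 (Untrust) 203.0.113.2/29, upstream router 203.0.113.1
##   203.0.113.3           spare public address in the same /29
##   10.77.40.11           server behind ethernet0/3 (Trust zone)
##   198.51.100.10         external client used for the debug filter
## Use Option A OR Option B for a given public address, not both.

## --- Option A: MIP on the Untrust interface ------------------------------
## A MIP is a bidirectional 1-to-1 mapping. The policy's destination is the
## MIP object itself, and the policy is Untrust -> Trust, not Untrust -> Untrust.
set interface ethernet0/0 mip 203.0.113.3 host 10.77.40.11 netmask 255.255.255.255 vr trust-vr
set policy id 10 from "Untrust" to "Trust" "Any" "MIP(203.0.113.3)" "SSH" permit

## --- Option B: NAT-dst with a Trust-zone address object ------------------
## Route, then zone, then policy, then NAT: the public address must route
## to the trust-side interface so the packet lands in an Untrust -> Trust
## policy lookup and the dst-NAT in that policy is applied.
set address "Trust" "srv-pub" 203.0.113.3 255.255.255.255
set route 203.0.113.3/32 interface ethernet0/3
set policy id 11 from "Untrust" to "Trust" "Any" "srv-pub" "SSH" nat dst ip 10.77.40.11 permit
## 203.0.113.3 is in ethernet0/0's subnet, so the firewall must answer ARP
## for it or the upstream router never forwards the packet to us.
set interface ethernet0/0 proxy-arp-entry 203.0.113.3 203.0.113.3

## --- Check: trace one test connection through the flow engine ------------
clear dbuf
set ff src-ip 198.51.100.10 dst-ip 203.0.113.3 dst-port 22
debug flow basic
## ... open one SSH connection from 198.51.100.10 to 203.0.113.3, then:
undebug all
get dbuf stream
## Read the trace for three things: the route lookup result (which egress
## interface was chosen), the zone pair used for the policy search, and the
## policy id that permitted or denied the session. A lookup that resolves
## to ethernet0/0 or an Untrust -> Untrust policy search is the symptom
## hasty01 describes: the route, not the NAT, is what is wrong.
```

Configure only one of the two for a given public address: the device refuses a second MIP, or a proxy-arp-entry, whose range overlaps an address already in use. When the flow trace shows the expected route and policy but the reply never arrives, check that the upstream router has learned the firewall's MAC for the public address (dwayne's point); the proxy-arp-entry makes the firewall answer ARP, but a stale entry in the provider's router will still send traffic elsewhere until it ages out.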

melodien (Contributor, registered 03-20-2011):

Thanks, we'll try this approach

regards

Melodie

melodien (Contributor, registered 03-20-2011):

Still not working, but I think I know why.  I've found something in KB11910 that says "The Server Public IP address block/range cannot include the firewall's Untrust interface IP address.  Choose a block/range that does not include the firewall's Untrust interface IP address."

I've never met a firewall with this requirement before, and it seems extremely strange.  It means that I'm going to have to get another address range, and ask my hosting provider to add a static route to the new range via the untrust interface of my firewall.  They will probably do this, but they will charge me.

An additional complication is that if I try to add two MIPs, I get an error on the second one that says "One IP is range [whatever - whatever] is in use.  Mip can't be added."  Similarly, if I try to configure a MIP and then add a proxy ARP entry, I get an error that says that the proxy ARP entry can't be added because an address in the range is in use.

I'm just about at the point where I'm going to declare this firewall not fit for purpose, and recommend that it and its partner device (an SSG20 on another site) be ripped out and replaced with something else.  I shall certainly think twice before recommending these devices to customers in the future.  I require a simple VPN between two firewalls and four NATs: this should not require days of troubleshooting to achieve.

spuluka (Distinguished Expert, registered 03-30-2009):

melodien wrote:

    Still not working, but I think I know why.  I've found something in KB11910 that says "The Server Public IP address block/range cannot include the firewall's Untrust interface IP address.  Choose a block/range that does not include the firewall's Untrust interface IP address."

What KB11910 is discussing is mapping a block of addresses 1-to-1 to a block of server internal addresses.

This is saying that the address you use for the public interface itself cannot be mapped 1-to-1 to an address, because some ports are in use by the interface.  You can only do port mapping from this interface IP address; you cannot MIP or NAT-dst the firewall public IP.

You certainly can use other addresses in that subnet for server NAT-dst.  Have you seen this section of the Concepts & Examples guide, or KB12631?

http://www.juniper.net/techpubs/software/screenos/screenos6.2.0/index.html

Volume 8 Address Translation
Destination Network Address Translation
NAT-Dst One-to-One Mapping
Page 35

http://kb.juniper.net/InfoCenter/index?page=content&id=KB12631

Steve Puluka BSEET
Juniper Ambassador
Expert Network Security Engineer - UPMC Pittsburgh, PA
JNCIA-ER JNCIA-EX JNCIS-SEC JNCIP-SEC
JNCIS-FWV JNCIS-SSL
ACE PanOS 6
MCP - Managing Server 2003 MCP - Windows XP Professional
MCTS Windows 7
http://puluka.com/home
melodien (Contributor, registered 03-20-2011):

Yes, I've looked at these, and they haven't helped.  I have firmware 6.3, which has a slightly different syntax, but I still cannot see what is wrong.  Scenario: Public interface is ethernet0/0 and one Linux machine (10.77.40.11) connected to ethernet0/3 on the SSG. I need to translate the private IP address to a public address in the same subnet as the public interface. The machine and the firewall are in a remote location, I can't physically touch them.  I have command line and WebUI access to the firewall.  I can ping the linux box (actually, that is the LOM card) from the firewall.  I've tried proxy ARP and NAT DST, but no joy.  I'm beginning to wonder if a firmware downgrade might be the answer.

keithr (Distinguished Expert, registered 09-10-2009):

I didn't dig too deeply into this, but one thing that jumped out at me was that you have an incoming dst-nat policy from untrust->untrust.

 

Your policy should be from untrust->trust for the dst-nat (or, better yet, put your servers in a DMZ zone and do your dst-nat from untrust->DMZ).

 

Try that, if it doesn't fix your issue I will take a closer look at your config.

 

-kr

melodien (Contributor, registered 03-20-2011):

I thought that looked strange myself, but that is what KB12631 said was required: "Note that it is configured with an intra-zone policy (untrust to untrust); a policy from untrust to trust is not needed."

 

I'll try it your way next week, when I have access again.

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.