ScreenOS Firewalls (NOT SRX)
Contributor
Posts: 14
Registered: ‎03-20-2011
0 Kudos

MIP or proxy ARP configuration, SSG5

Gentlebeings

 

We (my colleague and I) have an SSG5, behind which are a number of hosts with private IP addresses.  We need to be able to access these machines remotely, so address translation is obviously required, and I had expected it to be simple to set up.  That was last week.  We have both tried to get this going, first using MIP, which just did not work.  Now we have a proxy ARP set up, which works for one address only.  This is because that address was accessed from within the data centre where the equipment is housed, and the router has cached the ARP entry.  We don't own that router, so this is an assumption.

 

My colleague has upgraded the firmware to 6.3, and still it does not work.  We have read numerous KB articles, which have only served to convince us that other people have problems with this as well.  Can anyone tell me that they have this working?  My boss is beginning to lose patience, and there is talk of replacing the firewall completely.  Since I recommended the Juniper firewall in the first place, I would rather get this working.

 

<TL;DR> How do I get basic one to one address translation working on a Juniper SSG5?

 

Configuration, with roughly obfuscated IP addresses, follows.

 

 

 

Contributor
Posts: 76
Registered: ‎06-22-2009
0 Kudos

Re: MIP or proxy ARP configuration, SSG5

hi,

mip is pretty straightforward. if your juniper is kinda new to your network, you need to introduce it to your router.

what I did with this scenario is use the mip ip addresses available from my untrust interface, then ping the directly connected router from the untrust port.

with this, the router will register the mac addresses of the interfaces along with it.

if you have 5 public ips, then assign those 5 ip addresses to the untrust port one at a time, then ping your router facing your untrust...

once done, you should be working if policy is in place.

regards,

dj

Visitor
Posts: 5
Registered: ‎03-13-2011
0 Kudos

Re: MIP or proxy ARP configuration, SSG5

OK, some basics first.

From your config your policy is Untrust to Untrust with the public IPs in the Untrust address book.

The processing order is:

- Route

- Zone

- Policy

- NAT

What you will find is that it will fail to route. 'debug flow basic' will confirm.

Try this instead:

Dst-NAT

Set routes to your public IPs to the trust interface

Set address book entries for the public IPs in the Trust zone

Then write policies from Untrust to Trust with the destination as the public IP (from the Trust zone), then use the Dst-NAT option to specify your internal IP.

OR MIP

Set the MIPs on your external interface

Write policy from Untrust to Trust with the destination as the MIP

See how you go.
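The MIP variant of the second recipe above, written out as ScreenOS 6.x CLI. This is an added example, not configuration from the thread or from Juniper's documentation. It reuses the obfuscated addresses that appear later in the thread (public 203.147.45.21-24, internal 10.77.40.11) and assumes, because the thread does not say, that ethernet0/0 is 203.147.45.20/29 in Untrust with gateway 203.147.45.17, that ethernet0/3 is 10.77.40.1/24 in the DMZ zone, and that the other three hosts are 10.77.40.12-14. Policy ids, policy names and the services opened are also assumptions. A MIP answers ARP for its public address itself, so it must not overlap a proxy-arp-entry or another MIP covering the same address; that overlap is what the "in use" error quoted later in the thread refers to.

```screenos
## Added example: one MIP per host on an SSG5 (ScreenOS 6.x CLI).
## Assumed addressing (not from the thread): see lead-in.
set interface ethernet0/0 zone untrust
set interface ethernet0/0 ip 203.147.45.20/29
set interface ethernet0/0 route
set interface ethernet0/3 zone dmz
set interface ethernet0/3 ip 10.77.40.1/24
set route 0.0.0.0/0 interface ethernet0/0 gateway 203.147.45.17

## A MIP does its own ARP for the mapped address. Remove any proxy-arp-entry
## that covers the same addresses first, or the MIP is rejected as "in use".
unset interface ethernet0/0 proxy-arp-entry 203.147.45.21 203.147.45.24

## Public /32 -> private host. MIPs are bidirectional: 10.77.40.11 also
## leaves the firewall sourced as 203.147.45.24. The interface's own
## address (203.147.45.20) cannot be a MIP; only the other subnet addresses.
set interface ethernet0/0 mip 203.147.45.24 host 10.77.40.11 netmask 255.255.255.255 vr trust-vr
set interface ethernet0/0 mip 203.147.45.23 host 10.77.40.12 netmask 255.255.255.255 vr trust-vr
set interface ethernet0/0 mip 203.147.45.22 host 10.77.40.13 netmask 255.255.255.255 vr trust-vr
set interface ethernet0/0 mip 203.147.45.21 host 10.77.40.14 netmask 255.255.255.255 vr trust-vr

## Policies go Untrust -> DMZ with the auto-created MIP(...) object as the
## destination. Open only the services the hosts actually need, not ANY.
set policy id 10 from "Untrust" to "DMZ" "Any" "MIP(203.147.45.24)" "HTTPS" permit log
set policy id 11 from "Untrust" to "DMZ" "Any" "MIP(203.147.45.24)" "SSH" permit log
set policy id 12 from "Untrust" to "DMZ" "Any" "MIP(203.147.45.23)" "HTTPS" permit log
set policy id 13 from "Untrust" to "DMZ" "Any" "MIP(203.147.45.22)" "HTTPS" permit log
set policy id 14 from "Untrust" to "DMZ" "Any" "MIP(203.147.45.21)" "HTTPS" permit log
## Outbound from the hosts; the MIP supplies the reverse translation.
set policy id 15 from "DMZ" to "Untrust" "Any" "Any" "ANY" permit log

## Checks: the MIP table, the route for a mapped address (must be the
## connected route on ethernet0/0), and a flow trace of one inbound attempt.
get mip
get route ip 203.147.45.24
get arp
set ffilter dst-ip 203.147.45.24
debug flow basic
clear db
## ... connect to 203.147.45.24 from outside, then read the trace:
get db stream
undebug all
```

If the upstream router still holds a stale ARP entry for one of the public addresses (a previous device used it), nothing on the firewall can fix that; `get arp` and the flow trace will show the SYN never arriving on ethernet0/0, and the router's ARP cache has to age out or be cleared by whoever owns it.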

Visitor
Posts: 5
Registered: ‎03-13-2011
0 Kudos

Re: MIP or proxy ARP configuration, SSG5

Forgot to add that as your addresses are in the same subnet as your untrust interface you will need to proxy-arp no matter what.

Contributor
Posts: 14
Registered: ‎03-20-2011
0 Kudos

Re: MIP or proxy ARP configuration, SSG5

Thanks, we'll try this approach

 

regards

 

Melodie

Contributor
Posts: 14
Registered: ‎03-20-2011
0 Kudos

Re: MIP or proxy ARP configuration, SSG5

Still not working, but I think I know why.  I've found something in KB11910 that says "The Server Public IP address block/range cannot include the firewall's Untrust interface IP address.  Choose a block/range that does not include the firewall's Untrust interface IP address."

I've never met a firewall with this requirement before, and it seems extremely strange.  It means that I'm going to have to get another address range, and ask my hosting provider to add a static route to the new range via the untrust interface of my firewall.  They will probably do this, but they will charge me.

An additional complication is that if I try to add two MIPs, I get an error on the second one that says "One IP in range [whatever - whatever] is in use.  Mip can't be added."  Similarly, if I try to configure a MIP and then add a proxy ARP entry, I get an error that says that the proxy ARP entry can't be added because an address in the range is in use.

I'm just about at the point where I'm going to declare this firewall not fit for purpose, and recommend that it and its partner device (an SSG20 on another site) be ripped out and replaced with something else.  I shall certainly think twice before recommending these devices to customers in the future.  I require a simple VPN between two firewalls and four NATs: this should not require days of troubleshooting to achieve.

Distinguished Expert
Posts: 4,031
Registered: ‎03-30-2009
0 Kudos

Re: MIP or proxy ARP configuration, SSG5

melodien wrote:

> Still not working, but I think I know why.  I've found something in KB11910 that says "The Server Public IP address block/range cannot include the firewall's Untrust interface IP address.  Choose a block/range that does not include the firewall's Untrust interface IP address."

What KB11910 is discussing is mapping a block of addresses 1-to-1 to a block of server internal addresses.

This is saying that the address you use for the public interface itself cannot be mapped 1-to-1 to an address because some ports are in use by the interface.  You can only do port mapping from this interface IP address; you cannot MIP or NAT-dst the firewall public IP.

You certainly can use other addresses in that subnet for server NAT-dst.  Have you seen this section of the Concepts & Examples guide or KB12631?

 

http://www.juniper.net/techpubs/software/screenos/screenos6.2.0/index.html

Volume 8 Address Translation
Destination Network Address Translation
NAT-Dst-One-to-One Mapping
Page 35

http://kb.juniper.net/InfoCenter/index?page=content&id=KB12631

Steve Puluka BSEET
Juniper Ambassador
Senior IP Engineer - DQE Communications Pittsburgh, PA
JNCIA-ER JNCIA-EX JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCIS-FWV JNCIS-SSL JNCDA
JNCIS-SP
ACE PanOS 6
MCP - Managing Server 2003 MCP - Windows XP Professional
MCTS Windows 7
http://puluka.com/home
Contributor
Posts: 14
Registered: ‎03-20-2011
0 Kudos

Re: MIP or proxy ARP configuration, SSG5

Yes, I've looked at these, and they haven't helped.  I have firmware 6.3, which has a slightly different syntax, but I still cannot see what is wrong.  Scenario: Public interface is ethernet0/0 and one Linux machine (10.77.40.11) connected to ethernet0/3 on the SSG. I need to translate the private IP address to a public address in the same subnet as the public interface. The machine and the firewall are in a remote location, I can't physically touch them.  I have command line and WebUI access to the firewall.  I can ping the linux box (actually, that is the LOM card) from the firewall.  I've tried proxy ARP and NAT DST, but no joy.  I'm beginning to wonder if a firmware downgrade might be the answer.

Distinguished Expert
Posts: 979
Registered: ‎09-10-2009
0 Kudos

Re: MIP or proxy ARP configuration, SSG5

I didn't dig too deeply into this, but one thing that jumped out at me was that you have an incoming dst-nat policy from untrust->untrust.

 

Your policy should be from untrust->trust for the dst-nat (or, better yet, put your servers in a DMZ zone and do your dst-nat from untrust->DMZ).

 

Try that, if it doesn't fix your issue I will take a closer look at your config.

 

-kr


Contributor
Posts: 14
Registered: ‎03-20-2011
0 Kudos

Re: MIP or proxy ARP configuration, SSG5

I thought that looked strange myself, but that is what KB12631 said was required: "Note that it is configured with an intra-zone policy (untrust to untrust); a policy from untrust to trust is not needed."

 

I'll try it your way next week, when I have access again.

Distinguished Expert
Posts: 4,031
Registered: ‎03-30-2009
0 Kudos

Re: MIP or proxy ARP configuration, SSG5

I see all the elements you need here but there is one extra one you need to remove.

 

set route 201.144.45.24/32 interface ethernet0/3

This is the route you would need if the public address was in a DIFFERENT subnet than your interface address.  Your IP address is in the SAME range.  As a result you have a built-in route for that subnet to the untrust eth0/0 interface already.  When you put the above route onto the trust interface you override this built-in route and break the nat-dst.

You have the proxy arp, address entry and policy all correct as outlined in KB12631.  I believe when you remove this static route it will work.

I was curious as to why your default route is not in the same subnet as your eth0/0 interface.

 

 

New User
Posts: 2
Registered: ‎11-16-2009
0 Kudos

Re: MIP or proxy ARP configuration, SSG5

OK, I tried moving the server to the DMZ zone, and adjusting the policy, and it still does not work.  To be honest, I feel like I am going down a rat hole on this one, because every time I go back to the documentation it seems to emphasize that the external interface of the firewall needs to be on a separate subnet to the public IP addresses of the servers.  Also, I actually need to configure 4 address translations, not one.  I have two servers, each with two network cards, and I need to configure NAT for all of them.  I keep feeling that MIP is the way to go.  Right now I'm beginning to have fond memories of the old SunScreen product, and I never thought I would say that.  It gave me headaches at the time, but it was simple compared to this.

New User
Posts: 2
Registered: ‎11-16-2009
0 Kudos

Re: MIP or proxy ARP configuration, SSG5

Still no joy.  I'm going to rip out the config and start again tomorrow.  I might give the bidirectional NAT instructions in KB11911 a shot, and see if they work.

Distinguished Expert
Posts: 4,031
Registered: ‎03-30-2009
0 Kudos

Re: MIP or proxy ARP configuration, SSG5

 

Sorry this is turning into such an ordeal for you.  You have the internal address in the DMZ zone, which is fine.  But you have created the public address there too and the policy as untrust to DMZ.  When the public address is in the same subnet as the interface the policy is untrust to untrust.

I promise that I have used the procedure outlined in KB12631 for addresses in the same subnet as a public interface and it does work.  The references you see to not being in the same subnet are that you need a different method for the actual interface IP address.  If you need to use this address in port forwarding you can only use the VIP procedures, not this policy nat-dst or MIP.

http://kb.juniper.net/InfoCenter/index?page=content&id=KB12631

For the same subnet the route is a connected automatic route that you do not need to create, but you do need to use proxy-arp, which you have in this configuration.

 

version 6.3 as you have it
set interface ethernet0/0 proxy-arp-entry 203.147.45.21 203.147.45.24

version 6.2 and earlier
set arp nat-dst

 

The public address object is created in the untrust zone.   These all move to untrust.

 

set address "DMZ" "linux_admin" 203.147.45.24 255.255.255.255
set address "DMZ" "linux_prod" 203.147.45.23 255.255.255.255
set address "DMZ" "windows_admin" 203.147.45.22 255.255.255.255
set address "DMZ" "windows_prod" 203.147.45.21 255.255.255.255

The policy is then untrust to untrust and the internal ip address is entered raw from any connected zone.

 

set policy id 7 name "Translation" from "Untrust" to "DMZ"  "Any" "linux_admin" "ANY" nat dst ip 10.77.40.11 permit log 
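The same-subnet NAT-dst procedure described in the reply above (connected route, proxy-arp-entry, public address objects in Untrust, intra-zone Untrust to Untrust policies) assembled into one ScreenOS 6.3 configuration, with the checks that show whether the route lookup, which happens before NAT, still resolves the public address to ethernet0/0. This is an added example, not configuration from the thread or from KB12631. It reuses the thread's obfuscated addresses (203.147.45.21-24 public, 10.77.40.11 internal) and assumes, because the thread does not give them, that ethernet0/0 is 203.147.45.20/29 with gateway 203.147.45.17, that ethernet0/3 is 10.77.40.1/24 in the DMZ zone, that the other three hosts are 10.77.40.12-14, and that the stray /32 route is spelled with this same obfuscation. Policy ids and the services opened are likewise assumptions. This approach is an alternative to MIP, not an addition to it; the proxy-arp-entry below and a MIP on the same addresses cannot coexist.

```screenos
## Added example: policy NAT-dst for public addresses in the SAME subnet
## as the Untrust interface (ScreenOS 6.3 syntax). Addressing assumed, see lead-in.
set interface ethernet0/0 zone untrust
set interface ethernet0/0 ip 203.147.45.20/29
set interface ethernet0/0 route
set interface ethernet0/3 zone dmz
set interface ethernet0/3 ip 10.77.40.1/24
set route 0.0.0.0/0 interface ethernet0/0 gateway 203.147.45.17

## 1. No static route for the public /32s. The connected route on ethernet0/0
##    already covers them; a /32 pointing at ethernet0/3 overrides it, makes the
##    egress zone DMZ instead of Untrust, and the intra-zone policy never matches.
unset route 203.147.45.24/32 interface ethernet0/3

## 2. Answer ARP for the four public addresses on the Untrust interface
##    (6.3 syntax; 6.2 and earlier used "set arp nat-dst" instead).
set interface ethernet0/0 proxy-arp-entry 203.147.45.21 203.147.45.24

## 3. Public address objects live in Untrust, the zone the route lookup
##    resolves them to. Nothing about them goes in the DMZ address book.
set address "Untrust" "linux_admin"   203.147.45.24 255.255.255.255
set address "Untrust" "linux_prod"    203.147.45.23 255.255.255.255
set address "Untrust" "windows_admin" 203.147.45.22 255.255.255.255
set address "Untrust" "windows_prod"  203.147.45.21 255.255.255.255

## 4. Intra-zone policies. The private host address is given raw in "nat dst ip";
##    it may sit in any zone that has an interface. Services are narrowed to
##    what each host exposes rather than ANY.
set policy id 7  from "Untrust" to "Untrust" "Any" "linux_admin"   "HTTPS" nat dst ip 10.77.40.11 permit log
set policy id 8  from "Untrust" to "Untrust" "Any" "linux_prod"    "HTTP"  nat dst ip 10.77.40.12 permit log
set policy id 9  from "Untrust" to "Untrust" "Any" "windows_admin" "HTTPS" nat dst ip 10.77.40.13 permit log
set policy id 10 from "Untrust" to "Untrust" "Any" "windows_prod"  "HTTP"  nat dst ip 10.77.40.14 permit log

## 5. Outbound for the hosts (source NAT to the egress interface address).
set policy id 11 from "DMZ" to "Untrust" "Any" "Any" "ANY" nat src permit log

## 6. Checks. The first command must name ethernet0/0; if it names ethernet0/3
##    the stray static route is still present and step 1 was not applied.
get route ip 203.147.45.24
get policy id 7
set ffilter dst-ip 203.147.45.24
debug flow basic
clear db
## ... connect to 203.147.45.24 from the Internet, then:
get db stream
undebug all
get session dst-ip 10.77.40.11
```

In the flow trace, a working setup shows the packet arriving on ethernet0/0, the route lookup returning the connected route on ethernet0/0, the Untrust to Untrust policy matching, and the destination being rewritten to 10.77.40.11; a "no route" or a route to ethernet0/3 at that point is the symptom the reply above describes.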
Contributor
Posts: 14
Registered: ‎03-20-2011
0 Kudos

Re: MIP or proxy ARP configuration, SSG5


OK, so I tried that, and it didn't work.  Then I tried setting up MIPs, see GSNS_MIPconfig.txt, and that didn't work.  I've tried changing the external interfaces to one of the addresses that I want to use for translation (after removing all the MIPs and policies etc), and pinging the next hop router, but that doesn't seem to be helping.  If I have the ethernet0/0 manage address on 202.143.44.20 and the ethernet0/0 address itself on 202.143.44.24 (see Basic_confg.txt), I can connect to the firewall on the manage IP address, and not on the main address.  I can ping 202.143.44.20, but not 202.143.44.24 from the internet.

 

I think I have pretty much exhausted all possibilities.  This has consumed hours of time to no good effect, and I see no prospect of it ever working.  I suspect that the firewall is not answering ARP requests for anything but the .20 address, and I seem to have no practical way to fix that.  I do not have access to the data centre, and in any case I am reluctant to implement a solution that involves mucking about trying to manually teach a router that I don't control new ARP entries.  The first time the router gets rebooted, the whole thing will fall apart, and I may not be on hand to fix it.

Visitor
Posts: 4
Registered: ‎03-30-2011
0 Kudos

Re: MIP or proxy ARP configuration, SSG5


Hi Melodie,

 

I hit your post because I'm having a horrible time with policy based dst-nat and proxy arp. I need this type of setup because I have many IPs and need to leverage ALG for SIP, but after reading your initial post I think you're sniffing down the wrong path with proxy ARP or MIP for that matter.

 

Everyone howls when they see someone suggest VIP, but it just magically works. Here are the steps in the GUI to setup simple "port forwarding" like you'd expect it to work. I use the GUI mostly, which can be buggy, but it's always worked fine for me.

 

From scratch config:

 

- Ensure the trust interface is setup in NAT, not ROUTE configuration. This is the default, but some people change it immediately. This keeps your trust interface set up as Interface NAT, not policy NAT.

 

- Assign a public IP to the untrust interface using the proper subnet mask

 

- Setup a default route (0.0.0.0/0) through the physical untrust interface to the proper upstream gateway IP

 

- Create a VIP (Interfaces/List/Edit/VIP) that is "Same as the interface IP address" - Do this first before adding any other public IPs from your subnet.

 

- Once the VIPs have been created, create VIP services using the New VIP Service button. This is where you setup the service ports and target IP address. The target can be in the trust or dmz zone.

 

- Once you create your VIPs and VIP services, add simple policies from Untrust to Trust from ANY to VIP (the VIP addresses will be listed in the drop-down, prefixed with VIP) with traffic/service of ANY. No need to go to the advanced section; the policy is not there to determine traffic type, just to allow traffic to move across zones for the VIPs. The VIP services you've created will determine what traffic for what ports is allowed to move through the router.

- If you have VIP service targets in the DMZ zone, you may have to set up a simple policy that allows ANY traffic from Trust to DMZ. You will also have to set up a policy to allow traffic from DMZ to Untrust, but this one will have to be source-NATted, so click the Advanced button and check the Source Translation box with None-Use Egress Port as the DIP setting.

 

Hope that made sense. This has always worked for me for simple remote access setups. There are limitations to the number of VIPs you can setup and the number of VIP services you can setup, but I've rarely had a problem hitting those limits.
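The GUI steps above as the equivalent ScreenOS CLI, added here as an example; it is not configuration from the post or from Juniper. It assumes, because the post gives no addresses, that ethernet0/0 is 203.147.45.20/29 in Untrust with gateway 203.147.45.17, that ethernet0/1 is 192.168.1.1/24 in Trust and left in NAT mode, that a server sits at 192.168.1.10 in Trust and a LOM card at 10.77.40.11 on ethernet0/3 in the DMZ zone. The policy ids and the ports forwarded are also assumptions. VIP is per port rather than per address, so several hosts share the one public IP, and a port already used by the firewall's own management on that IP cannot be forwarded; the example avoids that by forwarding 8443 to the LOM's 443.

```screenos
## Added example: VIP port forwarding on the Untrust interface address
## (ScreenOS 6.x CLI). Addressing assumed, see lead-in.
set interface ethernet0/1 zone trust
set interface ethernet0/1 ip 192.168.1.1/24
set interface ethernet0/1 nat                  ## Trust stays in NAT mode, not route
set interface ethernet0/3 zone dmz
set interface ethernet0/3 ip 10.77.40.1/24
set interface ethernet0/0 zone untrust
set interface ethernet0/0 ip 203.147.45.20/29
set interface ethernet0/0 route
set route 0.0.0.0/0 interface ethernet0/0 gateway 203.147.45.17

## VIP on the interface's own IP. Create this one before any VIP on another
## public address, as the post says. Format: vip <ip|interface-ip> <vport> <service> <host>.
## The virtual port may differ from the service's real port (8443 -> 443 below).
set interface ethernet0/0 vip interface-ip 22   "SSH"   192.168.1.10
set interface ethernet0/0 vip interface-ip 443  "HTTPS" 192.168.1.10
set interface ethernet0/0 vip interface-ip 8443 "HTTPS" 10.77.40.11

## Policies only open the zone crossing; the VIP service table already decides
## which port reaches which host. The object for an interface-IP VIP is VIP(ethernet0/0).
set policy id 20 from "Untrust" to "Trust" "Any" "VIP(ethernet0/0)" "ANY" permit log
set policy id 21 from "Untrust" to "DMZ"   "Any" "VIP(ethernet0/0)" "ANY" permit log

## DMZ target must be able to reply and reach out, source-NATed to the egress IP
## ("nat src" with no DIP = use the egress interface address).
set policy id 22 from "DMZ" to "Untrust" "Any" "Any" "ANY" nat src permit log
## Only if Trust hosts must reach the LOM directly:
set policy id 23 from "Trust" to "DMZ" "Any" "Any" "ANY" permit

## Checks
get vip
get policy id 20
get session dst-ip 192.168.1.10
```

Because the VIP object stands in for the interface address, the per-policy service of ANY in policies 20 and 21 is not as broad as it looks: only the three ports listed in the VIP table are ever translated and forwarded, everything else to 203.147.45.20 is handled by the firewall itself.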