Screen OS

  • 1.  MIP to private address problem on SSG5

    Posted 09-22-2017 19:05

    Hi all,

    I am having a problem with the connection from a private IP address to the Internet with an SSG5.

    My configuration on the SSG5 is that I have a private IP address (10.192.10.100) in the trust zone. Then I set one policy from the trust zone to the Internet with MIP serving remote desktop with a public IP address (113.160.xxx.xxx). Actually, I have 4 public IP addresses, and I set each of them for one service accordingly.

    My network connection as below:

    ISP converter <---> SSG5 <-----> Switch  <------>  PC

    My problem: if I set my PC's IP address to 10.192.10.100, my PC cannot access the Internet.

    I can ping to the Internet, but the reply is request timed out:

    C:\>ping yahoo.com

    Pinging yahoo.com [98.139.180.149] with 32 bytes of data:

    Request timed out.

    But any other IP address 10.192.10.x still connects as normal, except 10.192.10.100.

    I cannot find where the problem comes from.

    Please help me.



  • 2.  RE: MIP to private address problem on SSG5

    Posted 09-22-2017 20:11

    Hi,

     

    I understand that 10.192.10.100 is unable to connect to the Internet. The same PC connects fine if it uses any different private IP. We will need some information to figure this out:

     

    1: Is the working private IP using the same public IP?

    2: What is the MIP configuration when it's working and when it's not working? You can use x.x.x.x or y.y.y.y instead of your public IP.

    get config | in mip   <-- in working

    get mip all

    get config | in mip <-- in non-working

    get mip all

    3: You can also check the session when it's working and when it's failing:

      Initiate a continuous ping and check below:

       get session src-ip 10.192.10.100 dst-ip <public ip that you are pinging> protocol 1  <-- for non-working

       get session src-ip <working private ip> dst-ip <public ip that you are pinging> protocol 1 <-- for working

     

    You can also refer to https://kb.juniper.net/InfoCenter/index?page=content&id=KB10923&actp=METADATA to check MIP config etc.

     

    Thanks,

    Vikas

     

     



  • 3.  RE: MIP to private address problem on SSG5

    Posted 09-22-2017 21:48

    Hi Vikas,

     

    I have checked the Policy for this MIP again.

    It is a bit abnormal from trust to untrust, due to the policy with source from 10.192.0.0/16 to ANY.

    When I disable it, the Internet connection is fine.

     

    Thank you so much!



  • 4.  RE: MIP to private address problem on SSG5
    Best Answer

    Posted 09-22-2017 22:17

    Hi,

     

    Mainly, the policy should avoid any NAT overlap and should be specific to the traffic's source/destination/service. Also, the first matching rule is invoked first.

     

    Thanks,

    Vikas
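
The first-match ordering and rule-specificity point from the answer above can be checked mechanically. This is an added example, not part of the original thread and not ScreenOS code: a Python script that models an ordered policy list and reports later rules that an earlier, broader rule fully shadows. The `Policy` fields, the function names and the sample rules are assumptions constructed for illustration, not the poster's actual configuration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:            # hypothetical model of one firewall policy entry
    pid: int
    src: str             # source prefix, or "any"
    dst: str             # destination prefix, or "any"
    service: str         # service name, or "any"
    note: str = ""

def _net(prefix):
    return ipaddress.ip_network("0.0.0.0/0" if prefix.lower() == "any" else prefix)

def covers(a, b):
    """True if every packet that matches policy b also matches policy a."""
    return (_net(b.src).subnet_of(_net(a.src))
            and _net(b.dst).subnet_of(_net(a.dst))
            and a.service.lower() in ("any", b.service.lower()))

def first_match(policies, src, dst, service):
    """Return the first policy in list order that matches the packet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if (s in _net(p.src) and d in _net(p.dst)
                and p.service.lower() in ("any", service.lower())):
            return p
    return None

def shadowed(policies):
    """List (later_id, earlier_id) pairs where the later rule can never be hit."""
    found = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if covers(earlier, later):
                found.append((later.pid, earlier.pid))
                break
    return found

# Constructed sample: a broad /16 rule placed above a host-specific rule.
SAMPLE = [
    Policy(1, "10.192.0.0/16", "any", "any", "broad outbound rule"),
    Policy(2, "10.192.10.100/32", "any", "any", "host-specific rule"),
    Policy(3, "10.193.0.0/16", "any", "HTTP", "unrelated subnet"),
]

if __name__ == "__main__":
    print("shadowed:", shadowed(SAMPLE))
    hit = first_match(SAMPLE, "10.192.10.100", "98.139.180.149", "PING")
    print("10.192.10.100 is handled by policy", hit.pid, "-", hit.note)
```

Moving the host-specific rule above the broad one clears the shadowing report and makes it the first match for 10.192.10.100.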