Screen OS


NAT-dst not working on SSG5

  • 1.  NAT-dst not working on SSG5

    Posted 01-17-2012 08:59
    I am trying to set up NAT for a client. Here is the scenario.
    A client has two networks (10.0.0.0/24 and 192.168.16.100) connected via VPN. Each site has its own internet connection. The domain name is pbb.com (example). The main DNS server is in the 10.0 network and another in the 192.168 network, with an entry for vdi.pbb.com (10.0.22.33). The internal VDI is for testing only. 
    At the same time, a VDI is hosted on the internet at 217.2.4.10, also called vdi.pbb.com.
    Each site has a firewall router. At the 192.168.16.0/24 site, the firewall device is an SSG5 with a public IP of 76.12.22.44 (example).
    My task is to redirect users in 192.168.16.0/24 going to vdi.pbb.com (10.0.22.33) to 217.2.4.10.
    This sounds easy enough, except I have created the policy and moved it to the top of the list, but it is still not working. I checked the log and noticed that it's not NATing it.
    The version of the software is 6.3.0r10.0
    I am able to NAT from the public to my server RDP with no problem.
    Please help
    Flow O.



  • 2.  RE: NAT-dst not working on SSG5

    Posted 01-18-2012 18:00

    I am having trouble visualizing your setup.

     

    I think you are saying that your public VDI address is completely off your network, meaning you are using destination NAT to convert the private address to the public address and sending the result to the general internet.

     

    If that is the case, you also need to add interface source nat to that policy so that the internal address is routable on the internet.  You can have both source and destination nat on the same policy.



  • 3.  RE: NAT-dst not working on SSG5

    Posted 01-19-2012 15:43

     

    Thanks spuluka for the reply.

    Basically, what I am trying to do is NAT a destination address of 10.0.20.33 (non-routable) to 217.2.4.10 (on the internet) from the 192.168.16.0/24 network.


    And you are right, the public vdi IP is not in the same subnet as my public IP.

     

    The problem is that 10.0.20.33 is in my DNS server on a network joined by a WAN connection.

     

    I created a policy with a source of 192.168.16.0/24 and a destination of 10.0.20.33, went into Advanced, checked the nat-dst box and entered 217.2.4.10.

     

    When I check the log, it shows the destination as 10.0.20.33 and the NATed address as 10.0.20.33. It is basically ignoring the policy.


    Any help would be appreciated.

     

    Thanks



  • 4.  RE: NAT-dst not working on SSG5

    Posted 01-19-2012 23:55

    Hi,

     

    10.0.20.33 should be routed to the Internet and be defined as an address object in the Untrust zone. If this does not work, just configure a MIP on the ingress interface.



  • 5.  RE: NAT-dst not working on SSG5

    Posted 01-23-2012 12:07

    Can you please clarify how to create an object in the Untrust zone?

    I have already created the policy to route 10.0.20.33 to the internet, but as for creating the object, where should I do that?

    I tried adding it as a MIP; that did not work. I created the object in the zones under Network; that still did not work.

     

    Any step-by-step instructions would be appreciated.

     

    thanks



  • 6.  RE: NAT-dst not working on SSG5

    Posted 01-24-2012 03:22

    Hi,

     

    The path to the object definitions looks this way (ScreenOS 6.3):

     

    Policy-->Policy Elements-->Addresses-->List

     

    Select the zone from the drop-down menu and click the button "New" to create a new object in the zone.



  • 7.  RE: NAT-dst not working on SSG5

    Posted 01-24-2012 09:54

    Thanks Edouard.

     

    I have an object already defined using the IP 10.0.20.33 in the Untrust zone.

    Then I created a policy using 192.168.16.100 (my test machine) as the source and the object created above as the destination.

    Then I clicked Advanced in the policy window, checked the box for destination translation and entered the public IP of the VDI, 119.56.46.xx.

    Saved it with logging enabled.

    When I try it on the system, it times out. Here is the log:

     

    Date/Time | Source Address/Port | Destination Address/Port | Translated Source Address/Port | Translated Destination Address/Port | Service | Duration | Bytes Sent | Bytes Received | Close Reason

    2012-01-24 10:01:42 | 192.168.16.110:56843 | 10.0.20.33:443 | 216.18.65.49:56843 | 10.0.20.33:443 | HTTPS | 20 sec. | 2060 | Close - AGE OUT

     

     

    I don't know what else to do. It should be working now, but no luck.

     

    Any help would be appreciated.

    Felix


  • 8.  RE: NAT-dst not working on SSG5

    Posted 01-25-2012 03:41

    Hi Felix,

     

    Please run a debug and attach its output to your next post. The commands are:

     

    undeb all

    cl db

    set ffilt src-ip 192.168.16.110 dst-ip 10.0.20.33

    deb flow bas

    ... try to connect

    undeb all

    unset ffilt



  • 9.  RE: NAT-dst not working on SSG5

    Posted 01-25-2012 23:38

    Sorry, I forgot the command "get db stream"



  • 10.  RE: NAT-dst not working on SSG5

    Posted 01-26-2012 17:15

    Hi

     

    Here is the output of the debug

     

    Thanks for your assistance.

     

    ==============================================

    van-pbhk-r-> get db st
    ****** 810422.0: <Trust/bgroup0> packet received [52]******
    ipid = 20411(4fbb), @03940450
    packet passed sanity check.
    flow_decap_vector IPv4 process
    bgroup0:192.168.16.110/63742->10.0.20.33/443,6<Root>
    no session found
    flow_first_sanity_check: in <bgroup0>, out <N/A>
    [ Dest] 7.route 192.168.16.110->0.0.0.0, to bgroup0
    chose interface bgroup0 as incoming nat if.
    flow_first_routing: in <bgroup0>, out <N/A>
    search route to (bgroup0, 192.168.16.110->10.0.20.33) in vr trust-vr for vsd-0/flag-0/ifp-null
    cached route 19 for 10.0.20.33
    [ Dest] 19.route 10.0.20.33->216.18.65.50, to ethernet0/0
    routed (x_dst_ip 10.0.20.33) from bgroup0 (bgroup0 in 0) to ethernet0/0
    policy search from zone 2-> zone 1
    policy_flow_search policy search nat_crt from zone 2-> zone 1
    RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 10.0.20.33, port 443, proto 6)
    No SW RPC rule match, search HW rule
    swrs_search_ip: wildcard pid/index 18/0, hw pid/index 1/7
    swrs_search_ip: policy matched id/idx/action = 18/0/0x9
    Permitted by policy 18
    found reversed mip/vip 216.18.65.49 for 192.168.16.110 (on ethernet0/0)
    hip xlate: 192.168.16.110->216.18.65.49 at ethernet0/0 (vs. ethernet0/0)
    choose interface ethernet0/0 as outgoing phy if
    no loop on ifp ethernet0/0.
    session application type 49, name None, nas_id 0, timeout 1800sec
    service lookup identified service 0.
    flow_first_final_check: in <bgroup0>, out <ethernet0/0>
    existing vector list 3-4293f2c.
    Session (id:6448) created for first pak 3
    flow_first_install_session======>
    route to 216.18.65.50
    cached arp entry with MAC 00d0c0a9b400 for 216.18.65.50
    arp entry found for 216.18.65.50
    ifp2 ethernet0/0, out_ifp ethernet0/0, flag 00800800, tunnel ffffffff, rc 1
    outgoing wing prepared, ready
    handle cleartext reverse route
    search route to (ethernet0/0, 10.0.20.33->192.168.16.110) in vr trust-vr for vsd-0/flag-3000/ifp-bgroup0
    cached route 7 for 192.168.16.110
    [ Dest] 7.route 192.168.16.110->192.168.16.110, to bgroup0
    route to 192.168.16.110
    cached arp entry with MAC 002264f869f8 for 192.168.16.110
    arp entry found for 192.168.16.110
    ifp2 bgroup0, out_ifp bgroup0, flag 00800801, tunnel ffffffff, rc 1
    flow got session.
    flow session id 6448
    flow_main_body_vector in ifp bgroup0 out ifp ethernet0/0
    flow vector index 0x3, vector addr 0x1ff2a38, orig vector 0x1ff2a38
    post addr xlation: 216.18.65.49->10.0.20.33.
    ****** 810422.0: <Trust/bgroup0> packet received [52]******
    ipid = 20421(4fc5), @03950450
    packet passed sanity check.
    flow_decap_vector IPv4 process
    bgroup0:192.168.16.110/63743->10.0.20.33/443,6<Root>
    no session found
    flow_first_sanity_check: in <bgroup0>, out <N/A>
    [ Dest] 7.route 192.168.16.110->0.0.0.0, to bgroup0
    chose interface bgroup0 as incoming nat if.
    flow_first_routing: in <bgroup0>, out <N/A>
    search route to (bgroup0, 192.168.16.110->10.0.20.33) in vr trust-vr for vsd-0/flag-0/ifp-null
    cached route 19 for 10.0.20.33
    [ Dest] 19.route 10.0.20.33->216.18.65.50, to ethernet0/0
    routed (x_dst_ip 10.0.20.33) from bgroup0 (bgroup0 in 0) to ethernet0/0
    policy search from zone 2-> zone 1
    policy_flow_search policy search nat_crt from zone 2-> zone 1
    RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 10.0.20.33, port 443, proto 6)
    No SW RPC rule match, search HW rule
    swrs_search_ip: wildcard pid/index 18/0, hw pid/index 1/7
    swrs_search_ip: policy matched id/idx/action = 18/0/0x9
    Permitted by policy 18
    found reversed mip/vip 216.18.65.49 for 192.168.16.110 (on ethernet0/0)
    hip xlate: 192.168.16.110->216.18.65.49 at ethernet0/0 (vs. ethernet0/0)
    choose interface ethernet0/0 as outgoing phy if
    no loop on ifp ethernet0/0.
    session application type 49, name None, nas_id 0, timeout 1800sec
    service lookup identified service 0.
    flow_first_final_check: in <bgroup0>, out <ethernet0/0>
    existing vector list 3-4293f2c.
    Session (id:7941) created for first pak 3
    flow_first_install_session======>
    route to 216.18.65.50
    cached arp entry with MAC 00d0c0a9b400 for 216.18.65.50
    arp entry found for 216.18.65.50
    ifp2 ethernet0/0, out_ifp ethernet0/0, flag 00800800, tunnel ffffffff, rc 1
    outgoing wing prepared, ready
    handle cleartext reverse route
    search route to (ethernet0/0, 10.0.20.33->192.168.16.110) in vr trust-vr for vsd-0/flag-3000/ifp-bgroup0
    cached route 7 for 192.168.16.110
    [ Dest] 7.route 192.168.16.110->192.168.16.110, to bgroup0
    route to 192.168.16.110
    cached arp entry with MAC 002264f869f8 for 192.168.16.110
    arp entry found for 192.168.16.110
    ifp2 bgroup0, out_ifp bgroup0, flag 00800801, tunnel ffffffff, rc 1
    flow got session.
    flow session id 7941
    flow_main_body_vector in ifp bgroup0 out ifp ethernet0/0
    flow vector index 0x3, vector addr 0x1ff2a38, orig vector 0x1ff2a38
    post addr xlation: 216.18.65.49->10.0.20.33.
    ****** 810425.0: <Trust/bgroup0> packet received [52]******
    ipid = 20466(4ff2), @038d2c50
    packet passed sanity check.
    flow_decap_vector IPv4 process
    bgroup0:192.168.16.110/63742->10.0.20.33/443,6<Root>
    existing session found. sess token 3
    flow got session.
    flow session id 6448
    flow_main_body_vector in ifp bgroup0 out ifp N/A
    flow vector index 0x3, vector addr 0x1ff2a38, orig vector 0x1ff2a38
    post addr xlation: 216.18.65.49->10.0.20.33.
    ****** 810425.0: <Trust/bgroup0> packet received [52]******
    ipid = 20470(4ff6), @038e7450
    packet passed sanity check.
    flow_decap_vector IPv4 process
    bgroup0:192.168.16.110/63743->10.0.20.33/443,6<Root>
    existing session found. sess token 3
    flow got session.
    flow session id 7941
    flow_main_body_vector in ifp bgroup0 out ifp N/A
    flow vector index 0x3, vector addr 0x1ff2a38, orig vector 0x1ff2a38
    post addr xlation: 216.18.65.49->10.0.20.33.
    ****** 810431.0: <Trust/bgroup0> packet received [48]******
    ipid = 20580(5064), @03883450
    packet passed sanity check.
    flow_decap_vector IPv4 process
    bgroup0:192.168.16.110/63742->10.0.20.33/443,6<Root>
    existing session found. sess token 3
    flow got session.
    flow session id 6448
    flow_main_body_vector in ifp bgroup0 out ifp N/A
    flow vector index 0x3, vector addr 0x1ff2a38, orig vector 0x1ff2a38
    post addr xlation: 216.18.65.49->10.0.20.33.
    ****** 810431.0: <Trust/bgroup0> packet received [48]******
    ipid = 20584(5068), @0389c450
    packet passed sanity check.
    flow_decap_vector IPv4 process
    bgroup0:192.168.16.110/63743->10.0.20.33/443,6<Root>
    existing session found. sess token 3
    flow got session.
    flow session id 7941
    flow_main_body_vector in ifp bgroup0 out ifp N/A
    flow vector index 0x3, vector addr 0x1ff2a38, orig vector 0x1ff2a38
    post addr xlation: 216.18.65.49->10.0.20.33.
    ****** 810443.0: <Trust/bgroup0> packet received [52]******
    ipid = 20786(5132), @03863450
    packet passed sanity check.
    flow_decap_vector IPv4 process
    bgroup0:192.168.16.110/63744->10.0.20.33/443,6<Root>
    no session found
    flow_first_sanity_check: in <bgroup0>, out <N/A>
    [ Dest] 7.route 192.168.16.110->0.0.0.0, to bgroup0
    chose interface bgroup0 as incoming nat if.
    flow_first_routing: in <bgroup0>, out <N/A>
    search route to (bgroup0, 192.168.16.110->10.0.20.33) in vr trust-vr for vsd-0/flag-0/ifp-null
    cached route 19 for 10.0.20.33
    [ Dest] 19.route 10.0.20.33->216.18.65.50, to ethernet0/0
    routed (x_dst_ip 10.0.20.33) from bgroup0 (bgroup0 in 0) to ethernet0/0
    policy search from zone 2-> zone 1
    policy_flow_search policy search nat_crt from zone 2-> zone 1
    RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 10.0.20.33, port 443, proto 6)
    No SW RPC rule match, search HW rule
    swrs_search_ip: wildcard pid/index 18/0, hw pid/index 1/7
    swrs_search_ip: policy matched id/idx/action = 18/0/0x9
    Permitted by policy 18
    found reversed mip/vip 216.18.65.49 for 192.168.16.110 (on ethernet0/0)
    hip xlate: 192.168.16.110->216.18.65.49 at ethernet0/0 (vs. ethernet0/0)
    choose interface ethernet0/0 as outgoing phy if
    no loop on ifp ethernet0/0.
    session application type 49, name None, nas_id 0, timeout 1800sec
    service lookup identified service 0.
    flow_first_final_check: in <bgroup0>, out <ethernet0/0>
    existing vector list 3-4293f2c.
    Session (id:6448) created for first pak 3
    flow_first_install_session======>
    route to 216.18.65.50
    cached arp entry with MAC 00d0c0a9b400 for 216.18.65.50
    arp entry found for 216.18.65.50
    ifp2 ethernet0/0, out_ifp ethernet0/0, flag 00800800, tunnel ffffffff, rc 1
    outgoing wing prepared, ready
    handle cleartext reverse route
    search route to (ethernet0/0, 10.0.20.33->192.168.16.110) in vr trust-vr for vsd-0/flag-3000/ifp-bgroup0
    cached route 0 for 192.168.16.110
    add route 7 for 192.168.16.110 to route cache table
    [ Dest] 7.route 192.168.16.110->192.168.16.110, to bgroup0
    route to 192.168.16.110
    cached arp entry with MAC 000000000000 for 192.168.16.110
    add arp entry with MAC 002264f869f8 for 192.168.16.110 to cache table
    arp entry found for 192.168.16.110
    ifp2 bgroup0, out_ifp bgroup0, flag 00800801, tunnel ffffffff, rc 1
    flow got session.
    flow session id 6448
    flow_main_body_vector in ifp bgroup0 out ifp ethernet0/0
    flow vector index 0x3, vector addr 0x1ff2a38, orig vector 0x1ff2a38
    post addr xlation: 216.18.65.49->10.0.20.33.
    ****** 810446.0: <Trust/bgroup0> packet received [52]******
    ipid = 20804(5144), @03909c50
    packet passed sanity check.
    flow_decap_vector IPv4 process
    bgroup0:192.168.16.110/63744->10.0.20.33/443,6<Root>
    existing session found. sess token 3
    flow got session.
    flow session id 6448
    flow_main_body_vector in ifp bgroup0 out ifp N/A
    flow vector index 0x3, vector addr 0x1ff2a38, orig vector 0x1ff2a38
    post addr xlation: 216.18.65.49->10.0.20.33.
    ****** 810452.0: <Trust/bgroup0> packet received [48]******
    ipid = 20813(514d), @03946450
    packet passed sanity check.
    flow_decap_vector IPv4 process
    bgroup0:192.168.16.110/63744->10.0.20.33/443,6<Root>
    existing session found. sess token 3
    flow got session.
    flow session id 6448
    flow_main_body_vector in ifp bgroup0 out ifp N/A
    flow vector index 0x3, vector addr 0x1ff2a38, orig vector 0x1ff2a38
    post addr xlation: 216.18.65.49->10.0.20.33.

    =================================================



  • 11.  RE: NAT-dst not working on SSG5
    Best Answer

    Posted 01-27-2012 04:01

    Hi,

     

    The explanation of this phenomenon is here:

     

    found reversed mip/vip 216.18.65.49 for 192.168.16.110 (on ethernet0/0)

     

    The dst-NAT does not work for connections established from a host if that host is the host part of a MIP defined on the egress interface.
    Do not ask me why. This might be a bug or by design, something like "too many NATs for a packet" or "too complex a NAT".

    If you try the same from any other PC (not 192.168.16.110), the NAT will work, provided that the PC's IP is not the host part of a MIP definition.



  • 12.  RE: NAT-dst not working on SSG5

    Posted 01-27-2012 04:48

    ... generally, a MIP overrides the policy src-NAT if a MIPped host establishes an outgoing connection. The src-NAT is ignored and the MIP is used as the source IP. This is a well-known and documented fact. But, apparently, the MIP ignores the policy dst-NAT as well.
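    The diagnosis in posts 11 and 12 comes down to three lines of the `get db stream` output posted in post 10: the policy that permitted the first packet, the `found reversed mip/vip` line, and the `post addr xlation` line that still shows the original destination. Below is an added triage script (not Juniper code and not part of this thread) that reads a `debug flow basic` trace, pulls those fields out of each first-packet block, and states whether the configured dst-NAT was applied or was overridden by a MIP reverse translation. It only understands the line formats that appear in the trace above; the second, constructed trace uses the same formats with the example addresses from post 1 (76.12.22.44 as the interface NAT source and 217.2.4.10 as the dst-NAT target) to show what a working flow would look like at the `post addr xlation` line.

```python
"""Triage a ScreenOS 'debug flow basic' (get db stream) trace for NAT results.

Added example for this thread, not Juniper code. Only the line formats that
occur in the posted trace are parsed; every other debug line is ignored.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Trimmed excerpt of the trace from post 10 (first packet plus one follow-up).
TRACE_MIP_HOST = """\
****** 810422.0: <Trust/bgroup0> packet received [52]******
bgroup0:192.168.16.110/63742->10.0.20.33/443,6<Root>
no session found
[ Dest] 19.route 10.0.20.33->216.18.65.50, to ethernet0/0
Permitted by policy 18
found reversed mip/vip 216.18.65.49 for 192.168.16.110 (on ethernet0/0)
hip xlate: 192.168.16.110->216.18.65.49 at ethernet0/0 (vs. ethernet0/0)
Session (id:6448) created for first pak 3
post addr xlation: 216.18.65.49->10.0.20.33.
****** 810425.0: <Trust/bgroup0> packet received [52]******
bgroup0:192.168.16.110/63742->10.0.20.33/443,6<Root>
existing session found. sess token 3
post addr xlation: 216.18.65.49->10.0.20.33.
"""

# Constructed trace (not from the thread) for a host that is NOT a MIP host,
# using the example addresses from post 1: interface source NAT to 76.12.22.44
# and the policy dst-NAT to 217.2.4.10 actually applied.
TRACE_PLAIN_HOST = """\
****** 810500.0: <Trust/bgroup0> packet received [52]******
bgroup0:192.168.16.50/50001->10.0.20.33/443,6<Root>
no session found
Permitted by policy 18
Session (id:7000) created for first pak 3
post addr xlation: 76.12.22.44->217.2.4.10.
"""

CONFIGURED_DST_NAT = "217.2.4.10"  # address entered in the policy's nat-dst box (post 1)

PKT_RE = re.compile(r"^\*{6} [\d.]+: <[^>]+> packet received")
FLOW_RE = re.compile(r"^(?P<ifp>\S+?):(?P<src>\d+\.\d+\.\d+\.\d+)/(?P<sport>\d+)"
                     r"->(?P<dst>\d+\.\d+\.\d+\.\d+)/(?P<dport>\d+),(?P<proto>\d+)")
POLICY_RE = re.compile(r"^Permitted by policy (?P<id>\d+)")
MIP_RE = re.compile(r"^found reversed mip/vip (?P<mip>[\d.]+) for (?P<host>[\d.]+) \(on (?P<ifp>\S+)\)")
XLATE_RE = re.compile(r"^post addr xlation: (?P<src>[\d.]+)->(?P<dst>[\d.]+)\.")

NO_POLICY = "no permit policy matched"
DST_NAT_OK = "dst-nat applied"
MIP_SUPPRESSED = "dst-nat suppressed: source is a MIP host, reverse MIP xlate took precedence"
DST_NAT_MISSING = "dst-nat not applied (reason not visible in trace)"


@dataclass
class FirstPacket:
    src: str
    dst: str
    dport: str
    policy_id: Optional[int] = None
    reversed_mip: Optional[str] = None
    xlated_src: Optional[str] = None
    xlated_dst: Optional[str] = None


def parse_first_packets(trace: str) -> List[FirstPacket]:
    """Return one record per first packet (session creation) in the trace."""
    packets: List[FirstPacket] = []
    cur: Optional[FirstPacket] = None      # first-packet block being filled
    pending: Optional[FirstPacket] = None  # flow header seen, lookup result not yet
    for raw in trace.splitlines():
        line = raw.strip()
        if PKT_RE.match(line):             # new packet block resets state
            cur, pending = None, None
            continue
        m = FLOW_RE.match(line)
        if m:
            pending = FirstPacket(m["src"], m["dst"], m["dport"])
            continue
        if pending is not None:            # line after the flow header says new or existing session
            if line == "no session found":
                cur = pending
                packets.append(cur)
            pending = None                 # 'existing session found' blocks carry no NAT decision
            continue
        if cur is None:
            continue
        m = POLICY_RE.match(line)
        if m:
            cur.policy_id = int(m["id"])
            continue
        m = MIP_RE.match(line)
        if m:
            cur.reversed_mip = m["mip"]
            continue
        m = XLATE_RE.match(line)
        if m:
            cur.xlated_src, cur.xlated_dst = m["src"], m["dst"]
    return packets


def diagnose(pkt: FirstPacket, configured_dst: str = CONFIGURED_DST_NAT) -> str:
    """Explain the NAT outcome of a first packet in the terms posts 11 and 12 use."""
    if pkt.policy_id is None:
        return NO_POLICY
    if pkt.xlated_dst == configured_dst:
        return DST_NAT_OK
    # Destination untouched and the source was rewritten to a reverse MIP:
    # the MIP translation won over the policy's nat-dst.
    if pkt.reversed_mip and pkt.xlated_src == pkt.reversed_mip:
        return MIP_SUPPRESSED
    return DST_NAT_MISSING


if __name__ == "__main__":
    for name, trace in (("MIP host", TRACE_MIP_HOST), ("plain host", TRACE_PLAIN_HOST)):
        for p in parse_first_packets(trace):
            print(f"{name}: {p.src}->{p.dst}:{p.dport} policy {p.policy_id}: {diagnose(p)}")
```

    Run against the full trace from post 10, the script reports `MIP_SUPPRESSED` for each of the three sessions (6448, 7941, and the second 6448), which is the condition to look for before spending more time on address objects or policy order: if the source address appears on the right-hand side of a `found reversed mip/vip` line, test from a host that is not a MIP host, as post 11 suggests.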



  • 13.  RE: NAT-dst not working on SSG5

    Posted 01-27-2012 15:09

    Thank you very much Edouard.

    Your help is well appreciated.