Screen OS


Netscreen 25 with new ISP

  • 1.  Netscreen 25 with new ISP

    Posted 04-09-2009 15:59

    Hello, our company signed up with ATT for a T3, so we have a Cisco 2800 router that they manage (we don't have access to it), but we have our old NS25 that's currently up and running with the old ISP with public addresses. Now we wanna move the network over to the new ISP, but somehow we're facing a major road block. It was suggested we NAT the inside network and just use one public address to the outside. We tried to get connections going but only got as far as getting the NS25 DHCP to give out addresses; it won't connect to the web. The NS25 has 4 ports, so the old ISP and current network are on ports 1 and 3, and we were trying to configure 2 and 4 for ATT. We gave the untrusted port the ATT gateway IP and gave trusted 192.168.1.xx. We might be missing something,

     

    Can anyone shed any light on this? Any pointer would be great, thanks in advance.



  • 2.  RE: Netscreen 25 with new ISP

    Posted 04-09-2009 17:13

    Hi

     

    Hmm, did you make sure to get the routes set up?

    Also the policies and natting configured?

     

    One thing that can help to check all that is to run some test traffic and check the session created:

    get sess src-ip X.X.X.X (X is IP for the client)

     

    and

    get route

     

    that will tell us pretty much what's going on.



  • 3.  RE: Netscreen 25 with new ISP

    Posted 04-10-2009 09:44

    Thanks for the reply WL, we'll give it a look, I'll keep you posted on my progress.

     

    cd



  • 4.  RE: Netscreen 25 with new ISP

    Posted 04-10-2009 10:33

    Hi WL, here's the output from telnet. How can I see what I'm typing? Somehow it's disabled, thanks;

     

    Remote Management Console
    login: admin
    password:
    ns25-> get sess src-ip 12.54.120.33
    alloc 244/max 32064, alloc failed 0, mcast alloc 4294667744, di alloc failed 0
    total reserved 0, free sessions in shared pool 31820
    Total 0 sessions according filtering criteria.
    Total 0 sessions shown
    ns25->

    ns25-> get route


    IPv4 Dest-Routes for <untrust-vr> (0 entries)
    --------------------------------------------------------------------------------
    H: Host C: Connected S: Static A: Auto-Exported
    I: Imported R: RIP P: Permanent D: Auto-Discovered
    iB: IBGP eB: EBGP O: OSPF E1: OSPF external type 1
    E2: OSPF external type 2


    IPv4 Dest-Routes for <trust-vr> (6 entries)
    --------------------------------------------------------------------------------
       ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
    --------------------------------------------------------------------------------
    *   9      208.36.7.0/24          vlan1         0.0.0.0   C    0      0     Root
    *  42    12.54.120.33/32           eth4         0.0.0.0   H    0      0     Root
    *  28     192.168.1.1/32           eth2         0.0.0.0   H    0      0     Root
       27     192.168.1.1/32           eth2         0.0.0.0   C    0      0     Root
       41    12.54.120.32/27           eth4         0.0.0.0   C    0      0     Root
    *  10      208.36.7.6/32          vlan1         0.0.0.0   H    0      0     Root

    ns25->



  • 5.  RE: Netscreen 25 with new ISP

    Posted 04-10-2009 10:50

    Hi there

     

    Based on this route:

    *  42    12.54.120.33/32           eth4         0.0.0.0   H    0      0     Root

    It looks like the FW IP is 12.54.120.33 right?

     It looks like you are doing a get session for the FW IP itself?

    ns25-> get sess src-ip 12.54.120.33

    I think you may need to run the get session again:

    get session src-ip X.X.X.X ( X should be the IP of the Client PC you are running the traffic from)

     

    Another thing I think is kind of strange is that your ISP IP is tied to vlan 1;

    *   9      208.36.7.0/24          vlan1         0.0.0.0   C    0      0     Root

     

    Most people use vlan1 in transparent mode actually, not L3 mode. I think in that case, could you post the whole config just so we get a better picture?

     

    I am pretty sure that the routing is going to be a major factor as you have only host routes in the route table so far. Most of the time, we have a default route to send out the traffic to the internet.

     

    I also thought you mentioned that you are using ports 2 and 4 for AT&T? If you want all the traffic to be routed out port4, you can set up a default route:

    set route 0.0.0.0/0 int e4 gate X.X.X.X (where X is the gateway that you are sending the traffic to AT&T on)

     

    Let me know if I misunderstood what you are trying to do 🙂

     



  • 6.  RE: Netscreen 25 with new ISP

    Posted 04-10-2009 11:07

    Based on this route:

    *  42    12.54.120.33/32           eth4         0.0.0.0   H    0      0     Root

    It looks like the FW IP is 12.54.120.33 right?

    This is the ATT gateway IP

     

    208.36.7.0/24 

    this is our old ISP's IP block

     

    vlan1 is the manage port 208.36.7.6, and yes, we're set to transparent mode. We just wanted to use 2 & 4 so we don't disrupt 1 & 3 (current ISP ports). I was hoping to set port 2 (trust port) as NAT (192.168.1.1), and port 4 (untrust) as the ATT public IP 12.54.120.33. We wanted to go away from the internal network being set up as public IPs. It wasn't that bad when I replaced the old NS with this new NS25; I didn't have to touch the routes, since I'm not familiar with routing, and it just kinda worked with minimal changes to the config, but this ISP migration is not that easy.

     

    here's the whole config -

     

    set group address "V1-Trust" "Ts clients" add "Norma D"
    set group address "V1-Trust" "Ts clients" add "Randy L"
    set group address "V1-Trust" "Ts clients" add "shippingleft-dell"
    set group address "V1-Trust" "Ts servers"
    set group address "V1-Trust" "Ts servers" add "actserver"
    set group address "V1-Trust" "Ts servers" add "Appserver"
    set group address "V1-Trust" "Ts servers" add "Bacon"
    set group address "V1-Trust" "Ts servers" add "cirexxdc"
    set group address "V1-Trust" "Ts servers" add "cirexxintl"
    set group address "V1-Trust" "Ts servers" add "cirexxintldc"
    set group address "V1-Trust" "Ts servers" add "cirexxintldc2"
    set group address "V1-Trust" "Ts servers" add "Sharks"
    set group address "V1-Trust" "Ts servers" add "Sharks11"
    set group address "V1-Trust" "web servers"
    set group address "V1-Trust" "web servers" add "actserver"
    set group address "V1-Trust" "web servers" add "chrislinux"
    set group address "V1-Trust" "web servers" add "chrisweb"
    set group address "V1-Trust" "web servers" add "cirexxintl"
    set ike respond-bad-spi 1
    unset ike ikeid-enumeration
    unset ike dos-protection
    unset ipsec access-session enable
    set ipsec access-session maximum 5000
    set ipsec access-session upper-threshold 0
    set ipsec access-session lower-threshold 0
    set ipsec access-session dead-p2-sa-timeout 0
    unset ipsec access-session log-error
    unset ipsec access-session info-exch-connected
    unset ipsec access-session use-error-log
    set scheduler "Lunch web" recurrent monday start 7:0 stop 11:0 start 13:50 stop 18:30
    set scheduler "Lunch web" recurrent tuesday start 7:0 stop 11:0 start 13:50 stop 18:30
    set scheduler "Lunch web" recurrent wednesday start 7:0 stop 11:0 start 13:50 stop 18:30
    set scheduler "Lunch web" recurrent thursday start 7:0 stop 11:0 start 13:50 stop 18:30
    set scheduler "Lunch web" recurrent friday start 7:0 stop 11:0 start 13:50 stop 18:30
    set url protocol type sc-cpa
    set url protocol sc-cpa
    set category "youtube" url "www.youtube.com/"
    set profile "Playsites" other block
    set profile "Playsites" "youtube" block
    set profile "Playsites" "Adult/Sexually Explicit" block
    set profile "Playsites" "Advertisements" block
    set profile "Playsites" "Arts & Entertainment" permit
    set profile "Playsites" "Chat" permit
    set profile "Playsites" "Computing & Internet" permit
    set profile "Playsites" "Criminal Skills" block
    set profile "Playsites" "Drugs, Alcohol & Tobacco" block
    set profile "Playsites" "Education" permit
    set profile "Playsites" "Finance & Investment" permit
    set profile "Playsites" "Food & Drink" permit
    set profile "Playsites" "Gambling" block
    set profile "Playsites" "Games" block
    set profile "Playsites" "Glamour & Intimate Apparel" permit
    set profile "Playsites" "Government & Politics" permit
    set profile "Playsites" "Hacking" block
    set profile "Playsites" "Hate Speech" block
    set profile "Playsites" "Health & Medicine" permit
    set profile "Playsites" "Hobbies & Recreation" permit
    set profile "Playsites" "Hosting Sites" permit
    set profile "Playsites" "Job Search & Career Development" permit
    set profile "Playsites" "Kids Sites" permit
    set profile "Playsites" "Lifestyle & Culture" permit
    set profile "Playsites" "Motor Vehicles" permit
    set profile "Playsites" "News" permit
    set profile "Playsites" "Personals & Dating" block
    set profile "Playsites" "Photo Searches" permit
    set profile "Playsites" "Real Estate" permit
    set profile "Playsites" "Reference" permit
    set profile "Playsites" "Religion" permit
    set profile "Playsites" "Remote Proxies" block
    set profile "Playsites" "Search Engines" permit
    set profile "Playsites" "Sex Education" block
    set profile "Playsites" "Shopping" permit
    set profile "Playsites" "Sports" permit
    set profile "Playsites" "Streaming Media" permit
    set profile "Playsites" "Travel" permit
    set profile "Playsites" "Usenet News" permit
    set profile "Playsites" "Violence" block
    set profile "Playsites" "Weapons" block
    set profile "Playsites" "Web-based Email" permit
    exit
    set policy id 29 from "V1-Trust" to "V1-Untrust"  "Sales" "craigslist" "HTTP" deny schedule "Lunch web" log
    set policy id 29
    set dst-address "ebay"
    set dst-address "Facebook"
    set dst-address "myspace"
    set dst-address "youtube"
    exit
    set policy id 28 from "V1-Trust" to "V1-Untrust"  "Assembly" "craigslist" "HTTP" deny schedule "Lunch web" log
    set policy id 28
    set dst-address "ebay"
    set dst-address "Facebook"
    set dst-address "myspace"
    set dst-address "youtube"
    exit
    set policy id 27 from "V1-Trust" to "V1-Untrust"  "eng/prod/cam" "craigslist" "HTTP" deny schedule "Lunch web" log
    set policy id 27
    set dst-address "ebay"
    set dst-address "Facebook"
    set dst-address "myspace"
    set dst-address "youtube"
    exit
    set policy id 17 from "V1-Trust" to "V1-Untrust"  "eng/prod/cam" "Any" "FTP" permit log
    set policy id 17 application "FTP"
    set policy id 17
    set src-address "Sales"
    exit
    set policy id 21 from "V1-Trust" to "V1-Untrust"  "Any" "Any" "SSL" permit log
    set policy id 21
    exit
    set policy id 2 from "V1-Trust" to "V1-Untrust"  "domain controllers" "Any" "MS-EXCHANGE" permit log
    set policy id 2 application "SMTP"
    set policy id 2
    exit
    set policy id 4 from "V1-Trust" to "V1-Untrust"  "domain controllers" "Any" "DNS" permit log
    set policy id 4 application "DNS"
    set policy id 4
    exit
    set policy id 32 from "V1-Trust" to "V1-Untrust"  "Ts servers" "Any" "HTTP" permit log
    set policy id 32 application "HTTP"
    set policy id 32
    exit
    set policy id 13 from "V1-Trust" to "V1-Untrust"  "Assembly" "Any" "HTTP" permit log
    set policy id 13 application "HTTP"
    set policy id 13
    set src-address "eng/prod/cam"
    set src-address "Sales"
    exit
    set policy id 23 from "V1-Untrust" to "V1-Trust"  "Any" "domain controllers" "DNS" permit log
    set policy id 23
    set service "HTTP"
    set service "HTTPS"
    set service "IMAP"
    set service "POP3"
    set service "RDP"
    set service "SMTP"
    set service "SSH"
    set service "MS-EXCHANGE"
    set service "MS-IIS"
    exit
    set policy id 9 from "V1-Untrust" to "V1-Trust"  "Any" "Sales" "FTP" permit log
    set policy id 9
    set dst-address "web servers"
    set service "HTTP"
    set service "HTTPS"
    set service "SSL"
    exit
    set policy id 30 from "V1-Trust" to "V1-Untrust"  "Luz-dell" "Any" "insulectro" permit log
    set policy id 30
    exit
    set policy id 14 from "V1-Trust" to "V1-Untrust"  "Any" "Any" "HTTPS" permit log
    set policy id 14
    exit
    set policy id 15 from "V1-Trust" to "V1-Untrust"  "Any" "Any" "POP3" permit log
    set policy id 15 application "POP3"
    set policy id 15
    exit
    set policy id 16 from "V1-Trust" to "V1-Untrust"  "domain controllers" "Any" "SMTP" permit log
    set policy id 16 application "SMTP"
    set policy id 16
    exit
    set policy id 18 from "V1-Trust" to "V1-Untrust"  "Any" "Any" "RDP" permit log
    set policy id 18
    exit
    set policy id 19 from "V1-Trust" to "V1-Untrust"  "Any" "Any" "SSH" permit log
    set policy id 19
    exit
    set policy id 20 from "V1-Untrust" to "V1-Trust"  "Any" "Ts clients" "RDP" permit log
    set policy id 20
    exit
    set policy id 24 from "V1-Trust" to "V1-Untrust"  "mis-owners" "Any" "ANY" permit
    set policy id 24
    exit
    set policy id 25 from "V1-Untrust" to "V1-Trust"  "Any" "Ts servers" "RDP" permit log
    set policy id 25
    exit
    set policy id 31 name "VNC" from "V1-Untrust" to "V1-Trust"  "Any" "mis-owners" "VNC" permit log
    set policy id 31 disable
    set policy id 31
    exit
    set policy id 33 name "Any" from "V2-Trust" to "V2-Untrust"  "Any" "Any" "ANY" permit log
    set policy id 33
    exit
    set nsmgmt bulkcli reboot-timeout 60
    set ssh version v2
    set config lock timeout 5
    set ntp server "0.0.0.0"
    set ntp server backup1 "0.0.0.0"
    set ntp server backup2 "0.0.0.0"
    set snmp port listen 161
    set snmp port trap 162
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset add-default-route
    exit
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit
    ns25->



  • 7.  RE: Netscreen 25 with new ISP

    Posted 04-10-2009 11:18

    I didn't see that it got cut off; here's the beginning part of the config.

     


    ns25-> get config
    Total Config size 24386:
    set clock timezone -8
    set vrouter trust-vr sharable
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset auto-route-export
    exit
    set service "RDP" protocol tcp src-port 0-65535 dst-port 3389-3389
    set service "SSL" protocol tcp src-port 0-65535 dst-port 443-443
    set service "insulectro" protocol tcp src-port 0-65535 dst-port 1080-1080
    set service "network ass" protocol tcp src-port 0-65535 dst-port 8181-8181
    set service "network ass" + tcp src-port 0-65535 dst-port 4445-4445
    set auth-server "Local" id 0
    set auth-server "Local" server-name "Local"
    set auth default auth server "Local"
    set auth radius accounting port 1646
    set admin name "admin"
    set admin password "nDVYKxrhDXaAcLzFTs6FCUIt2xNE7n"
    set admin auth timeout 10
    set admin auth server "Local"
    set admin format dos
    set zone "Trust" vrouter "trust-vr"
    set zone "Untrust" vrouter "trust-vr"
    set zone "DMZ" vrouter "trust-vr"
    set zone "VLAN" vrouter "trust-vr"
    set zone id 100 "V2-Untrust"
    set zone id 101 "V2-Trust"
    set zone "Untrust-Tun" vrouter "trust-vr"
    set zone "Trust" tcp-rst
    set zone "Untrust" block
    unset zone "Untrust" tcp-rst
    set zone "MGT" block
    set zone "DMZ" tcp-rst
    set zone "VLAN" block
    unset zone "VLAN" tcp-rst
    set zone "V2-Untrust" tcp-rst
    set zone "V2-Trust" tcp-rst
    set zone "Trust" screen icmp-flood
    set zone "Trust" screen udp-flood
    set zone "Trust" screen winnuke
    set zone "Trust" screen port-scan
    set zone "Trust" screen ip-sweep
    set zone "Trust" screen tear-drop
    set zone "Trust" screen syn-flood
    set zone "Trust" screen ip-spoofing
    set zone "Trust" screen ping-death
    set zone "Trust" screen unknown-protocol
    set zone "Trust" screen icmp-fragment
    set zone "Trust" screen icmp-large
    set zone "Trust" screen icmp-id
    set zone "Untrust" screen tear-drop
    set zone "Untrust" screen syn-flood
    set zone "Untrust" screen ping-death
    set zone "Untrust" screen ip-filter-src
    set zone "Untrust" screen land
    set zone "V1-Trust" screen icmp-flood
    set zone "V1-Trust" screen ip-spoofing
    set zone "V1-Trust" screen ip-bad-option
    set zone "V1-Untrust" screen icmp-flood
    set zone "V1-Untrust" screen udp-flood
    set zone "V1-Untrust" screen winnuke
    set zone "V1-Untrust" screen port-scan
    set zone "V1-Untrust" screen ip-sweep
    set zone "V1-Untrust" screen tear-drop
    set zone "V1-Untrust" screen syn-flood
    set zone "V1-Untrust" screen ip-spoofing
    set zone "V1-Untrust" screen ping-death
    set zone "V1-Untrust" screen ip-filter-src
    set zone "V1-Untrust" screen land
    set zone "V1-Untrust" screen unknown-protocol
    set zone "V1-Untrust" screen ip-bad-option
    set zone "V1-Untrust" screen icmp-fragment
    set zone "V1-Untrust" screen icmp-large
    set zone "V1-Untrust" screen syn-ack-ack-proxy
    set zone "V1-Untrust" screen icmp-id
    set interface "ethernet1" zone "V1-Trust"
    set interface "ethernet2" zone "V2-Trust"
    set interface "ethernet3" zone "V1-Untrust"
    set interface "ethernet4" zone "V2-Untrust"
    set interface vlan1 ip 208.36.7.6/24
    set interface vlan1 nat
    set interface ethernet2 ip 192.168.1.1/32
    set interface ethernet2 route
    set interface ethernet4 ip 12.54.120.33/27
    set interface ethernet4 route
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip
    set interface vlan1 ip manageable
    set interface ethernet2 ip manageable
    set interface ethernet4 ip manageable
    set interface ethernet2 manage ping
    set interface ethernet2 manage telnet
    set interface ethernet2 manage snmp
    set interface ethernet2 manage ssl
    set interface ethernet2 manage web
    set interface ethernet4 manage ping
    set interface ethernet4 manage ssh
    set interface ethernet4 manage telnet
    set interface ethernet4 manage snmp
    set interface ethernet4 manage ssl
    set interface ethernet4 manage web
    set interface ethernet2 dhcp server service
    set interface ethernet4 dhcp server service
    set interface ethernet2 dhcp server enable
    set interface ethernet4 dhcp server enable
    set interface ethernet2 dhcp server option lease 1440000
    set interface ethernet2 dhcp server option gateway 192.168.1.1
    set interface ethernet2 dhcp server option netmask 255.255.255.0
    set interface ethernet2 dhcp server option dns1 12.127.17.71
    set interface ethernet2 dhcp server option dns2 12.127.17.72
    set interface ethernet4 dhcp server option lease 1440000
    set interface ethernet4 dhcp server option gateway 12.54.120.33
    set interface ethernet4 dhcp server option netmask 255.255.255.224
    set interface ethernet4 dhcp server option dns1 12.127.17.71
    set interface ethernet4 dhcp server option dns2 12.127.17.71
    set interface ethernet2 dhcp server ip 192.168.1.100 to 192.168.1.105
    unset interface ethernet2 dhcp server config next-server-ip
    unset interface ethernet4 dhcp server config next-server-ip
    unset flow no-tcp-seq-check
    set flow tcp-syn-check
    set domain cirexx.com
    set pki authority default scep mode "auto"
    set pki x509 default cert-path partial
    set dns host dns1 12.127.17.71 src-interface ethernet2
    set dns host dns2 12.127.17.72 src-interface ethernet2
    set dns host dns3 0.0.0.0
    set dns host schedule 06:28
    set address "V1-Trust" "actserver" 208.36.7.121 255.255.255.255
    set address "V1-Trust" "Alex H" 208.36.7.237 255.255.255.255
    set address "V1-Trust" "aoi-xp" 208.36.7.44 255.255.255.255
    set address "V1-Trust" "Appserver" 208.36.7.122 255.255.255.255
    set address "V1-Trust" "ArmandoXP" 208.36.7.157 255.255.255.255
    set address "V1-Trust" "Auditor" 208.36.7.169 255.255.255.255
    set address "V1-Trust" "B Horner" 208.36.7.186 255.255.255.255
    set address "V1-Trust" "Bacon" 208.36.7.83 255.255.255.255
    set address "V1-Trust" "Billy L" 208.36.7.193 255.255.255.255
    set address "V1-Trust" "cam0" 208.36.7.109 255.255.255.255
    set address "V1-Trust" "cam1" 208.36.7.108 255.255.255.255
    set address "V1-Trust" "cam2" 208.36.7.102 255.255.255.255
    set address "V1-Trust" "cam3" 208.36.7.105 255.255.255.255
    set address "V1-Trust" "cam4" 208.36.7.112 255.255.255.255
    set address "V1-Trust" "cam5" 208.36.7.114 255.255.255.255
    set address "V1-Trust" "camtek-vista" 208.36.7.228 255.255.255.255
    set address "V1-Trust" "camtek-xp" 208.36.7.183 255.255.255.255
    --- more ---



  • 8.  RE: Netscreen 25 with new ISP

    Posted 04-10-2009 11:37

    Hmm, so essentially what you are trying to do is run the firewall in both L2 and L3 mode. I gotta tell you though, that's not going to be a supported configuration.

    When you set up the config as:

    set interface ethernet2 ip 192.168.1.1/32
    set interface ethernet2 route
    set interface ethernet4 ip 12.54.120.33/27
    set interface ethernet4 route

     

    It turns the FW into L3 mode as can be seen when you do:

    ssg5-isdn-wlan-> get sys | i mode
    System in NAT/route mode.

     

    Also, did you check to see if the PC got an IP address properly? I think you can try the eth2  configuration with a /29 mask instead of 32.

    EG:

    set int e3 ip 192.168.1.97/29 and you can have the scope to dish out from 192.168.1.98-102 with the gateway as 192.168.1.97.

     

    Since both interfaces are still in "route" mode, you pretty much need to configure nat on the policy:

    set policy id 33 name "Any" from "V2-Trust" to "V2-Untrust"  "Any" "Any" "ANY" nat src permit log

     

    Also, I think you are still going to have an issue with the routes, but try to check the above stuff first and get some traffic to hit the firewall first. Can you run and post the debugs:

     

    i) check the PC to see what's the IP (let IP be X)

    --> Try to surf internet

    get session src-ip X

     

    If there is no output, try to run some debugs:

    set ff src-ip X.X.X.X

    set ff dst-ip X.X.X.X

    debug flow basic

    --> try to surf

    --> Press ESC to stop the debug

    get db str (to view debug)

     

     



  • 9.  RE: Netscreen 25 with new ISP

    Posted 04-10-2009 13:06

    Yeah looks like it's in that mode, and DHCP worked on the eth2(trusted);

     

    Remote Management Console
    login: admin
    ns25-> get sys | i mode
    get sys | i mode
    System in NAT/route mode.
      number 0, if_info 0, if_index 0, mode xparent, port vlan 1
      number 5, if_info 1040, if_index 0, mode route
      number 6, if_info 1248, if_index 0, mode xparent, port vlan 1
      number 7, if_info 1456, if_index 0, mode route

     

    So can we just make the ATT connection setup just like the old ISP (in transparent)? That means we can't NAT the inside anymore, right?
    I'm trying to find a better way to migrate over. Let me try that command you suggested on the eth2, thanks

     

    carlo
         



  • 10.  RE: Netscreen 25 with new ISP

    Posted 04-10-2009 13:12

    Not sure if I got your question. You should be able to have NAT as long as you have the policy set up to do the NATting (because you are using custom zones). If you are using the default trust to untrust, having the trust interface in NAT mode automatically has the NATting done for you.



  • 11.  RE: Netscreen 25 with new ISP

    Posted 04-10-2009 14:17

    Hi WL, well I tried this command;

    set policy id 33 name "Any" from "V2-Trust" to "V2-Untrust"  "Any" "Any" "ANY" nat src permit log

    I can only pick up an address from port 2's DHCP (192.168.1.xx), but can't ping 12.54.120.33. The weird thing is, I can ping 12.54.120.33 from our old network (208.36.7.xx), but using a separate switch straight to port 2 of the F/W only gets the local network.

    Here's the route again, any ideas?

     

    ns25-> get route
    get route


    IPv4 Dest-Routes for <untrust-vr> (0 entries)
    --------------------------------------------------------------------------------
    H: Host C: Connected S: Static A: Auto-Exported
    I: Imported R: RIP P: Permanent D: Auto-Discovered
    iB: IBGP eB: EBGP O: OSPF E1: OSPF external type 1
    E2: OSPF external type 2


    IPv4 Dest-Routes for <trust-vr> (6 entries)
    --------------------------------------------------------------------------------
       ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
    --------------------------------------------------------------------------------
    *   9      208.36.7.0/24          vlan1         0.0.0.0   C    0      0     Root
    *  42    12.54.120.33/32           eth4         0.0.0.0   H    0      0     Root
    *  28     192.168.1.1/32           eth2         0.0.0.0   H    0      0     Root
    *  27     192.168.1.1/32           eth2         0.0.0.0   C    0      0     Root
    *  41    12.54.120.32/27           eth4         0.0.0.0   C    0      0     Root
    *  10      208.36.7.6/32          vlan1         0.0.0.0   H    0      0     Root

    ns25->



  • 12.  RE: Netscreen 25 with new ISP

    Posted 04-10-2009 14:27

    Well, from the old network, my guess is that you have another device doing the L3 routing for you when you ping.

    On the FW with the switch directly connected, I think the FW does not know how to route back to the 192.168.1.1 subnet. This is by virtue of the subnet mask configured on the interface:

    *  28     192.168.1.1/32           eth2         0.0.0.0   H    0      0     Root
    *  27     192.168.1.1/32           eth2         0.0.0.0   C    0      0     Root

    It's a /32 route. So the FW does not have a route to return the packets back to the 192.168.1.1 subnet. Try and change the subnet mask if possible.
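
    A small route-table checker, added here as a worked example and not part of the thread: it parses the `get route` listings pasted in this thread (embedded below as constructed samples), performs the longest-prefix lookup the firewall does, and flags the two conditions the replies converge on, a /32 mask on the connected eth2 route and the missing default route toward eth4. The gateway 12.54.120.33 used when modelling `set route 0.0.0.0/0 int e4 gate ...` is the AT&T gateway named earlier in the thread; function names are my own.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    interface: str
    gateway: str
    proto: str      # P column: H host, C connected, S static, ...
    active: bool    # a leading '*' means the route is in the forwarding table


# Constructed sample input: the trust-vr table as first pasted in the thread
# (ethernet2 still configured as 192.168.1.1/32, no default route).
GET_ROUTE_BEFORE = """\
IPv4 Dest-Routes for <trust-vr> (6 entries)
--------------------------------------------------------------------------------
   ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
--------------------------------------------------------------------------------
*   9      208.36.7.0/24          vlan1         0.0.0.0   C    0      0     Root
*  42    12.54.120.33/32           eth4         0.0.0.0   H    0      0     Root
*  28     192.168.1.1/32           eth2         0.0.0.0   H    0      0     Root
   27     192.168.1.1/32           eth2         0.0.0.0   C    0      0     Root
   41    12.54.120.32/27           eth4         0.0.0.0   C    0      0     Root
*  10      208.36.7.6/32          vlan1         0.0.0.0   H    0      0     Root
"""

# Constructed sample input: the table pasted after ethernet2 was changed to a /29
# (still no default route).
GET_ROUTE_AFTER = """\
*   9      208.36.7.0/24          vlan1         0.0.0.0   C    0      0     Root
*  46    12.54.120.34/32           eth4         0.0.0.0   H    0      0     Root
*  44     192.168.1.1/32           eth2         0.0.0.0   H    0      0     Root
*  43     192.168.1.0/29           eth2         0.0.0.0   C    0      0     Root
*  45    12.54.120.32/27           eth4         0.0.0.0   C    0      0     Root
*  10      208.36.7.6/32          vlan1         0.0.0.0   H    0      0     Root
"""

# One route row: optional '*', ID, prefix, interface, gateway, P, Pref, Mtr, Vsys.
ROUTE_RE = re.compile(
    r"^(?P<active>\*?)\s*(?P<id>\d+)\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+"
    r"(?P<iface>\S+)\s+(?P<gw>\d+\.\d+\.\d+\.\d+)\s+(?P<proto>\S+)\s+"
    r"\d+\s+\d+\s+\S+\s*$"
)


def parse_get_route(text: str) -> List[Route]:
    """Parse the rows of a ScreenOS 'get route' listing; headers and legend are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes.append(Route(
                prefix=ipaddress.ip_network(m["prefix"], strict=False),
                interface=m["iface"],
                gateway=m["gw"],
                proto=m["proto"],
                active=(m["active"] == "*"),
            ))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match over active routes only, i.e. what the forwarding lookup sees."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if r.active and addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def add_static_route(routes: List[Route], prefix: str, interface: str, gateway: str) -> List[Route]:
    """Model 'set route <prefix> int <if> gate <gw>' as a new active static route."""
    return routes + [Route(ipaddress.ip_network(prefix), interface, gateway, "S", True)]


def audit(routes: List[Route]) -> List[str]:
    """Report the two conditions this thread converges on."""
    findings = []
    if not any(r.active and r.prefix.prefixlen == 0 for r in routes):
        findings.append("no active default route (0.0.0.0/0): Internet-bound traffic has nowhere to go")
    for r in routes:
        # A host (H) /32 for the interface's own address is normal; a connected (C)
        # /32 means the interface mask is wrong and no neighbour on that segment has a return route.
        if r.proto == "C" and r.prefix.prefixlen == 32:
            findings.append(f"{r.interface}: connected route {r.prefix} is a /32, fix the interface mask")
    return findings


if __name__ == "__main__":
    for label, text in (("before", GET_ROUTE_BEFORE), ("after /29", GET_ROUTE_AFTER)):
        table = parse_get_route(text)
        print(label, "->", lookup(table, "192.168.1.3"), lookup(table, "4.2.2.2"), audit(table))
    fixed = add_static_route(parse_get_route(GET_ROUTE_AFTER), "0.0.0.0/0", "eth4", "12.54.120.33")
    print("with default route ->", lookup(fixed, "4.2.2.2"), audit(fixed))
```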



  • 13.  RE: Netscreen 25 with new ISP

    Posted 04-10-2009 14:53

    I gave it a /29 subnet and got the same results, just local, no web. It's almost like 2 & 4 don't connect to each other. Pullin hair here, lol

     

     

       ethernet1  0.0.0.0/0         V1-Trust    Layer2  Up
       ethernet2  192.168.1.1/29    V2-Trust    Layer3  Up
       ethernet3  0.0.0.0/0         V1-Untrust  Layer2  Up
       ethernet4  12.54.120.33/27   V2-Untrust  Layer3  Up
       vlan1      208.36.7.6/24     VLAN        Layer3  Up



  • 14.  RE: Netscreen 25 with new ISP

    Posted 04-10-2009 15:34

    I think you can set up a route for the traffic but this may affect your existing traffic:

    set route 0.0.0.0/0 int e4 gate X.X.X.X (X is the IP address to be routed to)

     

    I recommend, if you can access the FW via CLI, running the debugs. It's kind of like a snapshot to check what's wrong instead of pulling your hair!!

     

    set ff src-ip X.X.X.X

    set ff dst-ip X.X.X.X (X is IP of your client)

    debug flow basic

    --> try to surf

    --> Press esc to stop the debug

    get db str (Pls post the output)

     

    I am pretty sure it's the route, but the debug will confirm.



  • 15.  RE: Netscreen 25 with new ISP

    Posted 04-10-2009 16:14

    Hi WL, I'm gonna call it a day for now. I might be able to come in tomorrow morning and try to get this working; then we can afford downtime if we need to and won't piss anyone off. I appreciate your help. I will try those things you suggested and post results.

     

    carlo



  • 16.  RE: Netscreen 25 with new ISP

    Posted 04-10-2009 16:48
    cool, hopefully everything will work fine 🙂


  • 17.  RE: Netscreen 25 with new ISP

    Posted 04-11-2009 12:02
    Hi WL, I went and tried this command:

    set route 0.0.0.0/0 int e4 gate X.X.X.X (X is the IP address to be routed to)

     

    and here's our route-

     

    ns25-> get  route


    IPv4 Dest-Routes for <untrust-vr> (0 entries)
    --------------------------------------------------------------------------------
    H: Host C: Connected S: Static A: Auto-Exported
    I: Imported R: RIP P: Permanent D: Auto-Discovered
    iB: IBGP eB: EBGP O: OSPF E1: OSPF external type 1
    E2: OSPF external type 2


    IPv4 Dest-Routes for <trust-vr> (6 entries)
    --------------------------------------------------------------------------------
       ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
    --------------------------------------------------------------------------------
    *   9      208.36.7.0/24          vlan1         0.0.0.0   C    0      0     Root
    *  46    12.54.120.34/32           eth4         0.0.0.0   H    0      0     Root
    *  44     192.168.1.1/32           eth2         0.0.0.0   H    0      0     Root
    *  43     192.168.1.0/29           eth2         0.0.0.0   C    0      0     Root
    *  45    12.54.120.32/27           eth4         0.0.0.0   C    0      0     Root
    *  10      208.36.7.6/32          vlan1         0.0.0.0   H    0      0     Root

    ns25->

     

    We pick up DHCP addresses from eth2 in the 192 range, and we can ping the gateway 12.54.120.33, but still can't get to the web, so here's the debug info.

     

    Remote Management Console
    ns25-> set ff src-ip 12.54.120.33
    set ff src-ip 12.54.120.33
    filter added
    ns25-> set ff dst-ip 192.168.1.1
    set ff dst-ip 192.168.1.1
    filter added
    ns25-> debug flow basic
    debug flow basic
    ns25-> get db str
    get db str
    ****** 12597706.0: <Self/self> packet received [65]******
      ipid = 775(0307), @024bc2b4
    flow_self_vector2: send pack with current vid =0, enc_size:0
      processing packet through normal path.
      packet passed sanity check.
      self:192.168.1.1/23->192.168.1.3/58037,6<Root>
      existing session found. sess token 8
      flow got session.
      flow session id 30741
      skip ttl adjust for packet from self.
      post addr xlation: 192.168.1.1->192.168.1.3.
      search route to (null, 0.0.0.0->192.168.1.3) in vr trust-vr for vsd-0/flag-101
     no route to (0.0.0.0->192.168.1.3) in vr trust-vr/0
     flow_send_vector_, vid = 0, is_layer2_if=0
      packet send out to 00044b072b1d through ethernet2
    ****** 12597706.0: <V2-Trust/ethernet2> packet received [40]******
      ipid = 18115(46c3), @c7d2e910
      packet passed sanity check.
      ethernet2:192.168.1.3/58037->192.168.1.1/23,6<Root>
      existing session found. sess token 34
      flow got session.
      flow session id 30741
      packet is for self, copy packet to self
    copy packet to us.
    ****** 12597746.0: <V2-Trust/ethernet2> packet received [50]******
      ipid = 18176(4700), @c7d25910
      packet passed sanity check.
      ethernet2:192.168.1.3/58037->192.168.1.1/23,6<Root>
      existing session found. sess token 34
      flow got session.
      flow session id 30741
      packet is for self, copy packet to self
    copy packet to us.
    ****** 12597746.0: <V2-Trust/ethernet2> packet received [42]******
      ipid = 18177(4701), @c7d26110
      packet passed sanity check.
      ethernet2:192.168.1.3/58037->192.168.1.1/23,6<Root>
      existing session found. sess token 34
      flow got session.
      flow session id 30741
      packet is for self, copy packet to self
    copy packet to us.
    ****** 12597746.0: <Self/self> packet received [40]******
      ipid = 792(0318), @024bb524
    flow_self_vector2: send pack with current vid =0, enc_size:0
      processing packet through normal path.
      packet passed sanity check.
      self:192.168.1.1/23->192.168.1.3/58037,6<Root>
      existing session found. sess token 8
      flow got session.
      flow session id 30741
      skip ttl adjust for packet from self.
      post addr xlation: 192.168.1.1->192.168.1.3.
      search route to (null, 0.0.0.0->192.168.1.3) in vr trust-vr for vsd-0/flag-101
     no route to (0.0.0.0->192.168.1.3) in vr trust-vr/0
     flow_send_vector_, vid = 0, is_layer2_if=0
      packet send out to 00044b072b1d through ethernet2
    ****** 12597746.0: <Self/self> packet received [40]******
      ipid = 793(0319), @024bb524
    flow_self_vector2: send pack with current vid =0, enc_size:0
      processing packet through normal path.
      packet passed sanity check.
      self:192.168.1.1/23->192.168.1.3/58037,6<Root>
      existing session found. sess token 8
      flow got session.
      flow session id 30741
      skip ttl adjust for packet from self.
      post addr xlation: 192.168.1.1->192.168.1.3.
      search route to (null, 0.0.0.0->192.168.1.3) in vr trust-vr for vsd-0/flag-101
     no route to (0.0.0.0->192.168.1.3) in vr trust-vr/0
     flow_send_vector_, vid = 0, is_layer2_if=0
      packet send out to 00044b072b1d through ethernet2
    ns25->



  • 18.  RE: Netscreen 25 with new ISP

    Posted 04-11-2009 12:18

    Hi WL, we somehow figured it out, my co-hort was playing around in the routing settings under source and he added this entry and we're now on the web -

     

    Remote Management Console

    ns25-> get route


    IPv4 Dest-Routes for <untrust-vr> (0 entries)
    --------------------------------------------------------------------------------
    H: Host C: Connected S: Static A: Auto-Exported
    I: Imported R: RIP P: Permanent D: Auto-Discovered
    iB: IBGP eB: EBGP O: OSPF E1: OSPF external type 1
    E2: OSPF external type 2


    IPv4 Dest-Routes for <trust-vr> (6 entries)
    --------------------------------------------------------------------------------
       ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
    --------------------------------------------------------------------------------
    *   9      208.36.7.0/24          vlan1         0.0.0.0   C    0      0     Root
    *  58    12.54.120.34/32           eth4         0.0.0.0   H    0      0     Root
    *  44     192.168.1.1/32           eth2         0.0.0.0   H    0      0     Root
    *  43     192.168.1.0/29           eth2         0.0.0.0   C    0      0     Root
    *  57    12.54.120.32/27           eth4         0.0.0.0   C    0      0     Root
    *  10      208.36.7.6/32          vlan1         0.0.0.0   H    0      0     Root

    ns25-> get route source
    get route source
    S: Static P: Permanent


    Src-Routes for <trust-vr> (1 entries)
    --------------------------------------------------------------------------------
       ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
    --------------------------------------------------------------------------------
    *   1     192.168.1.0/29           eth4    12.54.120.33   S   20      1     Root

    ns25->
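    The route table above has no 0.0.0.0/0 entry; the source route that was added only forwards packets whose source is 192.168.1.0/29, so it is doing the job of a default route for those hosts alone. As an added example (not configuration from this thread or from Juniper), here is the Layer-3 NAT baseline that the table implies for the ethernet2/ethernet4 pair, with the check commands. Addresses are taken from the output above (192.168.1.0/29 inside, 12.54.120.32/27 from AT&T with the firewall at .34 per its host route, gateway 12.54.120.33); the zone names V2-Trust/V2-Untrust come from the interface list later in the thread; the IPs in the check commands are placeholders. Lines starting with # are annotations, not ScreenOS commands.

```screenos
# Added example, not configuration from this thread. Addresses come from the
# get route output above; zone names from the interface list in post 22.

# Inside interface in NAT mode: sessions leaving toward the untrust zone are
# source-translated to the egress interface address (one public IP, as the
# original post wanted). Outside interface in route mode.
set interface ethernet2 zone V2-Trust
set interface ethernet2 ip 192.168.1.1/29
set interface ethernet2 nat
set interface ethernet4 zone V2-Untrust
set interface ethernet4 ip 12.54.120.34/27
set interface ethernet4 route

# Explicit default route in trust-vr. Without it, anything whose source is not
# 192.168.1.0/29 (the firewall's own DNS lookups, a second inside subnet added
# later) has no way out, whatever source routes exist.
set route 0.0.0.0/0 interface ethernet4 gateway 12.54.120.33

# One outbound policy, logged. Nothing inbound is permitted; ScreenOS denies
# traffic that matches no policy.
set policy id 1 from "V2-Trust" to "V2-Untrust" "Any" "Any" "ANY" permit log

# Checks: which route a destination resolves to, and the translated session
# for a client (12.54.120.1 and 192.168.1.3 are placeholders).
get route ip 12.54.120.1
get session src-ip 192.168.1.3
get interface ethernet4
```

    Once the session shows up under `get session src-ip` with the translated address, the earlier troubleshooting can be switched off again with `undebug all` and `unset ffilter`; leaving `debug flow basic` running on a production box is a CPU cost with no benefit.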



  • 19.  RE: Netscreen 25 with new ISP

    Posted 04-13-2009 09:07

    Hi

     

    Cool, that's great that it's finally working! 🙂



  • 20.  RE: Netscreen 25 with new ISP

    Posted 04-13-2009 10:31

    Yeah I'm glad we got that part figured out, but now we want to use the same network IP block that's from the old ISP (208.36.7.0) and route to the ATT gateway, cause inside we have DNS, DCs, web servers running on that IP block. We should be able to do that right, move over the current network to the new one? So the 208 addresses will become 12.54.120.xx outside. We've never been down this ave before, so just wanted to get a plan down.

     

    carlo



  • 21.  RE: Netscreen 25 with new ISP

    Posted 04-13-2009 10:39

    hm, not sure I got your question? You just want to migrate your ISP link to the 12.x subnet right? Based on the old configuration, that's going to be fine.

    But you want to keep some of your 208.x stuff?



  • 22.  RE: Netscreen 25 with new ISP

    Posted 04-13-2009 11:26

    Yeah basically here, our old network is on eth1 & 3 in transparent mode, our current IPs are public and we wanna go NAT;

       ethernet1 0.0.0.0/0 V1-Trust Layer2 Up - Edit

       ethernet2 192.168.1.1/29 V2-Trust Layer3 Up - Edit

       ethernet3 0.0.0.0/0 V1-Untrust Layer2 Up - Edit

       ethernet4 12.54.120.33/27 V2-Untrust Layer3 Up  Edit

       vlan1 208.36.7.6/24 VLAN Layer3 Up - Edit

     

    so what we wanna do is change over eth1 to a 208.36.7.xx address, just so we don't have to mess with the current internal network; servers and some production machines are in that subnet. We just used eth 2 & 4 to test it. So we change eth1 to 208.36.7.0/32 and add the source route as well.

     

    carlo



  • 23.  RE: Netscreen 25 with new ISP

    Posted 04-14-2009 13:03

    Hi WL, got a question, can we use any of the ip blocks from ATT and use that to match an inside IP address and NAT it,

    ex. 192.168.1.2 > 12.54.120.2 and so on. Thanks

     

    carlo



  • 24.  RE: Netscreen 25 with new ISP

    Posted 04-14-2009 13:26

    Hi

     

    Yes, we can do that. We would just need to configure a MIP for that. MIP does one-to-one bidirectional mapping.

     

    Here's a pretty good explanation for it;

    http://kb.juniper.net/index?page=content&id=KB12835&actp=search&searchid=1239737373306

     

    I think there is also a NAT starter guide posted on this forum if you need more stuff on natting:

    http://kb.juniper.net/KB11909

     

    Let me know if you can't view the stuff
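    As an added example (not configuration from this thread or from the linked KB articles), here is what the one-to-one mapping asked about above looks like on the untrust interface, with the policies it needs. It uses the poster's own illustration pair 192.168.1.2 > 12.54.120.2; note that 12.54.120.2 lies outside the 12.54.120.32/27 block shown earlier, so treat it as a placeholder for an address AT&T actually routes to this firewall. Zone names V2-Trust/V2-Untrust are from the interface list above. Lines starting with # are annotations, not ScreenOS commands.

```screenos
# Added example, not configuration from this thread or the linked KB articles.
# 12.54.120.2 is the poster's illustration and is a placeholder here.

# The MIP: a one-to-one, bidirectional translation. Inbound packets to
# 12.54.120.2 become 192.168.1.2; outbound packets from 192.168.1.2 leave as
# 12.54.120.2 rather than as the ethernet4 address.
set interface ethernet4 mip 12.54.120.2 host 192.168.1.2 netmask 255.255.255.255 vr trust-vr

# Inbound policy. The address object MIP(12.54.120.2) is created along with
# the MIP. Permit only the service the host actually serves: every service
# named here becomes reachable from the whole Internet, so "ANY" is the one
# thing not to put in this line.
set policy id 10 from "V2-Untrust" to "V2-Trust" "Any" "MIP(12.54.120.2)" "HTTP" permit log

# Outbound from the mapped host still needs the ordinary trust-to-untrust
# policy; the MIP supplies the translation, not the permission.
set policy id 11 from "V2-Trust" to "V2-Untrust" "Any" "Any" "ANY" permit log

# Checks: the MIP table, the inbound policy, and live sessions to the host.
get mip
get policy id 10
get session dst-ip 192.168.1.2
```

    Because the mapping is bidirectional, the inside host's outbound traffic is now pinned to that public address too, which makes it easy to pick out in the session table and in the ISP's logs; add a separate policy line per additional service rather than widening the existing one.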



  • 25.  RE: Netscreen 25 with new ISP

    Posted 04-14-2009 15:56

    Thanks WL, we'll give it a read.

     

    carlo



  • 26.  RE: Netscreen 25 with new ISP

    Posted 04-15-2009 11:20
    Hi WL, question, do we need to setup vlan1 on eth2 & 4, just trying to compare settings, we have that on the current network eth1 & 3, (in transparent mode), we re-did it again from scratch cause there were slowdowns on some sites.


  • 27.  RE: Netscreen 25 with new ISP

    Posted 04-15-2009 12:00

    Actually in transparent mode you will need vlan1 for management purposes etc, etc. I don't think you are going to be able to configure another one for the actual L3 stuff you are trying to do.

     

    Will you be running the FW in L2 and L3 together? It could cause some other issues if the routing is not set up properly though.



  • 28.  RE: Netscreen 25 with new ISP

    Posted 04-15-2009 13:15

    I see, this is kinda tough cause the current network is that way, and we're trying to setup the other 2 ports another way, we're kinda doing this like a parallel setup. How are we gonna do this migration if those modes aren't supported together, should we get another FW? Can we go transparent also on the new one, but will we be able to use NAT? Once we figure out some of the steps, we wanna come in on a weekend and change it over, but wanna make sure we're doing it right.



  • 29.  RE: Netscreen 25 with new ISP
    Best Answer

    Posted 04-15-2009 14:22

    hmmm, so what you are doing is something like this:

     

    Trust (dhcp for users on 192.168.X.X net) --------FW-----------(untrust) public ip-----Internet

                                                                                       ------------(dmz) public ip --------Internet

     

    If it is then pretty much you can do the FW totally in L3 mode. It would simplify a lot of stuff for you if you do it that way. So all of your users would then be in a private subnet.

     

    Not sure if this is going to fit all your requirements though



  • 30.  RE: Netscreen 25 with new ISP

    Posted 04-15-2009 14:31

    This is it but without the dmz (no dmz port on ns25) and keeping old IPs

     

    Trust (dhcp for users on 192.168.X.X net) --------FW-----------(untrust) public ip-----Internet

                                                  ^

                                        we wanna keep the old IPs from the old isp (208.36.7.x)



  • 31.  RE: Netscreen 25 with new ISP

    Posted 04-15-2009 16:03
    Hi WL, I think we got it figured out, we're able to setup MIP(192.xx inside > 12.xx outside), we just need to unplug the old network, cause it's not letting us have two 208.36.7.x network entries in the interfaces. We'll give it a test run at the end of the day, but I think we got it tackled. Thanks for all your help.


  • 32.  RE: Netscreen 25 with new ISP

    Posted 04-15-2009 16:12
    that's great! 🙂