Screen OS

  • 1.  Outbound traffic source IP is juniper IP and not MIP ip

    Posted 07-21-2014 09:30

    Hi All,

    I have a situation that I am struggling to resolve. I have a single static IP from my ISP and a separate block of IPs that I use for MIPs for my email servers. Outbound traffic from my email servers is all showing the single static IP as the source instead of the MIP.

    To configure the MIPs for my email servers I created a loopback interface in the same zone as the single static IP.

    Static IP1 50.50.50.82/30

    Static IP block 50.50.60.64/27

    In message headers all outbound email shows IP 50.50.50.82 as source IP instead of (for example) 50.50.60.69 for email server #1 or 50.50.60.70 for email server #2.

    Is this something that can be solved with the way I have everything set up with the loopback interface? Any assistance will be greatly appreciated. As it stands right now, when one email user gets hacked and sends spam, 7 different email servers get blacklisted since they all appear to be coming from the same IP.

    Thanks!!


  • 2.  RE: Outbound traffic source IP is juniper IP and not MIP ip
    Best Answer

    Posted 07-21-2014 13:02
    Try adding the interface with the static IP to the loopback group of the loopback interface with the MIP.


  • 3.  RE: Outbound traffic source IP is juniper IP and not MIP ip

    Posted 07-21-2014 14:50

    Confirm that your interfaces are all in "route" mode and not "nat" mode. Internet traffic can automatically be NATed to the egress interface IP if "nat" mode on the interface is enabled.



  • 4.  RE: Outbound traffic source IP is juniper IP and not MIP ip

    Posted 07-22-2014 08:05

    I spent last night reading a few of the NAT chapters in the ScreenOS manual. There are a few changes that I have made to hopefully get this situation under control.

    #1 My public IPs were in a custom VR and custom zone named comcast. I used NSM to change them to the trust-vr and the untrust zone.

    I changed all the private interfaces, public interfaces, and loopback interfaces to route mode (some were in NAT mode).

    To get to the internet I have to use source based on public interface for traffic to pass, so I think I am getting close. I have some more config tests to run and now will add loopback groups to the mix to see if that helps get me to the solution.

    Will post once I make more progress.



  • 5.  RE: Outbound traffic source IP is juniper IP and not MIP ip

    Posted 07-22-2014 08:59

    Thank you both for your assistance, changing the interfaces to route mode and adding the interface with the public IP to the loopback group was the solution. Emails are now going out by the MIP IP and we are no longer getting blacklisted!!!

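The fix confirmed in the thread (route mode on the interfaces, then putting the static-IP interface into the loopback group that carries the MIPs) written out as an added ScreenOS configuration fragment; it is not taken from any post in this thread. The interface names (ethernet0/0 for the single static IP, ethernet0/2 for the inside segment), the loopback address 50.50.60.65 and the private mail-server address 192.168.10.11 are assumptions; the public prefixes and the MIP address 50.50.60.69 are the ones from the original post.

```text
# --- Before: the configuration that produces the symptom ---
# Inside interface left in NAT mode (the trust-zone default): every
# session leaving through the untrust interface is source-translated
# to that interface's own address, 50.50.50.82.
set interface ethernet0/2 zone trust
set interface ethernet0/2 ip 192.168.10.1/24
set interface ethernet0/2 nat
set interface ethernet0/0 zone untrust
set interface ethernet0/0 ip 50.50.50.82/30
# MIPs are defined on a loopback (address assumed) in the same zone,
# but ethernet0/0 is not a member of the loopback group, so the MIP is
# never applied to sessions that leave via ethernet0/0.
set interface loopback.1 zone untrust
set interface loopback.1 ip 50.50.60.65/27
set interface loopback.1 mip 50.50.60.69 host 192.168.10.11 netmask 255.255.255.255 vr trust-vr

# --- After: the thread's solution ---
# 1. Route mode on inside and outside interfaces: no implicit
#    interface-based source NAT to 50.50.50.82.
set interface ethernet0/2 route
set interface ethernet0/0 route
# 2. Make the static-IP interface a member of the loopback group, so the
#    MIP on loopback.1 applies to sessions egressing ethernet0/0 in both
#    directions; the reverse (outbound) translation is what puts the MIP
#    address, not 50.50.50.82, into the mail headers.
set interface ethernet0/0 loopback-group loopback.1

# Check: the interface should show route mode and its loopback group,
# and the MIP list should show 50.50.60.69 on loopback.1.
get interface ethernet0/0
get mip
```

After the change, a Received: header on mail sent from 192.168.10.11 should carry 50.50.60.69, and a different MIP per server keeps one compromised mailbox from blacklisting all of them at once.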


  • 6.  RE: Outbound traffic source IP is juniper IP and not MIP ip

    Posted 07-22-2014 13:46

    Glad to hear you have it all cleared up.



  • 7.  RE: Outbound traffic source IP is juniper IP and not MIP ip

    Posted 08-02-2015 06:45

    Hi,

    I have the same problem with a NetScreen SSG320.

    Interface 0/0 is configured with a PPPoE internet connection and the default route is pointed to this.

    Interface 0/1 is configured with a leased line (static IP 1.1.1.2/30) and the ISP side is 1.1.1.1/30.

    I have an email server 10.10.10.10/32.

    I have created a source route for 10.10.10.10/32 to be routed via gateway 1.1.1.1/32.

    At the same time I have configured a MIP on Int 0/1 pointing the additional IP we got from the ISP, 2.2.2.2, to host 10.10.10.10.

    Created relevant Trust to Untrust policies.

    Now, incoming emails are fine. But when we send outgoing email, the email header shows the source IP as the leased line IP 1.1.1.2. But we should get the MIP IP 2.2.2.2.

    Please suggest any help.