Screen OS

  • 1.  Problem about the Routing of SSG140

    Posted 12-19-2012 20:47

    Hello everyone, I have a question about route forwarding and hope to get everyone's help. Thanks!

    Sorry for my bad English~~

    Here is a simple topology description (the IP addresses are not real, just for example):

    {Client:[ PC with IP 3.3.3.3]}|----|{Internet Cloud--[ISP Router with IP 4.4.4.4]}|----|{Company:[Juniper SSG140 with OutsideIP:4.4.4.5,DmzIP:192.168.1.1]--[DmzServer:192.168.1.2]}

    Now:

    1. There are no routes on the SSG140 except directly connected or host routes.

    2. The DMZ server publishes its web service using an SSG140 VIP (e.g. 4.4.4.6:80).

    3. A policy from Untrust to DMZ permits any client to access the DMZ server.

    4. Accessing http://4.4.4.6 from the client works!!

     

    According to my understanding, There is no route to match 192.168.1.2->3.3.3.3,  the access request should not be successful, but it worked, Why???

     

    I guess maybe The SSG140 has the features just like Cisco CEF or  Something Routing Over Lay2(eg:FabricPath), Anyone has idea ? Thanks! Sorry for my bad English again!

     

     



  • 2.  RE: Problem about the Routing of SSG140

    Posted 12-19-2012 21:01

    Using the CLI command "get session", I saw something like "IF6" (is it the interface number?) and "xxxxxxxxxxxx" (the MAC address of the ISP router). So is it possible that the SSG140 uses the request's inbound interface or the MAC address of the ISP gateway to return the response???

    I tried to find the answer in the Juniper manual, but failed~~~ Anyone have an idea? Thanks!



  • 3.  RE: Problem about the Routing of SSG140

    Posted 12-19-2012 21:10

    By the way, all of the interfaces are working in route mode, no NAT. Thanks.



  • 4.  RE: Problem about the Routing of SSG140
    Best Answer

    Posted 12-19-2012 23:54

    Hi,

    This is explained in the CLI reference guide (set flow reverse-route { clear-text { always | prefer } | tunnel { always | prefer } } command):

    clear text
    Used with the unset command, specifies that reverse route lookup during session creation is not performed. Instead, traffic arriving in the reverse direction is sent back using the cached MAC address.

    clear text always
    Perform reverse route lookup during session creation. If no route is found, traffic arriving in the reverse direction is dropped.

    clear text prefer
    Perform reverse route lookup during session creation. If a route is found, use that route. If no route is found, traffic arriving in the reverse direction is sent back using the cached MAC address. This is the default.

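The three reverse-route settings quoted above, as an added Python model that is neither ScreenOS code nor part of this thread: it runs the thread's topology (client 3.3.3.3 reaching VIP 4.4.4.6 through the ISP router, SSG140 holding only connected routes) through session creation under unset, always and prefer. The routing table, VIP mapping, interface names and MAC address are constructed for the illustration.

```python
import ipaddress

# Constructed for the thread's topology: only connected routes, no default route.
ROUTES = {
    "4.4.4.4/30": "ethernet0/0",      # untrust side, SSG140 outside IP 4.4.4.5
    "192.168.1.0/24": "ethernet0/2",  # DMZ side, SSG140 at 192.168.1.1
}
VIP = {"4.4.4.6": "192.168.1.2"}  # constructed VIP -> DMZ web server


def route_lookup(routes, dst):
    """Longest-prefix match; returns the egress interface or None if no route covers dst."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, ifname in routes.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, ifname)
    return best[1] if best else None


def create_session(routes, src, dst, in_if, src_mac, mode):
    """Build the session entry for the first packet src->dst arriving on in_if.

    mode follows the three settings quoted from the CLI reference:
      'unset'  - no reverse-route lookup; replies go to the cached MAC on in_if
      'always' - lookup; with no route, reverse traffic is dropped
      'prefer' - lookup; use the route if found, else the cached MAC (default)
    The 'reverse' field records how the DMZ server's replies will be handled.
    """
    if mode not in ("unset", "always", "prefer"):
        raise ValueError(f"unknown reverse-route mode: {mode}")
    real_dst = VIP.get(dst, dst)                 # VIP translation to the DMZ host
    cached = ("cached-mac", in_if, src_mac)      # what "get session" showed the poster
    if mode == "unset":
        reverse = cached
    else:
        egress = route_lookup(routes, src)       # reverse lookup: a route back to src
        if egress is not None:
            reverse = ("route", egress)
        elif mode == "always":
            reverse = ("drop",)
        else:
            reverse = cached
    return {"src": src, "dst": dst, "real_dst": real_dst,
            "in_if": in_if, "reverse": reverse}


if __name__ == "__main__":
    for mode in ("unset", "always", "prefer"):
        s = create_session(ROUTES, "3.3.3.3", "4.4.4.6", "ethernet0/0",
                           "00:11:22:33:44:55", mode)
        print(f"{mode:7s} -> {s['reverse']}")
```

Only the always setting refuses the reply when no route back to the client exists; both the unset state and the default prefer fall back to the cached MAC, which is why the original poster's access worked with no route for 3.3.3.3.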


  • 5.  RE: Problem about the Routing of SSG140

    Posted 12-20-2012 00:43

    Thanks, Edouard! Your answer is helpful!!!



  • 6.  RE: Problem about the Routing of SSG140

    Posted 12-20-2012 14:11

    This often surprises people. Welcome to the world of stateful packet handling!