Screen OS

This is a legacy community with limited Juniper monitoring.
  • 1.  Problem achieving bidirectional translation with MIP!

    Posted 01-06-2009 04:54

    Hello Forum!

    Excuse me if my question is a repeat, but I have been following instructions from similar topics on this forum, with no success yet!

    I have an SSG-350M (6.0.0.r4). The Untrust interface has the address 213.213.1.2/24 (default gateway = 213.213.1.1). The whole range is available for MIP or DIP. On the Trust interface the IP is 192.168.1.1/24. I have a server whose IP is 192.168.1.48, and I want to map it to 213.213.1.48, so that when this server accesses the Internet (traffic from Server/Trust to any/Untrust) it will use that address. I also want any service request to 213.213.1.48 from any/Untrust to be forwarded to 192.168.1.48.

    On the Untrust interface I created a new MIP (213.213.1.48) with Host = 192.168.1.48 and mask = 32. In the policies I permit traffic from Server/Trust to any/Untrust. I also added a second policy to permit any/Untrust towards MIP(213.213.1.48)/Trust any/service.

    When I use the server to access the site www.whatismyip.com, I get 213.213.1.48, which means it works fine in this direction. But when I try to connect to the server using Remote Desktop (RDP) from another Internet connection (I try to connect to 213.213.1.48), nothing happens! I tried to ping as well, with no success! Meanwhile, from my LAN PC (192.168.1.90) I can ping that server (192.168.1.48) and I can connect to it using RDP!! What could be wrong? Could it be a firmware issue?

    Many Thanks in advance for your support!

     



  • 2.  RE: Problem achieving bidirectional translation with MIP!

    Posted 01-06-2009 07:20

    Hi,

     

    Is your MIP working for any other addresses?

     

    If not, you could check that you have the IP addresses the right way around.

     

    Regards

     

    Gavrilo



  • 3.  RE: Problem achieving bidirectional translation with MIP!

    Posted 01-06-2009 10:07

    Hi,

     

    If all else fails, I would debug the traffic to see what the firewall is doing with it.  Try the following.  If you need help reading the "db str", post the results.  Good luck.

     

    1.  From Firewall:

    set ff dst-ip 213.213.1.48

    set ff dst-ip 192.168.1.48

    debug flow basic

    clear db

     

    2.  From Test PC:

    test from Untrust (e.g. try to RDP)

     

    3.  From Firewall:

    undebug all

    get db str

     

    4.  Review the stream.  You should see the traffic arrive, route look-up, policy check, and forwarded.

     

    -John

     

     



  • 4.  RE: Problem achieving bidirectional translation with MIP!
    Best Answer

    Posted 01-07-2009 23:21

    Thank you All!

     

    I did as told, but found nothing strange in the captured data! I made a visit to the site, and I found that the customer has placed a Cyberoam firewall in Transparent Bridging Mode between the 192.168.1.x segment and the Juniper LAN. They are using the Cyberoam to control bandwidth. The Cyberoam administrator added a rule to allow inbound traffic towards the server, and now everything is working fine!

     

    Many Thanks for your support!

     

    Mohamed Abdulla