ScreenOS Firewalls (NOT SRX)
Visitor
Mohamed-Abdulla

Problem achieving bidirectional translation with MIP!

Hello Forum!

Excuse me if my question is a repeat, but the fact is that I have been following instructions from similar topics on this forum, with no success yet!

I have an SSG-350M (6.0.0r4). On the Untrust interface it has the address 213.213.1.2/24 (default gateway 213.213.1.1). The whole range is available for MIP or DIP. On the Trust interface the IP is 192.168.1.1/24. I have a server whose IP is 192.168.1.48, and I want to map it to 213.213.1.48, so that when this server accesses the Internet (traffic from Server/Trust to Any/Untrust) it uses that address. I also want any service request to 213.213.1.48 from Any/Untrust to be forwarded to 192.168.1.48.

On the Untrust interface I created a new MIP (213.213.1.48) with Host = 192.168.1.48, mask = 32. In policies I permit traffic from Server/Trust to Any/Untrust. I also added a second policy to permit Any/Untrust towards MIP(213.213.1.48)/Trust, any service.

When I use the server to access the site www.whatismyip.com, I get 213.213.1.48, which means it works fine in this direction. But when I try to connect to the server using Remote Desktop (RDP) from another Internet connection (I try to connect to 213.213.1.48), nothing happens! I tried to ping as well, with no success! Meanwhile, from my LAN PC (192.168.1.90) I can ping that server (192.168.1.48) and I can connect to it using RDP!! What could be wrong? Could it be a firmware issue?

Many thanks in advance for your support!

Trusted Contributor
Gavrilo

Re: Problem achieving bidirectional translation with MIP!

Hi,

Is your MIP working for any other addresses?

If not, you could check that you have the IP addresses the right way around.

Regards

Gavrilo

Distinguished Expert
firewall72

Re: Problem achieving bidirectional translation with MIP!

Hi,

If all else fails, I would debug the traffic to see what the firewall is doing with it. Try the following. If you need help reading the "db str", post the results. Good luck.

1.  From Firewall:

set ff dst-ip 213.213.1.48

set ff dst-ip 192.168.1.48

debug flow basic

clear db

2.  From Test PC:

test from Untrust (e.g. try to RDP)

3.  From Firewall:

undebug all

get db str

4.  Review the stream. You should see the traffic arrive, the route lookup, the policy check, and the packet forwarded.

-John

John Judge
JNCIS-SEC, JNCIS-ENT,
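The walk-through above tells you which checkpoints to look for in the debug stream but not how to read them in order. The following POSIX shell script is an added example, not part of the forum post and not Juniper's code: it takes a saved "get db str" capture (from "debug flow basic" with the two "set ff dst-ip" filters) and reports the first checkpoint that is missing, which is the point at which to start looking. The sample capture embedded in it is constructed; its line formats, the client address 198.51.100.7, the interface names ethernet0/0 and ethernet0/1, and the policy number are assumptions that only approximate what ScreenOS 6.x prints, so adjust the regexes to match a real capture. It also checks one thing the post's list does not name: whether any packet from the real host ever comes back, which is exactly the symptom of a device sitting between the firewall and the server.

```shell
#!/bin/sh
# Triage a ScreenOS "get db str" capture taken with "debug flow basic" and the two
# "set ff dst-ip" filters from the post. Added example, not from the forum post or
# from Juniper. The stage regexes and the sample stream below approximate what
# ScreenOS 6.x prints (assumption): adjust them to match your own capture.

MIP_ADDR=213.213.1.48    # public address from the thread
HOST_ADDR=192.168.1.48   # real server behind the MIP
HOST_PORT=3389           # RDP, the service under test

# Constructed sample (assumed client address, interface names and policy number):
# an inbound RDP SYN that is translated, routed, permitted and sent towards Trust,
# after which no packet from the host ever shows up. That is the shape of the
# thread's problem, where a device between the firewall and the host dropped it.
SAMPLE_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_FILE"' EXIT
cat > "$SAMPLE_FILE" <<'EOF'
****** 1234.0: <Untrust/ethernet0/0> packet received [60]******
  packet passed sanity check.
  ethernet0/0:198.51.100.7/50123->213.213.1.48/3389,6<Root>
  no session found
  chose interface ethernet0/0 as incoming nat if.
  search route to (ethernet0/0, 198.51.100.7->192.168.1.48) in vr trust-vr
  routed (x_dst_ip 192.168.1.48) from ethernet0/0 to ethernet0/1
  policy search from zone 1-> zone 2
  Permitted by policy 2
  packet send out through ethernet0/1
EOF

# Ordered checkpoints as "label;extended-regex", one per line. Order matters:
# the first checkpoint that is absent tells you where to look next.
stage_table() {
    host_re=$(printf '%s' "$HOST_ADDR" | sed 's/\./\\./g')
    printf '%s\n' \
        "arrived;packet received" \
        "mip-translated;x_dst_ip $host_re" \
        "routed;search route to" \
        "policy-permitted;Permitted by policy" \
        "forwarded;send out" \
        "host-replied;$host_re/$HOST_PORT->"
}

# stage_seen FILE LABEL: succeeds when the checkpoint's pattern occurs in FILE.
stage_seen() {
    re=$(stage_table | grep "^$2;" | cut -d';' -f2-)
    [ -n "$re" ] && grep -Eq -- "$re" "$1"
}

# first_missing_stage FILE: prints the first absent checkpoint, or "none".
first_missing_stage() {
    missing=$(stage_table | while IFS=';' read -r label re; do
        if ! grep -Eq -- "$re" "$1"; then
            printf '%s' "$label"
            break
        fi
    done)
    printf '%s\n' "${missing:-none}"
}

# diagnose FILE: turns the first missing checkpoint into the next thing to check.
diagnose() {
    case $(first_missing_stage "$1") in
        arrived)          echo "nothing for $MIP_ADDR reached the firewall: check the path and ARP for the MIP on Untrust" ;;
        mip-translated)   echo "packet arrived but was not rewritten to $HOST_ADDR: check the MIP entry on the Untrust interface" ;;
        routed)           echo "translated but no route lookup: check the route to $HOST_ADDR in the virtual router" ;;
        policy-permitted) echo "routed but not permitted: check the Untrust-to-Trust policy to MIP($MIP_ADDR)" ;;
        forwarded)        echo "permitted but never sent out: check the egress interface and zone" ;;
        host-replied)     echo "sent to Trust but $HOST_ADDR never answered: look between the firewall and the host (the host itself, or an inline device such as a transparent bridge)" ;;
        none)             echo "both directions seen: the firewall is translating the MIP correctly" ;;
    esac
}

diagnose "$SAMPLE_FILE"
```

Save the output of "get db str" to a file and run diagnose on it. For the situation in this thread the SYN is seen all the way through forwarded and the first missing checkpoint is host-replied, which points past the firewall rather than at the MIP or the policy.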
Visitor
Mohamed-Abdulla

Re: Problem achieving bidirectional translation with MIP!

Thank you all!

I did as told, but found nothing strange in the captured data. I made a visit to the site, and I found that the customer has placed a Cyberoam firewall in transparent bridging mode between the 192.168.1.x segment and the Juniper LAN. They are using the Cyberoam to control bandwidth. The Cyberoam administrator added a rule to allow inbound traffic towards the server, and now everything is working fine!

Many thanks for your support!

Mohamed Abdulla
