Screen OS

  • 1.  Problem connecting to Public / NAT address from Inside (Trust) zone - help please?

    Posted 06-19-2013 05:31

    I have a web server in my DMZ zone, which has a public and private address. (public say 1.1.1.1 and private 172.16.0.10)

    I would like to be able to connect to the PUBLIC address from the outside (Untrust and Trusted-Ext) and also the inside (Trust).

    Problem:
    --------
    My current configuration allows me to telnet to port 80 from the outside (Untrust and Trusted-Ext) but not from the inside (Trust):
    From         int.  Public  Private
    ----         ----  ------  -------
    Untrust      3/1   yes     no
    Trusted-Ext  3/2   yes     no
    Trust        3/4   no      yes     <==== would like to be able to connect to public address

    My zones / interfaces:
    set interface "ethernet3/1" zone "Untrust"
    set interface "ethernet3/2" zone "Trusted-Ext"
    set interface "ethernet3/3" zone "DMZ"
    set interface "ethernet3/4" zone "Trust"

    My policies:
    set policy id 179 from "Untrust" to "DMZ"  "Any" "EXT-Test web server" "Any" nat dst ip 172.16.0.10 permit log
    set policy id 181 from "Trusted-Ext" to "DMZ"  "Any" "EXT-Test web server" "ANY" nat dst ip 172.16.0.10 permit log
    set policy id 178 from "Trust" to "DMZ"  "Any" "EXT-Test web server" "ANY" nat dst ip 172.16.0.10 permit log
    (policies 179 and 181 work but 178 does not)

    Is there anything that I have overlooked?  I'd appreciate any help.
    Thanks in advance



  • 2.  RE: Problem connecting to Public / NAT address from Inside (Trust) zone - help please?

    Posted 06-19-2013 14:34

    When using nat dst you need to set a /32 route for the public address to the outgoing interface, or add the public address as a secondary address on the outgoing (DMZ) interface. I prefer the route, so something like: set route 1.1.1.1/32 interface ethernet3/3. Right now the device "thinks" the traffic needs to be routed to outside. With the route you force it to DMZ, so the correct policy will be hit.

     



  • 3.  RE: Problem connecting to Public / NAT address from Inside (Trust) zone - help please?

    Posted 06-20-2013 02:25

    Thanks Screenie.

     

    I tried adding the route and turned on the debug facility.  It does seem as though it is being routed but not hitting any policy.  It reaches the default global policy 320000 (deny).  I can't figure out why the policy is not being hit.

     

    Netscreen(M)-> debug flow basic

    Netscreen(M)-> set ffilter dst-ip 1.1.1.1
    filter added
    Netscreen(M)-> clear db

     

    (I then telnetted from another PuTTY session: telnet 1.1.1.1 port 80 src-interface e3/4)


    Netscreen(M)-> get db str
    ****** 42530253.0: <Trust/ethernet3/4> packet received [44]******
      ipid = 18680(48f8), @0c99d214
      self:172.23.64.92/28400->1.1.1.1/80,6<Root>
      flow_decap_vector IPv4 process
      ethernet3/4:172.23.64.92/28400->1.1.1.1/80,6<Root>
      no session found
      flow_first_sanity_check: in <ethernet3/4>, out <ethernet3/3>
      chose interface ethernet3/4 as incoming nat if.
      flow_first_routing: in <ethernet3/4>, out <ethernet3/3>
      search route to (ethernet3/4, 172.23.64.92->172.16.0.10) in vr trust-vr for vsd-0/flag-0/ifp-null
      [ Dest] 6.route 172.16.0.10->172.16.0.10, to ethernet3/3
      routed (x_dst_ip 172.16.0.10) from ethernet3/4 (ethernet3/4 in 0) to ethernet3/3
      policy search from zone 2-> zone 3
     policy_flow_search  policy search nat_crt from zone 2-> zone 10
      RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 1.1.1.1, port 80, proto 6)
      No SW RPC rule match, search HW rule
    swrs_search_ip: policy matched id/idx/action = 320000/-1/0x0
      Searching global policy.
    swrs_search_ip: policy matched id/idx/action = 320000/-1/0x0
    policy id (320000)
    packet dropped, denied by policy
    Policy id deny policy, ipv6 0, flow_potential_violation 0



  • 4.  RE: Problem connecting to Public / NAT address from Inside (Trust) zone - help please?

    Posted 06-20-2013 02:28

    ... and further to above the routing table looks okay:

     

    Netscreen (M)-> get route | incl 1.1.1.1
    *      7285  1.1.1.1/32         eth3/3         0.0.0.0   S   20      1     Root
    Netscreen (M)->



  • 5.  RE: Problem connecting to Public / NAT address from Inside (Trust) zone - help please?
    Best Answer

    Posted 06-20-2013 02:59

    OKAY - I think I have it.  It is not ideal since it requires a MIP but here it is plus the debug:

     


    set interface "ethernet3/4" mip 1.1.1.1 host 172.16.0.10 netmask 255.255.255.255 vr "trust-vr"
    set policy id 188 from Trust to DMZ any MIP(1.1.1.1) Any permit log

    Netscreen(M)-> undebug all
    Netscreen(M)-> set ffilter dst-ip 1.1.1.1
    filter added
    Netscreen(M)-> get ffilter
    Flow filter based on:
    id:0 dst ip 1.1.1.1
    Netscreen(M)-> clear db
    Netscreen(M)-> debug flow basic
    Netscreen(M)-> get db str
    Netscreen(M)-> get db str
    ****** 42532292.0: <Trust/ethernet3/4> packet received [44]******
      ipid = 20850(5172), @0c99e194
      self:172.23.64.92/35315->1.1.1.1/80,6<Root>
      flow_decap_vector IPv4 process
      ethernet3/4:172.23.64.92/35315->1.1.1.1/80,6<Root>
      no session found
      flow_first_sanity_check: in <ethernet3/4>, out <ethernet3/3>
      chose interface ethernet3/4 as incoming nat if.
      flow_first_routing: in <ethernet3/4>, out <ethernet3/3>
      search route to (ethernet3/4, 172.23.64.92->172.16.0.10) in vr trust-vr for vsd-0/flag-0/ifp-null
      [ Dest] 6.route 172.16.0.10->172.16.0.10, to ethernet3/3
      routed (x_dst_ip 172.16.0.10) from ethernet3/4 (ethernet3/4 in 0) to ethernet3/3
      policy search from zone 2-> zone 3
     policy_flow_search  policy search nat_crt from zone 2-> zone 10
      RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 1.1.1.1, port 80, proto 6)
      No SW RPC rule match, search HW rule
    swrs_search_ip: policy matched id/idx/action = 188/144/0x9
      Permitted by policy 188
      dip id = 2, 172.23.64.92/35315->172.23.191.254/57476
      choose interface ethernet3/3 as outgoing phy if
      check nsrp pak fwd: in_tun=0xffffffff, VSD 0 for out ifp ethernet3/3
      no loop on ifp ethernet3/3.
      session application type 6, name HTTP, nas_id 0, timeout 1800sec
      service lookup identified service 0.
      flow_first_final_check: in <ethernet3/4>, out <ethernet3/3>
      existing vector list 123-4a531b4.
      Session (id:523112) created for first pak 123
      flow_first_install_session======>
      route to 172.16.0.10
      arp entry found for 172.16.0.10
      ifp2 ethernet3/3, out_ifp ethernet3/3, flag 10800e00, tunnel ffffffff, rc 1
      outgoing wing prepared, ready
    Success installing work and forward sessions
      flow got session.
      flow session id 523112
      flow_main_body_vector in ifp ethernet3/4 out ifp ethernet3/3
      flow vector index 0x123, vector addr 0x4a531b4, orig vector 0x4a531b4
      vsd 0 is active
      Got syn, 172.23.64.92(35315)->1.1.1.1(80), nspflag 0x2003811, 0x10800e00
      post addr xlation: 172.23.191.254->172.16.0.10.
      packet send out to 0050568701f0 through ethernet3/3
    ****** 42532292.0: <Trust/ethernet3/4> packet received [40]******
      ipid = 20852(5174), @0c99d214
      self:172.23.64.92/35315->1.1.1.1/80,6<Root>
      flow_decap_vector IPv4 process
      ethernet3/4:172.23.64.92/35315->1.1.1.1/80,6<Root>
      existing session found. sess token 3
      flow got session.
      flow session id 523112
      flow_main_body_vector in ifp ethernet3/4 out ifp ethernet3/3
      flow vector index 0x123, vector addr 0x4a531b4, orig vector 0x4a531b4
      vsd 0 is active
      Got ack, 172.23.64.92(35315)->1.1.1.1(80), natpflag 0x0, nspflag 0x2003811, 0x10801e00, timeout=900
      post addr xlation: 172.23.191.254->172.16.0.10.
      packet send out to 0050568701f0 through ethernet3/3
    Netscreen(M)->

    Thanks for the help - much appreciated.
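The two debug captures in this thread (the denied one in reply 3 and the permitted one in reply 5) are read the same way: find the first packet, see where it was routed, which zone pair was searched and which policy id finally matched. The script below is an added example, not part of the thread or of any Juniper tool: it parses `debug flow basic` output with regular expressions keyed on the exact lines shown above and summarises the first-packet decision. The two sample traces are excerpted from the captures posted in this thread; the wording of the hints in `diagnose()` is this example's own interpretation, and the regular expressions only cover the line formats that appear here.

```python
"""Summarise the policy decision in ScreenOS 'debug flow basic' output (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample traces excerpted from the two captures posted in this thread.
DENIED_TRACE = """\
****** 42530253.0: <Trust/ethernet3/4> packet received [44]******
  ipid = 18680(48f8), @0c99d214
  self:172.23.64.92/28400->1.1.1.1/80,6<Root>
  ethernet3/4:172.23.64.92/28400->1.1.1.1/80,6<Root>
  no session found
  flow_first_routing: in <ethernet3/4>, out <ethernet3/3>
  routed (x_dst_ip 172.16.0.10) from ethernet3/4 (ethernet3/4 in 0) to ethernet3/3
  policy search from zone 2-> zone 3
swrs_search_ip: policy matched id/idx/action = 320000/-1/0x0
  Searching global policy.
swrs_search_ip: policy matched id/idx/action = 320000/-1/0x0
policy id (320000)
packet dropped, denied by policy
"""

PERMITTED_TRACE = """\
****** 42532292.0: <Trust/ethernet3/4> packet received [44]******
  self:172.23.64.92/35315->1.1.1.1/80,6<Root>
  ethernet3/4:172.23.64.92/35315->1.1.1.1/80,6<Root>
  no session found
  flow_first_routing: in <ethernet3/4>, out <ethernet3/3>
  routed (x_dst_ip 172.16.0.10) from ethernet3/4 (ethernet3/4 in 0) to ethernet3/3
  policy search from zone 2-> zone 3
swrs_search_ip: policy matched id/idx/action = 188/144/0x9
  Permitted by policy 188
  Session (id:523112) created for first pak 123
  post addr xlation: 172.23.191.254->172.16.0.10.
****** 42532292.0: <Trust/ethernet3/4> packet received [40]******
  ethernet3/4:172.23.64.92/35315->1.1.1.1/80,6<Root>
  existing session found. sess token 3
"""

DEFAULT_DENY_POLICY = 320000  # the global default policy id seen in the denied capture


@dataclass
class PacketDecision:
    in_zone: Optional[str] = None
    in_ifp: Optional[str] = None
    out_ifp: Optional[str] = None
    src: Optional[str] = None         # source ip:port as received
    dst: Optional[str] = None         # destination ip:port as received (pre-NAT)
    routed_dst: Optional[str] = None  # x_dst_ip used for the route lookup
    zone_pair: Optional[str] = None   # zone ids searched, e.g. "2->3"
    policy_id: Optional[int] = None   # last policy id reported by swrs_search_ip
    permitted: Optional[bool] = None
    post_nat: Optional[str] = None    # "src->dst" after address translation
    session_id: Optional[int] = None
    new_session: bool = False


# Line formats as printed in the captures above.
HEADER = re.compile(r"^\*{6}.*<([^/]+)/([^>]+)> packet received")
PKT = re.compile(r"^(?!self:)(\S+?):(\d+\.\d+\.\d+\.\d+)/(\d+)->(\d+\.\d+\.\d+\.\d+)/(\d+),(\d+)<")
ROUTED = re.compile(r"^routed \(x_dst_ip (\S+)\) from (\S+) .* to (\S+)$")
ZONES = re.compile(r"^policy search from zone (\d+)-> zone (\d+)$")
POLICY = re.compile(r"policy matched id/idx/action = (\d+)/(-?\d+)/(0x[0-9a-f]+)")
SESSION = re.compile(r"^Session \(id:(\d+)\) created")
POST_NAT = re.compile(r"^post addr xlation: (\S+)->(\S+)\.$")


def parse_trace(text: str) -> List[PacketDecision]:
    """Split the capture at each '******' header and collect one decision per packet."""
    packets: List[PacketDecision] = []
    cur: Optional[PacketDecision] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            cur = PacketDecision(in_zone=m.group(1), in_ifp=m.group(2))
            packets.append(cur)
            continue
        if cur is None:
            continue  # CLI echo before the first packet header
        if (m := PKT.match(line)):
            cur.src, cur.dst = f"{m.group(2)}:{m.group(3)}", f"{m.group(4)}:{m.group(5)}"
        elif (m := ROUTED.match(line)):
            cur.routed_dst, cur.out_ifp = m.group(1), m.group(3)
        elif (m := ZONES.match(line)):
            cur.zone_pair = f"{m.group(1)}->{m.group(2)}"
        elif (m := POLICY.search(line)):
            cur.policy_id = int(m.group(1))  # last match wins; the global search is reported last
        elif line.startswith("Permitted by policy"):
            cur.permitted = True
        elif line.startswith("packet dropped, denied by policy"):
            cur.permitted = False
        elif (m := SESSION.match(line)):
            cur.session_id, cur.new_session = int(m.group(1)), True
        elif (m := POST_NAT.match(line)):
            cur.post_nat = f"{m.group(1)}->{m.group(2)}"
        elif line.startswith("existing session found"):
            cur.new_session = False
    return packets


def diagnose(p: PacketDecision) -> str:
    """One-line reading of a first-packet decision; the hint wording is this example's own."""
    if p.permitted is False and p.policy_id == DEFAULT_DENY_POLICY:
        return (f"{p.src}->{p.dst} entered via {p.in_zone}/{p.in_ifp} and was routed to {p.out_ifp} "
                f"(x_dst_ip {p.routed_dst}), but no policy for zone pair {p.zone_pair} matched; "
                f"it fell through to global default policy {p.policy_id}. Check that a policy in "
                f"that zone pair matches the pre-NAT destination (address object or MIP).")
    if p.permitted:
        return (f"{p.src}->{p.dst} permitted by policy {p.policy_id} via {p.in_ifp}->{p.out_ifp}; "
                f"session {p.session_id}, after NAT {p.post_nat}")
    return "no first-packet decision in this packet" + (" (existing session)" if not p.new_session else "")


if __name__ == "__main__":
    for trace in (DENIED_TRACE, PERMITTED_TRACE):
        for pkt in parse_trace(trace):
            print(diagnose(pkt))
```

Run it as-is to see both captures summarised, or feed it the raw `get db str` output pasted from the console: `parse_trace()` ignores the command echo and anything before the first packet header, so the whole session transcript can be passed in unchanged. The useful signal in the denied case is that routing succeeded (out interface and x_dst_ip are populated) while the policy id is the global default, which separates the route problem discussed in reply 2 from the policy-match problem that the MIP in reply 5 resolved.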