Hi Gokul,
Thanks again for your help. I feel as if I am almost there now but there is still one, hopefully small, problem! I had been setting up the loopback and the DIP in the GUI but once I started doing it via telnet I noticed that when I had tried to set up the loopback as a subnet I had not made sure it was in route mode and had left it in NAT mode. doh.
So now what I have is:
set interface "loopback.1" zone "Untrust"
set interface loopback.1 ip 8.9.10.222/29
set interface loopback.1 route
set interface loopback.1 dip 4 8.9.10.219 8.9.10.219
set interface "loopback.1" mip 8.9.10.217 host 192.168.1.1 netmask 255.255.255.255 vr "trust-vr"
set policy id 62 from "Untrust" to "Trust" "ML_Subnets" "MIP(8.9.10.217)" "SMTP" permit
set policy id 62
exit
set policy id 5 name "https" from "Trust" to "Untrust" "LocalSubnet" "Any" "HTTP" nat src dip-id 4 permit
set policy id 5
set service "HTTPS"
exit
The mail route to the MIP seems to route fine (when I test it by allowing ICMP and pinging, although I haven't tested that with routed mail from MessageLabs yet).
But the Src-Nat for browsing doesn't seem to be working. The debug is below. It looks as if there is some routing missing? Any ideas?
Thanks very much. Matt
Wireless Regulatory Domain: WORLD
****** 00762.0: <Trust/bgroup0> packet received [202]******
ipid = 22461(57bd), @03a61110
other ip packet handle.
packet dropped, Other ip pakcet
****** 00764.0: <Trust/bgroup0> packet received [211]******
ipid = 22464(57c0), @03976110
other ip packet handle.
packet dropped, Other ip pakcet
****** 00765.0: <Trust/bgroup0> packet received [541]******
ipid = 22466(57c2), @0397b110
packet passed sanity check.
flow_decap_vector IPv4 process
bgroup0:192.168.1.238/4216->107.21.105.139/80,6<Root>
no session found
flow_first_sanity_check: in <bgroup0>, out <N/A>
chose interface bgroup0 as incoming nat if.
flow_first_routing: in <bgroup0>, out <N/A>
search route to (bgroup0, 192.168.1.238->107.21.105.139) in vr trust-vr for vsd-0/flag-0/ifp-null
cached route 7 for 107.21.105.139
[ Dest] 7.route 107.21.105.139->81.148.32.1, to ethernet0/0
routed (x_dst_ip 107.21.105.139) from bgroup0 (bgroup0 in 0) to ethernet0/0
policy search from zone 2-> zone 1
policy_flow_search policy search nat_crt from zone 2-> zone 1
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 107.21.105.139, port 80, proto 6)
No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 5/6/0x1
Permitted by policy 5
dip alloc failed. dip_id = 0
packet dropped, dip alloc failed
****** 00765.0: <Trust/bgroup0> packet received [553]******
ipid = 22467(57c3), @0397b910
packet passed sanity check.
flow_decap_vector IPv4 process
bgroup0:192.168.1.238/4213->107.21.105.139/80,6<Root>
no session found
flow_first_sanity_check: in <bgroup0>, out <N/A>
chose interface bgroup0 as incoming nat if.
flow_first_routing: in <bgroup0>, out <N/A>
search route to (bgroup0, 192.168.1.238->107.21.105.139) in vr trust-vr for vsd-0/flag-0/ifp-null
cached route 7 for 107.21.105.139
[ Dest] 7.route 107.21.105.139->81.148.32.1, to ethernet0/0
routed (x_dst_ip 107.21.105.139) from bgroup0 (bgroup0 in 0) to ethernet0/0
policy search from zone 2-> zone 1
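
Added example, not part of the original post: a small Python parser for flow debug output like the trace above. For each packet it pulls out the egress interface, the matching policy and the DIP allocation result. The sample lines are abridged from the post, and the function and field names are hypothetical.

```python
import re

# Added example; names are hypothetical. Sample abridged from the trace in the post.
SAMPLE = """\
****** 00762.0: <Trust/bgroup0> packet received [202]******
packet dropped, Other ip pakcet
****** 00765.0: <Trust/bgroup0> packet received [541]******
bgroup0:192.168.1.238/4216->107.21.105.139/80,6<Root>
routed (x_dst_ip 107.21.105.139) from bgroup0 (bgroup0 in 0) to ethernet0/0
Permitted by policy 5
dip alloc failed. dip_id = 0
packet dropped, dip alloc failed
"""

HEADER = re.compile(r"^\*+ (\S+): <([^/>]+)/([^>]+)> packet received \[(\d+)\]\*+$")
FIELDS = {  # record key -> pattern with one capture group
    "flow": re.compile(r"^\S+:(\d+\.\d+\.\d+\.\d+/\d+->\d+\.\d+\.\d+\.\d+/\d+,\d+)"),
    "egress": re.compile(r"^routed \(.*\) to (\S+)$"),
    "policy": re.compile(r"^Permitted by policy (\d+)$"),
    "dip_id": re.compile(r"^dip alloc failed\. dip_id = (\d+)$"),
    "drop": re.compile(r"^packet dropped, (.+)$"),
}

def parse_flow_debug(text):
    """Split debug output into one dict per 'packet received' block."""
    packets = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            packets.append({"time": m[1], "zone": m[2], "ifp": m[3], "len": int(m[4])})
            continue
        if not packets:
            continue  # banner lines before the first packet header
        for key, pat in FIELDS.items():
            m = pat.match(line)
            if m:
                packets[-1][key] = m[1]
    return packets

def nat_failures(packets):
    """Packets that a policy permitted but that then failed DIP allocation."""
    return [p for p in packets if "policy" in p and "dip_id" in p]

if __name__ == "__main__":
    for p in nat_failures(parse_flow_debug(SAMPLE)):
        print(f'{p["time"]} {p["flow"]} policy={p["policy"]} '
              f'egress={p["egress"]} dip_id={p["dip_id"]} -> {p["drop"]}')
```

The report puts the egress interface chosen by routing next to the dip_id the firewall reported, which are the two values to compare against the interface and pool id in the `set interface ... dip` line of the configuration.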