Screen OS

  • 1.  SSG5 with BT Infinity and PPPoE DHCP

    Posted 05-15-2014 08:56

    I've got an SSG5 on a BT Infinity FTTC circuit with a range of static IPs that has been working fine for an age. This was how it was configured:

    • IP range assigned to us by BT was, say, 8.9.10.217 to 8.9.10.221; network address: 8.9.10.216; router/hub address: 8.9.10.222
    • Interface 0/0 was configured with the first in the IP range, 8.9.10.216
    • MIP on interface 0/0: 8.9.10.217 --> 192.168.1.1
    • Various VPNs (policy based and routed), remote SSG5s and other firewalls using the static IP 8.9.10.216

    Last night something must have changed on the BT side because the SSG5 lost connectivity to the world. BT think this is because the external interface 0/0 was configured with one of the static IP addresses that they allocated us when the FTTC circuit was installed. They say that it needs to be PPPoE DHCP enabled and that once it is, their infrastructure will automatically route our static range to whatever IP address the PPPoE DHCP assigns our SSG5.

    So I have changed the SSG5 external interface 0/0 to be PPPoE DHCP enabled, and the SSG5 connects to the internet OK. But I am having trouble configuring it to utilise the static IP range 8.9.10.216 to 8.9.10.220.

    With PPPoE DHCP enabled on external interface 0/0, how can I configure the SSG5 to do the following?

    • Get browsing from the LAN NATed behind one of the static IPs
    • Get the VPNs back up on one of the static IPs
    • Get the MIP working again

    Thanks



  • 2.  RE: SSG5 with BT Infinity and PPPoE DHCP

    Posted 05-20-2014 02:43

    UPDATE:

    I ran a debug (http://kb.juniper.net/InfoCenter/index?page=content&id=KB5536) and it helped me get the mail routing inbound again by doing this:

    1. Create a loopback on e0/0 8.9.10.216/29
    2. Create a route from the loopback to e0/0
    3. Create a MIP on the loopback 8.9.10.217 --> 192.168.1.1
    4. Create a policy MIP to 192.168.1.1 on port 25

    Still trying to get the 3 different VPNs back up again (one is a policy based site to site, the other routed).

    Still trying to get trust side browsing configured to NAT behind 8.9.10.219. It seems that it ought to be a case of creating a DIP on the loopback interface, but when I try and do that I get a message that says ###invalid dip parameter

    Any ideas?



  • 3.  RE: SSG5 with BT Infinity and PPPoE DHCP

    Posted 05-22-2014 23:34

    Hi Matt,

    Even if BT assigns a random IP to e0/0, it will be from the 8.9.10.216 to 8.9.10.222 range, right?

    For VPNs, since your public IP is bound to change, you cannot use the IP as the VPN ID. You can consider:

    1. Using a loopback interface with a fixed IP to terminate the VPNs on
    2. Using dynamic DNS to get a hostname mapped to your subnet
    3. Re-configuring the VPN to be an 'aggressive mode' VPN, where the SSG5 should always initiate the VPN


  • 4.  RE: SSG5 with BT Infinity and PPPoE DHCP

    Posted 05-23-2014 02:11

    Thanks Gokul, your suggestion re the VPN is good; I have already managed to get them up using dyndns. I have also got email routing inbound using a MIP on an untrust loopback.

    The only thing still to get working is the source NAT for browsing. The successful PPPoE authentication results in a random IP allocation 8.9.x.y. They then dynamically route the packets to our static IPs to this address, hence the need for the loopbacks on the e0/0. The problem I am having now is that I want to source NAT all browsing behind one of the static IPs. I had thought that the way to do this was to create a DIP on the loopback interface and then edit my policy for browsing so that it was configured to use this DIP. The problem I am having is that it looks as if it's not possible to create a DIP on a loopback. I have tried to configure the loopback and DIP as follows:

    set interface "loopback.1" zone "Untrust"
    set interface loopback.1 ip 8.9.10.217/32
    set interface loopback.1 route
    set interface loopback.1 dip 5 8.9.10.217 8.9.10.217
    ###Invalid dip parameter
    Failed command - set interface loopback.1 dip 5 8.9.10.217 8.9.10.217

    What am I doing wrong?

    The following article seems to imply that it is actually not possible to create a DIP on a loopback: http://kb.juniper.net/InfoCenter/index?page=content&id=KB7034&actp=search&viewlocale=en_US&searchid=1325672564847

    In this scenario is there another way for me to Src-NAT browsing behind one of the static IPs?



  • 5.  RE: SSG5 with BT Infinity and PPPoE DHCP

    Posted 05-23-2014 02:26

    Matt,

    This is a combination of 2 problems:

    1. DIP cannot be the same as the interface IP
    2. You have a /32 IP for the loopback, which means there is no IP for the DIP in the subnet

    I would say you need to expand the loopback subnet and create a DIP with an IP from that subnet. You can then call this DIP in the internet policy; not sure if it would work though. Give it a try..

    I do not think that the KB statement is still applicable, because I am able to create a DIP on a loopback:

    set interface "loopback.1" zone "Untrust"
    set interface loopback.1 ip 100.0.0.1/24
    set interface loopback.1 route
    set interface loopback.1 dip 4 100.0.0.11 100.0.0.14
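
The two rules in the reply above can be checked offline before typing the `set interface ... dip` command. The Python script below is an added example, not the thread's or Juniper's code: it encodes rule 1 (a DIP address must not equal the interface IP) and rule 2 (every DIP address must fall within the interface subnet, so a /32 leaves nothing to choose from) and runs them over the three loopback/DIP combinations posted in this thread. The function names are the example's own, and treating only host addresses (network and broadcast excluded) as DIP candidates is an assumption, not something ScreenOS documents here.

```python
"""Offline check of a ScreenOS-style DIP pool against its loopback interface.

Added example (not from the thread or from Juniper): it encodes the two rules
stated in the reply above. Function names and the rule encoding are this
example's own. ASSUMPTION: only host addresses of the subnet (network and
broadcast excluded) are counted as DIP candidates.
"""
import ipaddress


def dip_candidates(interface_cidr):
    """Addresses on the interface's subnet that could serve as DIP entries.

    Rule 2 says the pool must come from the subnet and rule 1 forbids the
    interface's own address, so a /32 leaves an empty list.
    """
    iface = ipaddress.ip_interface(interface_cidr)
    return [str(a) for a in iface.network.hosts() if a != iface.ip]


def check_dip(interface_cidr, dip_start, dip_end):
    """Return the rule violations for 'set interface X dip N start end'.

    An empty list means the pool passes both rules.
    """
    iface = ipaddress.ip_interface(interface_cidr)
    start = ipaddress.ip_address(dip_start)
    end = ipaddress.ip_address(dip_end)
    if end < start:
        return [f"DIP range end {end} precedes start {start}"]
    problems = []
    addr = start
    while addr <= end:  # DIP pools are a handful of addresses, so walking them is cheap
        if addr == iface.ip:
            problems.append(f"{addr} is the interface IP itself (rule 1)")
        elif addr not in iface.network:
            problems.append(f"{addr} lies outside {iface.network} (rule 2)")
        addr += 1
    return problems


# The three loopback/DIP attempts that appear in this thread.
ATTEMPTS = [
    ("8.9.10.217/32", "8.9.10.217", "8.9.10.217"),  # rejected with 'Invalid dip parameter'
    ("100.0.0.1/24", "100.0.0.11", "100.0.0.14"),   # accepted
    ("8.9.10.222/29", "8.9.10.219", "8.9.10.219"),  # accepted
]

if __name__ == "__main__":
    for cidr, lo, hi in ATTEMPTS:
        verdict = check_dip(cidr, lo, hi) or ["ok"]
        print(f"{cidr} dip {lo}-{hi}: {'; '.join(verdict)} "
              f"(candidates on subnet: {len(dip_candidates(cidr))})")
```

Running it shows the /32 attempt failing on rule 1 with zero candidates left on the subnet, while the /24 and /29 pools pass, which matches what the firewall accepted and rejected in the posts above.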



  • 6.  RE: SSG5 with BT Infinity and PPPoE DHCP

    Posted 05-23-2014 08:47

    Hi Gokul,

    Thanks again for your help. I feel as if I am almost there now, but there is still one, hopefully small, problem! I had been setting up the loopback and the DIP in the GUI, but once I started doing it via telnet I noticed that when I had tried to set up the loopback as a subnet I had not made sure it was in route mode and had left it in NAT mode. Doh.

    So now what I have is:

    set interface "loopback.1" zone "Untrust"
    set interface loopback.1 ip 8.9.10.222/29
    set interface loopback.1 route
    set interface loopback.1 dip 4 8.9.10.219 8.9.10.219
    set interface "loopback.1" mip 8.9.10.217 host 192.168.1.1 netmask 255.255.255.255 vr "trust-vr"
    set policy id 62 from "Untrust" to "Trust" "ML_Subnets" "MIP(8.9.10.217)" "SMTP" permit
    set policy id 62
    exit
    set policy id 5 name "https" from "Trust" to "Untrust" "LocalSubnet" "Any" "HTTP" nat src dip-id 4 permit
    set policy id 5
    set service "HTTPS"
    exit

    The mail route to the MIP seems to route fine (when I test it by allowing ICMP and pinging, although I haven't tested that with routed mail from MessageLabs yet).

    But the Src-NAT for browsing doesn't seem to be working. The debug is below. It looks as if there is some routing missing? Any ideas?

    Thanks very much. Matt


    Wireless Regulatory Domain: WORLD
    ****** 00762.0: <Trust/bgroup0> packet received [202]******
      ipid = 22461(57bd), @03a61110
      other ip packet handle.
      packet dropped, Other ip pakcet
    ****** 00764.0: <Trust/bgroup0> packet received [211]******
      ipid = 22464(57c0), @03976110
      other ip packet handle.
      packet dropped, Other ip pakcet
    ****** 00765.0: <Trust/bgroup0> packet received [541]******
      ipid = 22466(57c2), @0397b110
      packet passed sanity check.
      flow_decap_vector IPv4 process
      bgroup0:192.168.1.238/4216->107.21.105.139/80,6<Root>
      no session found
      flow_first_sanity_check: in <bgroup0>, out <N/A>
      chose interface bgroup0 as incoming nat if.
      flow_first_routing: in <bgroup0>, out <N/A>
      search route to (bgroup0, 192.168.1.238->107.21.105.139) in vr trust-vr for vs
    d-0/flag-0/ifp-null
      cached route 7 for 107.21.105.139
      [ Dest] 7.route 107.21.105.139->81.148.32.1, to ethernet0/0
      routed (x_dst_ip 107.21.105.139) from bgroup0 (bgroup0 in 0) to ethernet0/0
      policy search from zone 2-> zone 1
     policy_flow_search  policy search nat_crt from zone 2-> zone 1
      RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 107.
    21.105.139, port 80, proto 6)
      No SW RPC rule match, search HW rule
    swrs_search_ip: policy matched id/idx/action = 5/6/0x1
      Permitted by policy 5
      dip alloc failed. dip_id = 0
      packet dropped, dip alloc failed
    ****** 00765.0: <Trust/bgroup0> packet received [553]******
      ipid = 22467(57c3), @0397b910
      packet passed sanity check.
      flow_decap_vector IPv4 process
      bgroup0:192.168.1.238/4213->107.21.105.139/80,6<Root>
      no session found
      flow_first_sanity_check: in <bgroup0>, out <N/A>
      chose interface bgroup0 as incoming nat if.
      flow_first_routing: in <bgroup0>, out <N/A>
      search route to (bgroup0, 192.168.1.238->107.21.105.139) in vr trust-vr for vs
    d-0/flag-0/ifp-null
      cached route 7 for 107.21.105.139
      [ Dest] 7.route 107.21.105.139->81.148.32.1, to ethernet0/0
      routed (x_dst_ip 107.21.105.139) from bgroup0 (bgroup0 in 0) to ethernet0/0
      policy search from zone 2-> zone 1
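
Debug output like the above is easier to read once it is split into per-packet records and the drop reasons are tallied, especially when a capture runs to hundreds of records. The Python script below is an added example, not from the thread or from Juniper: it parses ScreenOS `debug flow basic` style output, pulling out the flow 5-tuple, the egress interface chosen by the route lookup, the policy that permitted the packet, any `dip alloc failed` marker and the final drop reason, and counts the reasons. The sample text is an excerpt of the debug posted above, with the last record cut short as it is on the page, so the parser also shows how an incomplete record is reported; the regexes and function names are the example's own.

```python
"""Parse ScreenOS 'debug flow basic' output and tally packet-drop reasons.

Added example, not from the thread or from Juniper. Each record starts with a
'******' banner; within it we pick out the flow 5-tuple, the egress interface,
the permitting policy, any 'dip alloc failed' marker and the drop reason.
Function names and regexes are this example's own.
"""
import re
from collections import Counter

RECORD_RE = re.compile(r"^\*{6} (?P<ts>\d+\.\d+): <(?P<ingress>[^>]+)> packet received")
FLOW_RE = re.compile(r"^\s*(?P<ifname>[\w./-]+):(?P<src>[\d.]+)/(?P<sport>\d+)->"
                     r"(?P<dst>[\d.]+)/(?P<dport>\d+),(?P<proto>\d+)<")
EGRESS_RE = re.compile(r"\broute [\d.]+->[\d.]+, to (?P<egress>\S+)")
POLICY_RE = re.compile(r"Permitted by policy (?P<policy>\d+)")
DIP_RE = re.compile(r"dip alloc failed\. dip_id = (?P<dip_id>\d+)")
DROP_RE = re.compile(r"packet dropped, (?P<reason>.+?)\s*$")

# Constructed sample: an excerpt of the debug posted above, final record truncated.
SAMPLE_DEBUG = """\
Wireless Regulatory Domain: WORLD
****** 00762.0: <Trust/bgroup0> packet received [202]******
  ipid = 22461(57bd), @03a61110
  other ip packet handle.
  packet dropped, Other ip pakcet
****** 00764.0: <Trust/bgroup0> packet received [211]******
  ipid = 22464(57c0), @03976110
  other ip packet handle.
  packet dropped, Other ip pakcet
****** 00765.0: <Trust/bgroup0> packet received [541]******
  ipid = 22466(57c2), @0397b110
  packet passed sanity check.
  bgroup0:192.168.1.238/4216->107.21.105.139/80,6<Root>
  no session found
  cached route 7 for 107.21.105.139
  [ Dest] 7.route 107.21.105.139->81.148.32.1, to ethernet0/0
  routed (x_dst_ip 107.21.105.139) from bgroup0 (bgroup0 in 0) to ethernet0/0
  policy search from zone 2-> zone 1
swrs_search_ip: policy matched id/idx/action = 5/6/0x1
  Permitted by policy 5
  dip alloc failed. dip_id = 0
  packet dropped, dip alloc failed
****** 00765.0: <Trust/bgroup0> packet received [553]******
  ipid = 22467(57c3), @0397b910
  bgroup0:192.168.1.238/4213->107.21.105.139/80,6<Root>
  no session found
  policy search from zone 2-> zone 1
"""


def parse_flow_debug(text):
    """Split debug output into one dict per packet record."""
    records, current = [], None
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            current = {"ts": m["ts"], "ingress": m["ingress"], "flow": None, "egress": None,
                       "policy": None, "dip_id": None, "drop_reason": None}
            records.append(current)
        elif current is None:
            continue  # preamble before the first banner
        elif (m := FLOW_RE.match(line)):
            current["flow"] = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), int(m["proto"]))
        elif (m := EGRESS_RE.search(line)):
            current["egress"] = m["egress"]
        elif (m := POLICY_RE.search(line)):
            current["policy"] = int(m["policy"])
        elif (m := DIP_RE.search(line)):
            current["dip_id"] = int(m["dip_id"])
        elif (m := DROP_RE.search(line)):
            current["drop_reason"] = m["reason"]
    return records


def summarize_drops(records):
    """Count drop reasons; a record with no verdict (truncated capture) counts as 'incomplete'."""
    return Counter(r["drop_reason"] or "incomplete" for r in records)


if __name__ == "__main__":
    recs = parse_flow_debug(SAMPLE_DEBUG)
    for r in recs:
        print(r["ts"], r["flow"], "via", r["egress"], "policy", r["policy"],
              "->", r["drop_reason"] or "incomplete")
    print(dict(summarize_drops(recs)))
```

On the sample, the tally is two "Other ip pakcet" drops, one "dip alloc failed" drop (the record that matched policy 5 and was routed to ethernet0/0) and one incomplete record; the "dip alloc failed" line is the one to look at, since it shows the packet was permitted and routed but could not be source-translated.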

     



  • 7.  RE: SSG5 with BT Infinity and PPPoE DHCP

    Posted 05-23-2014 09:02

    Sorry, I meant to add that in the line:

     [ Dest] 8.route 54.225.194.93->81.148.32.1, to ethernet0/0

    the address 81.148.x.y is the next hop from the ISP's dynamically assigned PPPoE DHCP assigned address.

    The other thing is that the ISP have told me that the DG should be set to .222, hence the reason why I have set the subnet as .222/29 rather than .216/29.

    Could this be part of the problem?



  • 8.  RE: SSG5 with BT Infinity and PPPoE DHCP
    Best Answer

    Posted 05-25-2014 20:04

    Hi Matt,

    I am not sure if the default gateway can cause an issue. As of now, the packet is not even leaving the firewall.

    From what I see, the firewall is unable to use the DIP IP to translate the source using the DIP. This is because the DIP is on the loopback IF, while the exit IF is e0/0.

    Try adding e0/0 to the loopback group.

    From GUI --> Network > Interface > e0/0 > As a member of loopback group > loopback.1

    If this does not help, you may have to modify the default route to point to loopback.1 rather than e0/0



  • 9.  RE: SSG5 with BT Infinity and PPPoE DHCP

    Posted 05-27-2014 03:05

    Hi Gokul,

    I am kicking myself. I had already tried making the e0/0 a member of the loopback group, and I had ruled it out as having failed because making that change stopped my ping rule working. I tried it again after your suggestion and spent a bit more time testing, and it's working fine now; the failed ping rule just needed to have the DIP NAT applied to also work.

    Thanks very much for your help

    Matt



  • 10.  RE: SSG5 with BT Infinity and PPPoE DHCP

    Posted 05-27-2014 03:19

    Hi Matt,

    That is good news.. glad to know that things are back online now 🙂



  • 11.  RE: SSG5 with BT Infinity and PPPoE DHCP

    Posted 05-27-2014 03:57

    Aghhhhh. I thought I was done and dusted, but it seems that the NAT doesn't work all of the time. I am just sorting out another debug to see if it reveals what is causing the intermittent issue.