ScreenOS Firewalls (NOT SRX)
Hal
Visitor
Registered: 04-27-2011

Two ports... two networks... won't route

Ethernet0/0 -> Public Internet

Ethernet0/1 -> Unused DMZ

Ethernet0/2 -> bgroup0 (10.20.1.x)

Ethernet0/3 -> bgroup0 (10.20.1.x)

Ethernet0/4 -> Internal address (10.18.76.x)

A computer plugged into bgroup0 can reach the internet but not 10.18.76.x.

A computer plugged into 10.18.76.x can reach the router.

From the router I can ping the internet, 10.20.1.x and 10.18.76.x.

10.20.1.x and 10.18.76.x are both in the "Trust" zone.

Problem: A computer on 10.20.1.x can not reach 10.18.76.x.

My Config:

set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set service *REDACTED*
set service *REDACTED*
set service *REDACTED*
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name *REDACTED*
set admin password *REDACTED*
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst 
set zone "Untrust" block 
unset zone "Untrust" tcp-rst 
set zone "DMZ" tcp-rst 
set zone "VLAN" block 
unset zone "VLAN" tcp-rst 
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/1" zone "DMZ"
set interface "ethernet0/4" zone "Trust"
set interface "bgroup0" zone "Trust"
set interface bgroup0 port ethernet0/2
set interface bgroup0 port ethernet0/3
unset interface vlan1 ip
set interface ethernet0/0 ip *REDACTED*
set interface ethernet0/0 route
set interface ethernet0/1 ip 192.168.1.1/24
set interface ethernet0/1 nat
set interface ethernet0/4 ip 10.18.76.250/24
set interface ethernet0/4 nat
set interface bgroup0 ip 10.20.1.1/24
set interface bgroup0 nat
set interface ethernet0/0 gateway *REDACTED*
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
set interface ethernet0/1 ip manageable
set interface ethernet0/4 ip manageable
set interface bgroup0 ip manageable
set interface ethernet0/0 manage web
unset interface ethernet0/4 manage ping
unset interface ethernet0/4 manage ssh
unset interface ethernet0/4 manage snmp
unset interface ethernet0/4 manage ssl
set interface bgroup0 manage mtrace
set interface ethernet0/0 monitor track-ip weight 1
unset interface ethernet0/0 monitor track-ip dynamic
set interface ethernet0/0 vip *REDACTED*
set interface ethernet0/0 vip *REDACTED*
set interface ethernet0/0 vip *REDACTED*
set interface ethernet0/0 vip *REDACTED*
set interface ethernet0/0 vip *REDACTED*
set interface bgroup0 dhcp server service
set interface bgroup0 dhcp server auto
set interface bgroup0 dhcp server option dns1 208.67.222.222 
set interface bgroup0 dhcp server option dns2 208.67.220.220 
set interface bgroup0 dhcp server ip 10.20.1.50 to 10.20.1.200 
unset interface bgroup0 dhcp server config next-server-ip
set interface "serial0/0" modem settings "USR" init "AT&F"
set interface "serial0/0" modem settings "USR" active
set interface "serial0/0" modem speed 115200
set interface "serial0/0" modem retry 3
set interface "serial0/0" modem interval 10
set interface "serial0/0" modem idle-time 10
set flow tcp-mss
unset flow tcp-syn-check
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns1 208.67.222.222 src-interface ethernet0/0
set dns host dns2 208.67.220.220 src-interface ethernet0/0
set dns host dns3 0.0.0.0
set address "Trust" "10.20.1.26/32" 10.20.1.26 255.255.255.255
set group service *REDACTED*
set group service *REDACTED*
set group service *REDACTED*
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set url protocol websense
exit
set anti-spam profile ns-profile
 set sbl default-server enable
exit
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit 
set policy id 1
exit
set policy id 2 from "Untrust" to "Trust"  "Any" "VIP(*REDACTED*)" "ANY" permit 
set policy id 2
exit
set policy id 3 from "Trust" to "Trust"  "Any" "Any" "ANY" permit 
set policy id 3
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit

Distinguished Expert
firewall72
Registered: 05-04-2008

Re: Two ports... two networks... won't route

Hi,


Typically I come across two issues with this: intrazone blocking or a missing policy. I don't see intrazone blocking enabled for Trust, so that's good. And I do see a policy for Trust to Trust. That would indicate a possible NAT or routing issue. I would recommend a debug:


set ff src-ip 10.20.1.x dst ip 10.18.76.x ip-proto 1

debug flow basic

clear db

<ping from 10.20.1.x to 10.18.76.x>

undebug all

get db str


If needed, flip the flow filter and run it again.  Feel free to share the results.


John

John Judge
JNCIS-SEC, JNCIS-ENT,

If this solves your problem, please mark this post as "Accepted Solution". Kudos are appreciated.
Distinguished Expert
spuluka
Registered: 03-30-2009

Re: Two ports... two networks... won't route

I think your issue might be with the interface NAT configuration. Try putting both of the interfaces into route mode, then add NAT to your internet access policy instead.

set interface ethernet0/1 nat
set interface ethernet0/4 nat


set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit nat src
set policy id 1
exit

Steve Puluka BSEET
Juniper Ambassador
Senior Network Engineer - UPMC Pittsburgh, PA
JNCIA-ER JNCIA-EX JNCIS-SEC JNCIP-SEC
JNCIS-FWV JNCIS-SSL
MCP - Managing Server 2003 MCP - Windows XP Professional
MCTS Windows 7
http://puluka.com/home
Hal
Visitor
Registered: 04-27-2011

Re: Two ports... two networks... won't route

Hello John!


Thanks for the pointer. I am back to this problem now.


ssg20-> set ff src-ip 10.20.1.51 dst ip 10.18.76.10 ip-proto 1
$$Ambiguous command!!


I can't get far in the process.

Hal
Visitor
Registered: 04-27-2011

Re: Two ports... two networks... won't route

Steve,

ssg20-> set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit nat src
                                                                                                                     ^------unknown keyword nat
Thanks!

Distinguished Expert
spuluka
Registered: 03-30-2009

Re: Two ports... two networks... won't route


Sorry about that, I had the command out of order.

set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" nat src permit

And these should change from nat to route:


set interface ethernet0/1 route
set interface ethernet0/4 route


Steve Puluka BSEET
Juniper Ambassador
Senior Network Engineer - UPMC Pittsburgh, PA
JNCIA-ER JNCIA-EX JNCIS-SEC JNCIP-SEC
JNCIS-FWV JNCIS-SSL
MCP - Managing Server 2003 MCP - Windows XP Professional
MCTS Windows 7
http://puluka.com/home
Distinguished Expert
firewall72
Registered: 05-04-2008

Re: Two ports... two networks... won't route

I believe you're missing the "-" in dst-ip.


John

John Judge
JNCIS-SEC, JNCIS-ENT,

If this solves your problem, please mark this post as "Accepted Solution". Kudos are appreciated.
Hal
Visitor
Registered: 04-27-2011

Re: Two ports... two networks... won't route

Hey John!


The results are listed below:

****** 1689162.0: <Trust/bgroup0> packet received [60]******
  ipid = 9301(2455), @02c70a30
  packet passed sanity check.
  bgroup0:10.20.1.51/12->10.18.76.10/1,1(8/0)<Root>
  no session found
  flow_first_sanity_check: in <bgroup0>, out <N/A>
  chose interface bgroup0 as incoming nat if.
  flow_first_routing: in <bgroup0>, out <N/A>
  search route to (bgroup0, 10.20.1.51->10.18.76.10) in vr trust-vr for vsd-0/flag-0/ifp-null
  [ Dest] 2294.route 10.18.76.10->10.18.76.10, to ethernet0/4
  routed (x_dst_ip 10.18.76.10) from bgroup0 (bgroup0 in 0) to ethernet0/4
  policy search from zone 2-> zone 2
 policy_flow_search  policy search nat_crt from zone 2-> zone 2
  RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 10.18.76.10, port 19791, proto 1)
  No SW RPC rule match, search HW rule
  Permitted by policy 3
  No src xlate   choose interface ethernet0/4 as outgoing phy if
  no loop on ifp ethernet0/4.
  session application type 0, name None, nas_id 0, timeout 60sec
  service lookup identified service 0.
  flow_first_final_check: in <bgroup0>, out <ethernet0/4>
  existing vector list 1-4250820.
  Session (id:3825) created for first pak 1
  flow_first_install_session======>
  route to 10.18.76.10
  wait for arp rsp for 10.18.76.10
  nsp2 wing prepared, not ready
  cache mac in the session
  make_nsp_ready_no_resolve()
  search route to (ethernet0/4, 10.18.76.10->10.20.1.51) in vr trust-vr for vsd-0/flag-3000/ifp-bgroup0
  [ Dest] 5.route 10.20.1.51->10.20.1.51, to bgroup0
  route to 10.20.1.51

And the other direction....

****** 1689390.0: <Trust/bgroup0> packet received [60]******
  ipid = 10226(27f2), @02cfda30
  packet passed sanity check.
  bgroup0:10.20.1.51/19->10.18.76.10/1,1(8/0)<Root>
  no session found
  flow_first_sanity_check: in <bgroup0>, out <N/A>
  chose interface bgroup0 as incoming nat if.
  flow_first_routing: in <bgroup0>, out <N/A>
  search route to (bgroup0, 10.20.1.51->10.18.76.10) in vr trust-vr for vsd-0/flag-0/ifp-null
  [ Dest] 2294.route 10.18.76.10->10.18.76.10, to ethernet0/4
  routed (x_dst_ip 10.18.76.10) from bgroup0 (bgroup0 in 0) to ethernet0/4
  policy search from zone 2-> zone 2
 policy_flow_search  policy search nat_crt from zone 2-> zone 2
  RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 10.18.76.10, port 19784, proto 1)
  No SW RPC rule match, search HW rule
  Permitted by policy 3
  No src xlate   choose interface ethernet0/4 as outgoing phy if
  no loop on ifp ethernet0/4.
  session application type 0, name None, nas_id 0, timeout 60sec
  service lookup identified service 0.
  flow_first_final_check: in <bgroup0>, out <ethernet0/4>
  existing vector list 1-4250820.
  Session (id:4029) created for first pak 1
  flow_first_install_session======>
  route to 10.18.76.10
  arp entry found for 10.18.76.10
  nsp2 wing prepared, ready
  cache mac in the session
  make_nsp_ready_no_resolve()
  search route to (ethernet0/4, 10.18.76.10->10.20.1.51) in vr trust-vr for vsd-0/flag-3000/ifp-bgroup0
  [ Dest] 5.route 10.20.1.51->10.20.1.51, to bgroup0
  route to 10.20.1.51
  flow got session.
  flow session id 4029
  post addr xlation: 10.20.1.51->10.18.76.10.
 flow_send_vector_, vid = 0, is_layer2_if=0

This is after making the changes suggested to the nat rules.


Distinguished Expert
keithr
Registered: 09-10-2009

Re: Two ports... two networks... won't route


Looks like you're missing a few lines at the end of those debug traces.


You should see lines that say "packet sent to <mac address> through ethernet x/x" for example.


Unset your flow filters first to make sure everything is cleared out, just issue "unset ff" repeatedly until it reports back "invalid id."


You could try adjusting your debug / flow filter setup to something like this to make the db size larger:

set ff src-ip 10.20.1.x dst-ip 10.18.76.x ip-proto 1
set db size 4096
clear db
debug flow basic

<ping from 10.20.1.x to 10.18.76.x>

undebug all
get db str

-kr


---
If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.
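Applying keithr's check by hand to a long dump is tedious, so here is a small parser, added as an example and not code from this thread or from Juniper, that splits a get db str dump into per-packet blocks and reports the stage at which each one stops short of a "packet sent" line. It assumes the line formats seen in the traces above; the "packet sent to ..." wording is taken from keithr's description, and the sample dump is constructed.

```python
import re
# Constructed sample modelled on the get db str output posted in this thread (not a
# verbatim copy): packet 1 stalls waiting for ARP, packet 2 is reported as sent. The
# "packet sent to ..." wording is assumed from keithr's description, not captured.
SAMPLE_TRACE = """\
****** 1713312.0: <Trust/bgroup0> packet received [60]******
  bgroup0:10.20.1.51/67->10.18.76.10/1,1(8/0)<Root>
  [ Dest] 2294.route 10.18.76.10->10.18.76.10, to ethernet0/4
  Permitted by policy 3
  Session (id:3974) created for first pak 1
  wait for arp rsp for 10.18.76.10
****** 1713316.0: <Trust/bgroup0> packet received [60]******
  bgroup0:10.20.1.51/68->10.18.76.10/1,1(8/0)<Root>
  [ Dest] 2294.route 10.18.76.10->10.18.76.10, to ethernet0/4
  Permitted by policy 3
  Session (id:3957) created for first pak 1
  arp entry found for 10.18.76.10
  [ Dest] 5.route 10.20.1.51->10.20.1.51, to bgroup0
  packet sent to 00:11:22:33:44:55 through ethernet0/4
"""

HEADER = re.compile(r"^\*+ (?P<ts>[\d.]+): <[^/]+/(?P<ifp>[^>]+)> packet received")
FIELDS = [  # (pattern, key); first match per key wins, so the forward [ Dest] beats the reverse wing
    (re.compile(r"^\s*\S+?:(?P<v>[\d.]+/\d+->[\d.]+/\d+,\d+)"), "tuple"),
    (re.compile(r"^\s*\[ Dest\] .*, to (?P<v>\S+)"), "egress"),
    (re.compile(r"^\s*(?P<v>(?:Permitted|Denied) by policy \d+)"), "policy"),
    (re.compile(r"Session \(id:(?P<v>\d+)\) created"), "session"),
    (re.compile(r"(?P<v>arp entry found) for"), "arp"),
    (re.compile(r"(?P<v>packet sent) to"), "sent"),
]

def parse_db(text):
    """Return one dict per 'packet received' block of a get db str dump."""
    packets, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"ts": m["ts"], "ingress": m["ifp"]}
            packets.append(cur)
            continue
        for pat, key in (FIELDS if cur is not None else []):
            m = pat.search(line)
            if m and key not in cur:
                cur[key] = m["v"]
                break
    return packets

def diagnose(pkt):
    """Name the first stage at which a block stops short of a transmitted packet."""
    if "egress" not in pkt:
        return "no route"
    if not pkt.get("policy", "").startswith("Permitted"):
        return "policy"
    if "session" not in pkt:
        return "no session"
    if "arp" not in pkt:
        return "arp unresolved"       # stalled at 'wait for arp rsp', like packet 1 above
    if "sent" not in pkt:
        return "no packet sent line"  # trace cut short, or dropped after session setup
    return "sent"
```

Run it over a saved dump with `[(p["ts"], p.get("tuple"), diagnose(p)) for p in parse_db(open("db.txt").read())]` to see at a glance which packets never left the box.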
Hal
Visitor
Registered: 04-27-2011

Re: Two ports... two networks... won't route

I don't see anything like that... Here's another db trace:

ssg20-> get db str
****** 1713312.0: <Trust/bgroup0> packet received [60]******
  ipid = 18293(4775), @02c3ea30
  packet passed sanity check.
  bgroup0:10.20.1.51/67->10.18.76.10/1,1(8/0)<Root>
  no session found
  flow_first_sanity_check: in <bgroup0>, out <N/A>
  chose interface bgroup0 as incoming nat if.
  flow_first_routing: in <bgroup0>, out <N/A>
  search route to (bgroup0, 10.20.1.51->10.18.76.10) in vr trust-vr for vsd-0/flag-0/ifp-null
  [ Dest] 2294.route 10.18.76.10->10.18.76.10, to ethernet0/4
  routed (x_dst_ip 10.18.76.10) from bgroup0 (bgroup0 in 0) to ethernet0/4
  policy search from zone 2-> zone 2
 policy_flow_search  policy search nat_crt from zone 2-> zone 2
  RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 10.18.76.10, port 19736, proto 1)
  No SW RPC rule match, search HW rule
  Permitted by policy 3
  No src xlate   choose interface ethernet0/4 as outgoing phy if
  no loop on ifp ethernet0/4.
  session application type 0, name None, nas_id 0, timeout 60sec
  service lookup identified service 0.
  flow_first_final_check: in <bgroup0>, out <ethernet0/4>
  existing vector list 1-4250820.
  Session (id:3974) created for first pak 1
  flow_first_install_session======>
  route to 10.18.76.10
  wait for arp rsp for 10.18.76.10
  nsp2 wing prepared, not ready
  cache mac in the session
  make_nsp_ready_no_resolve()
  search route to (ethernet0/4, 10.18.76.10->10.20.1.51) in vr trust-vr for vsd-0/flag-3000/ifp-bgroup0
  [ Dest] 5.route 10.20.1.51->10.20.1.51, to bgroup0
  route to 10.20.1.51
****** 1713316.0: <Trust/bgroup0> packet received [60]******
  ipid = 18308(4784), @02c6aa30
  packet passed sanity check.
  bgroup0:10.20.1.51/68->10.18.76.10/1,1(8/0)<Root>
  no session found
  flow_first_sanity_check: in <bgroup0>, out <N/A>
  chose interface bgroup0 as incoming nat if.
  flow_first_routing: in <bgroup0>, out <N/A>
  search route to (bgroup0, 10.20.1.51->10.18.76.10) in vr trust-vr for vsd-0/flag-0/ifp-null
  [ Dest] 2294.route 10.18.76.10->10.18.76.10, to ethernet0/4
  routed (x_dst_ip 10.18.76.10) from bgroup0 (bgroup0 in 0) to ethernet0/4
  policy search from zone 2-> zone 2
 policy_flow_search  policy search nat_crt from zone 2-> zone 2
  RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 10.18.76.10, port 19735, proto 1)
  No SW RPC rule match, search HW rule
  Permitted by policy 3
  No src xlate   choose interface ethernet0/4 as outgoing phy if
  no loop on ifp ethernet0/4.
  session application type 0, name None, nas_id 0, timeout 60sec
  service lookup identified service 0.
  flow_first_final_check: in <bgroup0>, out <ethernet0/4>
  existing vector list 1-4250820.
  Session (id:3957) created for first pak 1
  flow_first_install_session======>
  route to 10.18.76.10
  arp entry found for 10.18.76.10
  nsp2 wing prepared, ready
  cache mac in the session
  make_nsp_ready_no_resolve()
  search route to (ethernet0/4, 10.18.76.10->10.20.1.51) in vr trust-vr for vsd-0/flag-3000/ifp-bgroup0
  [ Dest] 5.route 10.20.1.51->10.20.1.51, to bgroup0
  route to 10.20.1.51
  flow got session.
  flow session id 3957
  post addr xlation: 10.20.1.51->10.18.76.10.
 flow_send_vector_, vid = 0, is_layer2_if=0
****** 1713321.0: <Trust/bgroup0> packet received [60]******
  ipid = 18330(479a), @02c42230
  packet passed sanity check.
  bgroup0:10.20.1.51/69->10.18.76.10/1,1(8/0)<Root>
  no session found
  flow_first_sanity_check: in <bgroup0>, out <N/A>
  chose interface bgroup0 as incoming nat if.
  flow_first_routing: in <bgroup0>, out <N/A>
  search route to (bgroup0, 10.20.1.51->10.18.76.10) in vr trust-vr for vsd-0/flag-0/ifp-null
  [ Dest] 2294.route 10.18.76.10->10.18.76.10, to ethernet0/4
  routed (x_dst_ip 10.18.76.10) from bgroup0 (bgroup0 in 0) to ethernet0/4
  policy search from zone 2-> zone 2
 policy_flow_search  policy search nat_crt from zone 2-> zone 2
  RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 10.18.76.10, port 19734, proto 1)
  No SW RPC rule match, search HW rule
  Permitted by policy 3
  No src xlate   choose interface ethernet0/4 as outgoing phy if
  no loop on ifp ethernet0/4.
  session application type 0, name None, nas_id 0, timeout 60sec
  service lookup identified service 0.
  flow_first_final_check: in <bgroup0>, out <ethernet0/4>
  existing vector list 1-4250820.
  Session (id:3927) created for first pak 1
  flow_first_install_session======>
  route to 10.18.76.10
  arp entry found for 10.18.76.10
  nsp2 wing prepared, ready
  cache mac in the session
  make_nsp_ready_no_resolve()
  search route to (ethernet0/4, 10.18.76.10->10.20.1.51) in vr trust-vr for vsd-0/flag-3000/ifp-bgroup0
  [ Dest] 5.route 10.20.1.51->10.20.1.51, to bgroup0
  route to 10.20.1.51
  flow got session.
  flow session id 3927
  post addr xlation: 10.20.1.51->10.18.76.10.
 flow_send_vector_, vid = 0, is_layer2_if=0
  existing vector list 0-2f4ce80.
  existing vector list 0-2f4ce80.
  existing vector list 0-2f4ce80.
  existing vector list 0-2f4ce80.
  existing vector list 0-2f4ce80.
  existing vector list 0-2f4ce80.
  existing vector list 0-2f4ce80.
  existing vector list 0-2f4ce80.
  existing vector list 0-2f4ce80.
  existing vector list 0-2f4ce80.
  existing vector list 0-2f4ce80.
  existing vector list 0-2f4ce80.
  existing vector list 0-2f4ce80.
  existing vector list 0-2f4ce80.
****** 1713326.0: <Trust/bgroup0> packet received [60]******
  ipid = 18343(47a7), @02cde230
  packet passed sanity check.
  bgroup0:10.20.1.51/70->10.18.76.10/1,1(8/0)<Root>
  no session found
  flow_first_sanity_check: in <bgroup0>, out <N/A>
  chose interface bgroup0 as incoming nat if.
  flow_first_routing: in <bgroup0>, out <N/A>
  search route to (bgroup0, 10.20.1.51->10.18.76.10) in vr trust-vr for vsd-0/flag-0/ifp-null
  [ Dest] 2294.route 10.18.76.10->10.18.76.10, to ethernet0/4
  routed (x_dst_ip 10.18.76.10) from bgroup0 (bgroup0 in 0) to ethernet0/4
  policy search from zone 2-> zone 2
 policy_flow_search  policy search nat_crt from zone 2-> zone 2
  RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 10.18.76.10, port 19733, proto 1)
  No SW RPC rule match, search HW rule
  Permitted by policy 3
  No src xlate   choose interface ethernet0/4 as outgoing phy if
  no loop on ifp ethernet0/4.
  session application type 0, name None, nas_id 0, timeout 60sec
  service lookup identified service 0.
  flow_first_final_check: in <bgroup0>, out <ethernet0/4>
  existing vector list 1-4250820.
  Session (id:3941) created for first pak 1
  flow_first_install_session======>
  route to 10.18.76.10
  arp entry found for 10.18.76.10
  nsp2 wing prepared, ready
  cache mac in the session
  make_nsp_ready_no_resolve()
  search route to (ethernet0/4, 10.18.76.10->10.20.1.51) in vr trust-vr for vsd-0/flag-3000/ifp-bgroup0
  [ Dest] 5.route 10.20.1.51->10.20.1.51, to bgroup0
  route to 10.20.1.51
  flow got session.
  flow session id 3941
  post addr xlation: 10.20.1.51->10.18.76.10.
 flow_send_vector_, vid = 0, is_layer2_if=0
ssg20->


Also attached as a .txt if that's easier for you.


Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.