ScreenOS Firewalls (NOT SRX)
Regular Visitor
xyz101

Users unable to get on the internet after NSRP cluster failover

Dear All,

I would appreciate any pointers on this; as a non-security person working on Juniper for the first time, it sometimes gets confusing.

I have two NS5GTs connected to two different ISPs, configured to fail over when the primary link goes down. The failover works fine, but the problem is that internal users can't access the internet when the cluster fails over to the backup device.

An excerpt of the configuration on the backup firewall is posted below.

The same policies are present on both firewalls. The first two DNS servers are for the first ISP, while the third is for the second ISP.

set dns host dns1 194.41.34.24
set dns host dns2 194.41.49.69
set dns host dns3 84.194.255.154

set address "Trust" "172.16.15.0/24" 172.16.15.0 255.255.255.0

set address "Untrust" "194.41.39.151/32" 194.41.39.151 255.255.255.255
set address "Untrust" "84.241.74.32/32" 84.241.74.32 255.255.255.255

set policy id 4 from "Trust" to "Untrust"  "172.16.15.0/24" "Any" "Netbios" deny log
set policy id 4
exit
set policy id 1 from "Trust" to "Untrust"  "172.16.15.0/24" "Any" "ANY" permit log
set policy id 1
exit
set policy id 2 from "Trust" to "Untrust"  "Any" "Any" "ANY" deny log
set policy id 2
exit
set policy id 5 from "Untrust" to "Trust"  "194.41.39.151/32" "MIP(194.41.39.153)" "ANY" permit log
set policy id 5
exit
set policy id 3 from "Untrust" to "Trust"  "Any" "Any" "ANY" deny log
set policy id 3
exit
set policy id 6 from "Untrust" to "Trust"  "Any" "MIP(84.241.74.32)" "ANY" permit log
set policy id 6
exit

set route 0.0.0.0/0 interface ethernet0/0 gateway 194.41.39.151
set route 0.0.0.0/0 interface ethernet0/2 gateway 84.241.74.32 metric 5

I have been told it could be a problem with DNS and that I need to set up a DNS proxy. If this is so, how is this done?

I have also been made to understand that policy 6 is not necessary for the second firewall, as the IP addresses provided by the ISP are not enough to use a MIP (only 2 available addresses, but 3 are required for a MIP, i.e. ADSL router, eth0/2 untrust and MIP). Will simple NAT provide a workaround for this? If so, how?

Regards

Recognized Expert
Sahota

Re: Users unable to get on the internet after NSRP cluster failover

Hi,

Have you been able to check whether the firewall is able to reach the internet after failover?

Log into the CLI and try to ping an IP address on the internet (4.2.2.2).

Then try to source the ping from the trust interface:

ping ip from trust-interface

If this works, check whether a LAN user can ping the firewall's trust IP, then try pinging the internet gateway, and then ping an address on the internet.

Once you complete the tests, they can give more clues.

Thanks.

Hardeep

Distinguished Expert
echidov

Re: Users unable to get on the internet after NSRP cluster failover

Hi,

You have an IP conflict. The second MIP has the same IP as the gateway (84.241.74.32).

If you have no free IPs you can configure a MIP-Same-as-Untrust. Read more on this in Concepts and Examples, vol. Address Translation. I would recommend using the VIP-Same-as-Untrust, but this will be a problem if service Any is used in the policy.

The policies opening all (!) ports inbound are very confusing to me. On the other hand, both policies with MIPs make no sense. Policy 5 opens unrestricted access from the ADSL router IP 194.41.39.151 only. I have no idea what the reason is for having such a policy. Policy 6 cannot be hit due to the IP conflict.

Kind regards,
Edouard
Regular Visitor
xyz101

Re: Users unable to get on the internet after NSRP cluster failover

Many Thanks Edouard,

The documentation you referred me to was very helpful indeed.

I won't be available till next week, but I will try this out and come back to you with the results.

I am most grateful

Regards

Regular Visitor
xyz101

Re: Users unable to get on the internet after NSRP cluster failover

Dear Hardeep,

Many thanks for your helpful pointers.

I will check all this; I will be away for some time, but I will update you as soon as I do.

Regards

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.