Greetings Everyone,
I've set up a new VR to isolate my VoIP network from my Data network as much as possible. I've created the VoIP-WAN (eth0/1) and VoIP-LAN (eth0/3) zones and added them to the VoIP-VR. On the Trust-VR I have the Trust (bgroup0/0) and Untrust (eth0/0) zones. The VoIP-WAN and Untrust zones each have a seperate internet connection.
Everything is working as intended with this setup for outbound, but not inbound connections. Specifically, if I try to create VIPs for VoIP-WAN (eth0/1), the traffic will come in eth0/0, will be allowed based on the policy I have created, but return traffic is routed out Untrust (eth0/0):
1.1.1.1 = Remote IP
2.2.2.2 = VoIP-WAN interface
3.3.3.3 = Untrust interface
2.2.2.254 = VoIP-WAN next hop gateway
3.3.3.254 = Untrust next hop gateway
10.0.91.0/24 = VoIP-LAN subnet
****** 436776.0: <VoIP-WAN/ethernet0/1> packet received [52]******
ipid = 30315(766b), @03916418
packet passed sanity check.
flow_decap_vector IPv4 process
ethernet0/1:1.1.1.1/56531->2.2.2.2/10000,6<Root>
no session found
flow_first_sanity_check: in <ethernet0/1>, out <N/A>
self check, not for us
chose interface ethernet0/1 as incoming nat if.
flow_first_routing: in <ethernet0/1>, out <N/A>
search route to (ethernet0/1, 1.1.1.1->10.0.91.9) in vr trust-vr for vsd-0/flag-0/ifp-null
cached route 7 for 10.0.91.9
[ Dest] 7.route 10.0.91.9->3.3.3.254, to ethernet0/0
routed (x_dst_ip 10.0.91.9) from ethernet0/1 (ethernet0/1 in 0) to ethernet0/0
policy search from zone 100-> zone 1
policy_flow_search policy search nat_crt from zone 100-> zone 10
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 2.2.2.2, port 10000, proto 6)
No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 12/12/0x9
Permitted by policy 12
dip id = 2, 1.1.1.1/56531->3.3.3.3/1028
choose interface ethernet0/0 as outgoing phy if
no loop on ifp ethernet0/0.
session application type 0, name None, nas_id 0, timeout 1800sec
service lookup identified service 0.
flow_first_final_check: in <ethernet0/1>, out <ethernet0/0>
existing vector list 103-42657fc.
Session (id:7881) created for first pak 103
flow_first_install_session======>
route to 3.3.3.254
bypass L2 prepare if, nsp ready.
ifp2 ethernet0/0, out_ifp ethernet0/0, flag 10002800, tunnel ffffffff, rc 1
outgoing wing prepared, ready
handle cleartext reverse route
search route to (ethernet0/0, 10.0.91.9->1.1.1.1) in vr VoIP-VR for vsd-0/flag-3000/ifp-ethernet0/1
cached route 7 for 1.1.1.1
[ Dest] 7.route 1.1.1.1->2.2.2.254, to ethernet0/1
route to 2.2.2.254
bypass L2 prepare if, nsp ready.
ifp2 ethernet0/1, out_ifp ethernet0/1, flag 00002801, tunnel ffffffff, rc 1
flow got session.
flow session id 7881
flow_main_body_vector in ifp ethernet0/1 out ifp ethernet0/0
flow vector index 0x103, vector addr 0x42657fc, orig vector 0x42657fc
adjust tcp mss.
tcp seq check.
Got syn, 1.1.1.1(56531)->2.2.2.2(10000), nspflag 0x3801, 0x10002800
post addr xlation: 3.3.3.3->10.0.91.9.
send out through normal path.
flow_ip_send: 766b:3.3.3.3->10.0.91.9,6 => ethernet0/0(52) flag 0x0, vlan 0
packet send out to 2ce412826963 through ethernet0/0
So I know enough to figure out what is causing the problem, but not enough to fix it. Any suggestions would be greatly appreciated.
Thanks,
semose