Screen OS

  • 1.  VIP on sub interface to destination in another virtual router

    Posted 08-18-2011 08:30

    Hello everyone,

    I have a problem using a VIP on a sub-IF.

    I have a Cable connection in zone "Untrust" on "Trust-VR". 0.0.0.0 goes through this.

    The situation is that I have a DSL connection on "ethernet0/4" assigned to zone "VDSL" and placed in virtual router "Untrust-VR". This connection works fine; we use it for VPN tunnels. Routing to the "Trust" network (placed in "Trust-VR") is configured statically in the routing table for "Untrust-VR".

    My host has assigned me an IP-PACK (/29 network range) that is routed to my DSL connection IP.

    I want to use VIPs on this IP-PACK. I can't configure a VIP on an IP that is not in the range of the interface, even when I configure a secondary IP in the IP-PACK range. However, I can configure a MIP, and when I test this the MIP works fine!

    When I create a sub-IF "ethernet0/4.1" and give it an IP of the range and then configure a MIP, the MIP works fine! If I configure a VIP, it does not error on me, but the VIP doesn't work even though there are policies in place.

    BTW: The MIP and the VIP destination is an IP in the "Trust" zone assigned to the "Trust-VR". Policies are created from "VDSL" to "GLOBAL" with destination MIP(xxxxx) or VIP(xxxxx). Logging of the MIP policy shows successful connections, logging of the VIP policy stays empty.

    Could someone explain to me why a MIP works but a VIP doesn't?

    I think it must have something to do with routing that is different for MIP and VIP and the fact that I have 2 virtual routers in use. The destination belongs to the "Trust" zone in "Trust-VR" and the source is a (sub)interface in the "VDSL" zone in "Untrust-VR".

    Thanks

    Stan



  • 2.  RE: VIP on sub interface to destination in another virtual router

    Posted 08-19-2011 02:58

    After some testing and debugging I came to the following conclusion.

    It doesn't work. Is it because of the cross virtual router, or perhaps because of the sub-interface? No idea.

    In my debugging I would see traffic coming in, and the debugging showed the NetScreen looking for a policy from ethernet0/4 to ethernet0/4.1, so this means from "VDSL" to "VDSL".

    In the WebUI I created a policy from "VDSL" to "VDSL" "ANY" and in the logging it would see the traffic.

    But the traffic wasn't getting translated:

    Date/Time: 2011-08-19 12:11:20
    Source Address/Port: x.x.x.:4935
    Destination Address/Port: y.y.y.y:3389
    Translated Source Address/Port: x.x.x.x:4935
    Translated Destination Address/Port: y.y.y.y:3389
    Service: TCP PORT 3389
    Duration: 5 sec.
    Bytes Sent: 128
    Bytes Received: 0

    I then changed the policy to nat dst-ip 192.168.z.z and that would work! But this isn't the way I want it.

    Date/Time: 2011-08-19 12:11:20
    Source Address/Port: y.y.y.y:4935
    Destination Address/Port: x.x.x.x:3389
    Translated Source Address/Port: y.y.y.y:4935
    Translated Destination Address/Port: 192.168.z.z:3389
    Service: TCP PORT 3389
    Duration: 5 sec.
    Bytes Sent: 128
    Bytes Received: 70

    So I will have to use MIPs, I guess.



  • 3.  RE: VIP on sub interface to destination in another virtual router
    Best Answer

    Posted 08-19-2011 04:27

    Hi!

    A VIP cannot be in a subnet different from the interface IP subnet. The trick with a subinterface would not work unless your ISP creates a subinterface on the CPE device and configures the link to the FW as a trunk. I very much doubt that any ISP would do it.

    1. You can use policy-based dst-NAT and forward traffic to the multiple destination IPs absolutely the same way as the VIP does it (based on the port number).

    2. You can use MIPs if sufficient public IPs are available.

    3. You can configure a loopback interface in the "VDSL" zone and use the IP-Pack for its addressing, MIPs and VIPs. Do not forget to add eth0/4 to the loopback interface group. This is required for the src-NAT on the outgoing connections if you need to NAT them to the IPs from the IP-Pack.
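    As an added example that is not from the thread, this is what option 3 looks like in ScreenOS CLI, using constructed addresses (203.0.113.0/29 as the IP-Pack, 192.168.10.10 and .11 as hosts in the "Trust" zone, which lives in trust-vr) and command syntax as recalled from the ScreenOS documentation, so check it against your release.

```text
# Added example, not the poster's configuration. Lines starting with # are
# annotations, not ScreenOS commands. Constructed values: the routed IP-Pack
# is 203.0.113.0/29; the internal hosts are 192.168.10.10 and 192.168.10.11.

# A loopback interface in the VDSL zone owns the routed IP-Pack. Unlike a
# sub-interface it needs no VLAN tag from the ISP side, and the VIP can sit
# in the loopback's own subnet, which is the VIP rule the answer describes.
set interface loopback.1 zone VDSL
set interface loopback.1 ip 203.0.113.1/29

# ethernet0/4 joins the loopback group so that sessions using the IP-Pack
# addresses (MIP/VIP replies, src-NAT to the IP-Pack) are tied to the
# physical DSL link.
set interface ethernet0/4 loopback-group loopback.1

# MIP: one-to-one mapping. The vr keyword names the virtual router where the
# real host lives, which is how the cross-VR case is handled for a MIP.
set interface loopback.1 mip 203.0.113.2 host 192.168.10.10 netmask 255.255.255.255 vr trust-vr

# VIP: port-based mapping on a second IP-Pack address. ScreenOS needs a
# service object for the port; a custom TCP/3389 service is defined here.
set service "RDP" protocol tcp src-port 0-65535 dst-port 3389-3389
set interface loopback.1 vip 203.0.113.3 3389 "RDP" 192.168.10.11

# Policies from VDSL to the Global zone, logged so hits appear in the traffic
# log the way the MIP policy did in the original post. Only the MIP/VIP
# objects are exposed; no "any to any" policy between zones is needed.
set policy from VDSL to global any mip(203.0.113.2) any permit log
set policy from VDSL to global any vip(203.0.113.3) "RDP" permit log
```

    The static route from untrust-vr to the Trust network that the original poster already has in place is still required, since the VIP itself carries no vrouter option.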



  • 4.  RE: VIP on sub interface to destination in another virtual router

    Posted 08-19-2011 04:54

    I tried the loopback interface and it works excellent!

     

    Thank you very much.