Screen OS


Very disappointed about dst-NAT in SSG5

  • 1.  Very disappointed about dst-NAT in SSG5

    Posted 08-22-2009 19:22
    Dears,
           I have a problem with making a destination NAT on an SSG5 running 5.0.0r9.0. The scenario is as follows:

    ADSL MODEM <--->  Netscreen 5XT <----> My internal Server 
    (Bridge Mode)        (PPPoe on Untrust)         (192.168.1.33)

    1.) The ADSL modem is working as a bridge.
    2.) A PPPoE connection is terminated on the Untrust interface of the SSG5 with a real IP x.x.x.x.
    3.) My internal server obtains 192.168.1.33 from the DHCP server on the Trust interface of the SSG.

    All I want is that when a host on the Internet tries to connect with any service (ping, HTTP, etc.) to my real IP x.x.x.x, the traffic is redirected to the internal server.

    I have tried the following recipe from http://kb.juniper.net/KB12631


    Server Public IP address is on a different network than the Firewall's Untrust Interface IP address

    set address trust server-a-pub  x.x.x.x/32
    set interface ethernet0/0 zone trust
    set route x.x.x.x/32 int untrust
    set route 192.168.1.33 int trust
    set policy from untrust to trust any server-a-pub ping nat dst ip 192.168.1.33 permit

    I have been trying to do that for around three days, trying VIP and dst NAT to make it work, with no hope. I am very disappointed about that. If there are any restrictions related to the box... I believe that this can be done with dst-NAT and I hope to make it work. So kindly help me with this issue.

    Thanks in advance.


  • 2.  RE: Very disappointed about dst-NAT in SSG5

    Posted 08-22-2009 20:11

    Hi

    What IP has been set on your internal eth (trust)?

    I know some ScreenOS versions don't support using the same public IP for NAT that has been set on the untrust interface. What is the subnet of your public address X.X.X.X/?

    Could you try a VIP configuration like the example through this link:

    http://kb.juniper.net/index?page=content&id=KB4740&actp=search&searchid=1250996684663

    Let us know.

    Thanks



  • 3.  RE: Very disappointed about dst-NAT in SSG5

    Posted 08-23-2009 07:28

    First of all I want to thank you for your reply. About the VIP configuration link: it works for me and I was very happy about that. The destination NAT still does not work for me. About your questions:

    1.) What IP has been set on your internal eth (trust)?

    >> I used the DHCP server on the trust interface, which gives 192.168.1.0/24, and my internal host obtains 192.168.1.33.

    2.) What is the subnet of your public address X.X.X.X/?

    >> 41.236.189.91. I obtain it from the PPPoE connection from my ISP, which is terminated on the Untrust zone.

    So please, if you have any idea how I can make the dst NAT work, I will be thankful.

    Thanks again for your effort.



  • 4.  RE: Very disappointed about dst-NAT in SSG5

    Posted 08-23-2009 10:49

    Hi,

    Please try this way:

    1) Create static ARP entries on upstream devices
    2) Enable hidden ScreenOS command 'set arp nat-dst'
    3) Create DIP pool on ingress interface

    For further explanation you can see this KB:

    http://kb.juniper.net/index?page=content&id=KB10174&actp=search&searchid=1251049371323

    Please let me know the result.

     

    Thanks

     

    EL



  • 5.  RE: Very disappointed about dst-NAT in SSG5

    Posted 08-23-2009 15:26

    Thanks EL,

               For your info, my design is as follows:

                        "Any public host on the internet"
                                       |
                                   Internet
                                       |
        SSG5 Untrust interface, PPPoE terminated on it, obtains 41.236.189.91
                                       |
        SSG5 Trust interface, DHCP server on it, offers 192.168.1.0/24
                                       |
        My internal host 192.168.1.33, to which the traffic should be redirected

     

    I have tried the three methods you mentioned and no traffic is redirected to the internal host.

    Here is the NAT command I have applied:

    set policy id 7 from "Untrust" to "Trust"  "Any public IP from internet" "41.236.189.91/32

    I'm waiting for your reply...

     



  • 6.  RE: Very disappointed about dst-NAT in SSG5

    Posted 08-24-2009 04:56

    Hi

     

    I think you should change the route from

    set route x.x.x.x/32 int untrust

    to

    set route x.x.x.x/32 int trust


    Thanks

     

    EL



  • 7.  RE: Very disappointed about dst-NAT in SSG5

    Posted 08-24-2009 06:50

    Thanks EL,

               I tried to use the command set route x.x.x.x/32 int trust, with no hope. So is there any way to make this work? Anyway, thanks for your help.



  • 8.  RE: Very disappointed about dst-NAT in SSG5

    Posted 08-24-2009 07:32

    Hi

    Please execute debug flow basic with a specific filter to learn what causes the dst NAT to fail. If you don't mind, also share the configuration.


    Thanks

     

    EL



  • 9.  RE: Very disappointed about dst-NAT in SSG5

    Posted 08-24-2009 08:11

    About debug flow basic: no debugging info appears on the screen. I also enabled logging on the policy, but it doesn't log anything.

    Hereunder is my firewall configuration:

     

    set clock timezone 0
    set vrouter trust-vr sharable
    unset vrouter "trust-vr" auto-route-export
    set auth-server "Local" id 0
    set auth-server "Local" server-name "Local"
    set auth default auth server "Local"
    set admin name "root"
    set admin password "REMOVED FOR SECURITY ISSUES"
    set admin port 8080
    set admin auth timeout 0
    set admin auth server "Local"
    set admin format dos
    set zone "Trust" vrouter "trust-vr"
    set zone "Untrust" vrouter "trust-vr"
    set zone "VLAN" vrouter "trust-vr"
    set zone "Trust" tcp-rst
    set zone "Untrust" block
    unset zone "Untrust" tcp-rst
    set zone "MGT" block
    set zone "VLAN" block
    set zone "VLAN" tcp-rst
    unset zone "Untrust" screen tear-drop
    unset zone "Untrust" screen syn-flood
    unset zone "Untrust" screen ping-death
    unset zone "Untrust" screen ip-filter-src
    unset zone "Untrust" screen land
    set zone "V1-Untrust" screen tear-drop
    set zone "V1-Untrust" screen syn-flood
    set zone "V1-Untrust" screen ping-death
    set zone "V1-Untrust" screen ip-filter-src
    set zone "V1-Untrust" screen land
    set interface "trust" zone "Trust"
    set interface "untrust" zone "Untrust"
    set interface "loopback.1" zone "Trust"
    set interface vlan1 ip 1.1.1.2/24
    set interface trust ip 192.168.1.1/24
    set interface trust nat
    set interface untrust ip 41.236.189.91/32
    set interface untrust route
    set interface loopback.1 ip 10.10.10.10/32
    set interface loopback.1 nat
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip
    set interface vlan1 ip manageable
    set interface trust ip manageable
    set interface untrust ip manageable
    set interface loopback.1 ip manageable
    set interface untrust vip untrust
    set interface trust dhcp server service
    set interface trust dhcp server auto
    set interface trust dhcp server option gateway 192.168.1.1
    set interface trust dhcp server option netmask 255.255.255.0
    set interface trust dhcp server option dns1 4.2.2.2
    set interface trust dhcp server ip 192.168.1.33 to 192.168.1.126
    set flow tcp-mss 1392
    set flow all-tcp-mss 1304
    set hostname ns5xt
    set dns host dns1 4.2.2.2
    set dns host dns2 4.2.2.2

    set policy id 9 from "Untrust" to "Trust"  "Any" "41.236.189.91/32" "HTTP" nat dst ip 192.168.1.33 permit log
    set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "DNS" nat src permit
    set policy id 1
    set service "HTTP"
    set service "HTTPS"
    set service "IKE"
    set service "SSH"
    exit
    set pppoe name "PPPOE1"
    set pppoe name "PPPOE1" username "REMOVED FOR SECURITY ISSUES" password "REMOVED FOR SECURITY ISSUES"
    set pppoe name "PPPOE1" interface untrust
    unset pppoe name "REMOVED FOR SECURITY ISSUES" update-dhcpserver
    set log module system level emergency destination console
    set log module system level alert destination console
    set log module system level critical destination console
    set log module system level error destination console
    set log module system level warning destination console
    set log module system level notification destination console
    set log module system level information destination console
    set log module system level debugging destination console
    set log module system level error destination webtrends
    set log module system level warning destination webtrends
    set log module system level information destination webtrends
    set log module system level debugging destination webtrends
    set ssh version v2
    set ssh enable
    set scp enable
    set config lock timeout 5
    set ntp server "0.0.0.0"
    set ntp server backup1 "0.0.0.0"
    set ntp server backup2 "0.0.0.0"
    set modem speed 115200
    set modem retry 3
    set modem interval 10
    set modem idle-time 10
    set snmp port listen 161
    set snmp port trap 162
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset add-default-route
    exit




  • 10.  RE: Very disappointed about dst-NAT in SSG5

    Posted 08-24-2009 08:32

    Do you set a static IP on the untrust interface? What is the default gateway setting? Why did you set a vlan1 IP? And why do you use interface loopback.1?


    Thanks

     

    EL



  • 11.  RE: Very disappointed about dst-NAT in SSG5

    Posted 08-24-2009 09:11

    I have a static IP on the untrust zone; I got it from the termination of PPPoE from my ISP, and the IP is shown above: 41.236.189.91.

    I set the vlan1 and loopback.1 for practicing for my JNCIA certificate, nothing more, and I think it will not affect the NAT configuration.

    Thanks



  • 12.  RE: Very disappointed about dst-NAT in SSG5
    Best Answer

    Posted 08-25-2009 05:06

    Hi Firewall_00

     

    When I looked at your config more deeply and did some research, I think you cannot use nat-dst with the same IP as the untrust interface. You can use a VIP to replace the current configuration.

    You can look at more detail in this KB:

    http://kb.juniper.net/KB12608

     

    ----

    • Is the Server Public IP address the same IP Address as the Firewall's external/public interface?
      If so, policy NAT-Dst cannot be used. Instead, configure with a VIP. Follow the 'Server Public IP Address is the same IP Address as the Firewall's Untrust interface IP address' below.

    ---

     

    Please let me know your thoughts.

     

    Thanks

     

    EL
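    As an added audit example for this thread (not Juniper's code and not from any poster): a small Python parser over ScreenOS saved-config lines that flags the condition the KB above describes, a policy nat-dst rule whose destination is the firewall's own interface IP in the policy's source zone, and points at the VIP alternative. The sample configuration is constructed from the lines posted in this thread; the address-book entry "server-a-pub" in the Untrust zone and policy id 12 are assumed additions to show name resolution as well as the literal form.

```python
"""Audit a ScreenOS saved config for policy nat-dst rules that target the
firewall's own interface IP.  Added example for this thread, not Juniper code:
per the KB quoted in the accepted answer, such a rule must be a VIP instead."""
import re

# Constructed sample, trimmed from the poster's configuration (public IP as posted).
SAMPLE_CONFIG = """
set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust"
set interface trust ip 192.168.1.1/24
set interface untrust ip 41.236.189.91/32
set address "Untrust" "server-a-pub" 41.236.189.91/32
set policy id 9 from "Untrust" to "Trust"  "Any" "41.236.189.91/32" "HTTP" nat dst ip 192.168.1.33 permit log
set policy id 12 from "Untrust" to "Trust"  "Any" "server-a-pub" "PING" nat dst ip 192.168.1.33 permit
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "DNS" nat src permit
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
ZONE_RE = re.compile(r'^set interface "?([\w./-]+)"? zone "([^"]+)"')
IFIP_RE = re.compile(r'^set interface "?([\w./-]+)"? ip ' + IPV4 + r"/\d+")
ADDR_RE = re.compile(r'^set address "?([^" ]+)"? "?([^" ]+)"? ' + IPV4 + r"/\d+")
POLICY_RE = re.compile(  # only policies carrying a nat-dst action are of interest
    r'^set policy id (\d+) from "([^"]+)" to "([^"]+)"\s+"([^"]+)"\s+"([^"]+)"\s+"([^"]+)"'
    r"\s+nat dst ip " + IPV4)


def find_nat_dst_on_interface_ip(config: str) -> list:
    """One finding per nat-dst policy whose destination is an interface IP in its from-zone."""
    iface_zone, iface_ip, addr_book, policies = {}, {}, {}, []
    for raw in config.splitlines():
        line = raw.strip()
        if m := ZONE_RE.match(line):
            iface_zone[m.group(1)] = m.group(2)
        elif m := IFIP_RE.match(line):
            iface_ip[m.group(1)] = m.group(2)
        elif m := ADDR_RE.match(line):
            addr_book[m.group(2)] = m.group(3)      # address-book name -> IP
        elif m := POLICY_RE.match(line):
            policies.append(m.groups())
    zone_ips = {}  # zone -> IPs the firewall itself owns there
    for name, ip in iface_ip.items():
        zone_ips.setdefault(iface_zone.get(name), set()).add(ip)
    findings = []
    for pid, from_zone, _to, _src, dst, svc, nat_ip in policies:
        dst_ip = addr_book.get(dst, dst.split("/")[0])  # name or literal a.b.c.d/32
        if dst_ip in zone_ips.get(from_zone, set()):
            findings.append({"policy": int(pid), "service": svc, "dst": dst_ip,
                             "nat_dst": nat_ip,
                             "fix": f"use a VIP on the {from_zone} interface, not policy nat-dst"})
    return findings
```

    Run against the full posted configuration, it flags policy 9 for exactly the reason the KB gives; the Trust-to-Untrust source-NAT policy is untouched.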




  • 13.  RE: Very disappointed about dst-NAT in SSG5

    Posted 08-25-2009 06:36

    Many thanks for continuing to support me. Yes, there is a restriction when the server public IP address is the same IP address as the firewall's Untrust interface. I have used VIP instead and it works fine. Thanks to you and to mehdi also.