Screen OS

Hi All,

Its been while since I last posted (which is a good thing) but now I have come upon an interesting problem. For many years I have done PBR to redirect http traffic to squiid proxy servers. The last step on the proxy has always been to translate port 80 to port 8080 for squid.

I now have new servers in place that have complicated messing with IP tables to do this kind of redirection. Searching the internet I find this https://kb.juniper.net/InfoCenter/index?page=content&id=KB24139&cat=FIREWALL_IPSEC_VPN&actp=LIST&smlogin=true

Instruction on how to use Destination Translation or NAT DST in a policy to handle the redirection of traffic to the right IP and port. 

It does not work 😞 So now I come to you with hopes of finding the best way to trouble shoot the issue. I did a debug flow but can not see (or do not understand) what the problem is. If you can spot my error I would greatly appreciate it. See debug log below.

If I have missed anything or if more information is needed just let me know.

~~~

Remote Management Console
login: it-management
password:
MIL0803-Westbroward-> unset policy 21
MIL0803-Westbroward-> set ff src-ip 10.8.2.15 dst-ip 74.125.229.208
filter added
MIL0803-Westbroward-> debug flow basic
MIL0803-Westbroward-> debug flow drop
MIL0803-Westbroward-> clear db
MIL0803-Westbroward-> undebug all
MIL0803-Westbroward-> get db str
MIL0803-Westbroward->
MIL0803-Westbroward->
MIL0803-Westbroward-> debug flow basic
MIL0803-Westbroward-> undebug all
MIL0803-Westbroward->
MIL0803-Westbroward-> get db str
****** 184824.0: <Trust/ethernet1> packet received [48]******
ipid = 16946(4232), @c7d02910
packet passed sanity check.
ethernet1:10.8.2.15/1440->74.125.229.208/80,6<Root>
no session found
flow_first_sanity_check: in <ethernet1>, out <N/A>
chose interface ethernet1 as incoming nat if.
flow_first_routing: in <ethernet1>, out <N/A>
search route to (ethernet1, 10.8.2.15->74.125.229.208) in vr trust-vr for vsd-
0/flag-0/ifp-null
PBR lookup params: dst-ip: 74.125.229.208, src-ip: 10.8.2.15, dst-port: 80, src-
port: 1440, protocol: 6, dscp: 0
[PBR route] 1.route 74.125.229.208->10.8.2.10, to ethernet1
routed (x_dst_ip 74.125.229.208) from ethernet1 (ethernet1 in 0) to ethernet1
policy search from zone 2-> zone 2
policy_flow_search policy search nat_crt from zone 2-> zone 2
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 74.1
25.229.208, port 80, proto 6)
No SW RPC rule match, search HW rule
Permitted by policy 28
DST xlate: 74.125.229.208(80) to 10.8.2.10(8080)
search route to (ethernet1, 10.8.2.15->10.8.2.10) in vr trust-vr for vsd-0/fla
g-0/ifp-null
PBR lookup params: dst-ip: 10.8.2.10, src-ip: 10.8.2.15, dst-port: 8080, src-por
t: 1440, protocol: 6, dscp: 0
PBR: no route to (10.8.2.10) in vr trust-vr
[ Dest] 1.route 10.8.2.10->10.8.2.10, to ethernet1
routed (10.8.2.10) from ethernet1 (ethernet1 in 0) to ethernet1
No src xlate choose interface ethernet1 as outgoing phy if
no loop on ifp ethernet1.
session application type 6, name HTTP, nas_id 0, timeout 300sec
service lookup identified service 0.
flow_first_final_check: in <ethernet1>, out <ethernet1>
existing vector list 103-40630f0.
Session (id:31672) created for first pak 103
flow_first_install_session======>
route to 10.8.2.10
arp entry found for 10.8.2.10
nsp2 wing prepared, ready
cache mac in the session
make_nsp_ready_no_resolve()
search route to (ethernet1, 10.8.2.10->10.8.2.15) in vr trust-vr for vsd-0/fla
g-3000/ifp-ethernet1
PBR lookup params: dst-ip: 10.8.2.15, src-ip: 10.8.2.10, dst-port: 1440, src-por
t: 8080, protocol: 6, dscp: 0
PBR: no route to (10.8.2.15) in vr trust-vr
[ Dest] 1.route 10.8.2.15->10.8.2.15, to ethernet1
route to 10.8.2.15
flow got session.
flow session id 31672
adjust tcp mss.
tcp seq check.
Got syn, 10.8.2.15(1440)->74.125.229.208(80), nspflag 0x801801, 0x800800
flow_send_vector_, vid = 0, is_layer2_if=0
packet send out to 00219b4051b6 through ethernet1
****** 184827.0: <Trust/ethernet1> packet received [48]******
ipid = 17487(444f), @c7d17910
packet passed sanity check.
ethernet1:10.8.2.15/1440->74.125.229.208/80,6<Root>
existing session found. sess token 4
flow got session.
flow session id 31672
adjust tcp mss.
tcp seq check.
Got syn, 10.8.2.15(1440)->74.125.229.208(80), nspflag 0x801801, 0x800800
flow_send_vector_, vid = 0, is_layer2_if=0
packet send out to 00219b4051b6 through ethernet1
****** 184833.0: <Trust/ethernet1> packet received [48]******
ipid = 18589(489d), @c7d0b110
packet passed sanity check.
ethernet1:10.8.2.15/1440->74.125.229.208/80,6<Root>
existing session found. sess token 4
flow got session.
flow session id 31672
adjust tcp mss.
tcp seq check.
Got syn, 10.8.2.15(1440)->74.125.229.208(80), nspflag 0x801801, 0x800800
flow_send_vector_, vid = 0, is_layer2_if=0
packet send out to 00219b4051b6 through ethernet1
MIL0803-Westbroward->

Hi Sanga,

From the debugs it seems that we are not getting the reply packet back on firewall.

From my understanding, it is U-turn of traffic which is taking place on eth1/1 interface and because both source and destination are on on same network 10.8.2.x, so reply packet is not getting through the firewall and directly reaching the source machine.

One thing, I can think of that you can try doing source NAT on firewall as well so that reply gets back to firewall.

Hope it helps!

BR,

Swati

WOOHOO!!

set policy id 28 from "Trust" to "Trust" "Any" "Any" "ANY" nat src dst ip 10.8.2.10 port 8080 permit log

You made made me look like a genius. Thanks you very much for getting me over the hump!

Not sure if I should make a new topic. But i just thought of a side effect of this process that may be an issue. 

If i do Src nat and DST nat the proxy logs all internet traffic as coming from the juniper device IP of 10.8.2.1 instead of the IP address of the workstation that was surfing porn or facebook during work hours. Is there a way to work this out so that the 'true' source IP address is shown?

If not I am sure I can find rough work arounds by modifying proxy settings in the browsers of computers that I need to track and just letting everyone else surf via PBR + src/dst NAT

Thanks again

Hi Sanga, 

Glad to know that source NAT made it work!!

For your setup, I can't think of any other solution for this problem on frewall. Not sure if you can tweak your setup/settings at network or proxy level to have traffic reflected with real IP address.

BR,

Swati

Looks like I may have to use iptables to redirect port 80. The juniper is reporting all traffic as the juniper IP address before it even makes it to the proxy. I was hoping to avoid messing with IPtables to keep things simple, but alas life doesnt always work that way.

For this specific situation I need to log source IP addresses of rouge traffic. For others where the filter is needed but logs are not, I will use the src/dst NAT feature in the policy.

Thanks again!