Routing
Highlighted
Routing

Routing Problem SSG 140 6.3.0r16.0

‎01-20-2014 04:05 AM

Hi I have 2 SSG 140.

The first device runs correctly. Firmware 6.2.0r5.0
eth0/0 Mode:NAT Trust 192.168.1.1
eth0/1 Mode:NAT DMZ IP-Net.1/24
eth0/2 Mode:Route Untrust IP-Subnet.4/28
eth0/2 Mode:Route Gateway IP-Subnet.7/28

 

The first routes packets:
(DMZ)IP-Net.0/24 -> (Untrust)IP-Subnet.0/28
Default Route 0.0.0.0/0 -> (Untrust)IP-Subnet.7/28

 

 

 

The second SSG140 is on Firmware 6.3.0r16.0 and the device does not route.
Complete reset + ipv6="enabled"
Initial-Configuration:
eth0/0 Mode:NAT Trust 192.168.1.1
eth0/1 Mode:NAT DMZ IP-Subnet.82/28
eth0/2 Mode:Route Untrust IP-Subnet.26/28
eth0/2 Mode:Route Gateway IP-Subnet.19/28

 

The second should route packets from:
(DMZ)IP-Subnet.80/28 -> (Untrust)IP-Subnet.16/28
Default Route 0.0.0.0/0 -> (Untrust)IP-Subnet.19/28
I have set policys from DMZ to Untrust and Untrust to DMZ with options IP-ANY Port-ANY (for testing)
The router IP-Subnet.19/28 knows the Subnet 80/28 and 16/28.

 

Problem is now:
Ping on eth0/1 DMZ IP-Subnet.82/28 successful
Ping on eth0/2 Untrust IP-Subnet.26/28 successful
Ping on eth0/2 Gateway IP-Subnet.19/28 not successful
Ping on 8.8.8.8 not successful

 

When I set in Policys - NAT Source Translation the I got a successful Ping but no Nameresolution or something else.
But the routing on the first device works without NAT Source Translation in Policys.

 

Do I something wrong?
Has the configuration change with routing from 6.2.0 to 6.3.0?
I have no idea.......

 

Thanks a lot for your help.
Regards,
jn-c

4 REPLIES 4
Highlighted
Routing

Re: Routing Problem SSG 140 6.3.0r16.0

‎01-20-2014 05:04 AM

Your issue is not routing but the nat behavior.  

 

The use of interface based nat mode is deprecated and only works under some very specific conditions.  The prefered method is to create nat policies for the traffic as you noticed.

 

To get interface nat to work you must have the exact default zone names on the Untrust, Trust and DMZ interfaces.  And these will only nat traffic in specific directions from Trust/DMZ to Untrust zones.  Spelling must be exact.

 

Also confirm that on eth0/2 you have ping allowed under service options.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
Routing

Re: Routing Problem SSG 140 6.3.0r16.0

[ Edited ]
‎01-20-2014 06:06 AM

Hi ,

 

all options are as you describe.

Spelling is exact the same (default setting) I have changed nothing (all settings are defaults)

Ping is also allowed on all interfaces.

 

During the initial-configuration I have entered the ip address for Untrust+Gateway and DMZ. Then I have created both Policys (all port open). It should still work with this configuration?

 

Regards,
jn-c

Highlighted
Routing

Re: Routing Problem SSG 140 6.3.0r16.0

‎01-20-2014 06:38 AM

Can you run a debug flow basic for the failed traffic?  This will describe the packet processing through the firewall and let us know where the process is failing.

 

expand for debug flow process

Spoiler

DEBUG FLOW BASIC :

==================

 

Prepare the tool

1. undebug all - we are assuring that the debug utility is not already running. 

2. get ffilter - we would expect to get no response. This tells us we have not set up any flow filters as of yet. If you should see filters listed you can delete them with unset ffilter. 

 

Setup the capture

3. set ffilter src-ip x.x.x.x(computer A) dst-ip x.x.x.x(computer B) 

  set ffilter src-ip x.x.x.x(Computer B) dst-ip x.x.x.x(computer A) by doing this we can observe the packets flowing in each direction and where any possible problems may be. Basically we want to define the end points of communication.

 

Capture the traffic

5. clear db - this will clear the debugging cache. 

6. debug flow basic - this turns the debugging utility on. 

7. initiate the traffic you are interested in capturing. 

 

Pull the data

8. undebug all - turns the utility back off.  

9. get db stream - this is the actual packet capture output that we want. 

 

Remove the setup

10.unset ffilter 0 - this will need to be done twice, once for each filter that we set up earlier. 

11.clear db - this will clear the cache.

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
Highlighted
Routing

Re: Routing Problem SSG 140 6.3.0r16.0 (solved)

‎01-26-2014 10:36 PM

Hello,

 

the problem is solved. Thanks for your help.

The settings for the subnet has the wrong ganteway on the router so the router doesn't "know" the way for packets. Now its fixed and still working.

 

Regards,
jn-c

Feedback