Screen OS

Hi,

I'm running into a nat mess on the netscreen.

where running the latest build of 6.1.

The situation requires us to nat a server for specific flows outbound (using DIP) & inbound (using policy dst-nat) .

a MIP cannot be used as it would translate all traffic, which will break certain flows.

when we configured both the DIP & the policy dst-nat the DIP policies where working but not the dst nat.

In the log you could see:

****** 114826.0: <FW/ethernet0/2> packet received [48]******
  ipid = 5353(14e9), @2d6a6110
  packet passed sanity check.
  ethernet0/2:x.x.x.x/4080->y.y.y.y/80,6<Root>
  no session found
  flow_first_sanity_check: in <ethernet0/2>, out <N/A>
  chose interface ethernet0/2 as incoming nat if.
  packet dropped: for self but not interested

Is this kind of configuration supported? A policy dst nat with the same ip of a dip ?

tnx for the replies!

Hi Bart,

You are probably using 6.1r5.

There was a fix that was commited in this release that disabled nat-dst to be used for the addresses that have DIP defined.

You can find this in release notes for 6.1r5:

This has been fixed in 6.1r6 so now you can again have the configuration that you have mentioned:

Please upgrade to 6.1r6.

Thanks,

Nemanja

Hi Nemanja,

You are correct, we are using r5.

I opened the release notes of r5 & r6 , but I cannot find this info? Can you provide me with a bugid ?

Much appreciated,

Bart

Hi Bard,

In 6.1r5 this is the fix that brakes the functionallity:

■ 308572—Pinging a DIP IP address results in routing loop with upstream device.

Unfortunatelly in 6.1r6  release notes it is not stated that it is again possible to combine dip and nat-dst for the same address in the config. But I know that it is fixed 🙂

Thanks,

Nemanja