Screen OS

  • 1.  Internal cannot reach internet

    Posted 11-20-2019 02:03

    Ethernet0/0 with IP 1.1.1.1, which is connected to the modem.

    I've an existing subnet 192.168.1.0/24 set at interface ethernet0/1. Computers within this subnet can reach the internet.

    Now, I created another subnet 192.168.2.0/24 set at interface ethernet0/2. Computers in this subnet can ping 1.1.1.1, but cannot ping any further.

    1.1.1.1 belongs to untrust zone and using virtual router 1.

    192.168.1.0/24 subnet belongs to the trust zone and uses virtual router 2.

    192.168.2.0/24 subnet uses the newly created DMZ zone and uses virtual router 2 too.

    A default route whose next hop is virtual router 1 was set. 192.168.1.0/24 should use this to reach the internet. I expect 192.168.2.0/24 should use this too.

    Policy from DMZ zone to untrust zone permit all was set.

    I don't see anything missing. I just simply copied the settings from 192.168.1.0/24. I suppose it should work.



  • 2.  RE: Internal cannot reach internet

     
    Posted 11-20-2019 02:16

    Hi,

     

    As you are able to reach 1.1.1.1, it looks like an issue with the source NAT. Please check you have configured NAT for the subnet 192.168.2.0/24, either interface-based NAT or policy-based Src-NAT, so that the reply can route back to the firewall IP.

     

    Thanks and Regards,

    Pradeep Kumar M



  • 3.  RE: Internal cannot reach internet

    Posted 11-20-2019 17:59

    Hello paradkm,

    Found that the ethernet0/2 interface mode was set to "Route". I changed it back to "NAT" (which is the ethernet0/1 setting). But I am still unable to ping an external public IP.



  • 4.  RE: Internal cannot reach internet
    Best Answer

     
    Posted 11-20-2019 18:30

    Hi,

     

    Can you initiate some traffic to the Internet and capture the session output using get session src-ip <Src-IP used>.

     

    You can read the session information using https://kb.juniper.net/InfoCenter/index?page=content&id=KB24728 . If source NAT is being done, can you enable policy based NAT on the already existing policy from DMZ to untrust and check.

     

    Thanks and Regards,

    Pradeep Kumar



  • 5.  RE: Internal cannot reach internet

    Posted 11-20-2019 18:46

    Hello pradkm,

    The real settings are as below:

    ethernet0/4, DMZ, IP 10.10.20.1

    A computer with IP 10.10.20.2

    When pinging 8.8.8.8 from 10.10.20.2, get session shows the logs below:

    SSG140(M)-> get session src-ip 10.10.20.2
    alloc 813/max 48064, alloc failed 0, mcast alloc 0, di alloc failed 0
    total reserved 0, free sessions in shared pool 47251
    Total 31 sessions according filtering criteria.
    id 41497/s**,vsys 0,flag 00000040/0000/0001/0000,policy 50,time 5, dip 0 module 0
     if 8(nspflag 800801):10.10.20.2/27->8.8.8.8/2251,1,0050568af8c4,sess token 13,vlan 0,tun 0,vsd 0,route 25
     if 22(nspflag 800800):10.10.20.2/27<-8.8.8.8/2251,1,54e03296dbc1,sess token 4,vlan 0,tun 0,vsd 0,route 1
    id 41698/s**,vsys 0,flag 00000040/0000/0001/0000,policy 50,time 6, dip 0 module 0
     if 8(nspflag 800801):10.10.20.2/31->8.8.8.8/2251,1,0050568af8c4,sess token 13,vlan 0,tun 0,vsd 0,route 25
     if 22(nspflag 800800):10.10.20.2/31<-8.8.8.8/2251,1,54e03296dbc1,sess token 4,vlan 0,tun 0,vsd 0,route 1
    id 42014/s**,vsys 0,flag 00000040/0000/0001/0000,policy 50,time 5, dip 0 module 0

    Directly pinging from the gateway interface with "ping 8.8.8.8 from ethernet0/4" failed too.

    According to the route IDs:

    route 1 is the default route:

    --------------------------------------------------------------------------------------
             ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
    --------------------------------------------------------------------------------------
    *         1          0.0.0.0/0      ethernet0/0  123.123.123.123  SP   20      1     Root

    route 25 was auto-created by the SSG itself when I enabled ethernet0/4:

    --------------------------------------------------------------------------------------
             ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
    --------------------------------------------------------------------------------------
    *        25      10.10.20.0/24         eth0/4         0.0.0.0   C    0      0     Root

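    Reading the "get session" output pradkm pointed to (KB24728) against the output posted above: the forward wing shows 10.10.20.2 -> 8.8.8.8, and the reverse wing is still addressed to 10.10.20.2 rather than to the egress interface IP, which is what a session with no source NAT looks like. The following Python script is an added example, not part of this thread or of any Juniper tool: it parses session output of that shape and flags sessions where a private source goes to a public destination without the reverse wing being rewritten. The sample text is constructed; the first session copies the shape of the posted output and the second is a made-up session whose reverse wing points at the egress address 123.123.123.123 (the gateway from the posted route table, used here only as a placeholder), so the two cases can be compared.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the shape of ScreenOS `get session src-ip <ip>` output.
# Session 41497 mirrors the posted output (reverse wing still addressed to the
# private host); session 41700 is invented: its reverse wing is addressed to
# the egress interface IP, i.e. source NAT was applied.  Placeholder addresses.
SAMPLE_SESSION_OUTPUT = """\
Total 2 sessions according filtering criteria.
id 41497/s**,vsys 0,flag 00000040/0000/0001/0000,policy 50,time 5, dip 0 module 0
 if 8(nspflag 800801):10.10.20.2/27->8.8.8.8/2251,1,0050568af8c4,sess token 13,vlan 0,tun 0,vsd 0,route 25
 if 22(nspflag 800800):10.10.20.2/27<-8.8.8.8/2251,1,54e03296dbc1,sess token 4,vlan 0,tun 0,vsd 0,route 1
id 41700/s**,vsys 0,flag 00000040/0000/0001/0000,policy 1,time 4, dip 0 module 0
 if 7(nspflag 800801):192.168.1.10/1025->8.8.8.8/53,17,0050568af8c5,sess token 12,vlan 0,tun 0,vsd 0,route 30
 if 22(nspflag 800800):123.123.123.123/1025<-8.8.8.8/53,17,54e03296dbc1,sess token 4,vlan 0,tun 0,vsd 0,route 1
"""

# Session header: "id <n>/...,policy <n>,..."
SESSION_RE = re.compile(r"^id (?P<id>\d+)/\S*,.*?policy (?P<policy>\d+),")
# One wing: "if <idx>(nspflag ...):<left>/<port><dir><right>/<port>,<proto>,...,route <n>"
WING_RE = re.compile(
    r"^\s*if (?P<ifidx>\d+)\(nspflag [0-9a-fA-F]+\):"
    r"(?P<left>\d+\.\d+\.\d+\.\d+)/(?P<lport>\d+)"
    r"(?P<dir>->|<-)"
    r"(?P<right>\d+\.\d+\.\d+\.\d+)/(?P<rport>\d+),"
    r"(?P<proto>\d+),.*?route (?P<route>\d+)\s*$"
)


@dataclass
class Wing:
    ifidx: int
    left: str        # address on the firewall-facing side of this wing
    lport: int
    direction: str   # "->" initiator to responder, "<-" reply wing
    right: str
    rport: int
    proto: int
    route: int       # route id used for this wing (cross-check with get route)


@dataclass
class Session:
    sid: int
    policy: int
    wings: List[Wing] = field(default_factory=list)

    @property
    def forward(self) -> Optional[Wing]:
        return next((w for w in self.wings if w.direction == "->"), None)

    @property
    def reverse(self) -> Optional[Wing]:
        return next((w for w in self.wings if w.direction == "<-"), None)


def parse_sessions(text: str) -> List[Session]:
    """Parse session headers and their wings; unrelated lines are ignored."""
    sessions: List[Session] = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            sessions.append(Session(int(m["id"]), int(m["policy"])))
            continue
        w = WING_RE.match(line)
        if w and sessions:
            sessions[-1].wings.append(Wing(
                int(w["ifidx"]), w["left"], int(w["lport"]), w["dir"],
                w["right"], int(w["rport"]), int(w["proto"]), int(w["route"])))
    return sessions


def source_nat_applied(s: Session) -> Optional[bool]:
    """True if the reply wing is addressed to something other than the
    original source, i.e. the source address was translated. None if the
    session is incomplete (only one wing captured)."""
    fwd, rev = s.forward, s.reverse
    if fwd is None or rev is None:
        return None
    return rev.left != fwd.left


def find_unnatted_egress(sessions: List[Session]) -> List[Session]:
    """Sessions from an RFC1918 source to a public destination with no
    source NAT: replies to these can never find their way back."""
    flagged = []
    for s in sessions:
        fwd = s.forward
        if fwd is None:
            continue
        src = ipaddress.ip_address(fwd.left)
        dst = ipaddress.ip_address(fwd.right)
        if src.is_private and dst.is_global and source_nat_applied(s) is False:
            flagged.append(s)
    return flagged


def report(sessions: List[Session]) -> List[str]:
    """One line per session, for a quick eyeball of the capture."""
    lines = []
    for s in sessions:
        fwd, nat = s.forward, source_nat_applied(s)
        where = f"{fwd.left}->{fwd.right}" if fwd else "(no forward wing)"
        lines.append(f"session {s.sid} policy {s.policy} {where}: source NAT "
                     f"{'applied' if nat else 'NOT applied' if nat is False else 'unknown'}")
    return lines


if __name__ == "__main__":
    parsed = parse_sessions(SAMPLE_SESSION_OUTPUT)
    print("\n".join(report(parsed)))
    for s in find_unnatted_egress(parsed):
        print(f"-> session {s.sid}: private source leaves untranslated via "
              f"route {s.forward.route}; check NAT on policy {s.policy}")
```

On the posted output every session comes out as "source NAT NOT applied", which matches the eventual fix of turning on source translation in the DMZ-to-Untrust policy; the route ids carried on each wing (25 out, 1 back) can be matched against the route table in the same post to confirm routing itself is fine.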

  • 6.  RE: Internal cannot reach internet

    Posted 11-20-2019 19:22

    Hello pradkm,

    After enabling "Source Translation" (DIP on None (Use Egress Interface IP)) in the policy "From DMZ to Untrust", ping to outside works.

    But I wonder why the policy "Trust to Untrust" does not need such a setting.



  • 7.  RE: Internal cannot reach internet

     
    Posted 11-20-2019 21:17

    Hi,

     

    I am glad it's working.

    Interface-based NAT not working in DMZ zone: what I can think of is the use of custom VRs not allowing interface NAT for DMZ.

    If it is trust-vr, interface-based NAT works only for Trust to Untrust and DMZ to Untrust; for other custom zones, you need to enable it on the policy.

     

    Thanks and Regards,

    Pradeep Kumar M