ScreenOS Firewalls (NOT SRX)

Internal cannot reach internet

3 weeks ago

Ethernet0/0 with IP 1.1.1.1, which is connected to the modem.

I have an existing subnet 192.168.1.0/24 set at interface ethernet0/1. Computers within this subnet can reach the internet.

Now, I created another subnet 192.168.2.0/24 set at interface ethernet0/2. Computers in this subnet can ping 1.1.1.1, but cannot ping any further.

1.1.1.1 belongs to the untrust zone and uses virtual router 1.

The 192.168.1.0/24 subnet belongs to the trust zone and uses virtual router 2.

The 192.168.2.0/24 subnet uses the newly created DMZ zone and uses virtual router 2 too.

A default route whose next hop is virtual router 1 was set. 192.168.1.0/24 should use this to reach the internet, and I expect 192.168.2.0/24 to use it too.

A permit-all policy from the DMZ zone to the untrust zone was set.


I don't see anything missing. I simply copied the settings from 192.168.1.0/24, so I suppose it should work.


Re: Internal cannot reach internet

3 weeks ago

Hi,


As you are able to reach 1.1.1.1, it looks like an issue with the source NAT. Please check that you have configured NAT for the subnet 192.168.2.0/24, either interface-based NAT or policy-based source NAT, so that the reply can route back to the firewall IP.


Thanks and Regards,

Pradeep Kumar M


Re: Internal cannot reach internet

2 weeks ago

Hello paradkm,

I found that the ethernet0/2 interface mode was set to "Route". I changed it back to "NAT" (which is the ethernet0/1 setting), but I am still unable to ping an external public IP.

Solution
Accepted by topic author jlotag

Re: Internal cannot reach internet

2 weeks ago

Hi,


Can you initiate some traffic to the Internet and capture the session output using get session src-ip <Src-IP used>.


You can read the session information using https://kb.juniper.net/InfoCenter/index?page=content&id=KB24728 . If source NAT is being done, can you enable policy-based NAT on the already existing policy from DMZ to untrust and check.


Thanks and Regards,

Pradeep Kumar


Re: Internal cannot reach internet

2 weeks ago

Hello pradkm,

The real settings are as below:

ethernet0/4, DMZ, IP 10.10.20.1

A computer with IP 10.10.20.2

When pinging 8.8.8.8 from 10.10.20.2, get session shows the logs below:

SSG140(M)-> get session src-ip 10.10.20.2
alloc 813/max 48064, alloc failed 0, mcast alloc 0, di alloc failed 0
total reserved 0, free sessions in shared pool 47251
Total 31 sessions according filtering criteria.
id 41497/s**,vsys 0,flag 00000040/0000/0001/0000,policy 50,time 5, dip 0 module 0
 if 8(nspflag 800801):10.10.20.2/27->8.8.8.8/2251,1,0050568af8c4,sess token 13,vlan 0,tun 0,vsd 0,route 25
 if 22(nspflag 800800):10.10.20.2/27<-8.8.8.8/2251,1,54e03296dbc1,sess token 4,vlan 0,tun 0,vsd 0,route 1
id 41698/s**,vsys 0,flag 00000040/0000/0001/0000,policy 50,time 6, dip 0 module 0
 if 8(nspflag 800801):10.10.20.2/31->8.8.8.8/2251,1,0050568af8c4,sess token 13,vlan 0,tun 0,vsd 0,route 25
 if 22(nspflag 800800):10.10.20.2/31<-8.8.8.8/2251,1,54e03296dbc1,sess token 4,vlan 0,tun 0,vsd 0,route 1
id 42014/s**,vsys 0,flag 00000040/0000/0001/0000,policy 50,time 5, dip 0 module 0

Directly pinging from the gateway interface with "ping 8.8.8.8 from ethernet0/4" failed too.

According to the route IDs:

Route 1 is the default route:

--------------------------------------------------------------------------------------
         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
--------------------------------------------------------------------------------------
*         1          0.0.0.0/0      ethernet0/0  123.123.123.123  SP   20      1     Root

Route 25 was auto-created by the SSG itself when I enabled ethernet0/4:

--------------------------------------------------------------------------------------
         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
--------------------------------------------------------------------------------------
*        25      10.10.20.0/24         eth0/4         0.0.0.0   C    0      0     Root
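Reading the session output above by hand is error-prone, so here is an added example (not from the thread or from Juniper) that parses the two-leg "get session" entries and flags any session whose return leg still names a private source address, which is the sign that no source NAT was applied. The NO_NAT sample copies the thread's entries; the WITH_NAT sample is a constructed translated session, and its "dip 2" value is illustrative only.

```python
import ipaddress
import re

# Constructed samples in the shape "get session src-ip" prints on ScreenOS.
# NO_NAT copies the two-leg entries from the thread; the return leg (<-)
# still names 10.10.20.2, so nothing on the Internet can route the reply back.
NO_NAT = """\
id 41497/s**,vsys 0,flag 00000040/0000/0001/0000,policy 50,time 5, dip 0 module 0
 if 8(nspflag 800801):10.10.20.2/27->8.8.8.8/2251,1,0050568af8c4,sess token 13,vlan 0,tun 0,vsd 0,route 25
 if 22(nspflag 800800):10.10.20.2/27<-8.8.8.8/2251,1,54e03296dbc1,sess token 4,vlan 0,tun 0,vsd 0,route 1
id 41698/s**,vsys 0,flag 00000040/0000/0001/0000,policy 50,time 6, dip 0 module 0
 if 8(nspflag 800801):10.10.20.2/31->8.8.8.8/2251,1,0050568af8c4,sess token 13,vlan 0,tun 0,vsd 0,route 25
 if 22(nspflag 800800):10.10.20.2/31<-8.8.8.8/2251,1,54e03296dbc1,sess token 4,vlan 0,tun 0,vsd 0,route 1
"""
# WITH_NAT is a hypothetical translated session (constructed, "dip 2" is
# illustrative): the return leg carries the egress interface address
# (1.1.1.1 from the original post) instead of the private host address.
WITH_NAT = """\
id 42100/s**,vsys 0,flag 00000040/0000/0001/0000,policy 50,time 5, dip 2 module 0
 if 8(nspflag 800801):10.10.20.2/35->8.8.8.8/2251,1,0050568af8c4,sess token 13,vlan 0,tun 0,vsd 0,route 25
 if 22(nspflag 800800):1.1.1.1/1035<-8.8.8.8/2251,1,54e03296dbc1,sess token 4,vlan 0,tun 0,vsd 0,route 1
"""

SESSION_RE = re.compile(r"^id (\d+)/\S+,.*?policy (\d+),.*?dip (\d+)")
LEG_RE = re.compile(r"^\s*if (\d+)\(nspflag [0-9a-f]+\):(\S+?)/(\d+)(->|<-)(\S+?)/(\d+),")

def parse_sessions(text):
    """Group each 'id ...' header with the 'if ...' leg lines that follow it."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            sessions.append({"id": int(m.group(1)), "policy": int(m.group(2)),
                             "dip": int(m.group(3)), "legs": []})
            continue
        m = LEG_RE.match(line)
        if m and sessions:
            sessions[-1]["legs"].append({"if": int(m.group(1)), "src": m.group(2),
                                         "dir": m.group(4), "dst": m.group(5)})
    return sessions

def missing_source_nat(session):
    """True when the return leg (<-) still expects the reply at a private
    address, i.e. neither interface nor policy source NAT was applied."""
    return any(leg["dir"] == "<-" and ipaddress.ip_address(leg["src"]).is_private
               for leg in session["legs"])

def untranslated_sessions(text):
    """Return (session id, policy id) for every session that lacks source NAT."""
    return [(s["id"], s["policy"]) for s in parse_sessions(text) if missing_source_nat(s)]
```

The policy id in each flagged tuple points at the DMZ-to-Untrust rule that needs source translation enabled.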

Re: Internal cannot reach internet

2 weeks ago

Hello pradkm,

After enabling "Source Translation" (DIP on None (Use Egress Interface IP)) in the "From DMZ to Untrust" policy, ping to outside works.

But I wonder why the "Trust to Untrust" policy doesn't need such a setting.


Re: Internal cannot reach internet

2 weeks ago

Hi,


I am glad it's working.


Interface-based NAT not working in the DMZ zone: what I can think of is that the use of custom VRs does not allow interface NAT for the DMZ.


If it is the Trust-VR, interface-based NAT works only for Trust-Untrust and DMZ-Untrust; for other custom zones, you need to enable it on the policy.


Thanks and Regards,

Pradeep Kumar M