Netscreen with MIP configured to internal host uses egress interface IP for SNAT and not MIP IP.
Hi, I've got a MIP configured on a NetScreen (v6.3) firewall. The inbound traffic works fine, but when traffic from the internal host leaves to the internet, it doesn't use the MIP external IP address but the WAN egress interface IP.
I thought that MIPs were bidirectional, and I've made sure to have policies in both directions. I've tried other policy combinations that result in the main DIP being used.
I've included some output below:
#### Inbound Policy ####
set interface "loopback.2" mip 188.8.131.52 host 10.21.0.241 netmask 255.255.255.255 vr "trust"
set policy id 28 name "IPSec-80-100-133-185" from "untrust" to "trust" "Any" "MIP(184.108.40.206)" "IPSec" permit log
set policy id 28
set service "UDP-4500"
set service "UDP-500"
set log session-init
exit

### Outbound Policy ###
set policy id 63 name "IPSec-Any-DST" from "trust" to "untrust" "10.21.0.241/32" "Any" "IPSec" permit log
set policy id 63
set service "UDP-4500"
set service "UDP-500"
exit

### Interfaces ###
set interface ethernet0/8.1 ip 10.66.65.246/29
set interface ethernet0/8.1 nat
set interface ethernet0/9.1 ip 220.127.116.11/31
set interface ethernet0/9.1 route
set interface ethernet0/9.1 mtu 1500
### Flow Basic ###
****** 60353039.0: <trust/ethernet0/8.1> packet received ******
ipid = 15211(3b6b), @1d680118
packet passed sanity check.
flow_decap_vector IPv4 process
ethernet0/8.1:10.21.0.241/500->18.104.22.168/500,17<Root>
no session found
flow_first_sanity_check: in <ethernet0/8.1>, out <N/A>
chose interface ethernet0/8.1 as incoming nat if.
flow_first_routing: in <ethernet0/8.1>, out <N/A>
search route to (ethernet0/8.1, 10.21.0.241->22.214.171.124) in vr trust for vsd-0/flag-0/ifp-null
cached route 0 for 126.96.36.199
add route 20 for 188.8.131.52 to route cache table
[ Dest] 20.route 184.108.40.206->220.127.116.11, to ethernet0/9.1
routed (x_dst_ip 18.104.22.168) from ethernet0/8.1 (ethernet0/8.1 in 0) to ethernet0/9.1
policy search from zone 101-> zone 102
policy_flow_search policy search nat_crt from zone 101-> zone 102
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 22.214.171.124, port 500, proto 17)
No SW RPC rule match, search HW rule
*** swrs_search_ip: policy matched id/idx/action = 63/23/0xd ***
*** Permitted by policy 63 ***
*** interface-nat dip id = 2, 10.21.0.241/500->126.96.36.199/3241 ***
choose interface ethernet0/9.1 as outgoing phy if
check nsrp pak fwd: in_tun=0xffffffff, VSD 0 for out ifp ethernet0/9.1
vsd 0 is active
no loop on ifp ethernet0/9.1.
session application type 54, name None, nas_id 0, timeout 60sec
ALG vector is not attached
service lookup identified service 0.
flow_first_final_check: in <ethernet0/8.1>, out <ethernet0/9.1>
existing vector list 221-2cee614.
Session (id:27141) created for first pak 221
flow_first_install_session======>
route to 188.8.131.52
cached arp entry with MAC 000000000000 for 184.108.40.206
arp entry found for 220.127.116.11
ifp2 ethernet0/9.1, out_ifp ethernet0/9.1, flag 10800804, tunnel ffffffff, rc 1
outgoing wing prepared, ready
handle cleartext reverse route
search route to (ethernet0/9.1, 18.104.22.168->10.21.0.241) in vr trust for vsd-0/flag-3000/ifp-ethernet0/8.1
cached route 0 for 10.21.0.241
add route 5 for 10.21.0.241 to route cache table
[ Dest] 5.route 10.21.0.241->10.66.65.241, to ethernet0/8.1
route to 10.66.65.241
cached arp entry with MAC 000000000000 for 10.66.65.241
add arp entry with MAC 00000c9ff5f3 for 10.66.65.241 to cache table
arp entry found for 10.66.65.241
ifp2 ethernet0/8.1, out_ifp ethernet0/8.1, flag 00800805, tunnel ffffffff, rc 1
flow got session.
flow session id 27141
flow_main_body_vector in ifp ethernet0/8.1 out ifp ethernet0/9.1
flow vector index 0x221, vector addr 0x2cee614, orig vector 0x2cee614
vsd 0 is active
post addr xlation: 22.214.171.124->126.96.36.199.
update policy out counter info.
packet send out to 0017dffe7000 through ethernet0/9.1
****** Traffic from source continues to use Internet Interface IP. There is no 'DIP 2' configured... ********
Any help would be appreciated with the behaviour of this.
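Added example, not code from the original post or from Juniper: a small Python checker that reads the `set interface ... mip` line from the configuration and the source-translation line from a ScreenOS `debug flow basic` trace like the one above, and reports whether the new session's source was translated to the host's MIP or to some other address. The regexes assume the line layouts quoted in the post; the function and field names are mine.

```python
import re

# Constructed sample input: the MIP line from the poster's configuration and
# the NAT-related lines from their "debug flow basic" trace, quoted from the page.
MIP_CONFIG = ('set interface "loopback.2" mip 188.8.131.52 host 10.21.0.241 '
              'netmask 255.255.255.255 vr "trust"')
FLOW_TRACE = """\
*** Permitted by policy 63 ***
*** interface-nat dip id = 2, 10.21.0.241/500->126.96.36.199/3241 ***
choose interface ethernet0/9.1 as outgoing phy if
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
MIP_RE = re.compile(rf"\bmip (?P<mip>{IP}) host (?P<host>{IP})")
POLICY_RE = re.compile(r"Permitted by policy (?P<pid>\d+)")
# The "<kind> dip id = N, src/port->xsrc/xport" line reports which source
# translation the flow engine picked for the new session.
NAT_RE = re.compile(rf"\*\*\* (?P<kind>[\w-]+) dip id = (?P<dip>\d+), "
                    rf"(?P<src>{IP})/\d+->(?P<xsrc>{IP})/\d+ \*\*\*")


def parse_mips(config):
    """Return {internal_host: mip_address} from 'set interface ... mip' lines."""
    return {m["host"]: m["mip"] for m in MIP_RE.finditer(config)}


def check_outbound_snat(config, trace):
    """Compare the translated source in a flow trace with the host's MIP.

    uses_mip is False when the session was NATed to an address other than the
    MIP configured for that internal host (e.g. the egress interface IP), and
    None when the trace contains no source-translation line at all.
    """
    policy = POLICY_RE.search(trace)
    result = {"policy": int(policy["pid"]) if policy else None,
              "nat_kind": None, "translated": None, "expected_mip": None,
              "uses_mip": None}
    nat = NAT_RE.search(trace)
    if nat is None:
        return result
    expected = parse_mips(config).get(nat["src"])
    result.update(nat_kind=nat["kind"], dip_id=int(nat["dip"]), src=nat["src"],
                  translated=nat["xsrc"], expected_mip=expected,
                  uses_mip=expected is not None and nat["xsrc"] == expected)
    return result
```

Run against the trace in the post, it reports `nat_kind` `interface-nat`, `translated` `126.96.36.199` and `uses_mip` `False`, which is the mismatch described above stated mechanically.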