ScreenOS Firewalls (NOT SRX)

Netscreen with MIP configured to internal host uses egress interface IP for SNAT and not MIP IP.

[ Edited ] 02-01-2019 02:44 AM

Hi, I've got a MIP configured on a NetScreen (v6.3) firewall. The inbound traffic works fine, but when traffic from the internal host leaves to the internet it doesn't use the MIP external IP address; it uses the WAN egress interface IP instead.

I thought that MIPs were bidirectional, and I've made sure to have policies in both directions. I've tried other policy combinations that result in the main DIP being used.

I've included some output below:

#### Inbound Policy ####
set interface "loopback.2" mip 80.100.133.185 host 10.21.0.241 netmask 255.255.255.255 vr "trust"
set policy id 28 name "IPSec-80-100-133-185" from "untrust" to "trust" "Any" "MIP(80.100.133.185)" "IPSec" permit log
set policy id 28
set service "UDP-4500"
set service "UDP-500"
set log session-init
exit

### Outbound Policy ###
set policy id 63 name "IPSec-Any-DST" from "trust" to "untrust" "10.21.0.241/32" "Any" "IPSec" permit log
set policy id 63
set service "UDP-4500"
set service "UDP-500"
exit


### Interfaces ###
set interface ethernet0/8.1 ip 10.66.65.246/29
set interface ethernet0/8.1 nat
set interface ethernet0/9.1 ip 23.20.152.244/31
set interface ethernet0/9.1 route
set interface ethernet0/9.1 mtu 1500


### Flow Basic ###

****** 60353039.0: <trust/ethernet0/8.1> packet received [212]******
ipid = 15211(3b6b), @1d680118
packet passed sanity check.
flow_decap_vector IPv4 process
ethernet0/8.1:10.21.0.241/500->50.60.253.153/500,17<Root>
no session found
flow_first_sanity_check: in <ethernet0/8.1>, out <N/A>
chose interface ethernet0/8.1 as incoming nat if.
flow_first_routing: in <ethernet0/8.1>, out <N/A>
search route to (ethernet0/8.1, 10.21.0.241->50.60.253.153) in vr trust for vsd-0/flag-0/ifp-null
cached route 0 for 50.60.253.153
add route 20 for 50.60.253.153 to route cache table
[ Dest] 20.route 50.60.253.153->23.20.152.245, to ethernet0/9.1
routed (x_dst_ip 50.60.253.153) from ethernet0/8.1 (ethernet0/8.1 in 0) to ethernet0/9.1
policy search from zone 101-> zone 102
policy_flow_search policy search nat_crt from zone 101-> zone 102
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 50.60.253.153, port 500, proto 17)
No SW RPC rule match, search HW rule
*** swrs_search_ip: policy matched id/idx/action = 63/23/0xd ***
*** Permitted by policy 63 ***
*** interface-nat dip id = 2, 10.21.0.241/500->23.20.152.244/3241 ***
choose interface ethernet0/9.1 as outgoing phy if
check nsrp pak fwd: in_tun=0xffffffff, VSD 0 for out ifp ethernet0/9.1
vsd 0 is active
no loop on ifp ethernet0/9.1.
session application type 54, name None, nas_id 0, timeout 60sec
ALG vector is not attached
service lookup identified service 0.
flow_first_final_check: in <ethernet0/8.1>, out <ethernet0/9.1>
existing vector list 221-2cee614.
Session (id:27141) created for first pak 221
flow_first_install_session======>
route to 23.20.152.245
cached arp entry with MAC 000000000000 for 23.20.152.245
arp entry found for 23.20.152.245
ifp2 ethernet0/9.1, out_ifp ethernet0/9.1, flag 10800804, tunnel ffffffff, rc 1
outgoing wing prepared, ready
handle cleartext reverse route
search route to (ethernet0/9.1, 50.60.253.153->10.21.0.241) in vr trust for vsd-0/flag-3000/ifp-ethernet0/8.1
cached route 0 for 10.21.0.241
add route 5 for 10.21.0.241 to route cache table
[ Dest] 5.route 10.21.0.241->10.66.65.241, to ethernet0/8.1
route to 10.66.65.241
cached arp entry with MAC 000000000000 for 10.66.65.241
add arp entry with MAC 00000c9ff5f3 for 10.66.65.241 to cache table
arp entry found for 10.66.65.241
ifp2 ethernet0/8.1, out_ifp ethernet0/8.1, flag 00800805, tunnel ffffffff, rc 1
flow got session.
flow session id 27141
flow_main_body_vector in ifp ethernet0/8.1 out ifp ethernet0/9.1
flow vector index 0x221, vector addr 0x2cee614, orig vector 0x2cee614
vsd 0 is active
post addr xlation: 23.20.152.244->50.60.253.153.
update policy out counter info.
packet send out to 0017dffe7000 through ethernet0/9.1


****** Traffic from source continues to use Internet Interface IP. There is no 'DIP 2' configured.... ********

Any help would be appreciated with the behaviour of this.

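The flow trace above is the evidence for the symptom: the first-packet line shows the internal host 10.21.0.241, the `interface-nat dip id = 2` line shows interface-based source NAT being applied, and `post addr xlation` shows the egress address 23.20.152.244 rather than the MIP 80.100.133.185. The script below is an added example, not part of the post and not ScreenOS tooling; it reads the lines of a `debug flow basic` trace that matter for a source-NAT question, reads the `set interface ... mip` lines from the config, and reports whether the translated source is the host's MIP. The regular expressions assume the 6.3 trace wording shown in the post; the second, "post-fix" trace is constructed by hand to show what the check accepts, not captured from a device, so a real post-fix trace may read differently.

```python
import re

# Lines copied from the poster's "debug flow basic" output above (the full trace is
# longer; only the lines this check reads are kept).
FLOW_TRACE = """\
ethernet0/8.1:10.21.0.241/500->50.60.253.153/500,17<Root>
*** Permitted by policy 63 ***
*** interface-nat dip id = 2, 10.21.0.241/500->23.20.152.244/3241 ***
choose interface ethernet0/9.1 as outgoing phy if
post addr xlation: 23.20.152.244->50.60.253.153.
"""

# Constructed (not captured) trace of what the check should accept once the host
# leaves as its MIP; the real wording of a post-fix trace may differ.
FIXED_TRACE = """\
ethernet0/8.1:10.21.0.241/500->50.60.253.153/500,17<Root>
choose interface ethernet0/9.1 as outgoing phy if
post addr xlation: 80.100.133.185->50.60.253.153.
"""

# The MIP definition exactly as posted.
MIP_CONFIG = ('set interface "loopback.2" mip 80.100.133.185 host 10.21.0.241 '
              'netmask 255.255.255.255 vr "trust"\n')

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
MIP_RE = re.compile(r'^set interface "?(?P<ifname>[^"\s]+)"? mip (?P<mip>' + IP +
                    r') host (?P<host>' + IP + r')')
FIRST_PKT_RE = re.compile(r'^(?P<in_if>[^:\s]+):(?P<src>' + IP + r')/\d+->(?P<dst>' +
                          IP + r')/\d+,(?P<proto>\d+)')
DIP_RE = re.compile(r'interface-nat dip id = (?P<dip_id>\d+), (?P<src>' + IP +
                    r')/\d+->(?P<xlat>' + IP + r')/\d+')
OUT_IF_RE = re.compile(r'^choose interface (?P<out_if>\S+) as outgoing phy if')
XLAT_RE = re.compile(r'^post addr xlation: (?P<xsrc>' + IP + r')->(?P<xdst>' + IP + r')\.?$')


def parse_mips(config_text):
    """Map each internal host to (MIP address, interface the MIP is bound to)."""
    mips = {}
    for line in config_text.splitlines():
        m = MIP_RE.match(line.strip())
        if m:
            mips[m.group("host")] = (m.group("mip"), m.group("ifname"))
    return mips


def parse_flow_trace(trace_text):
    """Extract the fields that decide a source-NAT question from one flow trace."""
    info = {}
    for raw in trace_text.splitlines():
        line = raw.strip()
        if "src" not in info and (m := FIRST_PKT_RE.match(line)):
            info.update(in_if=m.group("in_if"), src=m.group("src"), dst=m.group("dst"))
        elif m := DIP_RE.search(line):
            info.update(dip_id=int(m.group("dip_id")), dip_xlat=m.group("xlat"))
        elif m := OUT_IF_RE.match(line):
            info["out_if"] = m.group("out_if")
        elif m := XLAT_RE.match(line):
            info["xlated_src"] = m.group("xsrc")
    return info


def check_source_nat(trace, mips):
    """Return (ok, message); ok is True only when the translated source is the host's MIP."""
    src, xlated = trace.get("src"), trace.get("xlated_src")
    if src is None or xlated is None:
        return False, "trace incomplete: first-packet or post-translation line not found"
    if src not in mips:
        return True, f"{src} has no MIP; interface NAT to {xlated} is the expected behaviour"
    mip, bound_if = mips[src]
    if xlated == mip:
        return True, f"{src} leaves as its MIP {mip}"
    return False, (f"{src} leaves as {xlated} via {trace.get('out_if')} "
                   f"(interface-nat dip id {trace.get('dip_id')}), not as MIP {mip}; "
                   f"the MIP is bound to {bound_if}, not to the egress interface")


if __name__ == "__main__":
    mips = parse_mips(MIP_CONFIG)
    for label, trace in (("as posted", FLOW_TRACE), ("constructed post-fix", FIXED_TRACE)):
        ok, msg = check_source_nat(parse_flow_trace(trace), mips)
        print(f"[{label}] {'OK ' if ok else 'BAD'} {msg}")
```

Run against the posted trace the check reports BAD and names the loopback binding; against the constructed trace it reports OK. The same functions can be pointed at any saved `debug flow basic` capture and a `get config` dump to confirm, before and after a change, which address a MIP'd host actually leaves with.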
4 REPLIES

Solution
Accepted by topic author xn, 02-06-2019 12:17 PM

Re: Netscreen with MIP configured to internal host uses egress interface IP for SNAT and not MIP IP.

02-01-2019 02:47 AM

You will need to create the MIP on interface 9.1 instead of the loopback interface.


Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Netscreen with MIP configured to internal host uses egress interface IP for SNAT and not MIP IP.

02-01-2019 02:57 AM

Thank you so much. I had a feeling about that, but I am new to the NetScreens so wasn't sure. It's something that wasn't obvious to me from the documentation.

I and many, many others on this forum appreciate your help.

I'll let you know after I get around to testing this!


Re: Netscreen with MIP configured to internal host uses egress interface IP for SNAT and not MIP IP.

02-01-2019 03:24 AM

Just another question, please: I've got my other VIP configured like this; will those behave in the same way?

I will ensure that routes are in place to the internal destination (mapped IP).

Sorry if this is asking too much.

set interface "loopback.2" zone "untrust"
set interface loopback.2 ip 80.100.133.161/27
set interface loopback.2 route
set interface loopback.2 manage ping
set interface loopback.2 vip 80.100.133.170 443 "HTTPS" 10.0.99.211
set interface loopback.2 vip 80.100.133.170 + 4172 "TCP-UDP-4172" 10.0.99.211
set interface "loopback.2" mip 80.100.133.162 host 10.21.0.211 netmask 255.255.255.255 vr "trust"
set interface "loopback.2" mip 80.100.133.163 host 10.21.0.212 netmask 255.255.255.255 vr "trust"
set interface "loopback.2" mip 80.100.133.184 host 10.21.0.237 netmask 255.255.255.255 vr "trust"
set interface "loopback.2" mip 80.100.133.182 host 10.21.0.235 netmask 255.255.255.255 vr "trust"
set interface "loopback.2" mip 80.100.133.183 host 10.21.0.240 netmask 255.255.255.255 vr "trust"
set interface "loopback.2" mip 80.100.133.179 host 10.21.0.224 netmask 255.255.255.255 vr "trust"
set interface "loopback.2" mip 80.100.133.177 host 10.21.0.233 netmask 255.255.255.255 vr "trust"
set interface "loopback.2" mip 80.100.133.180 host 10.21.0.230 netmask 255.255.255.255 vr "trust"
set interface "loopback.2" mip 80.100.133.178 host 10.21.0.229 netmask 255.255.255.255 vr "trust"
set interface "loopback.2" mip 80.100.133.185 host 10.21.0.241 netmask 255.255.255.255 vr "trust"
set interface "loopback.2" mip 80.100.133.186 host 10.21.0.251 netmask 255.255.255.255 vr "trust"
set interface "loopback.2" mip 80.100.133.170 host 10.21.0.190 netmask 255.255.255.255 vr "trust"
set interface "loopback.2" mip 80.100.133.171 host 10.21.0.191 netmask 255.255.255.255 vr "trust"
set interface "loopback.2" mip 80.100.133.172 host 10.21.0.192 netmask 255.255.255.255 vr "trust"
set interface "loopback.2" mip 80.100.133.173 host 10.21.0.193 netmask 255.255.255.255 vr "trust"
set interface "loopback.2" mip 80.100.133.174 host 10.21.0.200 netmask 255.255.255.255 vr "trust"
set interface "loopback.2" mip 80.100.133.164 host 10.21.0.201 netmask 255.255.255.255 vr "trust"
set interface "loopback.2" mip 80.100.133.165 host 10.21.0.202 netmask 255.255.255.255 vr "trust"
set interface "loopback.2" mip 80.100.133.166 host 10.21.0.203 netmask 255.255.255.255 vr "trust"
set interface "loopback.2" mip 80.100.133.167 host 10.21.0.204 netmask 255.255.255.255 vr "trust"
set interface "loopback.2" mip 80.100.133.168 host 10.21.0.205 netmask 255.255.255.255 vr "trust"
set interface "loopback.2" mip 80.100.133.169 host 10.21.0.207 netmask 255.255.255.255 vr "trust"
set interface "loopback.2" mip 80.100.133.175 host 10.21.0.215 netmask 255.255.255.255 vr "trust"
set interface "loopback.2" mip 80.100.133.176 host 10.21.0.216 netmask 255.255.255.255 vr "trust"
set interface "loopback.2" mip 80.100.133.187 host 10.21.0.206 netmask 255.255.255.255 vr "trust"
set interface "loopback.2" mip 80.100.133.188 host 10.21.0.217 netmask 255.255.255.255 vr "trust"
set interface "loopback.2" mip 80.100.133.189 host 10.21.0.218 netmask 255.255.255.255 vr "trust"
set interface "loopback.2" mip 80.100.133.190 host 10.21.0.219 netmask 255.255.255.255 vr "trust"
set interface "loopback.2" mip 80.100.133.181 host 10.21.0.220 netmask 255.255.255.255 vr "trust"


Re: Netscreen with MIP configured to internal host uses egress interface IP for SNAT and not MIP IP.

02-01-2019 02:03 PM

Yes, the MIP and VIP should be placed on the ingress interface.


Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
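The accepted answer is that the MIP and VIP entries belong on the ingress interface, which in this thread is the physical untrust interface ethernet0/9.1, not loopback.2. The script below is an added example, not the thread's own code and not a ScreenOS feature; it lints a ScreenOS configuration for MIP/VIP entries bound to a loopback interface and emits the equivalent `set interface` commands for the ingress interface, refusing to proceed if the named ingress interface is itself a loopback or carries no IP address in the config. The config excerpt is copied from the posts above; the function names, the "remove"/"add" plan format, and the choice of the address-carrying physical interface as the ingress interface are this example's assumptions.

```python
import re

# Excerpt of the configuration posted in this thread: the physical untrust interface and the
# VIP/MIP entries that were bound to loopback.2.
CONFIG = """\
set interface ethernet0/9.1 ip 23.20.152.244/31
set interface ethernet0/9.1 route
set interface "loopback.2" zone "untrust"
set interface loopback.2 ip 80.100.133.161/27
set interface loopback.2 vip 80.100.133.170 443 "HTTPS" 10.0.99.211
set interface loopback.2 vip 80.100.133.170 + 4172 "TCP-UDP-4172" 10.0.99.211
set interface "loopback.2" mip 80.100.133.162 host 10.21.0.211 netmask 255.255.255.255 vr "trust"
set interface "loopback.2" mip 80.100.133.185 host 10.21.0.241 netmask 255.255.255.255 vr "trust"
"""

# Interface names may appear quoted or unquoted in a ScreenOS config dump.
IF_RE = r'^set interface "?(?P<ifname>[^"\s]+)"? '
NAT_RE = re.compile(IF_RE + r'(?P<kind>mip|vip) (?P<rest>.+)$')
ADDR_RE = re.compile(IF_RE + r'ip \S+$')


def loopback_nat_bindings(config_text):
    """Return (original line, interface, kind, remainder) for each MIP/VIP bound to a loopback."""
    hits = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = NAT_RE.match(line)
        if m and m.group("ifname").lower().startswith("loopback"):
            hits.append((line, m.group("ifname"), m.group("kind"), m.group("rest")))
    return hits


def interfaces_with_address(config_text):
    """Names of the interfaces that carry an IP address in this config."""
    return {m.group("ifname") for line in config_text.splitlines()
            if (m := ADDR_RE.match(line.strip()))}


def rebind_plan(config_text, ingress_if):
    """Plan moving every loopback-bound MIP/VIP onto ingress_if.

    Returns {"remove": [config lines to take off the loopback],
             "add":    [equivalent set commands on ingress_if]}.
    The "remove" entries are reported as they appear in the config; turn them into the
    matching unset commands from the ScreenOS CLI reference before applying them.
    """
    if ingress_if.lower().startswith("loopback"):
        raise ValueError(f"{ingress_if} is itself a loopback interface")
    if ingress_if not in interfaces_with_address(config_text):
        raise ValueError(f"{ingress_if} has no IP address in this config")
    plan = {"remove": [], "add": []}
    seen = set()
    for line, _ifname, kind, rest in loopback_nat_bindings(config_text):
        if line in seen:          # tolerate repeated lines in a pasted config
            continue
        seen.add(line)
        plan["remove"].append(line)
        plan["add"].append(f"set interface {ingress_if} {kind} {rest}")
    return plan


if __name__ == "__main__":
    plan = rebind_plan(CONFIG, "ethernet0/9.1")
    print("# remove from the loopback interface:")
    for line in plan["remove"]:
        print("#   " + line)
    print("# add on the ingress interface:")
    for line in plan["add"]:
        print(line)
```

The VIP lines keep their `+` form, since that syntax appends a further port to an existing VIP and is valid on the new interface as well. The script only rewrites the binding interface; as the thread's author notes, routes to the mapped internal hosts still have to be in place.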