Screen OS

  • 1.  Routing issue on an SSG 140

    Posted 04-07-2009 11:22

    Our VPN issue was put on hold until we can figure this one out and I am having some trouble getting it working.  We have an SSG140 and are using the following interfaces:

     

    0/0 - trust - local network

    0/2 - untrust - external link to the internet

    0/4 - web - webservers

    0/6 - MPLS - Link to other location in our organization

     

    We have policies in place to allow traffic between all of these interfaces and the routes for everything look ok. Traffic between all of the interfaces except for 0/2 is working fine. However, the only interface that can seem to route traffic to and from 0/2 (out to the internet) is interface 0/0. When running a traceroute from 0/4 to 0/2, I get to the interface itself and then the traceroute stops. It is as if the device does not know how to get past this point. I have looked over the routes and the policies about twenty times. Traceroutes from 0/0 to 0/2 are fine, and anything on the 0/0 interface can get out to the internet just fine.



  • 2.  RE: Routing issue on an SSG 140

    Posted 04-07-2009 12:12
    Can you post a get route output? A debug output added would be even better!


  • 3.  RE: Routing issue on an SSG 140

    Posted 04-07-2009 12:26

    Here is the route table. I am sorry, I am not very familiar with the console yet, so I am still working on the debug output.

    I will have that posted as soon as I get it. The only interfaces we are using now are 0/0, 0/2, 0/4, and 0/6; the rest have been set up for future use.

     

     

    IPv4 Dest-Routes for <trust-vr> (16 entries)
    --------------------------------------------------------------------------------
       ID  IP-Prefix            Interface   Gateway         P  Pref  Mtr  Vsys
    --------------------------------------------------------------------------------
    *  31  0.0.0.0/0            eth0/2      66.XX.XX.XXX    S  20    1    Root
    *   7  192.168.210.0/24     eth0/3      0.0.0.0         C  0     0    Root
    *   9  192.168.205.0/24     eth0/4      0.0.0.0         C  0     0    Root
        3  192.168.202.0/24     eth0/1      0.0.0.0         C  0     0    Root
    *  34  192.168.201.0/24     eth0/0      0.0.0.0         C  0     0    Root
    *  40  192.168.253.0/24     eth0/5      0.0.0.0         C  0     0    Root
    *  23  192.168.251.0/24     eth0/6      0.0.0.0         C  0     0    Root
    *  36  192.168.1.0/24       eth0/6      192.168.251.1   S  20    1    Root
    *  41  192.168.253.2/32     eth0/5      0.0.0.0         H  0     0    Root
    *  35  192.168.201.1/32     eth0/0      0.0.0.0         H  0     0    Root
        4  192.168.202.1/32     eth0/1      0.0.0.0         H  0     0    Root
    *  10  192.168.205.1/32     eth0/4      0.0.0.0         H  0     0    Root
    *  24  192.168.251.35/32    eth0/6      0.0.0.0         H  0     0    Root
    *   8  192.168.210.1/32     eth0/3      0.0.0.0         H  0     0    Root
    *  33  66.XX.XX.XXX/32      eth0/2      0.0.0.0         H  0     0    Root
    *  32  66.XX.XX.XXX/28      eth0/2      0.0.0.0         C  0     0    Root

     

     



  • 4.  RE: Routing issue on an SSG 140

    Posted 04-07-2009 12:37

    The routing is fine. I suspect that it's either:

    - you haven't got a policy

    or - you haven't got "nat src" configured on the policy.

    If the traffic is not being NATted when it's sent out of the untrust, naturally it will be dropped and you will not get a response.

    Of course, if it's not the above 2 then we will really need to look at the debugs.

    For debugging, on console:

    set ff src-ip X.X.X.X (X is the IP of the source)
    set ff dst-ip X.X.X.X
    debug flow basic
    --> run the test
    --> press Esc to stop the debugs
    get db str

    You can also check the "get sessions src-ip X.X.X.X" output, which will tell you whether the traffic is being NATted or not.



  • 5.  RE: Routing issue on an SSG 140

    Posted 04-07-2009 13:58

    Would not having "nat src" configured affect the trust interface (0/0) also? I set up the policies for the 0/4 interface to look exactly like those on the 0/0 interface. The 0/0 interface is working fine (does not have "nat src" configured) but the 0/4 interface is not. tracert makes it as far as the 0/4 interface IP 192.168.205.1 and then dies.

     



  • 6.  RE: Routing issue on an SSG 140

    Posted 04-07-2009 14:13
    Ok, the debug file is huge. I cut a big part out and am posting it below.

      existing vector list 1-45e3070.
    ****** 1913408.0: <Secure_WEB/ethernet0/4> packet received [84]******
      ipid = 0(0000), @1d5b0114
      packet passed sanity check.
      ethernet0/4:192.168.205.10/22861->74.125.45.100/2569,1(8/0)<Root>
      no session found
      flow_first_sanity_check: in <ethernet0/4>, out <N/A>
      chose interface ethernet0/4 as incoming nat if.
      flow_first_routing: in <ethernet0/4>, out <N/A>
      search route to (ethernet0/4, 192.168.205.10->74.125.45.100) in vr trust-vr for vsd-0/flag-0/ifp-null
      [ Dest] 31.route 74.125.45.100->66.xx.xx.xxx, to ethernet0/2
      routed (x_dst_ip 74.125.45.100) from ethernet0/4 (ethernet0/4 in 0) to ethernet0/2
      policy search from zone 103-> zone 1
     policy_flow_search  policy search nat_crt from zone 103-> zone 1
      RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 74.125.45.100, port 38906, proto 1)
      No SW RPC rule match, search HW rule
      Permitted by policy 18
      No src xlate   choose interface ethernet0/2 as outgoing phy if
      no loop on ifp ethernet0/2.
      session application type 0, name None, nas_id 0, timeout 60sec
      service lookup identified service 0.
      flow_first_final_check: in <ethernet0/4>, out <ethernet0/2>
      existing vector list 1-45e3070.
      Session (id:47618) created for first pak 1
      flow_first_install_session======>
      route to 66.xx.xx.xxx
      arp entry found for 66.xx.xx.xxx
      nsp2 wing prepared, ready
      cache mac in the session
      make_nsp_ready_no_resolve()
      search route to (ethernet0/2, 74.125.45.100->192.168.205.10) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet0/4
      [ Dest] 9.route 192.168.205.10->192.168.205.10, to ethernet0/4
      route to 192.168.205.10
      flow got session.
      flow session id 47618
      post addr xlation: 192.168.205.10->74.125.45.100.
     flow_send_vector_, vid = 0, is_layer2_if=0
    ****** 1913408.0: <Secure_WEB/ethernet0/4> packet received [84]******
      ipid = 0(0000), @1d5bb914
      packet passed sanity check.
      ethernet0/4:192.168.205.10/18777->208.67.222.222/57415,1(8/0)<Root>
      no session found
      flow_first_sanity_check: in <ethernet0/4>, out <N/A>
      chose interface ethernet0/4 as incoming nat if.
      flow_first_routing: in <ethernet0/4>, out <N/A>
      search route to (ethernet0/4, 192.168.205.10->208.67.222.222) in vr trust-vr for vsd-0/flag-0/ifp-null
      [ Dest] 31.route 208.67.222.222->66.xx.xx.xxx, to ethernet0/2
      routed (x_dst_ip 208.67.222.222) from ethernet0/4 (ethernet0/4 in 0) to ethernet0/2
      policy search from zone 103-> zone 1
     policy_flow_search  policy search nat_crt from zone 103-> zone 1
      RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 208.67.222.222, port 46255, proto 1)
      No SW RPC rule match, search HW rule
      Permitted by policy 18
      No src xlate   choose interface ethernet0/2 as outgoing phy if
      no loop on ifp ethernet0/2.
      session application type 0, name None, nas_id 0, timeout 60sec
      service lookup identified service 0.
      flow_first_final_check: in <ethernet0/4>, out <ethernet0/2>
      existing vector list 1-45e3070.
      Session (id:47668) created for first pak 1
      flow_first_install_session======>
      route to 66.xx.xx.xxx
      arp entry found for 66.xx.xx.xxx
      nsp2 wing prepared, ready
      cache mac in the session
      make_nsp_ready_no_resolve()
      search route to (ethernet0/2, 208.67.222.222->192.168.205.10) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet0/4
      [ Dest] 9.route 192.168.205.10->192.168.205.10, to ethernet0/4
      route to 192.168.205.10
      flow got session.
      flow session id 47668
      post addr xlation: 192.168.205.10->208.67.222.222.
     flow_send_vector_, vid = 0, is_layer2_if=0
    ****** 1913408.0: <Secure_WEB/ethernet0/4> packet received [84]******
      ipid = 0(0000), @1d5ba914
      packet passed sanity check.
      ethernet0/4:192.168.205.10/35933->74.125.45.100/1862,1(8/0)<Root>
      no session found
      flow_first_sanity_check: in <ethernet0/4>, out <N/A>
      chose interface ethernet0/4 as incoming nat if.
      flow_first_routing: in <ethernet0/4>, out <N/A>
      search route to (ethernet0/4, 192.168.205.10->74.125.45.100) in vr trust-vr for vsd-0/flag-0/ifp-null
      [ Dest] 31.route 74.125.45.100->66.xx.xx.xxx, to ethernet0/2
      routed (x_dst_ip 74.125.45.100) from ethernet0/4 (ethernet0/4 in 0) to ethernet0/2
      policy search from zone 103-> zone 1
     policy_flow_search  policy search nat_crt from zone 103-> zone 1
      RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 74.125.45.100, port 14765, proto 1)
      No SW RPC rule match, search HW rule
      Permitted by policy 18
      No src xlate   choose interface ethernet0/2 as outgoing phy if
      no loop on ifp ethernet0/2.
      session application type 0, name None, nas_id 0, timeout 60sec
      service lookup identified service 0.
      flow_first_final_check: in <ethernet0/4>, out <ethernet0/2>
      existing vector list 1-45e3070.
      Session (id:47753) created for first pak 1
      flow_first_install_session======>
      route to 66.xx.xx.xxx
      arp entry found for 66.xx.xx.xxx
      nsp2 wing prepared, ready
      cache mac in the session
      make_nsp_ready_no_resolve()
      search route to (ethernet0/2, 74.125.45.100->192.168.205.10) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet0/4
      [ Dest] 9.route 192.168.205.10->192.168.205.10, to ethernet0/4
      route to 192.168.205.10
      flow got session.
      flow session id 47753
      post addr xlation: 192.168.205.10->74.125.45.100.
     flow_send_vector_, vid = 0, is_layer2_if=0
    ****** 1913408.0: <Secure_WEB/ethernet0/4> packet received [84]******
      ipid = 0(0000), @1d5c3914
      packet passed sanity check.
      ethernet0/4:192.168.205.10/2655->74.125.45.100/30789,1(8/0)<Root>
      no session found
      flow_first_sanity_check: in <ethernet0/4>, out <N/A>
      chose interface ethernet0/4 as incoming nat if.
      flow_first_routing: in <ethernet0/4>, out <N/A>
      search route to (ethernet0/4, 192.168.205.10->74.125.45.100) in vr trust-vr for vsd-0/flag-0/ifp-null
      [ Dest] 31.route 74.125.45.100->66.xx.xx.xxx, to ethernet0/2
      routed (x_dst_ip 74.125.45.100) from ethernet0/4 (ethernet0/4 in 0) to ethernet0/2
      policy search from zone 103-> zone 1
     policy_flow_search  policy search nat_crt from zone 103-> zone 1
      RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 74.125.45.100, port 16044, proto 1)
      No SW RPC rule match, search HW rule
      Permitted by policy 18
      No src xlate   choose interface ethernet0/2 as outgoing phy if
      no loop on ifp ethernet0/2.
      session application type 0, name None, nas_id 0, timeout 60sec
      service lookup identified service 0.
      flow_first_final_check: in <ethernet0/4>, out <ethernet0/2>
      existing vector list 1-45e3070.
      Session (id:47892) created for first pak 1
      flow_first_install_session======>
      route to 66.xx.xx.xxx
      arp entry found for 66.xx.xx.xxx
      nsp2 wing prepared, ready
      cache mac in the session
      make_nsp_ready_no_resolve()
      search route to (ethernet0/2, 74.125.45.100->192.168.205.10) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet0/4
      [ Dest] 9.route 192.168.205.10->192.168.205.10, to ethernet0/4
      route to 192.168.205.10
      flow got session.
      flow session id 47892
      post addr xlation: 192.168.205.10->74.125.45.100.
     flow_send_vector_, vid = 0, is_layer2_if=0
    ****** 1913408.0: <Secure_WEB/ethernet0/4> packet received [84]******
      ipid = 0(0000), @1d5cf914
      packet passed sanity check.
      ethernet0/4:192.168.205.10/59488->74.125.45.100/56388,1(8/0)<Root>
      no session found
      flow_first_sanity_check: in <ethernet0/4>, out <N/A>
      chose interface ethernet0/4 as incoming nat if.
      flow_first_routing: in <ethernet0/4>, out <N/A>
      search route to (ethernet0/4, 192.168.205.10->74.125.45.100) in vr trust-vr for vsd-0/flag-0/ifp-null
      [ Dest] 31.route 74.125.45.100->66.xx.xx.xxx, to ethernet0/2
      routed (x_dst_ip 74.125.45.100) from ethernet0/4 (ethernet0/4 in 0) to ethernet0/2
      policy search from zone 103-> zone 1
     policy_flow_search  policy search nat_crt from zone 103-> zone 1
      RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 74.125.45.100, port 38749, proto 1)
      No SW RPC rule match, search HW rule
      Permitted by policy 18
      No src xlate   choose interface ethernet0/2 as outgoing phy if
      no loop on ifp ethernet0/2.
      session application type 0, name None, nas_id 0, timeout 60sec
      service lookup identified service 0.
      flow_first_final_check: in <ethernet0/4>, out <ethernet0/2>
      existing vector list 1-45e3070.
      Session (id:47883) created for first pak 1
      flow_first_install_session======>
      route to 66.xx.xx.xxx
      arp entry found for 66.xx.xx.xxx
      nsp2 wing prepared, ready
      cache mac in the session
      make_nsp_ready_no_resolve()
      search route to (ethernet0/2, 74.125.45.100->192.168.205.10) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet0/4
      [ Dest] 9.route 192.168.205.10->192.168.205.10, to ethernet0/4
      route to 192.168.205.10
      flow got session.
      flow session id 47883
      post addr xlation: 192.168.205.10->74.125.45.100.
     flow_send_vector_, vid = 0, is_layer2_if=0
    ****** 1913408.0: <Secure_WEB/ethernet0/4> packet received [84]******
      ipid = 0(0000), @1d5b3914
      packet passed sanity check.
      ethernet0/4:192.168.205.10/26210->74.125.45.100/16196,1(8/0)<Root>
      no session found
      flow_first_sanity_check: in <ethernet0/4>, out <N/A>
      chose interface ethernet0/4 as incoming nat if.
      flow_first_routing: in <ethernet0/4>, out <N/A>
      search route to (ethernet0/4, 192.168.205.10->74.125.45.100) in vr trust-vr for vsd-0/flag-0/ifp-null
      [ Dest] 31.route 74.125.45.100->66.xx.xx.xxx, to ethernet0/2
      routed (x_dst_ip 74.125.45.100) from ethernet0/4 (ethernet0/4 in 0) to ethernet0/2
      policy search from zone 103-> zone 1
     policy_flow_search  policy search nat_crt from zone 103-> zone 1
      RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 74.125.45.100, port 44124, proto 1)
      No SW RPC rule match, search HW rule
      Permitted by policy 18
      No src xlate   choose interface ethernet0/2 as outgoing phy if
      no loop on ifp ethernet0/2.
      session application type 0, name None, nas_id 0, timeout 60sec
      service lookup identified service 0.
      flow_first_final_check: in <ethernet0/4>, out <ethernet0/2>
      existing vector list 1-45e3070.
      Session (id:47872) created for first pak 1
      flow_first_install_session======>
      route to 66.xx.xx.xxx
      arp entry found for 66.xx.xx.xxx
      nsp2 wing prepared, ready
      cache mac in the session
      make_nsp_ready_no_resolve()
      search route to (ethernet0/2, 74.125.45.100->192.168.205.10) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet0/4
      [ Dest] 9.route 192.168.205.10->192.168.205.10, to ethernet0/4
      route to 192.168.205.10
      flow got session.
      flow session id 47872
      post addr xlation: 192.168.205.10->74.125.45.100.
     flow_send_vector_, vid = 0, is_layer2_if=0
    ****** 1913408.0: <Secure_WEB/ethernet0/4> packet received [84]******
      ipid = 0(0000), @1d5a4914
      packet passed sanity check.
      ethernet0/4:192.168.205.10/34378->74.125.67.100/14346,1(8/0)<Root>
      no session found
      flow_first_sanity_check: in <ethernet0/4>, out <N/A>
      chose interface ethernet0/4 as incoming nat if.
      flow_first_routing: in <ethernet0/4>, out <N/A>
      search route to (ethernet0/4, 192.168.205.10->74.125.67.100) in vr trust-vr for vsd-0/flag-0/ifp-null
      [ Dest] 31.route 74.125.67.100->66.xx.xx.xxx, to ethernet0/2
      routed (x_dst_ip 74.125.67.100) from ethernet0/4 (ethernet0/4 in 0) to ethernet0/2
      policy search from zone 103-> zone 1
     policy_flow_search  policy search nat_crt from zone 103-> zone 1
      RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 74.125.67.100, port 56656, proto 1)
      No SW RPC rule match, search HW rule
      Permitted by policy 18
      No src xlate   choose interface ethernet0/2 as outgoing phy if
      no loop on ifp ethernet0/2.
      session application type 0, name None, nas_id 0, timeout 60sec
      service lookup identified service 0.
      flow_first_final_check: in <ethernet0/4>, out <ethernet0/2>
      existing vector list 1-45e3070.
      Session (id:47583) created for first pak 1
      flow_first_install_session======>
      route to 66.xx.xx.xxx
      arp entry found for 66.xx.xx.xxx
      nsp2 wing prepared, ready
      cache mac in the session
      make_nsp_ready_no_resolve()
      search route to (ethernet0/2, 74.125.67.100->192.168.205.10) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet0/4
      [ Dest] 9.route 192.168.205.10->192.168.205.10, to ethernet0/4
      route to 192.168.205.10
      flow got session.
      flow session id 47583
      post addr xlation: 192.168.205.10->74.125.67.100.
     flow_send_vector_, vid = 0, is_layer2_if=0


  • 7.  RE: Routing issue on an SSG 140
    Best Answer

    Posted 04-07-2009 14:39
    Only from the trust zone to the untrust zone will you get source NATting based upon the interface setting. That's NAT by default. I recommend putting all interfaces in route mode and using nat src "use egress interface" (advanced policy setting) for all policies going to untrust.
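    As an added example (not code from this thread or from Juniper), the check below reads the default route's egress interface from "get route" output and walks "debug flow basic" output to flag flows that left that interface with a private source and no source translation, which is exactly what the "No src xlate" lines in the trace above show. The route and debug excerpts are constructed samples; the trust-zone packet is an assumption about what a translated flow looks like.

```python
import re
from ipaddress import ip_address

# Constructed "get route" excerpt in the shape of the thread's table (gateway is a sample value).
SAMPLE_ROUTES = """\
*  31  0.0.0.0/0            eth0/2      66.0.0.1        S  20    1    Root
*   9  192.168.205.0/24     eth0/4      0.0.0.0         C  0     0    Root
*  34  192.168.201.0/24     eth0/0      0.0.0.0         C  0     0    Root
"""

# Constructed "debug flow basic" excerpt: packet 1 mirrors the thread's trace, packet 2 is an
# assumed trust-zone flow that did get source NAT (no "No src xlate" line).
SAMPLE_DEBUG = """\
****** 1913408.0: <Secure_WEB/ethernet0/4> packet received [84]******
  ethernet0/4:192.168.205.10/22861->74.125.45.100/2569,1(8/0)<Root>
  routed (x_dst_ip 74.125.45.100) from ethernet0/4 (ethernet0/4 in 0) to ethernet0/2
  Permitted by policy 18
  No src xlate   choose interface ethernet0/2 as outgoing phy if
  post addr xlation: 192.168.205.10->74.125.45.100.
****** 1913409.0: <Trust/ethernet0/0> packet received [84]******
  ethernet0/0:192.168.201.10/1034->74.125.45.100/80,6<Root>
  routed (x_dst_ip 74.125.45.100) from ethernet0/0 (ethernet0/0 in 0) to ethernet0/2
  Permitted by policy 3
  choose interface ethernet0/2 as outgoing phy if
"""

PKT_HDR = re.compile(r"^\*{6} .*packet received")
FLOW = re.compile(r"^\s*(\S+):(\d+\.\d+\.\d+\.\d+)/\d+->(\d+\.\d+\.\d+\.\d+)/\d+")
ROUTED = re.compile(r"routed \(x_dst_ip \S+\) from \S+ .* to (\S+)")
POLICY = re.compile(r"Permitted by policy (\d+)")

def default_route_interface(route_text):
    # Egress interface of the 0.0.0.0/0 route, in the long "ethernetN/M" form debug output uses.
    for line in route_text.splitlines():
        m = re.match(r"^\*?\s*\d+\s+0\.0\.0\.0/0\s+(\S+)\s", line)
        if m:
            iface = m.group(1)
            return iface if iface.startswith("ethernet") else iface.replace("eth", "ethernet", 1)
    return None

def parse_flows(debug_text):
    # One dict per "packet received" banner; a flow counts as translated unless "No src xlate" appears.
    flows, cur = [], {}
    for line in debug_text.splitlines():
        if PKT_HDR.match(line):
            flows.append(cur := {"src_xlate": True})
        elif "src" not in cur and (m := FLOW.match(line)):
            cur.update(in_if=m.group(1), src=m.group(2), dst=m.group(3))
        elif m := ROUTED.search(line):
            cur["out_if"] = m.group(1)
        elif m := POLICY.search(line):
            cur["policy"] = int(m.group(1))
        elif "No src xlate" in line:
            cur["src_xlate"] = False
    return flows

def untranslated_egress(flows, untrust_if):
    # Flows leaving the untrust interface whose RFC 1918 source was never rewritten.
    return [f for f in flows if f.get("out_if") == untrust_if
            and ip_address(f["src"]).is_private and not f["src_xlate"]]
```

    Each flagged entry names the permitting policy, which is the policy that needs nat src "use egress interface" once the interface is in route mode.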


  • 8.  RE: Routing issue on an SSG 140

    Posted 04-07-2009 15:05
    Thanks all for the help. Putting all interfaces into route mode and using egress interface worked like a charm.


  • 9.  RE: Routing issue on an SSG 140

    Posted 04-08-2009 11:03
    You're welcome! Now I suggest you refine your policies and configure the other things you need!