ScreenOS Firewalls (NOT SRX)

ssg debug explanation

‎06-18-2018 05:00 AM

Hi,
I am able to ping to this destination over VPN and VPN is configured in my SSG firewall.
I would like to understand the debug analysis: after the packet goes out of eth3/3, I do not see the message which says the reply has come in on the same interface and goes out. Could someone give me a debug analysis?
This would be a one-time explanation which can be used for future reference.

Thank you.

source > 171.74.126.8 >
destination > 146.147.28.46 (Nat IP 10.154.8.125)

I ran the below debug to understand the packet flow in netscreen.

set console dbuf
set db size 4096
get ffilter
set ffilter dst-ip 146.147.28.46
clear dbuf
debug flow basic

SSG550(M)-> get ffilter
Flow filter based on:
id:0 dst ip 146.147.28.46
id:1 src ip 146.147.28.46


This is the simple setup we have.
servers----------inside------|-------outside--------
--------------------eth3/3-<FW>-eth3/0--------------
---10.0.4.1------10.0.4.7----|-----132.190.53.10----


I always get the log below, but I am not seeing the packet coming in, kind of... 🙂

packet send out to 001b17000111 through ethernet3/3


regards

Rajesh


Re: ssg debug explanation

‎06-18-2018 06:05 AM

Hello,


Try adding a filter for the source IP 10.154.8.125 as well.
This should show you the reply packet as well, coming in on eth3/3 and going to the tunnel interface.


Regards,


Rushi


Re: ssg debug explanation

‎06-18-2018 08:15 AM

Thank you. Now I do see some clearer details...

So, what is the practice for making the filter?

Always with the destination as the NAT IP and the source as the private IP?

Is there any useful area in the debugs to be noted during such connectivity cases, from the attached txt?

Or, would you like to mention anything within the txt file? 🙂

Thank you.


Re: ssg debug explanation

‎06-18-2018 08:18 AM

src : 171.74.126.8
dst : 146.147.28.46 (nat ip) / 10.154.8.125 (pvt ip)
fw inside lan's g/w : 10.0.4.1
remote gw : 198.142.2.4
fw eth 3/0 : 132.190.53.10

Solution
Accepted by topic author rajeshpvk3
‎06-19-2018 01:03 AM

Re: ssg debug explanation

‎06-19-2018 12:31 AM

Hello,


In cases of NAT, we can use 4 filters.


Source + NATed IP as destination

Source + Real IP as destination

and the opposite context of the above two filters.


The link below gives a nice explanation of the same.


https://www.safaribooksonline.com/library/view/screenos-cookbook/9780596510039/ch01s03.html


Regards,


Rushi

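The four-filter rule from the accepted answer, as an added worked example that is not part of this thread or of ScreenOS itself: a small Python helper that builds the four `set ffilter` commands for a NATed flow (pre- and post-NAT, in both directions) and checks an existing `get ffilter` listing against them. The sample `get ffilter` output is the one the original poster pasted above; the assumption that a combined filter is printed as `id:N src ip A dst ip B` (one line per filter id) is mine and is marked in the code, as is the `src-ip ... dst-ip ...` form of the command.

```python
"""Build and check ScreenOS flow-filter sets for a NATed VPN flow.

Added example: not code from the thread or from Juniper. Assumes ScreenOS
prints one filter per 'id:N ...' line in 'get ffilter', with 'src ip X' and/or
'dst ip Y' fields, as in the poster's output above.
"""
import ipaddress
import re

# Addresses from the thread: client source, the NAT (public) IP the client
# targets, and the real (private) server IP behind the firewall.
SRC_IP = "171.74.126.8"
NAT_IP = "146.147.28.46"
REAL_IP = "10.154.8.125"

# Constructed sample: the 'get ffilter' output the original poster pasted.
POSTER_GET_FFILTER = """Flow filter based on:
id:0 dst ip 146.147.28.46
id:1 src ip 146.147.28.46
"""


def nat_flow_filters(src_ip, nat_ip, real_ip):
    """Return the four 'set ffilter' commands the accepted answer describes.

    Forward direction is matched before and after translation, and the reply
    direction likewise, so the debug captures the flow on both interfaces.
    The combined 'src-ip ... dst-ip ...' command form is an assumption.
    """
    for ip in (src_ip, nat_ip, real_ip):
        ipaddress.ip_address(ip)  # raise ValueError early on a typo
    return [
        f"set ffilter src-ip {src_ip} dst-ip {nat_ip}",   # forward, pre-NAT
        f"set ffilter src-ip {src_ip} dst-ip {real_ip}",  # forward, post-NAT
        f"set ffilter src-ip {nat_ip} dst-ip {src_ip}",   # reply, post-NAT
        f"set ffilter src-ip {real_ip} dst-ip {src_ip}",  # reply, pre-NAT
    ]


def parse_get_ffilter(text):
    """Parse 'get ffilter' output into (src, dst) tuples; None = wildcard."""
    filters = []
    for line in text.splitlines():
        m = re.match(r"\s*id:\d+\s+(.*)", line)
        if not m:
            continue  # skip the 'Flow filter based on:' header and blanks
        body = m.group(1)
        src = re.search(r"src ip (\S+)", body)
        dst = re.search(r"dst ip (\S+)", body)
        filters.append((src.group(1) if src else None,
                        dst.group(1) if dst else None))
    return filters


def missing_filters(configured, src_ip, nat_ip, real_ip):
    """Return the (src, dst) pairs of the NAT flow no configured filter covers.

    A filter with a wildcard side (None) covers any address on that side.
    """
    expected = {(src_ip, nat_ip), (src_ip, real_ip),
                (nat_ip, src_ip), (real_ip, src_ip)}
    covered = set()
    for want_src, want_dst in expected:
        for have_src, have_dst in configured:
            if have_src in (None, want_src) and have_dst in (None, want_dst):
                covered.add((want_src, want_dst))
                break
    return sorted(expected - covered)


if __name__ == "__main__":
    configured = parse_get_ffilter(POSTER_GET_FFILTER)
    print("configured filters:", configured)
    # The poster's two filters only see the NAT address, so the reply leg
    # from the private IP and the post-NAT forward leg are not captured.
    print("uncovered legs:", missing_filters(configured, SRC_IP, NAT_IP, REAL_IP))
    print("full filter set:")
    for cmd in nat_flow_filters(SRC_IP, NAT_IP, REAL_IP):
        print("  " + cmd)
```

Run against the poster's own `get ffilter` output, the checker reports the two legs involving 10.154.8.125 as uncovered, which is exactly why the reply on eth3/3 never showed in the debug until the private-IP filter was added.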