Solved

Configuring MIP on Netscreen / Juniper NS25

Posted on 2008-06-26
Medium Priority
3,111 Views
Last Modified: 2010-05-18
Dear Experts,
I really need some help setting up a MIP for 2 IP addresses (one for our mail server and another for our SSL VPN; can't put it into a DMZ at the moment). This is on an NS25 running 5.0.0r6.0 - unfortunately I am out of maintenance so can't upgrade the software on it.

On this NS25 - three interfaces are active.
E1 - Trusted - 172.16.x.x  (NAT mode)
E2 - Untrusted 10.29.x.2  (Route mode)
E3 - Untrusted 10.31.x.2  (Route mode)
Default gateway 10.31.x.1 (Cisco router)

This is set up as follows: I have one interface on the Cisco router (I don't administer that) which has dual IP addresses (10.29.x.1 and 10.31.x.1) which goes into a separate switch; both untrusted interfaces from the NS25 go into this switch and the trusted interface goes into our LAN switch.

I need to set up a MIP for 10.31.x.5 -> 172.16.x.19 (SSL VPN) and 10.29.x.5 -> 172.16.x.9 (email)

Here's what I did for the mail server; went into the Interface for E2 > MIP > New:

Mapped IP/Netmask
10.29.x.6/32
Host IP
172.16.x.9
trust-vr router

I then setup a Policy.  Untrust > Trust > New - Source IP - ANY, Dest IP > MIP 10.29.x.6   Service : MAIL (Tried ANY also just out of interest) - logging on.

Did the same for the other MIP 10.31.x.5 on E3 Interface

Mapped IP/Netmask
10.31.x.5/32
Host IP
172.16.x.19
trust-vr router

Policy = Untrust > Trust > New - Source IP - ANY, Dest IP > MIP 10.31.x.6   Service : HTTP/HTTPS

Both MIPs fail to work and I have no idea why; nothing is logged, regular internet access is working fine, I just don't know how to get this inbound traffic working.  I am very new to NetScreen / Juniper firewalls so would really appreciate an expert's help :)

Thanks in advance. Wish I could offer more points than 250 but that's all I have!

Question by:MostlyConfused
9 Comments
LVL 32

Expert Comment

by:dpk_wal
ID: 21881217
What is the Action; please make sure it is set to "Permit"; also what logs you get on the device. Click on Policy and then click the mesh thing to view policy logs.

What you did looks good to me.

Please update.

Thank you.

Author Comment

by:MostlyConfused
ID: 21881532
Hi dpk_wal

I have got PERMIT set on both policies for the MIPs; service is also ANY just to try and get it working.  I have run a snoop and debug on the NS25 - I will paste the output below (this is trying to access the 10.31.x.5 MIP)
Snoop off
ns25-> get dbuf stream
01632.0: 6(i):003085f1d440->0010db57cd06/0800
              62.x.y.z->10.31.x.5/6, tlen=60
              vhl=45, tos=00, id=39506, frag=4000, ttl=57
              tcp:ports 42579->80, seq=3105368036, ack=0, flag=a002/SYN

01635.0: 6(i):003085f1d440->0010db57cd06/0800
              62.x.y.z->10.31.x.5/6, tlen=60
              vhl=45, tos=00, id=39508, frag=4000, ttl=57
              tcp:ports 42579->80, seq=3105368036, ack=0, flag=a002/SYN

01641.0: 6(i):003085f1d440->0010db57cd06/0800
              62.x.y.z->10.31.x.5/6, tlen=60
              vhl=45, tos=00, id=39510, frag=4000, ttl=57
              tcp:ports 42579->80, seq=3105368036, ack=0, flag=a002/SYN

01653.0: 6(i):003085f1d440->0010db57cd06/0800
              62.x.y.z->10.31.x.5/6, tlen=60
              vhl=45, tos=00, id=39512, frag=4000, ttl=57
              tcp:ports 42579->80, seq=3105368036, ack=0, flag=a002/SYN

01655.0: 6(i):003085f1d440->0010db57cd06/0800
              62.x.y.z->10.31.x.5/6, tlen=60
--- more ---
              vhl=45, tos=00, id=8463, frag=4000, ttl=57
              tcp:ports 43122->80, seq=3236369841, ack=0, flag=a002/SYN

01656.0: 6(i):003085f1d440->0010db57cd06/0800
              62.x.y.z->10.31.x.5/6, tlen=60
              vhl=45, tos=00, id=32583, frag=4000, ttl=57
              tcp:ports 43142->80, seq=2585512207, ack=0, flag=a002/SYN

01659.0: 6(i):003085f1d440->0010db57cd06/0800
              62.x.y.z->10.31.x.5/6, tlen=60
              vhl=45, tos=00, id=32585, frag=4000, ttl=57
              tcp:ports 43142->80, seq=2585512207, ack=0, flag=a002/SYN

ns25->


Here's the output of the debug, again trying the SSL VPN MIP:


debug flow blas      asc  ic          a  basic
ns25-> undebug all
ns25-> get dbuf stream
****** 01865.0: <Untrust/ethernet3> packet received [60]******
  ipid = 44359(ad47), @c7d48910
  packet passed sanity check.
  ethernet3:62.x.y.z/46230->10.31.x.5/80,6<Root>
  chose interface ethernet3 as incoming nat if.
  search route to (62.x.y.z->172.16.1.19) in vr trust-vr for vsd-0/flag-0/ifp-null
  route 172.16.1.19->0.0.0.0, to ethernet1
  routed (172.16.1.19, 0.0.0.0) from ethernet3 (ethernet3 in 0) to ethernet1
  policy search from zone 1-> zone 2
  Permitted by policy 3
  No src xlate   choose interface ethernet1 as outgoing phy if
  no loop on ifp ethernet1.
  session application type 6, name HTTP, timeout 300sec
  service lookup identified service 0.
  existing vector list 3-25116f0.
  Session (id:550) created for first pak 3
  route to 172.16.1.19
  arp entry found for 172.16.1.19
  nsp2 wing prepared, ready
cache mac in the session
  flow got session.
  flow session id 550
--- more ---
  post addr xlation: 62.x.y.z->172.16.1.19.
  packet send out to 0030485b224a through ethernet1
****** 01868.0: <Untrust/ethernet3> packet received [60]******
  ipid = 44361(ad49), @c7d49110
  packet passed sanity check.
  ethernet3:62.x.y.z/46230->10.31.x.5/80,6<Root>
  existing session found. sess token 3
  flow got session.
  flow session id 550
  post addr xlation: 62.x.y.z->172.16.1.19.
  packet send out to 0030485b224a through ethernet1
****** 01869.0: <Untrust/ethernet3> packet received [60]******
  ipid = 26868(68f4), @c7d4a910
  packet passed sanity check.
  ethernet3:62.x.y.z/46312->10.31.x.5/80,6<Root>
  chose interface ethernet3 as incoming nat if.
  search route to (62.x.y.z->172.16.1.19) in vr trust-vr for vsd-0/flag-0/ifp-null
  route 172.16.1.19->0.0.0.0, to ethernet1
  routed (172.16.1.19, 0.0.0.0) from ethernet3 (ethernet3 in 0) to ethernet1
  policy search from zone 1-> zone 2
  Permitted by policy 3
  No src xlate   choose interface ethernet1 as outgoing phy if
--- more ---
  no loop on ifp ethernet1.
  session application type 6, name HTTP, timeout 300sec
  service lookup identified service 0.
  existing vector list 3-25116f0.
  Session (id:553) created for first pak 3
  route to 172.16.1.19
  arp entry found for 172.16.1.19
  nsp2 wing prepared, ready
cache mac in the session
  flow got session.
  flow session id 553
  post addr xlation: 62.x.y.z->172.16.1.19.
  packet send out to 0030485b224a through ethernet1
  existing vector list 3-25116f0.
  existing vector list 3-25116f0.
  existing vector list 3-25116f0.
  existing vector list 3-25116f0.
  existing vector list 3-25116f0.
****** 01871.0: <Untrust/ethernet3> packet received [60]******
  ipid = 24962(6182), @c7d4c110
  packet passed sanity check.
  ethernet3:62.x.y.z/46338->10.31.x.5/80,6<Root>
--- more ---
  chose interface ethernet3 as incoming nat if.
  search route to (62.x.y.z->172.16.1.19) in vr trust-vr for vsd-0/flag-0/ifp-null
  route 172.16.1.19->0.0.0.0, to ethernet1
  routed (172.16.1.19, 0.0.0.0) from ethernet3 (ethernet3 in 0) to ethernet1
  policy search from zone 1-> zone 2
  Permitted by policy 3
  No src xlate   choose interface ethernet1 as outgoing phy if
  no loop on ifp ethernet1.
  session application type 6, name HTTP, timeout 300sec
  service lookup identified service 0.
  existing vector list 3-25116f0.
  Session (id:555) created for first pak 3
  route to 172.16.1.19
  arp entry found for 172.16.1.19
  nsp2 wing prepared, ready
cache mac in the session
  flow got session.
  flow session id 555
  post addr xlation: 62.x.y.z->172.16.1.19.
  packet send out to 0030485b224a through ethernet1
  existing vector list 3-25116f0.
  existing vector list 3-25116f0.
--- more ---
  existing vector list 3-25116f0.
  existing vector list 3-25116f0.
  existing vector list 3-25116f0.
****** 01874.0: <Untrust/ethernet3> packet received [60]******
  ipid = 24964(6184), @c7d4c910
  packet passed sanity check.
  ethernet3:62.x.y.z/46338->10.31.x.5/80,6<Root>
  existing session found. sess token 3
  flow got session.
  flow session id 555
  post addr xlation: 62.x.y.z->172.16.1.19.
  packet send out to 0030485b224a through ethernet1
****** 01875.0: <Untrust/ethernet3> packet received [60]******
  ipid = 61043(ee73), @c7d4e110
  packet passed sanity check.
  ethernet3:62.x.y.z/46397->10.31.x.5/80,6<Root>
  chose interface ethernet3 as incoming nat if.
  search route to (62.x.y.z->172.16.1.19) in vr trust-vr for vsd-0/flag-0/ifp-null
  route 172.16.1.19->0.0.0.0, to ethernet1
  routed (172.16.1.19, 0.0.0.0) from ethernet3 (ethernet3 in 0) to ethernet1
  policy search from zone 1-> zone 2
  Permitted by policy 3
--- more ---
  No src xlate   choose interface ethernet1 as outgoing phy if
  no loop on ifp ethernet1.
  session application type 6, name HTTP, timeout 300sec
  service lookup identified service 0.
  existing vector list 3-25116f0.
  Session (id:557) created for first pak 3
  route to 172.16.1.19
  arp entry found for 172.16.1.19
  nsp2 wing prepared, ready
cache mac in the session
  flow got session.
  flow session id 557
  post addr xlation: 62.x.y.z->172.16.1.19.
  packet send out to 0030485b224a through ethernet1
  existing vector list 3-25116f0.
  existing vector list 3-25116f0.
  existing vector list 3-25116f0.
  existing vector list 3-25116f0.
  existing vector list 3-25116f0.
****** 01878.0: <Untrust/ethernet3> packet received [60]******
  ipid = 61045(ee75), @c7d4e910
  packet passed sanity check.
--- more ---
  ethernet3:62.x.y.z/46397->10.31.x.5/80,6<Root>
  existing session found. sess token 3
  flow got session.
  flow session id 557
  post addr xlation: 62.x.y.z->172.16.1.19.
  packet send out to 0030485b224a through ethernet1
****** 01884.0: <Untrust/ethernet3> packet received [60]******
  ipid = 61047(ee77), @c7d50110
  packet passed sanity check.
  ethernet3:62.x.y.z/46397->10.31.x.5/80,6<Root>
  existing session found. sess token 3
  flow got session.
  flow session id 557
  post addr xlation: 62.x.y.z->172.16.1.19.
  packet send out to 0030485b224a through ethernet1
ns25->    

I did filter by dst-ip so hopefully this isn't too much output.

Thanks for your help

Author Comment

by:MostlyConfused
ID: 21881536
Sorry, forgot to add - I don't get anything logged in the logs under Policies - click on the log icon on the MIP - no entries.

Thanks
LVL 32

Expert Comment

by:dpk_wal
ID: 21882464
I think the traffic is not hitting the rule at all and is hitting some other rule (maybe generic or denying traffic); the policy rules are applied in the order they appear, so make sure that the MIP policy rules are listed on top of rules which are less restrictive or deny access.

If the problem still persists, please give the output of:
get policy

Thank you.
LVL 1

Expert Comment

by:packetgod
ID: 21882603
Just a quick question: is the interface E1 on the same subnet as the mapped IPs?  I'm wondering if there could be a missed route somewhere internal:

search route to (62.x.y.z->172.16.1.19) in vr trust-vr for vsd-0/flag-0/ifp-null
  route 172.16.1.19->0.0.0.0, to ethernet1
  routed (172.16.1.19, 0.0.0.0) from ethernet3 (ethernet3 in 0) to ethernet1

Otherwise it looks like the packet gets accepted, matches policy 3, and is routed from E3 to E1.  Then another packet comes in, matches the existing session and gets sent through.  On your dbuf stream I only see one-way requests; does the server at the end ever respond?  Does the SSL VPN ever respond on 80 or only 443?

So far it all looks good incoming; we need to see what's happening after that.  If you feel comfortable posting your entire config (sanitized) I can load it up in my lab and test it out.  Also try to see if you can see anything coming back from the SSL VPN.
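An added example, not code from the thread: a small Python parser for the "get dbuf stream" snoop layout posted above that reports flows with SYNs in one direction and no packet coming back, the one-way symptom packetgod is asking about. The sample capture is constructed (addresses and sequence numbers are made up) and the SYN/ACK reply line is assumed to follow the same layout as the SYN lines.

```python
import re
from collections import Counter

# Constructed sample in the layout of the thread's "get dbuf stream" snoop
# output (addresses and sequence numbers made up).  The port-80 flow to the
# first MIP only ever sees retransmitted SYNs; the port-25 flow gets a reply.
SNOOP_SAMPLE = """\
01632.0: 6(i):003085f1d440->0010db57cd06/0800
              62.1.2.3->10.31.1.5/6, tlen=60
              vhl=45, tos=00, id=39506, frag=4000, ttl=57
              tcp:ports 42579->80, seq=3105368036, ack=0, flag=a002/SYN
01635.0: 6(i):003085f1d440->0010db57cd06/0800
              62.1.2.3->10.31.1.5/6, tlen=60
              vhl=45, tos=00, id=39508, frag=4000, ttl=57
              tcp:ports 42579->80, seq=3105368036, ack=0, flag=a002/SYN
01640.0: 5(i):003085f1d440->0010db57cd05/0800
              62.1.2.3->10.29.1.6/6, tlen=60
              vhl=45, tos=00, id=39600, frag=4000, ttl=57
              tcp:ports 51000->25, seq=100, ack=0, flag=a002/SYN
01640.5: 5(o):0010db57cd05->003085f1d440/0800
              10.29.1.6->62.1.2.3/6, tlen=60
              vhl=45, tos=00, id=77, frag=4000, ttl=63
              tcp:ports 25->51000, seq=500, ack=101, flag=7012/SYN/ACK
"""

# "src->dst/proto" header line, then the "tcp:ports sport->dport ... flag=hex/NAMES" line
IP_LINE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)->(\d+\.\d+\.\d+\.\d+)/(\d+)")
TCP_LINE = re.compile(r"tcp:ports (\d+)->(\d+).*flag=[0-9a-f]+/(\S+)")


def parse_packets(text):
    """Yield (src, sport, dst, dport, flags) for every TCP packet in the dump."""
    src = dst = None
    for line in text.splitlines():
        m = IP_LINE.match(line)
        if m:
            src, dst = m.group(1), m.group(2)
            continue
        m = TCP_LINE.search(line)
        if m and src is not None:
            yield src, int(m.group(1)), dst, int(m.group(2)), m.group(3)


def find_one_way_flows(text):
    """Return (client, server, dport, syn_count) for flows that got no reply."""
    seen = Counter()  # packets per directed 4-tuple
    syns = Counter()  # pure SYNs (no ACK bit) per directed 4-tuple
    for src, sport, dst, dport, flags in parse_packets(text):
        seen[(src, sport, dst, dport)] += 1
        if flags == "SYN":
            syns[(src, sport, dst, dport)] += 1
    # One-way = nothing ever seen on the reverse 4-tuple (wrong gateway on the host)
    return sorted((src, dst, dport, n)
                  for (src, sport, dst, dport), n in syns.items()
                  if seen[(dst, dport, src, sport)] == 0)
```

Run it over a real capture taken with `snoop filter` on the MIP's destination address; any flow it lists has the firewall forwarding inbound but the internal host never answering back through the firewall.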

Author Comment

by:MostlyConfused
ID: 21883027
Thanks both for your comments. dpk_wal - we only have 2 inbound policies untrust to trust and that is just to permit both MIPs, for any service on the MIP for email.  It's like that just for testing at the moment.

packetgod, I have attached the entire config - thanks very much for your help.  The VPN doesn't reply on either port 80 or 443.  E1 interface's IP is in the same subnet as both the MIP addresses (172.16.1.9 and .19)

Here's the result of get policy:

ns25-> get policy
Total regular policies 3, Default deny.
    ID From     To       Src-address  Dst-address  Service  Action State   ASTLCB
     2 Untrust  Trust    Any          MIP(10.29.2~ ANY      Permit enabled ---X-X
     1 Trust    Untrust  Any          Any          ANY      Permit enabled -----X
     3 Untrust  Trust    Any          MIP(10.31.2~ ESP      Permit enabled ---X-X
                                                   HTTP
                                                   HTTPS
                                                   Network
ns25->

Here's the config:

set clock timezone 0
set vrouter trust-vr sharable
unset vrouter "trust-vr" auto-route-export
set service "ESP" protocol 50 src-port 1-65535 dst-port 0-0
set service "Network Connect UDP" protocol udp src-port 0-65535 dst-port 4500-4500
set service "H.323" timeout 2160
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set admin name "admin"
set admin password ""
set admin scs password disable username netscreen
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "DMZ" tcp-rst
set zone "VLAN" block
set zone "VLAN" tcp-rst
unset zone "Untrust" screen tear-drop
unset zone "Untrust" screen syn-flood
unset zone "Untrust" screen ping-death
unset zone "Untrust" screen ip-filter-src
unset zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet1" zone "Trust"
set interface "ethernet2" zone "Untrust"
set interface "ethernet3" zone "Untrust"
unset interface vlan1 ip
set interface ethernet1 ip 172.16.1.x/22
set interface ethernet1 nat
set interface ethernet2 ip 10.29.x.y/24
set interface ethernet2 route
set interface ethernet3 ip 10.31.x.y/24
set interface ethernet3 route
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet1 ip manageable
unset interface ethernet2 ip manageable
unset interface ethernet3 ip manageable
set interface ethernet2 manage ping
set interface ethernet3 manage ping
set interface "ethernet2" mip 10.29.x.y host 172.16.1.9 netmask 255.255.255.255 vrouter "trust-vr"
set interface "ethernet3" mip 10.31.x.y host 172.16.1.19 netmask 255.255.255.255 vrouter "trust-vr"
set hostname ns25
set ike respond-bad-spi 1

Thanks very much again.

LVL 1

Accepted Solution

by:packetgod (earned 1000 total points)
ID: 21883534
Just to ask the question, as we are seeing from your previous post incoming but no outgoing (could be just what you posted): how does the default gateway look on the SSL VPN box?

You know what they say "In but no out, bad default route"

I'll get that loaded up, I don't see the policies but I should be able to configure them from the get policy statement.

Author Comment

by:MostlyConfused
ID: 21883651
Ahh good point!  The default gateway on the SSL box is not pointed at the trusted interface.   I will do that now and get back with the results.  

Author Closing Comment

by:MostlyConfused
ID: 31471050
packetgod, thanks so much; well, that turned out to be a real easy fix in the end!  I thought there was something amiss with my config as this was the first MIP I had ever set up.  The default gateway was pointing at the wrong IP address on the mail server and SSL VPN.  Both work perfectly now.  Thanks so much for your help :)