Solved

Configuring MIP on Netscreen / Juniper NS25

Posted on 2008-06-26
3,063 Views
Last Modified: 2010-05-18
Dear Experts,
I really need some help setting up a MIP for 2 IP addresses (one for our mail server and another for our SSL VPN; can't put it into a DMZ at the moment). This is on a NS25 running 5.0.0r6.0 - unfortunately I am out of maintenance so can't upgrade the software on it.

On this NS25 - three interfaces are active.
E1 - Trusted - 172.16.x.x  (NAT mode)
E2 - Untrusted 10.29.x.2  (Route mode)
E3 - Untrusted 10.31.x.2  (Route mode)
Default gateway 10.31.x.1 (Cisco router)

This is set up as follows: I have one interface on the Cisco router (I don't administer that) which has dual IP addresses (10.29.x.1 and 10.31.x.1) which goes into a separate switch; both untrusted interfaces from the NS25 go into this switch and the trusted interface goes into our LAN switch.

I need to set up a MIP for 10.31.x.5 -> 172.16.x.19 (SSL VPN) and 10.29.x.5 -> 172.16.x.9 (email)

Here's what I did for the mail server; went into the Interface for E2 > MIP > New:

Mapped IP/Netmask
10.29.x.6/32
Host IP
172.16.x.9
trust-vr router

I then setup a Policy.  Untrust > Trust > New - Source IP - ANY, Dest IP > MIP 10.29.x.6   Service : MAIL (Tried ANY also just out of interest) - logging on.

Did the same for the other MIP 10.31.x.5 on E3 Interface

Mapped IP/Netmask
10.31.x.5/32
Host IP
172.16.x.19
trust-vr router

Policy = Untrust > Trust > New - Source IP - ANY, Dest IP > MIP 10.31.x.6   Service : HTTP/HTTPS

Both MIPs fail to work and I have no idea why; nothing is logged, regular internet access is working fine, I just don't know how to get this inbound traffic working.  I am very new to Netscreen / Juniper firewalls so would really appreciate an expert's help :)

Thanks in advance. Wish I could offer more points than 250 but that's all I have!

 
Question by:MostlyConfused
9 Comments
 
LVL 32

Expert Comment

by:dpk_wal
What is the Action; please make sure it is set to "Permit"; also what logs you get on the device. Click on Policy and then click the mesh thing to view policy logs.

What you did looks good to me.

Please update.

Thank you.

Author Comment

by:MostlyConfused
Hi dpk_wal

I have got PERMIT set on both policies for the MIPs; service is also ANY just to try and get it working.  I have run a snoop and debug on the NS25 - I will paste the output below (this is trying to access the 10.31.x.5 MIP)
Snoop off
ns25-> get dbuf stream
01632.0: 6(i):003085f1d440->0010db57cd06/0800
              62.x.y.z->10.31.x.5/6, tlen=60
              vhl=45, tos=00, id=39506, frag=4000, ttl=57
              tcp:ports 42579->80, seq=3105368036, ack=0, flag=a002/SYN

01635.0: 6(i):003085f1d440->0010db57cd06/0800
              62.x.y.z->10.31.x.5/6, tlen=60
              vhl=45, tos=00, id=39508, frag=4000, ttl=57
              tcp:ports 42579->80, seq=3105368036, ack=0, flag=a002/SYN

01641.0: 6(i):003085f1d440->0010db57cd06/0800
              62.x.y.z->10.31.x.5/6, tlen=60
              vhl=45, tos=00, id=39510, frag=4000, ttl=57
              tcp:ports 42579->80, seq=3105368036, ack=0, flag=a002/SYN

01653.0: 6(i):003085f1d440->0010db57cd06/0800
              62.x.y.z->10.31.x.5/6, tlen=60
              vhl=45, tos=00, id=39512, frag=4000, ttl=57
              tcp:ports 42579->80, seq=3105368036, ack=0, flag=a002/SYN

01655.0: 6(i):003085f1d440->0010db57cd06/0800
              62.x.y.z->10.31.x.5/6, tlen=60
--- more ---
              vhl=45, tos=00, id=8463, frag=4000, ttl=57
              tcp:ports 43122->80, seq=3236369841, ack=0, flag=a002/SYN

01656.0: 6(i):003085f1d440->0010db57cd06/0800
              62.x.y.z->10.31.x.5/6, tlen=60
              vhl=45, tos=00, id=32583, frag=4000, ttl=57
              tcp:ports 43142->80, seq=2585512207, ack=0, flag=a002/SYN

01659.0: 6(i):003085f1d440->0010db57cd06/0800
              62.x.y.z->10.31.x.5/6, tlen=60
              vhl=45, tos=00, id=32585, frag=4000, ttl=57
              tcp:ports 43142->80, seq=2585512207, ack=0, flag=a002/SYN

ns25->


Here's the output of the debug, again trying the SSL VPN MIP:


debug flow blas      asc  ic          a  basic
ns25-> undebug all
ns25-> get dbuf stream
****** 01865.0: <Untrust/ethernet3> packet received [60]******
  ipid = 44359(ad47), @c7d48910
  packet passed sanity check.
  ethernet3:62.x.y.z/46230->10.31.x.5/80,6<Root>
  chose interface ethernet3 as incoming nat if.
  search route to (62.x.y.z->172.16.1.19) in vr trust-vr for vsd-0/flag-0/ifp-null
  route 172.16.1.19->0.0.0.0, to ethernet1
  routed (172.16.1.19, 0.0.0.0) from ethernet3 (ethernet3 in 0) to ethernet1
  policy search from zone 1-> zone 2
  Permitted by policy 3
  No src xlate   choose interface ethernet1 as outgoing phy if
  no loop on ifp ethernet1.
  session application type 6, name HTTP, timeout 300sec
  service lookup identified service 0.
  existing vector list 3-25116f0.
  Session (id:550) created for first pak 3
  route to 172.16.1.19
  arp entry found for 172.16.1.19
  nsp2 wing prepared, ready
cache mac in the session
  flow got session.
  flow session id 550
--- more ---
  post addr xlation: 62.x.y.z->172.16.1.19.
  packet send out to 0030485b224a through ethernet1
****** 01868.0: <Untrust/ethernet3> packet received [60]******
  ipid = 44361(ad49), @c7d49110
  packet passed sanity check.
  ethernet3:62.x.y.z/46230->10.31.x.5/80,6<Root>
  existing session found. sess token 3
  flow got session.
  flow session id 550
  post addr xlation: 62.x.y.z->172.16.1.19.
  packet send out to 0030485b224a through ethernet1
****** 01869.0: <Untrust/ethernet3> packet received [60]******
  ipid = 26868(68f4), @c7d4a910
  packet passed sanity check.
  ethernet3:62.x.y.z/46312->10.31.x.5/80,6<Root>
  chose interface ethernet3 as incoming nat if.
  search route to (62.x.y.z->172.16.1.19) in vr trust-vr for vsd-0/flag-0/ifp-null
  route 172.16.1.19->0.0.0.0, to ethernet1
  routed (172.16.1.19, 0.0.0.0) from ethernet3 (ethernet3 in 0) to ethernet1
  policy search from zone 1-> zone 2
  Permitted by policy 3
  No src xlate   choose interface ethernet1 as outgoing phy if
--- more ---
  no loop on ifp ethernet1.
  session application type 6, name HTTP, timeout 300sec
  service lookup identified service 0.
  existing vector list 3-25116f0.
  Session (id:553) created for first pak 3
  route to 172.16.1.19
  arp entry found for 172.16.1.19
  nsp2 wing prepared, ready
cache mac in the session
  flow got session.
  flow session id 553
  post addr xlation: 62.x.y.z->172.16.1.19.
  packet send out to 0030485b224a through ethernet1
  existing vector list 3-25116f0.
  existing vector list 3-25116f0.
  existing vector list 3-25116f0.
  existing vector list 3-25116f0.
  existing vector list 3-25116f0.
****** 01871.0: <Untrust/ethernet3> packet received [60]******
  ipid = 24962(6182), @c7d4c110
  packet passed sanity check.
  ethernet3:62.x.y.z/46338->10.31.x.5/80,6<Root>
--- more ---
  chose interface ethernet3 as incoming nat if.
  search route to (62.x.y.z->172.16.1.19) in vr trust-vr for vsd-0/flag-0/ifp-null
  route 172.16.1.19->0.0.0.0, to ethernet1
  routed (172.16.1.19, 0.0.0.0) from ethernet3 (ethernet3 in 0) to ethernet1
  policy search from zone 1-> zone 2
  Permitted by policy 3
  No src xlate   choose interface ethernet1 as outgoing phy if
  no loop on ifp ethernet1.
  session application type 6, name HTTP, timeout 300sec
  service lookup identified service 0.
  existing vector list 3-25116f0.
  Session (id:555) created for first pak 3
  route to 172.16.1.19
  arp entry found for 172.16.1.19
  nsp2 wing prepared, ready
cache mac in the session
  flow got session.
  flow session id 555
  post addr xlation: 62.x.y.z->172.16.1.19.
  packet send out to 0030485b224a through ethernet1
  existing vector list 3-25116f0.
  existing vector list 3-25116f0.
--- more ---
  existing vector list 3-25116f0.
  existing vector list 3-25116f0.
  existing vector list 3-25116f0.
****** 01874.0: <Untrust/ethernet3> packet received [60]******
  ipid = 24964(6184), @c7d4c910
  packet passed sanity check.
  ethernet3:62.x.y.z/46338->10.31.x.5/80,6<Root>
  existing session found. sess token 3
  flow got session.
  flow session id 555
  post addr xlation: 62.x.y.z->172.16.1.19.
  packet send out to 0030485b224a through ethernet1
****** 01875.0: <Untrust/ethernet3> packet received [60]******
  ipid = 61043(ee73), @c7d4e110
  packet passed sanity check.
  ethernet3:62.x.y.z/46397->10.31.x.5/80,6<Root>
  chose interface ethernet3 as incoming nat if.
  search route to (62.x.y.z->172.16.1.19) in vr trust-vr for vsd-0/flag-0/ifp-null
  route 172.16.1.19->0.0.0.0, to ethernet1
  routed (172.16.1.19, 0.0.0.0) from ethernet3 (ethernet3 in 0) to ethernet1
  policy search from zone 1-> zone 2
  Permitted by policy 3
--- more ---
  No src xlate   choose interface ethernet1 as outgoing phy if
  no loop on ifp ethernet1.
  session application type 6, name HTTP, timeout 300sec
  service lookup identified service 0.
  existing vector list 3-25116f0.
  Session (id:557) created for first pak 3
  route to 172.16.1.19
  arp entry found for 172.16.1.19
  nsp2 wing prepared, ready
cache mac in the session
  flow got session.
  flow session id 557
  post addr xlation: 62.x.y.z->172.16.1.19.
  packet send out to 0030485b224a through ethernet1
  existing vector list 3-25116f0.
  existing vector list 3-25116f0.
  existing vector list 3-25116f0.
  existing vector list 3-25116f0.
  existing vector list 3-25116f0.
****** 01878.0: <Untrust/ethernet3> packet received [60]******
  ipid = 61045(ee75), @c7d4e910
  packet passed sanity check.
--- more ---
  ethernet3:62.x.y.z/46397->10.31.x.5/80,6<Root>
  existing session found. sess token 3
  flow got session.
  flow session id 557
  post addr xlation: 62.x.y.z->172.16.1.19.
  packet send out to 0030485b224a through ethernet1
****** 01884.0: <Untrust/ethernet3> packet received [60]******
  ipid = 61047(ee77), @c7d50110
  packet passed sanity check.
  ethernet3:62.x.y.z/46397->10.31.x.5/80,6<Root>
  existing session found. sess token 3
  flow got session.
  flow session id 557
  post addr xlation: 62.x.y.z->172.16.1.19.
  packet send out to 0030485b224a through ethernet1
ns25->    

I did filter by dst-ip so hopefully this isn't too much output.

Thanks for your help

Author Comment

by:MostlyConfused
Sorry, forgot to add - I don't get anything logged in the logs under Policies - click on the log icon on the MIP - no entries.

Thanks
LVL 32

Expert Comment

by:dpk_wal
I think the traffic is not hitting the rule at all and is hitting some other rule (maybe a generic one, or one denying traffic); the policy rules are applied in the order they appear, so make sure that the MIP policy rules are listed on top of rules which are less restrictive or deny access.

If the problem still persists, please give the output of:
get policy

Thank you.
LVL 1

Expert Comment

by:packetgod
Just a quick question: is the interface E1 on the same subnet as the mapped IPs?  I'm wondering if there could be a missed route somewhere internal:

search route to (62.x.y.z->172.16.1.19) in vr trust-vr for vsd-0/flag-0/ifp-null
  route 172.16.1.19->0.0.0.0, to ethernet1
  routed (172.16.1.19, 0.0.0.0) from ethernet3 (ethernet3 in 0) to ethernet1

Otherwise it looks like the packet gets accepted, matches policy 3, and is routed from E3 to E1.  Then another packet comes in, matches the existing session and gets sent through.  On your dbuf stream I only see one-way requests; does the server at the end ever respond?  Does the SSL VPN ever respond on 80 or only 443?

So far it all looks good incoming; we need to see what's happening after that.  If you feel comfortable posting your entire config (sanitized) I can load it up in my lab and test it out.  Also try to see if you can see anything coming back from the SSL VPN.
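packetgod's check above (inbound packets but no return traffic on the trust side) can be applied to a `debug flow basic` capture automatically. The following script is an added example, not code from this thread; it parses the `packet received` / `flow session id` lines in the format shown above over a constructed sample and flags sessions for which no packet was ever seen arriving from the Trust zone, which is exactly the symptom a wrong default gateway on the internal host produces.

```python
import re

# Constructed sample modelled on the ScreenOS "debug flow basic" output in
# the thread (addresses are documentation/RFC1918 values, not the poster's).
# Session 550 is one-way (no reply from ethernet1); session 560 gets a reply.
SAMPLE = """\
****** 01865.0: <Untrust/ethernet3> packet received [60]******
  ethernet3:192.0.2.10/46230->10.31.0.5/80,6<Root>
  flow session id 550
****** 01868.0: <Untrust/ethernet3> packet received [60]******
  ethernet3:192.0.2.10/46230->10.31.0.5/80,6<Root>
  flow session id 550
****** 01870.0: <Untrust/ethernet2> packet received [60]******
  ethernet2:192.0.2.10/50000->10.29.0.5/25,6<Root>
  flow session id 560
****** 01871.0: <Trust/ethernet1> packet received [60]******
  ethernet1:172.16.1.9/25->192.0.2.10/50000,6<Root>
  flow session id 560
"""

HDR = re.compile(r"\*{6} \S+ <(?P<zone>[^/]+)/(?P<ifc>[^>]+)> packet received")
FLOW = re.compile(r"^\s*(?P<ifc>\S+):(?P<src>[\d.]+)/(?P<sport>\d+)->"
                  r"(?P<dst>[\d.]+)/(?P<dport>\d+),(?P<proto>\d+)")
SESS = re.compile(r"flow session id (?P<sid>\d+)")

def parse_packets(text):
    """Yield one dict per received packet: ingress zone/interface, addresses, session id."""
    pkt = None
    for line in text.splitlines():
        m = HDR.search(line)
        if m:                      # a new "packet received" block starts
            if pkt:
                yield pkt
            pkt = {"zone": m["zone"], "ifc": m["ifc"], "sid": None}
            continue
        if pkt is None:
            continue
        m = FLOW.match(line)
        if m:
            pkt.update(src=m["src"], dst=m["dst"], dport=int(m["dport"]))
        m = SESS.search(line)
        if m:
            pkt["sid"] = int(m["sid"])
    if pkt:
        yield pkt

def one_way_sessions(text, trust_zone="Trust"):
    """Return {session_id: (dst, dport, inbound_count)} for sessions that never
    received a packet from trust_zone, i.e. the internal host never replied."""
    seen = {}
    for p in parse_packets(text):
        if p["sid"] is None:
            continue
        s = seen.setdefault(p["sid"], {"dst": p["dst"], "dport": p["dport"],
                                       "in": 0, "reply": False})
        if p["zone"] == trust_zone:
            s["reply"] = True
        else:
            s["in"] += 1
    return {sid: (s["dst"], s["dport"], s["in"])
            for sid, s in seen.items() if not s["reply"]}

if __name__ == "__main__":
    for sid, (dst, port, n) in one_way_sessions(SAMPLE).items():
        print(f"session {sid}: {n} inbound to {dst}:{port}, no reply from Trust "
              f"- check the host's default gateway / route back to the firewall")
```

Feed it the real capture with `python3 oneway.py < capture.txt` after replacing `SAMPLE` with `sys.stdin.read()`; the `--- more ---` pager lines are ignored because they match none of the patterns.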

Author Comment

by:MostlyConfused
Thanks both for your comments. Dpk wal - we only have 2 inbound policies untrust to trust and that is just to permit both MIPs for any service on the MIP for email.  It's like that just for testing at the moment.

Packetgod, I have attached the entire config - thanks very much for your help.  The VPN doesn't reply on either port 80 or 443.  The E1 interface's IP is in the same subnet as both the MIP addresses (172.16.1.9 and .19)

Here's the result of get policy:

ns25-> get policy
Total regular policies 3, Default deny.
    ID From     To       Src-address  Dst-address  Service  Action State   ASTLC
B
     2 Untrust  Trust    Any          MIP(10.29.2~ ANY      Permit enabled ---X-
X
     1 Trust    Untrust  Any          Any          ANY      Permit enabled -----
X
     3 Untrust  Trust    Any          MIP(10.31.2~ ESP      Permit enabled ---X-
X
                                                   HTTP
                                                   HTTPS
                                                   Network
ns25->

Here's the config:

set clock timezone 0
set vrouter trust-vr sharable
unset vrouter "trust-vr" auto-route-export
set service "ESP" protocol 50 src-port 1-65535 dst-port 0-0
set service "Network Connect UDP" protocol udp src-port 0-65535 dst-port 4500-4500
set service "H.323" timeout 2160
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set admin name "admin"
set admin password ""
set admin scs password disable username netscreen
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "DMZ" tcp-rst
set zone "VLAN" block
set zone "VLAN" tcp-rst
unset zone "Untrust" screen tear-drop
unset zone "Untrust" screen syn-flood
unset zone "Untrust" screen ping-death
unset zone "Untrust" screen ip-filter-src
unset zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet1" zone "Trust"
set interface "ethernet2" zone "Untrust"
set interface "ethernet3" zone "Untrust"
unset interface vlan1 ip
set interface ethernet1 ip 172.16.1.x/22
set interface ethernet1 nat
set interface ethernet2 ip 10.29.x.y/24
set interface ethernet2 route
set interface ethernet3 ip 10.31.x.y/24
set interface ethernet3 route
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet1 ip manageable
unset interface ethernet2 ip manageable
unset interface ethernet3 ip manageable
set interface ethernet2 manage ping
set interface ethernet3 manage ping
set interface "ethernet2" mip 10.29.x.y host 172.16.1.9 netmask 255.255.255.255 vrouter "trust-vr"
set interface "ethernet3" mip 10.31.x.y host 172.16.1.19 netmask 255.255.255.255 vrouter "trust-vr"
set hostname ns25
set ike respond-bad-spi 1

Thanks very much again.


LVL 1

Accepted Solution

by:
packetgod earned 250 total points
Just to ask the question as we are seeing from your previous post incoming but no outgoing (could be just what you posted).  How does the Default Gateway look on the SSL VPN box?

You know what they say "In but no out, bad default route"

I'll get that loaded up, I don't see the policies but I should be able to configure them from the get policy statement.

Author Comment

by:MostlyConfused
Ahh good point!  The default gateway on the SSL box is not pointed at the trusted interface.   I will do that now and get back with the results.  

Author Closing Comment

by:MostlyConfused
Packetgod, thanks so much; well, that turned out to be a real easy fix in the end!  I thought there was something amiss with my config as this was the first MIP I had ever set up.  The default gateway was pointing at the wrong IP address on the mail server and SSL VPN.  Both work perfectly now.  Thanks so much for your help :)