  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3715

Juniper firewall config problem - gratuitous ARP overrunning network?

Hi,

I have a Juniper router with ScreenOS 6.1 which is reportedly causing some ARP problems with my host. It's binding to all the IPs it can find.

I've attached the config file. The firewall is set up to protect one server. Collectively I have 5 IPs assigned by my host - I've entered them in the attached config file (1.1.19.135-1.1.19.139).

1.1.19.135 is assigned to the firewall
1.1.19.136-1.1.19.139 are assigned to the server, and are routed via NAT-DST. This all worked fine for the last couple of days, except it's been causing this problem constantly.

Interface 0/0 goes to the internet in Untrust
Interface 0/7 goes to the server in DMZ

However, today I received a message from my host that all is not well. They've said the firewall is trying to bind to every IP on the network and they've now disconnected it.

Here's some of their log:

Feb 11 11:02:05 mook kernel: arp: 1.1.19.86 moved from 00:1a:a2:2d:0f:8a to 00:22:83:98:de:00 on rl0
Feb 11 11:02:27 mook kernel: arp: 1.1.19.12 moved from 00:1b:d5:88:99:d6 to 00:22:83:98:de:00 on rl0
Feb 11 11:03:23 mook kernel: arp: 1.1.19.201 moved from 00:1b:d5:88:99:d6 to 00:22:83:98:de:00 on rl0
Feb 11 11:03:31 mook kernel: arp: 1.1.19.130 moved from 00:17:cb:49:8b:80 to 00:22:83:98:de:00 on rl0

I've done some reading this afternoon and I have a feeling it's G-ARP related.

Can anyone shed some light on this, and point me to fixing the config file? You would be a lifesaver!

set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr" default-vrouter
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set service "RDP" protocol tcp src-port 0-65535 dst-port 3389-3389 
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "Administrator"
set admin password "nDorBFr7IsnOcn4JWsuCYcHtbgDNTn"
set admin http redirect
set admin auth web timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "untrust-vr"
set zone "DMZ" vrouter "untrust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst 
unset zone "Untrust" block 
set zone "Untrust" tcp-rst 
set zone "MGT" block 
set zone "DMZ" tcp-rst 
set zone "VLAN" block 
unset zone "VLAN" tcp-rst 
unset zone "Untrust" screen tear-drop
unset zone "Untrust" screen syn-flood
unset zone "Untrust" screen ping-death
unset zone "Untrust" screen ip-filter-src
unset zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface ethernet0/8 phy full 1000mb
set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/1" zone "Null"
set interface "ethernet0/2" zone "Null"
set interface "ethernet0/7" zone "DMZ"
set interface "ethernet0/9" zone "Trust"
set interface ethernet0/0 ip 1.1.19.135/21
set interface ethernet0/0 route
unset interface vlan1 ip
set interface ethernet0/7 ip 10.0.0.1/8
set interface ethernet0/7 nat
set interface ethernet0/9 ip 192.168.1.1/24
set interface ethernet0/9 route
set interface "ethernet0/0" pmtu ipv4
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
set interface ethernet0/7 ip manageable
set interface ethernet0/9 ip manageable
set interface vlan1 broadcast arp
set interface ethernet0/0 manage ping
set interface ethernet0/0 manage ssh
set interface ethernet0/0 manage telnet
set interface ethernet0/0 manage snmp
set interface ethernet0/0 manage ssl
set interface ethernet0/0 manage web
set interface ethernet0/0 manage ident-reset
set interface ethernet0/7 manage ssh
set interface ethernet0/7 manage telnet
set interface ethernet0/7 manage snmp
set interface ethernet0/7 manage ssl
set interface ethernet0/7 manage web
unset interface ethernet0/9 manage ssh
unset interface ethernet0/9 manage snmp
set interface vlan1 manage mtrace
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set hostname FIREWALL
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns1 1.1.12.1 src-interface ethernet0/0
set dns host dns2 1.1.12.2 src-interface ethernet0/0
set dns host dns3 0.0.0.0
set address "Untrust" "Server IP 1 - Sites" 1.1.19.136 255.255.248.0
set address "Untrust" "Server IP 2 - Email" 1.1.19.137 255.255.248.0
set address "Untrust" "Server IP 3 - Unused" 1.1.19.138 255.255.248.0
set address "Untrust" "Server IP 4 - Remote Access" 1.1.19.139 255.255.248.0
set address "DMZ" "Server" 10.0.0.10 255.0.0.0 "Server"
set group address "Untrust" "Server IPs"
set group address "Untrust" "Server IPs" add "Server IP 1 - Sites"
set group address "Untrust" "Server IPs" add "Server IP 2 - Email"
set group address "Untrust" "Server IPs" add "Server IP 3 - Unused"
set group address "Untrust" "Server IPs" add "Server IP 4 - Remote Access"
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set arp nat-dst
set url protocol websense
exit
set policy id 1 from "DMZ" to "Untrust"  "Server" "Any" "HTTP" permit 
set policy id 1
exit
set policy id 3 from "DMZ" to "Untrust"  "Server" "Any" "DNS" permit 
set policy id 3
exit
set policy id 4 from "Untrust" to "Untrust"  "Any" "Server IPs" "RDP" nat dst ip 10.0.0.10 permit 
set policy id 4
exit
set policy id 5 from "Untrust" to "DMZ"  "Any" "Server" "RDP" permit 
set policy id 5
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set ssh enable
set config lock timeout 5
unset license-key auto-update
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
set route 0.0.0.0/0 interface ethernet0/0 gateway 1.1.1.1 permanent
exit
set vrouter "trust-vr"
unset add-default-route
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit

Asked by: TNGIT

1 Solution
Mysidia commented:
NAT-DST is essentially a feature that uses proxy ARP for the NAT addresses you've specified.

Proxy ARP of course means that you "bind" every IP that you wind up proxying ARP to your own address for (when someone asks to contact one of those addresses), as far as other hosts on the subnet are concerned.
In general, it is not recommended, except for very special circumstances.


Perhaps you intend to use proxy arp, but not for so many IP addresses...
In your posted output, you have
'
set interface ethernet0/0 ip 1.1.19.135/21
set route 0.0.0.0/0 interface ethernet0/0 gateway 1.1.1.1 permanent
'
But 1.1.1.1 is not in 1.1.19.135/21.

You _should_ have a direct interface on the same subnet as whatever you are choosing for your firewall to use as default gateway.


set address "Untrust" "Server IP 1 - Sites" 1.1.19.136 255.255.248.0
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

If you want one IP, the filter mask should be 255.255.255.255

0
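The mask point in the answer above is easy to verify mechanically. The following script is an added example for this thread, not code from the original post or from Juniper: it parses the poster's four `set address` lines, computes how many addresses a NAT-DST proxy-ARP scope built from those objects would actually cover with the /21 mask versus a /32 host mask, rewrites the lines to the host mask, and checks the host's `arp: ... moved` log lines against both scopes. It also counts how many IPs a single MAC "took over" in the log, which is the signal a hosting provider would alert on regardless of cause. The config excerpt and log lines are constructed copies of what appears in the thread; the regexes and function names are this example's own.

```python
import ipaddress
import re
from collections import Counter

# Constructed excerpt of the poster's config: the four Untrust address
# objects with the 255.255.248.0 (/21) mask that the answer calls out.
CONFIG_BEFORE = """
set address "Untrust" "Server IP 1 - Sites" 1.1.19.136 255.255.248.0
set address "Untrust" "Server IP 2 - Email" 1.1.19.137 255.255.248.0
set address "Untrust" "Server IP 3 - Unused" 1.1.19.138 255.255.248.0
set address "Untrust" "Server IP 4 - Remote Access" 1.1.19.139 255.255.248.0
"""

# Constructed copy of the host's kernel log from the question.
HOST_LOG = """
Feb 11 11:02:05 mook kernel: arp: 1.1.19.86 moved from 00:1a:a2:2d:0f:8a to 00:22:83:98:de:00 on rl0
Feb 11 11:02:27 mook kernel: arp: 1.1.19.12 moved from 00:1b:d5:88:99:d6 to 00:22:83:98:de:00 on rl0
Feb 11 11:03:23 mook kernel: arp: 1.1.19.201 moved from 00:1b:d5:88:99:d6 to 00:22:83:98:de:00 on rl0
Feb 11 11:03:31 mook kernel: arp: 1.1.19.130 moved from 00:17:cb:49:8b:80 to 00:22:83:98:de:00 on rl0
"""

IPV4 = r'\d{1,3}(?:\.\d{1,3}){3}'
# ScreenOS 'set address <zone> <name> <ip> <mask>' lines (hypothetical parser).
ADDR_RE = re.compile(
    r'^set address "(?P<zone>[^"]+)" "(?P<name>[^"]+)" '
    rf'(?P<ip>{IPV4}) (?P<mask>{IPV4})'
)
# BSD-style 'arp: <ip> moved from <mac> to <mac> on <if>' messages.
ARP_MOVE_RE = re.compile(
    rf'arp: (?P<ip>{IPV4}) moved from (?P<old>[0-9a-f:]{{17}}) '
    r'to (?P<new>[0-9a-f:]{17}) on (?P<ifname>\S+)'
)


def parse_address_objects(config):
    """Map each address-object name to the network its mask really covers."""
    objs = {}
    for line in config.splitlines():
        m = ADDR_RE.match(line.strip())
        if m:
            # strict=False keeps the object even when host bits are set.
            objs[m['name']] = ipaddress.IPv4Network((m['ip'], m['mask']), strict=False)
    return objs


def nat_dst_scope(objs):
    """Distinct networks a proxy-ARP scope built from these objects spans,
    plus the total number of addresses the firewall would answer ARP for."""
    nets = list(ipaddress.collapse_addresses(set(objs.values())))
    return nets, sum(n.num_addresses for n in nets)


def oversized_objects(objs):
    """Names of objects whose mask is wider than a single host (/32)."""
    return sorted(name for name, net in objs.items() if net.prefixlen != 32)


def fix_masks(config):
    """Rewrite every 'set address' line to a 255.255.255.255 host mask."""
    out = []
    for line in config.splitlines():
        m = ADDR_RE.match(line.strip())
        if m and m['mask'] != '255.255.255.255':
            rest = line.strip()[m.end():]  # keep any trailing comment field
            line = (f'set address "{m["zone"]}" "{m["name"]}" '
                    f'{m["ip"]} 255.255.255.255{rest}')
        out.append(line)
    return "\n".join(out)


def parse_arp_moves(log):
    """Extract (ip, old MAC, new MAC, interface) from ARP 'moved' log lines."""
    moves = []
    for line in log.splitlines():
        m = ARP_MOVE_RE.search(line)
        if m:
            moves.append({'ip': ipaddress.IPv4Address(m['ip']), 'old': m['old'],
                          'new': m['new'], 'ifname': m['ifname']})
    return moves


def moves_explained_by(objs, moves):
    """For each moved IP: does it fall inside the proxy-ARP scope of objs?"""
    nets, _ = nat_dst_scope(objs)
    return {str(mv['ip']): any(mv['ip'] in n for n in nets) for mv in moves}


def macs_claiming_many_ips(moves, threshold=2):
    """One MAC becoming the new owner of many IPs is worth an alert on its own."""
    counts = Counter(mv['new'] for mv in moves)
    return {mac: n for mac, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    before = parse_address_objects(CONFIG_BEFORE)
    after = parse_address_objects(fix_masks(CONFIG_BEFORE))
    for label, objs in (("before", before), ("after", after)):
        nets, total = nat_dst_scope(objs)
        print(f"{label}: scope {[str(n) for n in nets]} = {total} addresses; "
              f"oversized objects: {oversized_objects(objs)}")
    moves = parse_arp_moves(HOST_LOG)
    print("moved IPs inside /21 scope:", moves_explained_by(before, moves))
    print("moved IPs inside /32 scope:", moves_explained_by(after, moves))
    print("MACs claiming many IPs:", macs_claiming_many_ips(moves))
    print(fix_masks(CONFIG_BEFORE))
```

With the /21 mask the four objects collapse to the single network 1.1.16.0/21, 2048 addresses, and every IP in the host's log (1.1.19.12, .86, .130 and .201) sits inside it, which is exactly the "binding to every IP" the host reported; with host masks the scope shrinks to the four server addresses and none of the logged IPs is covered. The `macs_claiming_many_ips` check is the defender-side view of the same event: whether caused by a misconfigured mask or by something deliberate, one MAC taking over four unrelated IPs in two minutes on one segment is the pattern to alert on.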
 
TNGIT (Author) commented:
Hi Mysidia

Many thanks for that explanation, it was very interesting.

I did alter the real IP addresses to imaginary ones in my post so as not to draw attention - the default gateway is in actual fact on the same subnet as the untrust interface's IP.

I will adjust the filter mask to 255.255.255.255 and get things back up and running. I'll read up on why this makes a difference.

You mentioned that Proxy ARP is not recommended - what would you recommend in place?

Thanks

0
 
Qlemo (C++ Developer) commented:
Isn't this a typical MIP/DIP/VIP case?
0
 
TNGIT (Author) commented:
Many thanks - Mysidia, your solution worked perfectly.

Qlemo, thanks for your comment - I am in the process of mapping the IPs instead of using NAT-DST.
0
