
Outbound route Issues

Posted on 2009-04-01
Last Modified: 2013-11-30
This unit is set up to route virtual IP addresses (VIPs) to internal local IP addresses.

I have rules set up to allow inbound HTTP and HTTPS traffic, and I can see that traffic going through just fine in the logs.

The unit is not able to resolve DNS queries from the net.

The other issue is that, yes, the HTTP requests are coming in, but the browser times out on the request; it looks like one of the NAT rules or the policies is causing issues with the traffic flowing back out. I know it's probably something I have overlooked.
unset key protection enable

set clock ntp

set clock timezone -5

set clock dst recurring start-weekday 2 0 3 02:00 end-weekday 1 0 11 02:00

set vrouter trust-vr sharable

set vrouter "untrust-vr"

exit

set vrouter "trust-vr"

unset auto-route-export

exit

set service "vrrp" protocol 112 src-port 0-65535 dst-port 0-65535 

set alg appleichat enable

unset alg appleichat re-assembly enable

set alg sctp enable

set auth-server "Local" id 0

set auth-server "Local" server-name "Local"

set auth default auth server "Local"

set auth radius accounting port 1646

set admin name "admin"

set admin password ""

set admin user "test" password "" privilege "all"

set admin http redirect

set admin auth web timeout 10

set admin auth server "Local"

set admin format dos

set zone "Trust" vrouter "trust-vr"

set zone "Untrust" vrouter "trust-vr"

set zone "DMZ" vrouter "trust-vr"

set zone "VLAN" vrouter "trust-vr"

set zone "Untrust-Tun" vrouter "trust-vr"

set zone "Trust" tcp-rst 

set zone "Untrust" block 

unset zone "Untrust" tcp-rst 

set zone "MGT" block 

unset zone "V1-Trust" tcp-rst 

unset zone "V1-Untrust" tcp-rst 

set zone "DMZ" tcp-rst 

unset zone "V1-DMZ" tcp-rst 

set zone "VLAN" block 

unset zone "VLAN" tcp-rst 

set zone "Untrust" screen alarm-without-drop

set zone "Untrust" screen icmp-flood

set zone "Untrust" screen udp-flood

set zone "Untrust" screen winnuke

set zone "Untrust" screen port-scan

set zone "Untrust" screen ip-sweep

set zone "Untrust" screen tear-drop

set zone "Untrust" screen syn-flood

set zone "Untrust" screen ip-spoofing

set zone "Untrust" screen ping-death

set zone "Untrust" screen ip-filter-src

set zone "Untrust" screen land

set zone "Untrust" screen syn-frag

set zone "Untrust" screen tcp-no-flag

set zone "Untrust" screen unknown-protocol

set zone "Untrust" screen ip-bad-option

set zone "Untrust" screen ip-record-route

set zone "Untrust" screen ip-timestamp-opt

set zone "Untrust" screen ip-security-opt

set zone "Untrust" screen ip-loose-src-route

set zone "Untrust" screen ip-strict-src-route

set zone "Untrust" screen ip-stream-opt

set zone "Untrust" screen icmp-fragment

set zone "Untrust" screen icmp-large

set zone "Untrust" screen syn-fin

set zone "Untrust" screen fin-no-ack

set zone "Untrust" screen limit-session source-ip-based

set zone "Untrust" screen syn-ack-ack-proxy

set zone "Untrust" screen block-frag

set zone "Untrust" screen limit-session destination-ip-based

set zone "Untrust" screen component-block zip

set zone "Untrust" screen component-block jar

set zone "Untrust" screen component-block exe

set zone "Untrust" screen component-block activex

set zone "Untrust" screen icmp-id

set zone "Untrust" screen tcp-sweep

set zone "Untrust" screen udp-sweep

set zone "Untrust" screen ip-spoofing zone-based

set zone "V1-Untrust" screen tear-drop

set zone "V1-Untrust" screen syn-flood

set zone "V1-Untrust" screen ping-death

set zone "V1-Untrust" screen ip-filter-src

set zone "V1-Untrust" screen land

set interface "ethernet0/0" zone "Untrust"

set interface "ethernet0/1" zone "Null"

set interface "ethernet0/2" zone "Null"

set interface "bgroup0/0" zone "Trust"

set interface bgroup0/0 port ethernet0/2

set interface bgroup0/0 port ethernet0/3

set interface bgroup0/0 port ethernet0/4

set interface bgroup0/0 port ethernet0/5

set interface bgroup0/0 port ethernet0/6

set interface bgroup0/0 port ethernet0/7

set interface bgroup0/0 port ethernet0/8

set interface bgroup0/0 port ethernet0/9

set interface ethernet0/0 ip ***.***.***.141/28

set interface ethernet0/0 route

unset interface vlan1 ip

set interface bgroup0/0 ip 172.16.1.30/24

set interface bgroup0/0 nat

unset interface vlan1 bypass-others-ipsec

unset interface vlan1 bypass-non-ip

set interface ethernet0/0 ip manageable

set interface bgroup0/0 ip manageable

set interface vlan1 manage mtrace

set interface ethernet0/0 vip interface-ip

set interface ethernet0/0 vip ***.***.***.140 443 "HTTPS" 172.16.1.51

set interface ethernet0/0 vip ***.***.***.140 + 80 "HTTP" 172.16.1.51

set interface ethernet0/0 vip ***.***.***.142 80 "HTTP" 172.16.1.202

set interface ethernet0/0 vip ***.***.***.142 + 443 "HTTPS" 172.16.1.202

unset flow no-tcp-seq-check

set flow tcp-syn-check

unset flow tcp-syn-bit-check

set flow reverse-route clear-text prefer

set flow reverse-route tunnel always

set hostname taos-edge-1

set pki authority default scep mode "auto"

set pki x509 default cert-path partial

set dns host dns1 198.41.0.4 src-interface ethernet0/0

set dns host dns2 192.33.4.12 src-interface ethernet0/0

set dns host dns3 128.63.2.53 src-interface ethernet0/0

set dns host schedule 06:28

set address "Trust" "172.16.1.204/255.255.255.0" 172.16.1.204 255.255.255.0

set address "Trust" "172.16.1.204/32" 172.16.1.204 255.255.255.255

set address "Untrust" "***.***.***.130/255.255.255.240" ***.***.***.130/255.255.255.240 

set crypto-policy

exit

set ike respond-bad-spi 1

set ike ikev2 ike-sa-soft-lifetime 60

unset ike ikeid-enumeration

unset ike dos-protection

unset ipsec access-session enable

set ipsec access-session maximum 5000

set ipsec access-session upper-threshold 0

set ipsec access-session lower-threshold 0

set ipsec access-session dead-p2-sa-timeout 0

unset ipsec access-session log-error

unset ipsec access-session info-exch-connected

unset ipsec access-session use-error-log

set vrouter "untrust-vr"

exit

set vrouter "trust-vr"

exit

set url protocol websense

exit

set policy id 11 from "Untrust" to "Trust"  "Any" "VIP(***.***.***.142)" "HTTP" nat dst ip 172.16.1.202 permit log count 

set policy id 11 application "HTTP"

set policy id 11

set service "HTTP-EXT"

set service "HTTPS"

exit

set policy id 10 name "testing.*******.net" from "Untrust" to "Trust"  "Any" "VIP(***.***.***.140)" "HTTP" permit log count 

set policy id 10 application "HTTP"

set policy id 10

set service "HTTP-EXT"

set service "HTTPS"

exit

set policy id 4 from "Trust" to "Untrust"  "Any" "Any" "UDP-ANY" nat src permit log count 

set policy id 4

exit

set policy id 3 from "Trust" to "Untrust"  "Any" "Any" "TCP-ANY" nat src permit log count 

set policy id 3

exit

set policy id 2 from "Trust" to "Untrust"  "Any" "Any" "DNS" nat src permit log count 

set policy id 2

exit

set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ICMP-ANY" nat src permit log count 

set policy id 1

exit

set syslog config "172.16.1.51"

set syslog config "172.16.1.51" facilities local0 local0

set syslog config "172.16.1.51" log traffic

set syslog config "172.16.1.51" transport tcp

set syslog src-interface bgroup0/0

set syslog enable

set webtrends host-name "172.16.1.51"

set webtrends enable

set log module system level emergency destination console

set log module system level alert destination console

set log module system level critical destination console

set log module system level error destination console

set log module system level warning destination console

set log module system level notification destination console

set log module system level information destination console

set log module system level debugging destination console

set log module system level error destination webtrends

set log module system level warning destination webtrends

set log module system level information destination webtrends

set log module system level debugging destination webtrends

set firewall log-self

set nsmgmt bulkcli reboot-timeout 60

set ssh version v2

set ssh enable

set config lock timeout 5

unset license-key auto-update

set ntp server "64.34.180.101"

set ntp server src-interface "ethernet0/0"

set ntp server backup1 "174.133.44.162"

set ntp server backup1 src-interface "ethernet0/0"

set ntp server backup2 "209.67.219.106"

set ntp server backup2 src-interface "ethernet0/0"

set snmp port listen 161

set snmp port trap 162

set vrouter "untrust-vr"

exit

set vrouter "trust-vr"

unset add-default-route

exit

set vrouter "untrust-vr"

exit

set vrouter "trust-vr"

exit

Question by:cyexx
5 Comments

Expert Comment

by:ccomley
ID: 24048179
I don't know Juniper, but I strongly suspect your problem lies somewhere around the line that says

set policy id 2 from "Trust" to "Untrust"  "Any" "Any" "DNS" nat src permit log count


Author Comment

by:cyexx
ID: 24049031
That rule allows traffic from Trust to Untrust to pull DNS info from the net, and it was working just fine. But it is not now.

The critical thing is getting the HTTP traffic to work through the unit.

Author Comment

by:cyexx
ID: 24065482
Any ideas on this? I am stumped.

Expert Comment

by:Qlemo
ID: 24089818
Is there any reason for NAT in the policies? In my opinion it is not needed, and it might lead to double NAT.

Accepted Solution

by:
cyexx earned 0 total points
ID: 24384451
I found the issue. The config had lost the gateway line:

set gateway ***.***.***.***

Restoring this setting fixed the issues.
