[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

Outbound route Issues

Posted on 2009-04-01
5
Medium Priority
?
1,059 Views
Last Modified: 2013-11-30
This unit is setup for routing Virtual IP addresses to internal local IP addresses.

I have rules setup to allow inbound http and https traffic and I am seeing that go threw just fine in the logs.

The unit is not able to update DNS requests from the net.

The other issue is yes the http traffic requests are coming in but the brower times out on the request it looks like one of the nat rules or the policys is causing issues on the traffic flowing back out.  I know its prolly something that I have overlooked.
unset key protection enable
set clock ntp
set clock timezone -5
set clock dst recurring start-weekday 2 0 3 02:00 end-weekday 1 0 11 02:00
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set service "vrrp" protocol 112 src-port 0-65535 dst-port 0-65535 
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "admin"
set admin password ""
set admin user "test" password "" privilege "all"
set admin http redirect
set admin auth web timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst 
set zone "Untrust" block 
unset zone "Untrust" tcp-rst 
set zone "MGT" block 
unset zone "V1-Trust" tcp-rst 
unset zone "V1-Untrust" tcp-rst 
set zone "DMZ" tcp-rst 
unset zone "V1-DMZ" tcp-rst 
set zone "VLAN" block 
unset zone "VLAN" tcp-rst 
set zone "Untrust" screen alarm-without-drop
set zone "Untrust" screen icmp-flood
set zone "Untrust" screen udp-flood
set zone "Untrust" screen winnuke
set zone "Untrust" screen port-scan
set zone "Untrust" screen ip-sweep
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ip-spoofing
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "Untrust" screen syn-frag
set zone "Untrust" screen tcp-no-flag
set zone "Untrust" screen unknown-protocol
set zone "Untrust" screen ip-bad-option
set zone "Untrust" screen ip-record-route
set zone "Untrust" screen ip-timestamp-opt
set zone "Untrust" screen ip-security-opt
set zone "Untrust" screen ip-loose-src-route
set zone "Untrust" screen ip-strict-src-route
set zone "Untrust" screen ip-stream-opt
set zone "Untrust" screen icmp-fragment
set zone "Untrust" screen icmp-large
set zone "Untrust" screen syn-fin
set zone "Untrust" screen fin-no-ack
set zone "Untrust" screen limit-session source-ip-based
set zone "Untrust" screen syn-ack-ack-proxy
set zone "Untrust" screen block-frag
set zone "Untrust" screen limit-session destination-ip-based
set zone "Untrust" screen component-block zip
set zone "Untrust" screen component-block jar
set zone "Untrust" screen component-block exe
set zone "Untrust" screen component-block activex
set zone "Untrust" screen icmp-id
set zone "Untrust" screen tcp-sweep
set zone "Untrust" screen udp-sweep
set zone "Untrust" screen ip-spoofing zone-based
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/1" zone "Null"
set interface "ethernet0/2" zone "Null"
set interface "bgroup0/0" zone "Trust"
set interface bgroup0/0 port ethernet0/2
set interface bgroup0/0 port ethernet0/3
set interface bgroup0/0 port ethernet0/4
set interface bgroup0/0 port ethernet0/5
set interface bgroup0/0 port ethernet0/6
set interface bgroup0/0 port ethernet0/7
set interface bgroup0/0 port ethernet0/8
set interface bgroup0/0 port ethernet0/9
set interface ethernet0/0 ip ***.***.***.141/28
set interface ethernet0/0 route
unset interface vlan1 ip
set interface bgroup0/0 ip 172.16.1.30/24
set interface bgroup0/0 nat
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
set interface bgroup0/0 ip manageable
set interface vlan1 manage mtrace
set interface ethernet0/0 vip interface-ip
set interface ethernet0/0 vip ***.***.***.140 443 "HTTPS" 172.16.1.51
set interface ethernet0/0 vip ***.***.***.140 + 80 "HTTP" 172.16.1.51
set interface ethernet0/0 vip ***.***.***.142 80 "HTTP" 172.16.1.202
set interface ethernet0/0 vip ***.***.***.142 + 443 "HTTPS" 172.16.1.202
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set hostname taos-edge-1
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns1 198.41.0.4 src-interface ethernet0/0
set dns host dns2 192.33.4.12 src-interface ethernet0/0
set dns host dns3 128.63.2.53 src-interface ethernet0/0
set dns host schedule 06:28
set address "Trust" "172.16.1.204/255.255.255.0" 172.16.1.204 255.255.255.0
set address "Trust" "172.16.1.204/32" 172.16.1.204 255.255.255.255
set address "Untrust" "***.***.***.130/255.255.255.240" ***.***.***.130/255.255.255.240 
set crypto-policy
exit
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set url protocol websense
exit
set policy id 11 from "Untrust" to "Trust"  "Any" "VIP(***.***.***.142)" "HTTP" nat dst ip 172.16.1.202 permit log count 
set policy id 11 application "HTTP"
set policy id 11
set service "HTTP-EXT"
set service "HTTPS"
exit
set policy id 10 name "testing.*******.net" from "Untrust" to "Trust"  "Any" "VIP(***.***.***.140)" "HTTP" permit log count 
set policy id 10 application "HTTP"
set policy id 10
set service "HTTP-EXT"
set service "HTTPS"
exit
set policy id 4 from "Trust" to "Untrust"  "Any" "Any" "UDP-ANY" nat src permit log count 
set policy id 4
exit
set policy id 3 from "Trust" to "Untrust"  "Any" "Any" "TCP-ANY" nat src permit log count 
set policy id 3
exit
set policy id 2 from "Trust" to "Untrust"  "Any" "Any" "DNS" nat src permit log count 
set policy id 2
exit
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ICMP-ANY" nat src permit log count 
set policy id 1
exit
set syslog config "172.16.1.51"
set syslog config "172.16.1.51" facilities local0 local0
set syslog config "172.16.1.51" log traffic
set syslog config "172.16.1.51" transport tcp
set syslog src-interface bgroup0/0
set syslog enable
set webtrends host-name "172.16.1.51"
set webtrends enable
set log module system level emergency destination console
set log module system level alert destination console
set log module system level critical destination console
set log module system level error destination console
set log module system level warning destination console
set log module system level notification destination console
set log module system level information destination console
set log module system level debugging destination console
set log module system level error destination webtrends
set log module system level warning destination webtrends
set log module system level information destination webtrends
set log module system level debugging destination webtrends
set firewall log-self
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set ssh enable
set config lock timeout 5
unset license-key auto-update
set ntp server "64.34.180.101"
set ntp server src-interface "ethernet0/0"
set ntp server backup1 "174.133.44.162"
set ntp server backup1 src-interface "ethernet0/0"
set ntp server backup2 "209.67.219.106"
set ntp server backup2 src-interface "ethernet0/0"
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit

Open in new window

0
Comment
Question by:cyexx
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
5 Comments
 
LVL 17

Expert Comment

by:ccomley
ID: 24048179
I don't know Juniper, but I deeply suspect your problem lies somewhere around the line which says

set policy id 2 from "Trust" to "Untrust"  "Any" "Any" "DNS" nat src permit log count

0
 

Author Comment

by:cyexx
ID: 24049031
that rule is allow traffic from trusted to untrusted to pull DNS info from the net and was working just fine.  But is not now.

The critical thing is getting the http traffic to work threw the unit
0
 

Author Comment

by:cyexx
ID: 24065482
any ideas on this since I am stumped on this
0
 
LVL 71

Expert Comment

by:Qlemo
ID: 24089818
Any reason for NAT in policies? IMHO it is not needed, and might lead to a double NAT.
0
 

Accepted Solution

by:
cyexx earned 0 total points
ID: 24384451
I found the issue.  The config had lost he gateway line

set gateway ***.***.***.***

this setting fixed the issues.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When it comes to security, close monitoring is a must. According to WhiteHat Security annual report, a substantial number of all web applications are vulnerable always. Monitis offers a new product - fully-featured Website security monitoring and pr…
This article will show how Aten was able to supply easy management and control for Artear's video walls and wide range display configurations of their newsroom.
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…
Suggested Courses

649 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question