Solved

Juniper Netscreen 5GT - Why isn't MIP working?

Posted on 2009-05-01
Last Modified: 2012-06-21
Juniper 5GT - Firmware 5.0.0r8.1 (Firewall + VPN)

We have 2 servers with 2 network connections each; one is used as the dedicated IP address for the server and the other is used by NLB.
Server 1
10.0.0.10 (Dedicated)
10.0.0.11 (Used for NLB)

Server 2
10.0.0.12 (Dedicated)
10.0.0.13 (Used for NLB)

NLB shared cluster IP address is 10.0.0.14.

Our goal is to set up a new website with IP address, say, A.B.C.E.  So we want the traffic for our new website to be routed from the firewall to 10.0.0.14.  Right now the untrust interface is bound to 1 of our 13 public IP addresses; let's call it A.B.C.D.  This interface already has a bunch of VIP services set up for use by our other website that's been in place for years now, so if I added another VIP service to that VIP it would cause a conflict b/c they both would be trying to use the same service (HTTPS).  It would be great if I could just create another VIP for use by the new public IP address (A.B.C.E), but I've tried that and researched it and I don't think it's possible.  
So that leads me to MIP.  I set up the firewall with a MIP created within the untrust interface to map A.B.C.E to 10.0.0.14.  Then I created a policy for source "Any" to destination "MIP(A.B.C.E)" with service HTTP.  It doesn't work.  I get a "page cannot be displayed" error message when attempting to hit the site.  However, it does work perfectly when I change the MIP to map to 10.0.0.10, 10.0.0.11, 10.0.0.12, or 10.0.0.13.

When I have the MIP mapped to 10.0.0.14 and I turn on logging for that policy this is what I get:
Bytes Sent 206 but Bytes Received as 0.  See attached file for more detail.

What could be causing the Bytes Received to be 0??
EE.jpg
Question by: sliknick1028
8 Comments

Expert Comment by: ccreamer_22 (LVL 5)
ID: 24280108
First, let's see if you can ping the server from the trust interface in the CLI. Use either telnet or SSH depending on your setup.

ping 10.0.0.14 from trust

If we see !!!!! that means the firewall can see it and route to it. If not, check your internal routing.

Next, let's check the MIP.

In the WebUI go to Network > Interfaces and click Edit next to untrust.
Then select MIP at the top.
Check your Mapped IP to make sure it is your desired public IP. Also make sure that it is within the range of public IPs that you have available from your ISP and is not in use elsewhere.
Check the host IP and make sure that it is 10.0.0.14 or whatever the real internal IP is.
Make sure that the netmask is 255.255.255.255 so it just points to one server.
Make sure that the VRouter is the trust-vr, even if you have it set in a DMZ.

Now let's check the policy.
Make the policy going from untrust to trust (untrust to dmz if that is configured).
Make the source "any" and the destination your mip(x.x.x.x) (should be the public IP).
In the service choose http and put ping in as well under the multiple button for testing purposes.
Choose OK and place the policy at the top of the list. This will prevent it from being interfered with by any other policy, and it can be slowly brought down the list one at a time to see if any other policies are interfering with this one.
Now ping the public IP from your computer. If you can ping it, that means the policy is working. If not, remove the policy, the MIP, and any other objects you created for this and start again fresh. Very rarely, but occasionally, I have seen an issue on the firewall where everything was configured correctly and displaying correctly, however the change was for some reason not taking effect. Rebuilding the policy from scratch has always fixed it so far in my experience.
If you can ping the server, however you can not get to it by http, check to see if the web page displays from a browser using the internal IP from another computer.
Good Luck

Author Comment by: sliknick1028
ID: 24281555
Thank you for the effort ccreamer_22, but I tried everything you said and nothing resolved the problem.
Here were my steps:
1) I was able to ping the internal NLB IP address from a telnet session with the command
ping 10.0.0.4 from trust
I received the !!!!! and it said Success rate is 100% (5/5).

2) All the MIP settings were correct and as you stated.  Netmask is 255.255.255.255.  The public IP address is not in use elsewhere.  VRouter is trust-vr.

3) Policy is correct and as you stated.  I deleted the policy and recreated it from scratch and placed it at the top but still no go.  I enabled logging and still the Bytes Received showed as 0.


Now get this, when I go into the advanced settings of the policy and enable NAT: Source Translation and choose "None (Use Egress Interface IP)" it works.  I am able to hit the website externally and the logging has Bytes Received shown as some number (not zero)!  BUT, this is not what I want b/c within the application we want to be able to obtain the source public IP address for an additional security check, and when NAT: Source Translation is enabled the source IP address is changed to 10.0.0.1, leaving the security check useless.

So why/how is it working with NAT and not without NAT?

Any ideas?  Any other troubleshooting ideas?

Thanks!

Expert Comment by: ccreamer_22 (LVL 5)
ID: 24282480
Remove the MIP and make a DIP. This will create a virtual MAC address for the policy. Create an object with the same public IP in your trust zone (DMZ if you use one). Create a policy from untrust to trust (DMZ if that is where it is at). Use source "any", destination the public IP object that you created in your trust (DMZ) zone, and http or https for the service. Go to Advanced. Under NAT choose Destination Translation. Translate the IP to the internal IP. Map the port to 80 for http, 443 for https.

Expert Comment by: rsivanandan (LVL 32)
ID: 24288677
>>1) I was able to ping the internal NLB IP address from a telnet session with the command
ping 10.0.0.4 from trust

Can you try this:

ping 10.0.0.4 from untrust and post the results.

It could be a proxy ARP issue and I think 5.0 did have some issues, but let's see.

Cheers,
Rajesh


Author Comment by: sliknick1028
ID: 24329149
rsivanandan:
Sorry for the late response.  When I enter the command:

ping 10.0.0.14 from untrust

I receive "Sending 5, 100-byte ICMP Echos to 10.0.0.14, timeout is 1 seconds from untrust...Success Rate is 0 percent (0/5)."

But isn't that what it should be, b/c how is the untrust going to be able to hit the internal 10.0.0.14.  BTW, the address is 10.0.0.14 and not .4.  I had made the original mistake in this post and then responses followed with the same mistake but all my tests have been with the correct IP address.

And also, FYI, I was able to upgrade the firmware to 5.3.0r6.0 and still the same problem exists.

Thanks!

Assisted Solution by: rsivanandan (LVL 32, earned 1000 total points)
ID: 24334596
Can you post your policy configuration here?

Also, from the outside world:

1. Can you ping A.B.C.D?
2. Can you do a 'telnet A.B.C.D 80'?


Cheers,
Rajesh

Assisted Solution by: ccreamer_22 (LVL 5, earned 1000 total points)
ID: 24335913
OK, maybe I need to make this clearer. What I was proposing before was that you open ping in the policy, then ping the external MIP IP address from a computer, not the firewall. That will tell you if the policy is passing traffic. 10.x.x.x is not routable from the internet since it is a known private IP range and all public routers block it.

Accepted Solution by: sliknick1028 (earned 0 total points)
ID: 25461929
This was resolved by creating a sticky DIP pool under the Trust interface.  I created 3 separate MIPs to map 3 public IP addresses to 3 internal IP addresses.  Lastly, I created a policy to route the traffic, and under Advanced -> NAT -> Source Translation I chose the DIP pool.  Traffic flows correctly now.
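For reference, the two configurations discussed in this thread as ScreenOS CLI commands: the plain MIP plus permit policy that ccreamer_22 walked through in the WebUI, and the MIP plus sticky DIP pool with source translation that the accepted solution describes. This is an added example, not configuration posted by anyone in the thread or taken from Juniper documentation. Lines starting with # are annotations, not ScreenOS commands. The interface names trust and untrust are the 5GT defaults; the policy ids 20 and 21, the DIP pool id 4 and the DIP address 10.0.0.20 are constructed for the example, and A.B.C.E and 10.0.0.14 are the addresses used in the question.

```text
# Added example; # lines are annotations, not ScreenOS commands.
# Assumed values: policy ids 20/21, DIP pool id 4, DIP address 10.0.0.20.

# 1. The original approach: a static MIP on the untrust interface and a
#    plain permit policy. The server sees the client's real source address,
#    which is what the application's source-IP check needs.
set interface untrust mip A.B.C.E host 10.0.0.14 netmask 255.255.255.255 vr trust-vr
set policy id 20 from untrust to trust any mip(A.B.C.E) http permit log

# 2. The accepted solution: keep the MIP, add a sticky DIP pool on the trust
#    interface and source-translate the policy through it. The server now sees
#    10.0.0.20 (an address on the trust subnet) as the client, so the
#    application can no longer see the client's public IP. Repeat the MIP and
#    policy lines once per public address being published.
set interface trust dip 4 10.0.0.20 10.0.0.20
set dip sticky
unset policy id 20
set policy id 21 from untrust to trust any mip(A.B.C.E) http nat src dip-id 4 permit log

# 3. Checks from the firewall CLI. The ping is the same test used in the thread;
#    the get commands show the MIP table, the policy as stored, and live sessions,
#    where a flow with bytes only in one direction shows up as a reply that never
#    came back.
ping 10.0.0.14 from trust
get mip
get policy id 21
get session
```

Source translation through the DIP pool trades away the client address the asker wanted to keep, so if the application still has to see the real client IP, the server-side check would need to move to something the firewall does not rewrite; the thread itself does not resolve that part.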