Different Subnet Networking Issue - Juniper Netscreen 25gt

Hello,

I have a WordPress server on Ubuntu 14.04 LTS that I want to host out of my office. It has an IP address in our DMZ zone. The DMZ zone is 172.25.x.x and the Trust zone (in which all of our DHCP workstations and servers reside) is 10.10.x.x. I have configured our Juniper Netscreen 25gt firewall with policies to allow all traffic from the Trust zone to the DMZ zone. I have configured another policy from DMZ to Trust to allow all traffic from the WordPress server in the DMZ to the Trust zone. As far as I can tell, this is configured exactly like another server we have in the DMZ. The problem is, workstations in the Trust zone still cannot see (ping or browse to) this WordPress server in the DMZ. Another DMZ server is pingable and web-browser accessible. Any ideas?
kmoloney asked:

Sanga Collins (Systems Admin) commented:
Sounds like your DMZ is in a different route table than the Trust zone. So even having policies allowing traffic may not be enough.

Can you post the output of the following CLI commands?

get int
get zone
get route
get policy

Of course, make sure to sanitize the information so that your IP addresses are not posted to the internet.
Thanks.

If the issue is indeed the route statements, you will need one route in the trust-vr pointing 172.25.x.x/24 to untrust-vr and one route in untrust-vr pointing 10.10.x.x/24 to trust-vr.
0
kmoloney (Author) commented:
I'm sorry, I only use the GUI; I do not even know how to use the CLI.
0
Sanga Collins (Systems Admin) commented:
Not a problem. From the GUI, go to Network > Routing > Destination and copy and paste your route table here. I'll be able to see if there are missing routes. You want to include the trust-vr and untrust-vr tables.
0
kmoloney (Author) commented:
table.JPG
0
kmoloney (Author) commented:
Also, and a more pressing issue I suppose, I used a mapped IP on the Untrust side to translate into a private IP on the DMZ. I added a policy from Untrust to DMZ to that particular server to allow ping and HTTP traffic, and the public IP will still not ping. It appears to be an identical setup to another server in the DMZ, so I am at a loss again.
0
Sanga Collins (Systems Admin) commented:
OK, so it looks like you have several issues that need addressing. I guess the easiest way to look at all of them is by posting your configuration. Of course, please sanitize (change public IP address information and replace password hashes with *****) so as to maintain your privacy.
0
kmoloney (Author) commented:
Is there some sort of master config file I can print out?
0
Sanga Collins (Systems Admin) commented:
Yes, from the WebUI, by going to Configuration > Update > Config File you can save the config to a text file.
0
kmoloney (Author) commented:
My main issue is translating the ****.98.115 public IP to the internal 172.25.1.10. I have made the MIP and the policy identical to other servers with a similar config, no dice. Been staring at this all day going bug-eyed :)

set clock ntp
set clock timezone -5
set vrouter trust-vr sharable
unset vrouter "trust-vr" auto-route-export
set service "Allworx P2P VPN" protocol tcp src-port 1723-1723 dst-port 1333-1333
set service "Terminal Service" protocol tcp src-port 0-65535 dst-port 3389-3389
set service "Unitrends Backup Pro" protocol tcp src-port 1743-1745 dst-port 1743-1745
set service "Allworx" protocol udp src-port 0-65535 dst-port 2088-2088 timeout 30
set service "Allworx" + udp src-port 0-65535 dst-port 5060-5060
set service "Allworx" + udp src-port 0-65535 dst-port 15000-15511
set service "Allworx" + tcp src-port 0-65535 dst-port 8081-8081
set service "Allworx" + tcp src-port 0-65535 dst-port 1823-1823
set service "Allworx" + tcp src-port 0-65535 dst-port 8081-8081
set service "Allworx" + tcp src-port 0-65535 dst-port 25-25
set service "Allworx" + tcp src-port 0-65535 dst-port 110-110
set service "Mc" protocol tcp src-port 25565-25565 dst-port 25565-25565
set service "Mc" + udp src-port 25565-25565 dst-port 25565-25565
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set admin name "netscreen"
set admin password "nO8PDprPNALAcSuHFsNA6iOt1UFhVn"
set admin scs password disable username netscreen
set admin auth timeout 1000
set admin auth server "Local"
set admin privilege read-write
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone id 100 "PCE"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "DMZ" tcp-rst
set zone "VLAN" block
set zone "VLAN" tcp-rst
unset zone "PCE" tcp-rst
set zone "Trust" screen alarm-without-drop
set zone "Untrust" screen icmp-flood
set zone "Untrust" screen udp-flood
set zone "Untrust" screen port-scan
set zone "Untrust" screen ip-sweep
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ip-spoofing
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "Untrust" screen icmp-fragment
set zone "Untrust" screen icmp-large
set zone "V1-Untrust" screen alarm-without-drop
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet1" zone "Trust"
set interface "ethernet2" zone "DMZ"
set interface "ethernet3" zone "Untrust"
set interface "ethernet4" zone "PCE"
set interface "tunnel.1" zone "Trust"
set interface "tunnel.2" zone "Untrust"
unset interface vlan1 ip
set interface ethernet1 ip 10.10.0.4/16
set interface ethernet1 route
set interface ethernet2 ip 172.25.1.1/24
set interface ethernet2 nat
set interface ethernet3 ip *******/27
set interface ethernet3 nat
set interface ethernet4 ip 172.10.1.0/24
set interface ethernet4 route
set interface tunnel.1 ip unnumbered interface ethernet3
set interface tunnel.2 ip unnumbered interface ethernet3
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet4 manage-ip 172.10.1.1
set interface ethernet1 ip manageable
set interface ethernet2 ip manageable
set interface ethernet3 ip manageable
set interface ethernet4 ip manageable
set interface ethernet3 manage ping
set interface ethernet3 manage ssh
set interface ethernet3 manage telnet
set interface ethernet3 manage snmp
set interface ethernet3 manage ssl
set interface ethernet3 manage web
set interface ethernet4 manage ping
set interface "ethernet3" mip ****.98.99 host 10.10.2.16 netmask 255.255.255.255 vrouter "trust-vr"
set interface "ethernet3" mip ****.98.100 host 172.25.1.3 netmask 255.255.255.255 vrouter "trust-vr"
set interface "ethernet3" mip ****.98.104 host 10.10.5.100 netmask 255.255.255.255 vrouter "trust-vr"
set interface "ethernet3" mip ****.98.103 host 172.25.1.5 netmask 255.255.255.255 vrouter "trust-vr"
set interface "ethernet3" mip ****.98.112 host 10.15.1.100 netmask 255.255.255.255 vrouter "trust-vr"
set interface "ethernet3" mip ****.98.106 host 10.10.100.254 netmask 255.255.255.255 vrouter "trust-vr"
set interface "ethernet3" mip ****.98.107 host 10.11.100.254 netmask 255.255.255.255 vrouter "trust-vr"
set interface "ethernet3" mip ****.98.108 host 10.12.100.254 netmask 255.255.255.255 vrouter "trust-vr"
set interface "ethernet3" mip ****.98.109 host 10.15.100.254 netmask 255.255.255.255 vrouter "trust-vr"
set interface "ethernet3" mip ****.98.105 host 172.25.1.6 netmask 255.255.255.255 vrouter "trust-vr"
set interface "ethernet3" mip ****.98.110 host 10.14.100.254 netmask 255.255.255.255 vrouter "trust-vr"
set interface "ethernet3" mip ****.98.111 host 10.13.100.254 netmask 255.255.255.255 vrouter "trust-vr"
set interface "ethernet3" mip ****.98.101 host 172.25.1.2 netmask 255.255.255.255 vrouter "trust-vr"
set interface "ethernet3" mip ****.98.113 host 10.10.2.8 netmask 255.255.255.255 vrouter "trust-vr"
set interface "ethernet3" mip ****.98.115 host 172.25.1.10 netmask 255.255.255.255 vrouter "trust-vr"
set domain trainingandtreatment.local
set hostname ns25
set dns host dns1 64.186.63.132
set dns host dns2 64.141.177.150
set address "Trust" "10.10.0.0/16" 10.10.0.0 255.255.0.0
set address "Trust" "10.10.0.3/32" 10.10.0.3 255.255.255.255
set address "Trust" "10.10.2.14/32" 10.10.2.14 255.255.255.255
set address "Trust" "10.10.2.254/16" 10.10.2.254 255.255.0.0
set address "Trust" "172.16.10.0/24" 172.16.10.0 255.255.255.0
set address "Trust" "Flint-Network" 10.12.0.0 255.255.0.0
set address "Trust" "Saginaw Security Cameras" 10.15.1.100 255.255.0.0
set address "Trust" "Saginaw-Network" 10.15.0.0 255.255.0.0
set address "Trust" "TTI NET" 10.10.0.0 255.255.0.0
set address "Trust" "TTI-BACKUP1" 10.10.2.254 255.255.255.255
set address "Trust" "TTI-BACKUP2" 10.11.2.254 255.255.0.0
set address "Trust" "TTI-MAIL" 10.10.2.11 255.255.255.255
set address "Trust" "Video Conference Cart" 10.10.5.100 255.255.0.0
set address "Untrust" "0.0.0.0/0" 0.0.0.0 0.0.0.0
set address "Untrust" "10.18.0.0/16" 10.18.0.0 255.255.0.0
set address "Untrust" "173.14.34.160/255.255.255.248" 173.14.34.160 255.255.255.248
set address "Untrust" "24.99.0.0/255.255.0.0" 24.99.0.0 255.255.0.0
set address "Untrust" "61.174.51.228/1" 61.174.51.228 128.0.0.0
set address "Untrust" "CALL DVS" 206.0.0.0 255.0.0.0
set address "Untrust" "HOME NET" 10.100.7.0 255.255.255.0
set address "Untrust" "JAC NET" 10.18.0.0 255.255.0.0
set address "Untrust" "JAC Wireless NET" 10.19.0.0 255.255.0.0
set address "Untrust" "WAT NET" 10.16.0.0 255.255.0.0
set address "V1-Trust" "10.10.5.100/16" 10.10.5.100 255.255.0.0
set address "DMZ" "172.25.1.10/32" 172.25.1.10 255.255.255.255
set address "DMZ" "172.25.1.3/255.255.255.255" 172.25.1.3 255.255.255.255
set address "DMZ" "TTI-CSG" 172.25.1.6 255.255.255.255 "Citrix Secure Gateway Server"
set address "DMZ" "TTI-EDGE1" 172.25.1.2 255.255.255.255 "Exchange Edge Server"
set address "DMZ" "TTI-OWA" 172.25.1.5 255.255.255.255 "Outlook Web Access Server"
set address "DMZ" "TTI-ZIX" 172.25.1.3 255.255.255.255 "ZIX Gateway"
set address "DMZ" "ttiweb" 172.25.1.10 255.255.255.255 "tti homepage"
set address "PCE" "PCETTI" 172.16.225.0 255.255.255.0
set address "PCE" "PCETTI-10.1.1.0" 10.1.1.0 255.255.255.0
set ike gateway "HOME Gate" address 71.65.0.214 Main outgoing-interface "ethernet3" preshare "Lrfjna6/NqZ/5lszGbC3je7Kc7nywDKmWA==" sec-level standard
set ike gateway "HOME Gate" cert peer-ca all
set ike gateway "JAC GATE" address 69.2.16.130 Main outgoing-interface "ethernet3" preshare "91CHq+RsNsoWs9s0ftC0xjKU63nPZB17vg==" sec-level standard
set ike gateway "JAC GATE" cert peer-ca all
set ike gateway "Gateway for WAT NET" address 173.14.34.161 Main outgoing-interface "ethernet3" preshare "WcjexpYMNuO7b4sWiUCGRFDQV6nUpIFDpA==" proposal "pre-g2-aes128-sha" "pre-g2-aes128-sha"
set ike gateway "Gateway for WAT NET" cert peer-ca all
set ike gateway "Jackson Dynamic" address 0.0.0.0 id "wp.comcast.net" Aggr outgoing-interface "ethernet3" preshare "HObpmfHHN/Ri57sbX9CVX7U89TnyoX2ugmiQDkPQiM5z+pZ1k2zU054=" proposal "pre-g2-3des-sha"
unset ike gateway "Jackson Dynamic" nat-traversal udp-checksum
set ike gateway "Jackson Dynamic" nat-traversal keepalive-frequency 0
set ike respond-bad-spi 1
set ike gateway "Gateway for WAT NET" heartbeat hello 5
set ike gateway "Gateway for WAT NET" heartbeat reconnect 60
set vpn "HOME VPN" gateway "HOME Gate" no-replay tunnel idletime 0 sec-level standard
set vpn "JAC VPN" gateway "JAC GATE" no-replay tunnel idletime 0 sec-level standard
set vpn "VPN for WAT NET" gateway "Gateway for WAT NET" replay tunnel idletime 0 proposal "g2-esp-aes128-sha"  "g2-esp-aes128-sha"
set vpn "VPN for WAT NET" monitor source-interface ethernet1 destination-ip 10.16.0.1 optimized rekey
set vpn "VPN for WAT NET" id 6 bind interface tunnel.1
set vpn "Jackson VPN" gateway "Jackson Dynamic" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha"
set vpn "Jackson VPN" monitor
set vpn "Jackson VPN" id 7 bind interface tunnel.2
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set pki x509 dn state-name "Michigan"
set pki x509 dn local-name "Oakland"
set pki x509 dn org-name "TTI inc"
set pki x509 dn name "ttifw.ttiinc.org"
set pki x509 dn email "administrator@ttiinc.org"
set pki x509 dn ip "****.98.98"
set pki x509 cert-fqdn ttifw.ttiinc.org
set group address "Trust" "Remote-Networks"
set group address "Trust" "Remote-Networks" add "Flint-Network"
set group address "Trust" "Remote-Networks" add "Saginaw-Network"
set policy id 72 name "Jackson vpns" from "Untrust" to "Trust"  "10.18.0.0/16" "10.10.0.0/16" "ANY" permit
set policy id 71 name "Jacksin" from "Trust" to "Untrust"  "10.10.0.0/16" "10.18.0.0/16" "ANY" permit log
set policy id 61 from "Trust" to "Untrust"  "TTI NET" "WAT NET" "ANY" permit
set policy id 57 from "Untrust" to "DMZ"  "0.0.0.0/0" "MIP(****.98.105)" "HTTP" permit
set policy id 57
set service "HTTPS"
exit
set policy id 55 from "DMZ" to "Trust"  "TTI-CSG" "Any" "ANY" permit
set policy id 44 from "Trust" to "Untrust"  "TTI NET" "HOME NET" "ANY" tunnel vpn "HOME VPN" id 3 pair-policy 33
set policy id 39 from "Untrust" to "DMZ"  "0.0.0.0/0" "MIP(****.98.103)" "HTTP" permit
set policy id 39
set service "HTTPS"
set service "PING"
exit
set policy id 33 from "Untrust" to "Trust"  "HOME NET" "TTI NET" "ANY" tunnel vpn "HOME VPN" id 3 pair-policy 44
set policy id 38 from "Untrust" to "Trust"  "Any" "MIP(****.98.99)" "HTTP" permit
set policy id 38
set service "HTTPS"
set service "MAIL"
set service "PING"
exit
set policy id 37 from "DMZ" to "Trust"  "TTI-OWA" "Any" "ANY" permit
set policy id 26 from "Trust" to "Untrust"  "Remote-Networks" "Any" "ANY" nat src permit
set policy id 26 disable
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" nat src permit
set policy id 4 from "DMZ" to "Untrust"  "Any" "Any" "ANY" permit log
set policy id 9 from "DMZ" to "Trust"  "Any" "Any" "SSH" permit
set policy id 10 from "Trust" to "DMZ"  "Any" "Any" "ANY" permit
set policy id 22 from "Untrust" to "DMZ"  "Any" "MIP(****.98.100)" "DNS" permit
set policy id 22
set service "HTTPS"
set service "MAIL"
set service "PING"
exit
set policy id 25 name "Video Conference Cart" from "Untrust" to "Trust"  "Any" "MIP(****.98.104)" "ANY" permit
set policy id 40 from "Untrust" to "Trust"  "Any" "MIP(****.98.112)" "ANY" permit
set policy id 51 from "Untrust" to "Trust"  "Any" "MIP(****.98.106)" "Allworx" permit
set policy id 51
set service "PING"
set service "PPTP"
exit
set policy id 51 disable
set policy id 52 from "Untrust" to "Trust"  "Any" "MIP(****.98.107)" "Allworx" permit
set policy id 52
set service "PING"
set service "PPTP"
exit
set policy id 52 disable
set policy id 53 from "Untrust" to "Trust"  "Any" "MIP(****.98.108)" "Allworx" permit
set policy id 53
set service "PING"
set service "PPTP"
exit
set policy id 53 disable
set policy id 54 from "Untrust" to "Trust"  "Any" "MIP(****.98.109)" "Allworx" permit
set policy id 54
set service "PING"
set service "PPTP"
exit
set policy id 54 disable
set policy id 58 from "Untrust" to "DMZ"  "Any" "Any" "ANY" deny log
set policy id 59 from "DMZ" to "Trust"  "Any" "Any" "ANY" deny log
set policy id 59 disable
set policy id 60 name "Unitrends Support" from "Trust" to "Untrust"  "10.10.2.254/16" "0.0.0.0/0" "ANY" permit
set policy id 63 from "DMZ" to "Trust"  "TTI-ZIX" "Any" "ANY" permit
set policy id 64 from "Untrust" to "Trust"  "Any" "MIP(****.98.110)" "Allworx" permit
set policy id 64
set service "PING"
set service "PPTP"
exit
set policy id 64 disable
set policy id 65 name "Allow all" from "Trust" to "PCE"  "Any" "Any" "FTP" permit
set policy id 65
set service "HTTP"
set service "HTTPS"
set service "ICMP-ANY"
set service "TCP-ANY"
exit
set policy id 66 name "Alow all" from "PCE" to "Trust"  "Any" "Any" "FTP" permit
set policy id 66
set service "HTTP"
set service "HTTPS"
set service "ICMP-ANY"
set service "TCP-ANY"
exit
set policy id 67 name "BSL Allworx" from "Untrust" to "Trust"  "Any" "MIP(****.98.111)" "Allworx" permit
set policy id 67
set service "PING"
set service "PPTP"
exit
set policy id 67 disable
set policy id 68 from "DMZ" to "Trust"  "TTI-EDGE1" "Any" "ANY" permit
set policy id 69 from "Untrust" to "DMZ"  "Any" "MIP(****.98.101)" "HTTP" permit
set policy id 69
set service "HTTPS"
set service "ICMP-ANY"
set service "MAIL"
exit
set policy id 70 from "Untrust" to "Trust"  "Any" "MIP(****.98.113)" "HTTP" permit
set policy id 70
set service "HTTPS"
set service "MAIL"
set service "PING"
exit
set policy id 73 name "spoofer" from "Untrust" to "Trust"  "61.174.51.228/1" "10.10.0.0/16" "ANY" deny
set policy id 77 name "ttiweb" from "DMZ" to "Trust"  "ttiweb" "Any" "ANY" permit
set policy id 78 name "TTI-WEB" from "Untrust" to "DMZ"  "Any" "MIP(****.98.115)" "HTTP" permit
set policy id 78
set service "PING"
exit
set vpn "VPN for WAT NET" proxy-id local-ip 10.10.0.0/16 remote-ip 10.16.0.0/16 "ANY"
set vpn "Jackson VPN" proxy-id local-ip 10.10.0.0/16 remote-ip 10.18.0.0/16 "ANY"
set ssh version v2
set ssh enable
set scp enable
set config lock timeout 5
set ssl encrypt des sha-1
set ntp server "192.43.244.18"
set ntp server backup1 "0.0.0.0"
set ntp server backup2 "0.0.0.0"
set snmp community "Manage" Read-Write Trap-on  traffic version v2c
set snmp host "Manage" 206.0.0.0 255.0.0.0 src-interface ethernet3
set snmp host "Manage" 24.0.0.0 255.0.0.0 src-interface ethernet3
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
set route  10.18.0.0/16 interface tunnel.2
exit
set vrouter "trust-vr"
unset add-default-route
set route  0.0.0.0/0 interface ethernet3 gateway ****.98.97
set route  10.11.0.0/16 interface ethernet1 gateway 10.10.0.3
set route  10.12.0.0/16 interface ethernet1 gateway 10.10.0.3
set route  192.168.237.1/32 interface ethernet1 gateway 10.10.100.254
set route  10.16.0.0/16 interface ethernet3
set route  10.14.0.0/16 interface ethernet1 gateway 10.10.0.3
set route  172.16.225.0/24 interface ethernet4 gateway 172.10.1.2
set route  10.13.0.0/16 interface ethernet1 gateway 10.10.0.3
set route  10.15.0.0/16 interface ethernet1 gateway 10.10.0.3
set route  10.18.0.0/16 interface tunnel.2
exit
0
Sanga Collins (Systems Admin) commented:
OK, a couple of items to change. Interfaces in the Trust zone should be in NAT mode instead of route mode. Change this by going to Network > Interfaces > Edit for the interface in question and choose NAT instead of Route.

Second item: in MIP policies, the source address should be "ANY" instead of (0.0.0.0/0).

Which was the MIP that you created that was giving you trouble?
0
kmoloney (Author) commented:
I am a little hesitant to change routing for the Trust zone, as I could potentially bring my whole 250-user network down :(. This was configured by the former admin and I fear I may hose other things by doing that (unless you are certain). The MIP that is giving me issues is the ****.98.115 (which maps to the 172.25.1.10 DMZ IP).
0
kmoloney (Author) commented:
Any other ideas?
0
Sanga Collins (Systems Admin) commented:
Yes, sorry for the late reply.

In your policies you have a lot of rules that are causing some issues. Namely,

set policy id 58 from "Untrust" to "DMZ"  "Any" "Any" "ANY" deny log

will block any policy that comes after it, such as

set policy id 78 name "TTI-WEB" from "Untrust" to "DMZ"  "Any" "MIP(****.98.115)" "HTTP" permit

I recommend having only one deny policy, from Global to Global, with deny and logging set, so that when traffic is not making it to a device there is only one log you need to check for issues :)
0
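The shadowing problem described above (a broad deny listed before a narrower permit for the same zone pair) can be checked mechanically rather than by eye. The following Python script is an added example, not code from this thread or from Juniper. It parses `set policy` lines in the form the posted config uses, including the `set policy id N` / `set service` / `exit` blocks that add services and the `set policy id N disable` lines, and reports every enabled policy whose source, destination and services are all covered by an earlier enabled policy in the same zone pair. It assumes the listing order is the evaluation order and compares address-book names literally ("Any"/"ANY" covers everything, otherwise names must match), so it does not resolve overlapping address objects. The config snippet inside it is constructed for the example, with 203.0.113.115 as a placeholder for the public MIP address.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# One-line form of a ScreenOS policy, e.g.
#   set policy id 78 name "TTI-WEB" from "Untrust" to "DMZ"  "Any" "MIP(x.x.x.x)" "HTTP" permit
POLICY_RE = re.compile(
    r'^set policy id (?P<id>\d+)(?: name "(?P<name>[^"]*)")?'
    r' from "(?P<src_zone>[^"]+)" to "(?P<dst_zone>[^"]+)"\s+'
    r'"(?P<src>[^"]+)" "(?P<dst>[^"]+)" "(?P<svc>[^"]+)" (?P<action>\w+)'
)
DISABLE_RE = re.compile(r'^set policy id (\d+) disable$')
CONTEXT_RE = re.compile(r'^set policy id (\d+)$')      # opens a "... exit" block
SERVICE_RE = re.compile(r'^set service "([^"]+)"$')     # extra service inside that block


@dataclass
class Policy:
    pid: int
    name: str
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    action: str
    services: List[str] = field(default_factory=list)
    enabled: bool = True


def parse_policies(config_text: str) -> List[Policy]:
    """Return policies in listing order, with service blocks and disables applied."""
    policies = {}
    order = []
    context = None  # id of the policy whose "set policy id N ... exit" block we are in
    for raw in config_text.splitlines():
        line = raw.strip()
        m = POLICY_RE.match(line)
        if m:
            p = Policy(int(m["id"]), m["name"] or "", m["src_zone"], m["dst_zone"],
                       m["src"], m["dst"], m["action"], [m["svc"]])
            policies[p.pid] = p
            order.append(p.pid)
            continue
        m = DISABLE_RE.match(line)
        if m and int(m[1]) in policies:
            policies[int(m[1])].enabled = False
            continue
        m = CONTEXT_RE.match(line)
        if m:
            context = int(m[1])
            continue
        if line == "exit":
            context = None
            continue
        m = SERVICE_RE.match(line)
        if m and context in policies:
            policies[context].services.append(m[1])
    return [policies[pid] for pid in order]


def covers(broad: str, narrow: str) -> bool:
    """Literal address-book comparison: Any covers everything, else names must match."""
    return broad.lower() == "any" or broad == narrow


def services_cover(broad: List[str], narrow: List[str]) -> bool:
    if any(s.lower() == "any" for s in broad):
        return True
    return set(narrow) <= set(broad)


def find_shadowed(policies: List[Policy]) -> List[Tuple[int, int]]:
    """(shadowed_id, shadowing_id) for each enabled policy fully covered by an earlier one."""
    findings = []
    active = [p for p in policies if p.enabled]
    for i, later in enumerate(active):
        for earlier in active[:i]:
            same_pair = (earlier.src_zone, earlier.dst_zone) == (later.src_zone, later.dst_zone)
            if (same_pair and covers(earlier.src, later.src)
                    and covers(earlier.dst, later.dst)
                    and services_cover(earlier.services, later.services)):
                findings.append((later.pid, earlier.pid))
                break
    return findings


# Constructed sample modelled on the thread's config; 203.0.113.115 is a placeholder MIP address.
SAMPLE_CONFIG = """\
set policy id 10 from "Trust" to "DMZ"  "Any" "Any" "ANY" permit
set policy id 58 from "Untrust" to "DMZ"  "Any" "Any" "ANY" deny log
set policy id 59 from "DMZ" to "Trust"  "Any" "Any" "ANY" deny log
set policy id 59 disable
set policy id 77 name "ttiweb" from "DMZ" to "Trust"  "ttiweb" "Any" "ANY" permit
set policy id 78 name "TTI-WEB" from "Untrust" to "DMZ"  "Any" "MIP(203.0.113.115)" "HTTP" permit
set policy id 78
set service "PING"
exit
"""

if __name__ == "__main__":
    for shadowed, by in find_shadowed(parse_policies(SAMPLE_CONFIG)):
        print(f"policy {shadowed} can never match: fully covered by earlier policy {by}")
```

Run against a saved config file (`parse_policies(open(path).read())`) it flags policy 78 as unreachable behind policy 58, which is the situation in the thread; policy 77 is not flagged because the deny that precedes it (59) is disabled.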
kmoloney (Author) commented:
I certainly see how that could be an issue; however, when I remove the policy denying any to any (Untrust to DMZ) I still cannot get a ping or browser to MIP(****.98.115)! :(
0
Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
As a first troubleshooting step, I recommend enabling session logging on policy 78 and putting it on top of any other rules for Untrust to DMZ. Then test access from outside (!) of your network.
If you test from inside, you need (at least) a corresponding policy from your zone to Untrust with the MIP as destination.
0
Sanga Collins (Systems Admin) commented:
Hi Kmoloney.

I went ahead and dumped your config into an ns204 for testing. Added logging to policy 78 and initiated a ping from the outside network. Traffic does get logged in the policy, so something else is going on with the internal routing on the device. I am going to troubleshoot a few more things and report back.

2014-08-19 07:03:56      10.8.3.10:76      74.204.98.115:31888      10.8.3.10:76      172.25.1.10:31888      ICMP      59 sec.      102      0      Close - AGE OUT
2014-08-19 07:03:56      10.8.3.10:75      74.204.98.115:31888      10.8.3.10:75      172.25.1.10:31888      ICMP      60 sec.      102      0      Close - AGE OUT
2014-08-19 07:03:54      10.8.3.10:73      74.204.98.115:31888      10.8.3.10:73      172.25.1.10:31888      ICMP      60 sec.      102      0      Close - AGE OUT
2014-08-19 07:03:54      10.8.3.10:74      74.204.98.115:31888      10.8.3.10:74      172.25.1.10:31888      ICMP      59 sec.      102      0      Close - AGE OUT
0
Sanga Collins (Systems Admin) commented:
Sorry, I forgot to post the results from debug flow basic

****** 06099.0: <Untrust/ethernet3> packet received [84]******
  ipid = 58810(e5ba), @d7851110
  packet passed sanity check.
  ethernet3:10.8.3.10/1->74.204.98.115/31878,1(8/0)<Root>
  no session found
  flow_first_sanity_check: in <ethernet3>, out <N/A>
  chose interface ethernet3 as incoming nat if.
  flow_first_routing: in <ethernet3>, out <N/A>
  search route to (ethernet3, 10.8.3.10->172.25.1.10) in vr trust-vr for vsd-0/flag-0/ifp-null
  [ Dest] 8.route 172.25.1.10->0.0.0.0, to ethernet2
  routed (x_dst_ip 172.25.1.10) from ethernet3 (ethernet3 in 0) to ethernet2
  policy search from zone 1-> zone 3
 policy_flow_search  policy search nat_crt from zone 1-> zone 10
  RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 74.204.98.115, port 24810, proto 1)
  No SW RPC rule match, search HW rule
  Permitted by policy 78
  No src xlate   choose interface ethernet2 as outgoing phy if
  no loop on ifp ethernet2.
  session application type 0, name None, nas_id 0, timeout 60sec
  service lookup identified service 0.
  flow_first_final_check: in <ethernet3>, out <ethernet2>
  existing vector list 1-6652fa0.
  Session (id:128063) created for first pak 1
  flow_first_install_session======>
  route to 172.25.1.10
  arp entry found for 172.25.1.10
  nsp2 wing prepared, ready
  cache mac in the session
  make_nsp_ready_no_resolve()
  search route to (ethernet2, 172.25.1.10->10.8.3.10) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet3
  [ Dest] 5.route 10.8.3.10->74.204.98.97, to ethernet3
  route to 74.204.98.97
  flow got session.
  flow session id 128063
  post addr xlation: 10.8.3.10->172.25.1.10.
 flow_send_vector_, vid = 0, is_layer2_if=0

0
Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
Sanga, what was your ffilter for the debug? Did you include the DMZ address?
0
Sanga Collins (Systems Admin) commented:
Hi Qlemo,

I used the following filter: set ffilter src-ip 10.8.3.10 dst-ip 74.204.98.115

My test server is 10.8.3.10. That is the source IP on the WAN side.
0
kmoloney (Author) commented:
Thanks a ton for helping me out with this, guys. I will add that the only services I have currently allowed to see the .115 address are PING, HTTP, and HTTPS. Let me know if I need to open up additional ports for testing purposes.
0
Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
Sanga, that explains why we do not see more. We would need to see traffic to the DMZ address too, so we need another ffilter with the DMZ address as dst-ip.
0
Sanga Collins (Systems Admin) commented:
I see what you are saying. Should I use the following instead?

set ffilter src-ip 10.8.3.10 dst-ip 172.25.1.10
0
Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
Not sure what the source IP will be with all that NAT, but according to the policy traffic log, yes.
It should not hurt to be less restrictive, i.e. only specify the dst-ip.
0
Sanga Collins (Systems Admin) commented:
I set up the filter with just dst-ip = 172.25.1.10; the results from the debug are hard for me to decipher. It feels like something is missing.

****** 14806.0: <DMZ/ethernet2> packet received [40]******
  ipid = 22694(58a6), @d783e110
  packet passed sanity check.
  ethernet2:172.25.1.10/49526->23.49.56.9/80,6<Root>
  existing session found. sess token 24
  flow got session.
  flow session id 127941
  tcp seq check.
 flow_send_vector_, vid = 0, is_layer2_if=0

****** 14806.0: <DMZ/ethernet2> packet received [40]******
  ipid = 22695(58a7), @d783e910
  packet passed sanity check.
  ethernet2:172.25.1.10/49526->23.49.56.9/80,6<Root>
  existing session found. sess token 24
  flow got session.
  flow session id 127941
  tcp seq check.
 flow_send_vector_, vid = 0, is_layer2_if=0

****** 14806.0: <DMZ/ethernet2> packet received [40]******
  ipid = 22696(58a8), @d783f110
  packet passed sanity check.
  ethernet2:172.25.1.10/49526->23.49.56.9/80,6<Root>
  existing session found. sess token 24
  flow got session.
  flow session id 127941
  tcp seq check.
 flow_send_vector_, vid = 0, is_layer2_if=0

0
Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
23.49.56.9? And the packet originates from DMZ, but should that have as target zone/network ...
0
Sanga Collins (Systems Admin) commented:
That's exactly what I was thinking! I checked my connected networks and the config again. I do not see 23.49.56.9 referenced anywhere.
0
Sanga Collins (Systems Admin) commented:
Looks like that IP address was from leaving cnn.com open on the laptop I connected to act as 172.25.1.10. I have closed the browser and run another debug session. This time it gave different results.

get ffilter
Flow filter based on:
id:0 dst ip 172.25.1.10 
ns25-> debug flow basic
ns25-> clear db
ns25->  All debug off
ns25-> get db str

****** 16032.0: <DMZ/ethernet2> packet received [106]******
  ipid = 24190(5e7e), @d7826910
  packet passed sanity check.
  ethernet2:172.25.1.10/55634->192.168.1.6/161,17<Root>
Not IKE nor NAT-T nor ESP protocol.
  existing session found. sess token 24
  flow got session.
  flow session id 128044
  post addr xlation: 74.204.98.115->192.168.1.6.
 flow_send_vector_, vid = 0, is_layer2_if=0

****** 16032.0: <DMZ/ethernet2> packet received [106]******
  ipid = 24191(5e7f), @d7827110
  packet passed sanity check.
  ethernet2:172.25.1.10/55634->192.168.1.6/161,17<Root>
Not IKE nor NAT-T nor ESP protocol.
  existing session found. sess token 24
  flow got session.
  flow session id 128044
  post addr xlation: 74.204.98.115->192.168.1.6.
 flow_send_vector_, vid = 0, is_layer2_if=0

0
Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
That's SNMP ...
0
Sanga Collins (Systems Admin) commented:
Not sure what else to look at. In the logs I can clearly see traffic registered and accepted for the MIP, but after that it just seems to disappear. I haven't added anything to the config posted except for enabling logging on all the MIPs. I will take a few moments away from it and come back for a fresh look that hopefully will allow me to spot the issue.
0

kmoloney (Author) commented:
OK, well this was one of the dumbest things ever. When I moved the VM from my internal subnet to the DMZ subnet I forgot to change the NIC to the DMZ NIC in the vSphere client o.O. I did that and it worked right away. Sorry to have wasted your time, and thank you VERY much for the advanced troubleshooting. It's people like you that restore faith in the human race.
0
Sanga Collins (Systems Admin) commented:
Hi Kmoloney!!

I can safely admit that I have done the Exact Same Thing!!! I have VLAN tags on my Juniper EX3200 to separate different zones, and on at least two occasions I have moved VMs without changing the NIC and spent hours trying to figure out what went wrong :)

BTW, in my test environment I had to enable ping on my Windows 7 laptop and now the MIP works. I was only testing ICMP and didn't notice.
0
Question has a verified solution.
