Solved

Different Subnet Networking Issue - Juniper Netscreen 25gt

Posted on 2014-08-08
Last Modified: 2014-08-21
Hello,

I have a WordPress server on Ubuntu 14.04 LTS I want to host out of my office. It has an IP address in our DMZ zone. The DMZ zone is 172.25.x.x and the Trust zone (in which all of our DHCP workstations and servers reside) is 10.10.x.x. I have configured our Juniper Netscreen 25gt firewall with a policy to allow all traffic from the Trust zone to the DMZ zone. I have configured another policy from DMZ to Trust zone to allow all traffic from the WordPress server in the DMZ to the Trust zone. As far as I can tell, this is configured exactly like another server we have in the DMZ. Problem is, workstations in the Trust zone still cannot see (ping or browse to) this WordPress server in the DMZ. Another DMZ server is pingable and web browser accessible. Any ideas?
Question by:kmoloney
31 Comments
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 40249115
Sounds like your DMZ is in a different route table than the trust zone. So even having policies allowing traffic may not be enough.

Can you post the output of the following CLI commands:

get int
get zone
get route
get policy

Of course, make sure to sanitize the information so that your IP addresses are not posted to the internet.
Thanks.

If the issue is indeed the route statements, you will need one route in the trust-vr pointing 172.25.x.x/24 to untrust-vr and one route in untrust-vr pointing 10.10.x.x/24 to trust-vr.
0
 
LVL 2

Author Comment

by:kmoloney
ID: 40249493
I'm sorry, I only use the GUI; I do not even know how to use the CLI.
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 40249503
Not a problem. From the GUI, go to Network > Routing > Destination and copy and paste your route table here. I'll be able to see if there are missing routes. You want to include the trust-vr and untrust-vr tables.
0
 
LVL 2

Author Comment

by:kmoloney
ID: 40249513
table.JPG
0
 
LVL 2

Author Comment

by:kmoloney
ID: 40249515
Also, and a more pressing issue I suppose, I used a mapped IP on the Untrust to translate into a private IP on the DMZ. I added a policy from Untrust to DMZ to that particular server to allow ping and HTTP traffic and the public IP will still not ping. It appears to be an identical setup to another server in the DMZ so I am at a loss again.
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 40249589
OK, so it looks like you have several issues that need addressing. I guess the easiest way to look at all of them is by posting your configuration. Of course, please sanitize (change public IP address information and replace password hashes with *****) so as to maintain your privacy.
0
 
LVL 2

Author Comment

by:kmoloney
ID: 40249607
Is there some sort of master config file I can print out?
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 40249608
Yes, from the WebUI, by going to Configuration > Update > Config File

you can save the config to a text file.
0
 
LVL 2

Author Comment

by:kmoloney
ID: 40249623
My main issue is translating the ****.98.115 public IP to the internal 172.25.1.10. I have made the MIP and the policy identical to other servers with a similar config; no dice. Been staring at this all day going bug-eyed :)

set clock ntp
set clock timezone -5
set vrouter trust-vr sharable
unset vrouter "trust-vr" auto-route-export
set service "Allworx P2P VPN" protocol tcp src-port 1723-1723 dst-port 1333-1333
set service "Terminal Service" protocol tcp src-port 0-65535 dst-port 3389-3389
set service "Unitrends Backup Pro" protocol tcp src-port 1743-1745 dst-port 1743-1745
set service "Allworx" protocol udp src-port 0-65535 dst-port 2088-2088 timeout 30
set service "Allworx" + udp src-port 0-65535 dst-port 5060-5060
set service "Allworx" + udp src-port 0-65535 dst-port 15000-15511
set service "Allworx" + tcp src-port 0-65535 dst-port 8081-8081
set service "Allworx" + tcp src-port 0-65535 dst-port 1823-1823
set service "Allworx" + tcp src-port 0-65535 dst-port 8081-8081
set service "Allworx" + tcp src-port 0-65535 dst-port 25-25
set service "Allworx" + tcp src-port 0-65535 dst-port 110-110
set service "Mc" protocol tcp src-port 25565-25565 dst-port 25565-25565
set service "Mc" + udp src-port 25565-25565 dst-port 25565-25565
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set admin name "netscreen"
set admin password "nO8PDprPNALAcSuHFsNA6iOt1UFhVn"
set admin scs password disable username netscreen
set admin auth timeout 1000
set admin auth server "Local"
set admin privilege read-write
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone id 100 "PCE"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "DMZ" tcp-rst
set zone "VLAN" block
set zone "VLAN" tcp-rst
unset zone "PCE" tcp-rst
set zone "Trust" screen alarm-without-drop
set zone "Untrust" screen icmp-flood
set zone "Untrust" screen udp-flood
set zone "Untrust" screen port-scan
set zone "Untrust" screen ip-sweep
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ip-spoofing
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "Untrust" screen icmp-fragment
set zone "Untrust" screen icmp-large
set zone "V1-Untrust" screen alarm-without-drop
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet1" zone "Trust"
set interface "ethernet2" zone "DMZ"
set interface "ethernet3" zone "Untrust"
set interface "ethernet4" zone "PCE"
set interface "tunnel.1" zone "Trust"
set interface "tunnel.2" zone "Untrust"
unset interface vlan1 ip
set interface ethernet1 ip 10.10.0.4/16
set interface ethernet1 route
set interface ethernet2 ip 172.25.1.1/24
set interface ethernet2 nat
set interface ethernet3 ip *******/27
set interface ethernet3 nat
set interface ethernet4 ip 172.10.1.0/24
set interface ethernet4 route
set interface tunnel.1 ip unnumbered interface ethernet3
set interface tunnel.2 ip unnumbered interface ethernet3
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet4 manage-ip 172.10.1.1
set interface ethernet1 ip manageable
set interface ethernet2 ip manageable
set interface ethernet3 ip manageable
set interface ethernet4 ip manageable
set interface ethernet3 manage ping
set interface ethernet3 manage ssh
set interface ethernet3 manage telnet
set interface ethernet3 manage snmp
set interface ethernet3 manage ssl
set interface ethernet3 manage web
set interface ethernet4 manage ping
set interface "ethernet3" mip ****.98.99 host 10.10.2.16 netmask 255.255.255.255 vrouter "trust-vr"
set interface "ethernet3" mip ****.98.100 host 172.25.1.3 netmask 255.255.255.255 vrouter "trust-vr"
set interface "ethernet3" mip ****.98.104 host 10.10.5.100 netmask 255.255.255.255 vrouter "trust-vr"
set interface "ethernet3" mip ****.98.103 host 172.25.1.5 netmask 255.255.255.255 vrouter "trust-vr"
set interface "ethernet3" mip ****.98.112 host 10.15.1.100 netmask 255.255.255.255 vrouter "trust-vr"
set interface "ethernet3" mip ****.98.106 host 10.10.100.254 netmask 255.255.255.255 vrouter "trust-vr"
set interface "ethernet3" mip ****.98.107 host 10.11.100.254 netmask 255.255.255.255 vrouter "trust-vr"
set interface "ethernet3" mip ****.98.108 host 10.12.100.254 netmask 255.255.255.255 vrouter "trust-vr"
set interface "ethernet3" mip ****.98.109 host 10.15.100.254 netmask 255.255.255.255 vrouter "trust-vr"
set interface "ethernet3" mip ****.98.105 host 172.25.1.6 netmask 255.255.255.255 vrouter "trust-vr"
set interface "ethernet3" mip ****.98.110 host 10.14.100.254 netmask 255.255.255.255 vrouter "trust-vr"
set interface "ethernet3" mip ****.98.111 host 10.13.100.254 netmask 255.255.255.255 vrouter "trust-vr"
set interface "ethernet3" mip ****.98.101 host 172.25.1.2 netmask 255.255.255.255 vrouter "trust-vr"
set interface "ethernet3" mip ****.98.113 host 10.10.2.8 netmask 255.255.255.255 vrouter "trust-vr"
set interface "ethernet3" mip ****.98.115 host 172.25.1.10 netmask 255.255.255.255 vrouter "trust-vr"
set domain trainingandtreatment.local
set hostname ns25
set dns host dns1 64.186.63.132
set dns host dns2 64.141.177.150
set address "Trust" "10.10.0.0/16" 10.10.0.0 255.255.0.0
set address "Trust" "10.10.0.3/32" 10.10.0.3 255.255.255.255
set address "Trust" "10.10.2.14/32" 10.10.2.14 255.255.255.255
set address "Trust" "10.10.2.254/16" 10.10.2.254 255.255.0.0
set address "Trust" "172.16.10.0/24" 172.16.10.0 255.255.255.0
set address "Trust" "Flint-Network" 10.12.0.0 255.255.0.0
set address "Trust" "Saginaw Security Cameras" 10.15.1.100 255.255.0.0
set address "Trust" "Saginaw-Network" 10.15.0.0 255.255.0.0
set address "Trust" "TTI NET" 10.10.0.0 255.255.0.0
set address "Trust" "TTI-BACKUP1" 10.10.2.254 255.255.255.255
set address "Trust" "TTI-BACKUP2" 10.11.2.254 255.255.0.0
set address "Trust" "TTI-MAIL" 10.10.2.11 255.255.255.255
set address "Trust" "Video Conference Cart" 10.10.5.100 255.255.0.0
set address "Untrust" "0.0.0.0/0" 0.0.0.0 0.0.0.0
set address "Untrust" "10.18.0.0/16" 10.18.0.0 255.255.0.0
set address "Untrust" "173.14.34.160/255.255.255.248" 173.14.34.160 255.255.255.248
set address "Untrust" "24.99.0.0/255.255.0.0" 24.99.0.0 255.255.0.0
set address "Untrust" "61.174.51.228/1" 61.174.51.228 128.0.0.0
set address "Untrust" "CALL DVS" 206.0.0.0 255.0.0.0
set address "Untrust" "HOME NET" 10.100.7.0 255.255.255.0
set address "Untrust" "JAC NET" 10.18.0.0 255.255.0.0
set address "Untrust" "JAC Wireless NET" 10.19.0.0 255.255.0.0
set address "Untrust" "WAT NET" 10.16.0.0 255.255.0.0
set address "V1-Trust" "10.10.5.100/16" 10.10.5.100 255.255.0.0
set address "DMZ" "172.25.1.10/32" 172.25.1.10 255.255.255.255
set address "DMZ" "172.25.1.3/255.255.255.255" 172.25.1.3 255.255.255.255
set address "DMZ" "TTI-CSG" 172.25.1.6 255.255.255.255 "Citrix Secure Gateway Server"
set address "DMZ" "TTI-EDGE1" 172.25.1.2 255.255.255.255 "Exchange Edge Server"
set address "DMZ" "TTI-OWA" 172.25.1.5 255.255.255.255 "Outlook Web Access Server"
set address "DMZ" "TTI-ZIX" 172.25.1.3 255.255.255.255 "ZIX Gateway"
set address "DMZ" "ttiweb" 172.25.1.10 255.255.255.255 "tti homepage"
set address "PCE" "PCETTI" 172.16.225.0 255.255.255.0
set address "PCE" "PCETTI-10.1.1.0" 10.1.1.0 255.255.255.0
set ike gateway "HOME Gate" address 71.65.0.214 Main outgoing-interface "ethernet3" preshare "Lrfjna6/NqZ/5lszGbC3je7Kc7nywDKmWA==" sec-level standard
set ike gateway "HOME Gate" cert peer-ca all
set ike gateway "JAC GATE" address 69.2.16.130 Main outgoing-interface "ethernet3" preshare "91CHq+RsNsoWs9s0ftC0xjKU63nPZB17vg==" sec-level standard
set ike gateway "JAC GATE" cert peer-ca all
set ike gateway "Gateway for WAT NET" address 173.14.34.161 Main outgoing-interface "ethernet3" preshare "WcjexpYMNuO7b4sWiUCGRFDQV6nUpIFDpA==" proposal "pre-g2-aes128-sha" "pre-g2-aes128-sha"
set ike gateway "Gateway for WAT NET" cert peer-ca all
set ike gateway "Jackson Dynamic" address 0.0.0.0 id "wp.comcast.net" Aggr outgoing-interface "ethernet3" preshare "HObpmfHHN/Ri57sbX9CVX7U89TnyoX2ugmiQDkPQiM5z+pZ1k2zU054=" proposal "pre-g2-3des-sha"
unset ike gateway "Jackson Dynamic" nat-traversal udp-checksum
set ike gateway "Jackson Dynamic" nat-traversal keepalive-frequency 0
set ike respond-bad-spi 1
set ike gateway "Gateway for WAT NET" heartbeat hello 5
set ike gateway "Gateway for WAT NET" heartbeat reconnect 60
set vpn "HOME VPN" gateway "HOME Gate" no-replay tunnel idletime 0 sec-level standard
set vpn "JAC VPN" gateway "JAC GATE" no-replay tunnel idletime 0 sec-level standard
set vpn "VPN for WAT NET" gateway "Gateway for WAT NET" replay tunnel idletime 0 proposal "g2-esp-aes128-sha"  "g2-esp-aes128-sha"
set vpn "VPN for WAT NET" monitor source-interface ethernet1 destination-ip 10.16.0.1 optimized rekey
set vpn "VPN for WAT NET" id 6 bind interface tunnel.1
set vpn "Jackson VPN" gateway "Jackson Dynamic" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha"
set vpn "Jackson VPN" monitor
set vpn "Jackson VPN" id 7 bind interface tunnel.2
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set pki x509 dn state-name "Michigan"
set pki x509 dn local-name "Oakland"
set pki x509 dn org-name "TTI inc"
set pki x509 dn name "ttifw.ttiinc.org"
set pki x509 dn email "administrator@ttiinc.org"
set pki x509 dn ip "****.98.98"
set pki x509 cert-fqdn ttifw.ttiinc.org
set group address "Trust" "Remote-Networks"
set group address "Trust" "Remote-Networks" add "Flint-Network"
set group address "Trust" "Remote-Networks" add "Saginaw-Network"
set policy id 72 name "Jackson vpns" from "Untrust" to "Trust"  "10.18.0.0/16" "10.10.0.0/16" "ANY" permit
set policy id 71 name "Jacksin" from "Trust" to "Untrust"  "10.10.0.0/16" "10.18.0.0/16" "ANY" permit log
set policy id 61 from "Trust" to "Untrust"  "TTI NET" "WAT NET" "ANY" permit
set policy id 57 from "Untrust" to "DMZ"  "0.0.0.0/0" "MIP(****.98.105)" "HTTP" permit
set policy id 57
set service "HTTPS"
exit
set policy id 55 from "DMZ" to "Trust"  "TTI-CSG" "Any" "ANY" permit
set policy id 44 from "Trust" to "Untrust"  "TTI NET" "HOME NET" "ANY" tunnel vpn "HOME VPN" id 3 pair-policy 33
set policy id 39 from "Untrust" to "DMZ"  "0.0.0.0/0" "MIP(****.98.103)" "HTTP" permit
set policy id 39
set service "HTTPS"
set service "PING"
exit
set policy id 33 from "Untrust" to "Trust"  "HOME NET" "TTI NET" "ANY" tunnel vpn "HOME VPN" id 3 pair-policy 44
set policy id 38 from "Untrust" to "Trust"  "Any" "MIP(****.98.99)" "HTTP" permit
set policy id 38
set service "HTTPS"
set service "MAIL"
set service "PING"
exit
set policy id 37 from "DMZ" to "Trust"  "TTI-OWA" "Any" "ANY" permit
set policy id 26 from "Trust" to "Untrust"  "Remote-Networks" "Any" "ANY" nat src permit
set policy id 26 disable
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" nat src permit
set policy id 4 from "DMZ" to "Untrust"  "Any" "Any" "ANY" permit log
set policy id 9 from "DMZ" to "Trust"  "Any" "Any" "SSH" permit
set policy id 10 from "Trust" to "DMZ"  "Any" "Any" "ANY" permit
set policy id 22 from "Untrust" to "DMZ"  "Any" "MIP(****.98.100)" "DNS" permit
set policy id 22
set service "HTTPS"
set service "MAIL"
set service "PING"
exit
set policy id 25 name "Video Conference Cart" from "Untrust" to "Trust"  "Any" "MIP(****.98.104)" "ANY" permit
set policy id 40 from "Untrust" to "Trust"  "Any" "MIP(****.98.112)" "ANY" permit
set policy id 51 from "Untrust" to "Trust"  "Any" "MIP(****.98.106)" "Allworx" permit
set policy id 51
set service "PING"
set service "PPTP"
exit
set policy id 51 disable
set policy id 52 from "Untrust" to "Trust"  "Any" "MIP(****.98.107)" "Allworx" permit
set policy id 52
set service "PING"
set service "PPTP"
exit
set policy id 52 disable
set policy id 53 from "Untrust" to "Trust"  "Any" "MIP(****.98.108)" "Allworx" permit
set policy id 53
set service "PING"
set service "PPTP"
exit
set policy id 53 disable
set policy id 54 from "Untrust" to "Trust"  "Any" "MIP(****.98.109)" "Allworx" permit
set policy id 54
set service "PING"
set service "PPTP"
exit
set policy id 54 disable
set policy id 58 from "Untrust" to "DMZ"  "Any" "Any" "ANY" deny log
set policy id 59 from "DMZ" to "Trust"  "Any" "Any" "ANY" deny log
set policy id 59 disable
set policy id 60 name "Unitrends Support" from "Trust" to "Untrust"  "10.10.2.254/16" "0.0.0.0/0" "ANY" permit
set policy id 63 from "DMZ" to "Trust"  "TTI-ZIX" "Any" "ANY" permit
set policy id 64 from "Untrust" to "Trust"  "Any" "MIP(****.98.110)" "Allworx" permit
set policy id 64
set service "PING"
set service "PPTP"
exit
set policy id 64 disable
set policy id 65 name "Allow all" from "Trust" to "PCE"  "Any" "Any" "FTP" permit
set policy id 65
set service "HTTP"
set service "HTTPS"
set service "ICMP-ANY"
set service "TCP-ANY"
exit
set policy id 66 name "Alow all" from "PCE" to "Trust"  "Any" "Any" "FTP" permit
set policy id 66
set service "HTTP"
set service "HTTPS"
set service "ICMP-ANY"
set service "TCP-ANY"
exit
set policy id 67 name "BSL Allworx" from "Untrust" to "Trust"  "Any" "MIP(****.98.111)" "Allworx" permit
set policy id 67
set service "PING"
set service "PPTP"
exit
set policy id 67 disable
set policy id 68 from "DMZ" to "Trust"  "TTI-EDGE1" "Any" "ANY" permit
set policy id 69 from "Untrust" to "DMZ"  "Any" "MIP(****.98.101)" "HTTP" permit
set policy id 69
set service "HTTPS"
set service "ICMP-ANY"
set service "MAIL"
exit
set policy id 70 from "Untrust" to "Trust"  "Any" "MIP(****.98.113)" "HTTP" permit
set policy id 70
set service "HTTPS"
set service "MAIL"
set service "PING"
exit
set policy id 73 name "spoofer" from "Untrust" to "Trust"  "61.174.51.228/1" "10.10.0.0/16" "ANY" deny
set policy id 77 name "ttiweb" from "DMZ" to "Trust"  "ttiweb" "Any" "ANY" permit
set policy id 78 name "TTI-WEB" from "Untrust" to "DMZ"  "Any" "MIP(****.98.115)" "HTTP" permit
set policy id 78
set service "PING"
exit
set vpn "VPN for WAT NET" proxy-id local-ip 10.10.0.0/16 remote-ip 10.16.0.0/16 "ANY"
set vpn "Jackson VPN" proxy-id local-ip 10.10.0.0/16 remote-ip 10.18.0.0/16 "ANY"
set ssh version v2
set ssh enable
set scp enable
set config lock timeout 5
set ssl encrypt des sha-1
set ntp server "192.43.244.18"
set ntp server backup1 "0.0.0.0"
set ntp server backup2 "0.0.0.0"
set snmp community "Manage" Read-Write Trap-on  traffic version v2c
set snmp host "Manage" 206.0.0.0 255.0.0.0 src-interface ethernet3
set snmp host "Manage" 24.0.0.0 255.0.0.0 src-interface ethernet3
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
set route  10.18.0.0/16 interface tunnel.2
exit
set vrouter "trust-vr"
unset add-default-route
set route  0.0.0.0/0 interface ethernet3 gateway ****.98.97
set route  10.11.0.0/16 interface ethernet1 gateway 10.10.0.3
set route  10.12.0.0/16 interface ethernet1 gateway 10.10.0.3
set route  192.168.237.1/32 interface ethernet1 gateway 10.10.100.254
set route  10.16.0.0/16 interface ethernet3
set route  10.14.0.0/16 interface ethernet1 gateway 10.10.0.3
set route  172.16.225.0/24 interface ethernet4 gateway 172.10.1.2
set route  10.13.0.0/16 interface ethernet1 gateway 10.10.0.3
set route  10.15.0.0/16 interface ethernet1 gateway 10.10.0.3
set route  10.18.0.0/16 interface tunnel.2
exit
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 40249811
OK, a couple of items to change. Interfaces in the Trust zone should be in NAT mode instead of Route mode. Change this by going to Network > Interfaces > Edit for the interface in question and choose NAT instead of Route.

2nd item: in MIP policies, the source address should be "ANY" instead of (0.0.0.0/0).

Which was the MIP that you created that was giving you trouble?
0
 
LVL 2

Author Comment

by:kmoloney
ID: 40249923
I am a little hesitant to change routing for the Trust zone as I could potentially bring my whole 250-user network down :(. This was configured by the former admin and I fear I may hose other things by doing that (unless you are certain). The MIP that is giving me issues is the ****.98.115 (which maps to the 172.25.1.10 DMZ IP).
0
 
LVL 2

Author Comment

by:kmoloney
ID: 40253231
Any other ideas?
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 40253561
Yes, sorry for the late reply.

In your policies you have a lot of rules that are causing some issues, namely

set policy id 58 from "Untrust" to "DMZ"  "Any" "Any" "ANY" deny log

will block any policy that comes after it such as

set policy id 78 name "TTI-WEB" from "Untrust" to "DMZ"  "Any" "MIP(****.98.115)" "HTTP" permit

I recommend having only one deny policy, from Global to Global, with deny and logging set, so that when traffic is not making it to a device there is only one log you need to check for issues :)
0
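The shadowing Sanga describes (a catch-all deny for a zone pair placed ahead of a more specific permit for the same pair) and the MIP-to-zone relationship discussed earlier in the thread can both be checked mechanically. The following Python lint is an added example, not code from the thread or from Juniper: it parses a constructed excerpt of the posted ScreenOS config (masked public IPs kept as "****.98.x" placeholders), drops policies that are later marked `disable`, reports any policy that follows an Any/Any/ANY policy for the same from/to zone pair, and confirms that each MIP referenced as a policy destination maps to a host on a connected subnet of an interface in the policy's to-zone.

```python
import re
import ipaddress
from dataclasses import dataclass

# Constructed excerpt modelled on the config posted in the thread (not the full dump).
SAMPLE_CONFIG = """\
set interface "ethernet1" zone "Trust"
set interface "ethernet2" zone "DMZ"
set interface "ethernet3" zone "Untrust"
set interface ethernet1 ip 10.10.0.4/16
set interface ethernet2 ip 172.25.1.1/24
set interface "ethernet3" mip ****.98.105 host 172.25.1.6 netmask 255.255.255.255 vrouter "trust-vr"
set interface "ethernet3" mip ****.98.113 host 10.10.2.8 netmask 255.255.255.255 vrouter "trust-vr"
set interface "ethernet3" mip ****.98.115 host 172.25.1.10 netmask 255.255.255.255 vrouter "trust-vr"
set policy id 57 from "Untrust" to "DMZ"  "0.0.0.0/0" "MIP(****.98.105)" "HTTP" permit
set policy id 58 from "Untrust" to "DMZ"  "Any" "Any" "ANY" deny log
set policy id 59 from "DMZ" to "Trust"  "Any" "Any" "ANY" deny log
set policy id 59 disable
set policy id 63 from "DMZ" to "Trust"  "TTI-ZIX" "Any" "ANY" permit
set policy id 70 from "Untrust" to "Trust"  "Any" "MIP(****.98.113)" "HTTP" permit
set policy id 78 name "TTI-WEB" from "Untrust" to "DMZ"  "Any" "MIP(****.98.115)" "HTTP" permit
"""

@dataclass
class Policy:
    pid: int
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    service: str
    action: str

POLICY_RE = re.compile(
    r'^set policy id (\d+)(?: name "[^"]*")? from "([^"]+)" to "([^"]+)"\s+'
    r'"([^"]+)" "([^"]+)" "([^"]+)" (permit|deny)'
)
DISABLE_RE = re.compile(r'^set policy id (\d+) disable$')
MIP_RE = re.compile(r'^set interface "([^"]+)" mip (\S+) host (\S+)')
IF_IP_RE = re.compile(r'^set interface (\S+) ip (\d+(?:\.\d+){3}/\d+)')
IF_ZONE_RE = re.compile(r'^set interface "([^"]+)" zone "([^"]+)"')
MIP_DST_RE = re.compile(r'^MIP\((\S+)\)$')
ANY_SRC = {"any", "0.0.0.0/0"}  # both spellings of "from anywhere" seen in the dump

def parse_config(text):
    """Collect policies (in file order), MIPs, interface subnets and interface zones."""
    policies, disabled, mips, if_ip, if_zone = [], set(), {}, {}, {}
    for line in text.splitlines():
        line = line.strip()
        if m := POLICY_RE.match(line):
            policies.append(Policy(int(m[1]), m[2], m[3], m[4], m[5], m[6], m[7]))
        elif m := DISABLE_RE.match(line):
            disabled.add(int(m[1]))
        elif m := MIP_RE.match(line):
            mips[m[2]] = m[3]
        elif m := IF_IP_RE.match(line):
            if_ip[m[1]] = ipaddress.ip_network(m[2], strict=False)
        elif m := IF_ZONE_RE.match(line):
            if_zone[m[1]] = m[2]
    # A disabled policy never matches traffic, so it cannot shadow anything.
    policies = [p for p in policies if p.pid not in disabled]
    return {"policies": policies, "mips": mips, "if_ip": if_ip, "if_zone": if_zone}

def is_catch_all(p):
    return p.src.lower() in ANY_SRC and p.dst.lower() == "any" and p.service.lower() == "any"

def find_shadowed_policies(policies):
    """Return (shadowed_id, shadowing_id) pairs. ScreenOS evaluates the policies of a
    zone pair top-down, so anything listed after a catch-all for that pair never matches."""
    shadowed, catch_all_by_pair = [], {}
    for p in policies:
        pair = (p.src_zone, p.dst_zone)
        if pair in catch_all_by_pair:
            shadowed.append((p.pid, catch_all_by_pair[pair]))
        elif is_catch_all(p):
            catch_all_by_pair[pair] = p.pid
    return shadowed

def mip_host_zone(cfg, mip):
    """Zone of the interface whose connected subnet contains the MIP's private host."""
    host_str = cfg["mips"].get(mip)
    if host_str is None:
        return None
    host = ipaddress.ip_address(host_str)
    for ifname, net in cfg["if_ip"].items():
        if host in net:
            return cfg["if_zone"].get(ifname)
    return None

def check_mip_policies(cfg):
    """Flag policies whose destination MIP maps to a host that is not on a connected
    subnet in the policy's to-zone; returns (policy_id, mip, to_zone, host_zone)."""
    problems = []
    for p in cfg["policies"]:
        m = MIP_DST_RE.match(p.dst)
        if not m or m[1] not in cfg["mips"]:
            continue
        zone = mip_host_zone(cfg, m[1])
        if zone != p.dst_zone:
            problems.append((p.pid, m[1], p.dst_zone, zone))
    return problems

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for later, earlier in find_shadowed_policies(cfg["policies"]):
        print(f"policy {later} is shadowed by catch-all policy {earlier}")
    for pid, mip, want, got in check_mip_policies(cfg):
        print(f"policy {pid}: MIP {mip} host lives in zone {got}, policy targets {want}")
```

Run against the full sanitized dump, the shadow report is the quick way to confirm Sanga's point (policy 78 sits behind policy 58), while the MIP check rules out a mismatch between the MIP's host address and the DMZ interface subnet before time is spent on packet captures.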
 
LVL 2

Author Comment

by:kmoloney
ID: 40270246
I certainly see how that could be an issue; however, when I remove the policy denying any to any (Untrust to DMZ) I still cannot get a ping or browser to MIP(****.98.115)! :(
0
 
LVL 71

Expert Comment

by:Qlemo
ID: 40270588
As a first troubleshooting step, I recommend enabling session logging on policy 78 and putting it on top of any other rules for Untrust to DMZ. Then test access from outside (!) of your network.
If you test from inside, you need (at least) a corresponding policy from your zone to Untrust with the MIP as destination.
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 40270623
Hi Kmoloney.

I went ahead and dumped your config into an NS204 for testing. Added logging to policy 78 and initiated a ping from the outside network. Traffic does get logged in the policy, so something else is going on with the internal routing on the device. I am going to troubleshoot a few more things and report back.

2014-08-19 07:03:56      10.8.3.10:76      74.204.98.115:31888      10.8.3.10:76      172.25.1.10:31888      ICMP      59 sec.      102      0      Close - AGE OUT
2014-08-19 07:03:56      10.8.3.10:75      74.204.98.115:31888      10.8.3.10:75      172.25.1.10:31888      ICMP      60 sec.      102      0      Close - AGE OUT
2014-08-19 07:03:54      10.8.3.10:73      74.204.98.115:31888      10.8.3.10:73      172.25.1.10:31888      ICMP      60 sec.      102      0      Close - AGE OUT
2014-08-19 07:03:54      10.8.3.10:74      74.204.98.115:31888      10.8.3.10:74      172.25.1.10:31888      ICMP      59 sec.      102      0      Close - AGE OUT
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 40270626
Sorry, I forgot to post the results from debug flow basic

****** 06099.0: <Untrust/ethernet3> packet received [84]******

  ipid = 58810(e5ba), @d7851110

  packet passed sanity check.

  ethernet3:10.8.3.10/1->74.204.98.115/31878,1(8/0)<Root>

  no session found

  flow_first_sanity_check: in <ethernet3>, out <N/A>

  chose interface ethernet3 as incoming nat if.

  flow_first_routing: in <ethernet3>, out <N/A>

  search route to (ethernet3, 10.8.3.10->172.25.1.10) in vr trust-vr for vsd-0/flag-0/ifp-null

  [ Dest] 8.route 172.25.1.10->0.0.0.0, to ethernet2

  routed (x_dst_ip 172.25.1.10) from ethernet3 (ethernet3 in 0) to ethernet2 

  policy search from zone 1-> zone 3

 policy_flow_search  policy search nat_crt from zone 1-> zone 10

  RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 74.204.98.115, port 24810, proto 1)

  No SW RPC rule match, search HW rule

  Permitted by policy 78

  No src xlate   choose interface ethernet2 as outgoing phy if

  no loop on ifp ethernet2.

  session application type 0, name None, nas_id 0, timeout 60sec

  service lookup identified service 0.

  flow_first_final_check: in <ethernet3>, out <ethernet2>

  existing vector list 1-6652fa0.

  Session (id:128063) created for first pak 1

  flow_first_install_session======>

  route to 172.25.1.10

  arp entry found for 172.25.1.10

  nsp2 wing prepared, ready

  cache mac in the session

  make_nsp_ready_no_resolve()

  search route to (ethernet2, 172.25.1.10->10.8.3.10) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet3

  [ Dest] 5.route 10.8.3.10->74.204.98.97, to ethernet3

  route to 74.204.98.97

  flow got session.

  flow session id 128063

  post addr xlation: 10.8.3.10->172.25.1.10.

 flow_send_vector_, vid = 0, is_layer2_if=0


0
 
LVL 71

Expert Comment

by:Qlemo
ID: 40270693
Sanga, what was your ffilter for the debug? Did you include the DMZ address?
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 40270704
Hi Qlemo,

I used the following filter: set ffilter src-ip 10.8.3.10 dst-ip 74.204.98.115

My test server is 10.8.3.10. That is the source IP on the WAN side.
0
 
LVL 2

Author Comment

by:kmoloney
ID: 40270745
Thanks a ton for helping me out with this, guys. I will add that the only services I have currently allowed to see the .115 address are PING, HTTP, and HTTPS. Let me know if I need to open up additional ports for testing purposes.
0
 
LVL 71

Expert Comment

by:Qlemo
ID: 40270887
Sanga, that explains why we do not see more. We would need to see traffic to the DMZ address too, so we need another ffilter with the DMZ address as dst-ip.
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 40270896
I see what you are saying. Should I use the following instead:

set ffilter src-ip 10.8.3.10 dst-ip 172.25.1.10?
0
 
LVL 71

Expert Comment

by:Qlemo
ID: 40270906
Not sure what the source IP will be with all that NAT, but according to the policy traffic log, yes.
It should not hurt to be less restrictive, i.e. only specify the dst-ip.
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 40270927
I set up the filter with just dst-ip = 172.25.1.10; the results from the debug are hard for me to decipher. It feels like something is missing.

****** 14806.0: <DMZ/ethernet2> packet received [40]******
  ipid = 22694(58a6), @d783e110
  packet passed sanity check.
  ethernet2:172.25.1.10/49526->23.49.56.9/80,6<Root>
  existing session found. sess token 24
  flow got session.
  flow session id 127941
  tcp seq check.
 flow_send_vector_, vid = 0, is_layer2_if=0

****** 14806.0: <DMZ/ethernet2> packet received [40]******
  ipid = 22695(58a7), @d783e910
  packet passed sanity check.
  ethernet2:172.25.1.10/49526->23.49.56.9/80,6<Root>
  existing session found. sess token 24
  flow got session.
  flow session id 127941
  tcp seq check.
 flow_send_vector_, vid = 0, is_layer2_if=0

****** 14806.0: <DMZ/ethernet2> packet received [40]******
  ipid = 22696(58a8), @d783f110
  packet passed sanity check.
  ethernet2:172.25.1.10/49526->23.49.56.9/80,6<Root>
  existing session found. sess token 24
  flow got session.
  flow session id 127941
  tcp seq check.
 flow_send_vector_, vid = 0, is_layer2_if=0


0
 
LVL 71

Expert Comment

by:Qlemo
ID: 40270940
23.49.56.9? And the packet originates from DMZ, but should that have as target zone/network ...
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 40270958
That's exactly what I was thinking! I checked my connected networks and the config again. I do not see 23.49.56.9 referenced anywhere.
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 40270961
Looks like that IP address was from leaving cnn.com open on the laptop I connected to act as 172.25.1.10. I have closed the browser and run another debug session. This time it gave different results.

get ffilter
Flow filter based on:
id:0 dst ip 172.25.1.10 
ns25-> debug flow basic
ns25-> clear db
ns25->  All debug off
ns25-> get db str

****** 16032.0: <DMZ/ethernet2> packet received [106]******
  ipid = 24190(5e7e), @d7826910
  packet passed sanity check.
  ethernet2:172.25.1.10/55634->192.168.1.6/161,17<Root>
Not IKE nor NAT-T nor ESP protocol.
  existing session found. sess token 24
  flow got session.
  flow session id 128044
  post addr xlation: 74.204.98.115->192.168.1.6.
 flow_send_vector_, vid = 0, is_layer2_if=0

****** 16032.0: <DMZ/ethernet2> packet received [106]******
  ipid = 24191(5e7f), @d7827110
  packet passed sanity check.
  ethernet2:172.25.1.10/55634->192.168.1.6/161,17<Root>
Not IKE nor NAT-T nor ESP protocol.
  existing session found. sess token 24
  flow got session.
  flow session id 128044
  post addr xlation: 74.204.98.115->192.168.1.6.
 flow_send_vector_, vid = 0, is_layer2_if=0


0
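The two `debug flow basic` traces in this thread (the inbound ping permitted by policy 78 and routed to ethernet2, and the later trace that turned out to be the test laptop's own SNMP and browser traffic) are easier to read once each packet is reduced to one line. The following Python parser is an added example, not code from the thread or from Juniper: it walks a constructed trace modelled on the posted output, extracts the ingress zone/interface, the flow tuple, the policy verdict, the egress interface, the post-NAT addresses and the session id, and classifies whether the host under test is the destination of a packet or the one originating it, which is the distinction Qlemo was drawing.

```python
import re

# Constructed trace lines modelled on the debug flow basic output posted in the thread.
SAMPLE_TRACE = """\
****** 06099.0: <Untrust/ethernet3> packet received [84]******
  ipid = 58810(e5ba), @d7851110
  packet passed sanity check.
  ethernet3:10.8.3.10/1->74.204.98.115/31878,1(8/0)<Root>
  no session found
  search route to (ethernet3, 10.8.3.10->172.25.1.10) in vr trust-vr for vsd-0/flag-0/ifp-null
  routed (x_dst_ip 172.25.1.10) from ethernet3 (ethernet3 in 0) to ethernet2
  Permitted by policy 78
  Session (id:128063) created for first pak 1
  flow session id 128063
  post addr xlation: 10.8.3.10->172.25.1.10.
****** 16032.0: <DMZ/ethernet2> packet received [106]******
  ipid = 24190(5e7e), @d7826910
  packet passed sanity check.
  ethernet2:172.25.1.10/55634->192.168.1.6/161,17<Root>
  existing session found. sess token 24
  flow session id 128044
  post addr xlation: 74.204.98.115->192.168.1.6.
"""

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

HDR_RE = re.compile(r'^\*+ \S+: <([^/]+)/([^>]+)> packet received \[(\d+)\]')
TUPLE_RE = re.compile(r'^(\S+):(\d+(?:\.\d+){3})/(\d+)->(\d+(?:\.\d+){3})/(\d+),(\d+)')
POLICY_RE = re.compile(r'^(Permitted|Denied) by policy (\d+)')
ROUTED_RE = re.compile(r'^routed \(x_dst_ip (\S+)\) from (\S+) .* to (\S+)')
XLATE_RE = re.compile(r'^post addr xlation: (\S+)->(\S+)\.')
NEW_SESS_RE = re.compile(r'^Session \(id:(\d+)\) created')
OLD_SESS_RE = re.compile(r'^flow session id (\d+)')

def parse_debug_flow(text):
    """Split a debug flow basic dump into one dict per received packet."""
    packets, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HDR_RE.match(line):
            cur = {"zone": m[1], "in_if": m[2], "length": int(m[3]),
                   "src": None, "src_port": None, "dst": None, "dst_port": None,
                   "proto": None, "policy": None, "action": None, "out_if": None,
                   "xlate": None, "session_id": None, "new_session": False}
            packets.append(cur)
        elif cur is None:
            continue  # preamble (get ffilter, prompts) before the first packet
        elif m := TUPLE_RE.match(line):
            cur.update(src=m[2], src_port=int(m[3]), dst=m[4], dst_port=int(m[5]),
                       proto=PROTO_NAMES.get(int(m[6]), m[6]))
        elif m := POLICY_RE.match(line):
            cur["action"], cur["policy"] = m[1].lower(), int(m[2])
        elif m := ROUTED_RE.match(line):
            cur["out_if"] = m[3]
        elif m := XLATE_RE.match(line):
            cur["xlate"] = (m[1], m[2])  # (src, dst) after NAT/MIP translation
        elif m := NEW_SESS_RE.match(line):
            cur["session_id"], cur["new_session"] = int(m[1]), True
        elif m := OLD_SESS_RE.match(line):
            cur["session_id"] = int(m[1])
    return packets

def host_role(pkt, host):
    """'destination' if host is the pre- or post-NAT destination, 'source' if it
    originated the packet, else None; separates test traffic from host-generated noise."""
    post_src, post_dst = pkt["xlate"] or (pkt["src"], pkt["dst"])
    if host in (pkt["dst"], post_dst):
        return "destination"
    if host in (pkt["src"], post_src):
        return "source"
    return None

def summarize(pkt):
    """One-line summary of a parsed packet."""
    flow = f'{pkt["proto"]} {pkt["src"]}:{pkt["src_port"]} -> {pkt["dst"]}:{pkt["dst_port"]}'
    if pkt["policy"] is not None:
        verdict = f'{pkt["action"]} by policy {pkt["policy"]}'
    elif pkt["session_id"] is not None and not pkt["new_session"]:
        verdict = "existing session"
    else:
        verdict = "no verdict"
    nat = f' (post-NAT {pkt["xlate"][0]}->{pkt["xlate"][1]})' if pkt["xlate"] else ""
    out = f' out {pkt["out_if"]}' if pkt["out_if"] else ""
    return f'{pkt["zone"]}/{pkt["in_if"]} {flow}{nat}{out}: {verdict}'

if __name__ == "__main__":
    for pkt in parse_debug_flow(SAMPLE_TRACE):
        print(summarize(pkt), "| 172.25.1.10 is", host_role(pkt, "172.25.1.10"))
```

On the thread's traces this prints the inbound ICMP as permitted by policy 78 with 172.25.1.10 as the post-NAT destination and egress ethernet2, and the SNMP packet as an existing session originated by 172.25.1.10; a permitted, routed first packet with no reply ever seen on ethernet2 points at the host or its network attachment rather than at the firewall, which is what the resolution later confirmed.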
 
LVL 71

Assisted Solution

by:Qlemo
Qlemo earned 1000 total points
ID: 40270978
That's SNMP ...
0
 
LVL 18

Accepted Solution

by:Sanga Collins
Sanga Collins earned 1000 total points
ID: 40271005
Not sure what else to look at. In the logs I can clearly see traffic registered and accepted for the MIP, but after that, it just seems to disappear. I haven't added anything to the config posted except for enable logging on all the MIPs. I will take a few moments away from it and come back for a fresh look that hopefully will allow me to spot the issues.
0
 
LVL 2

Author Comment

by:kmoloney
ID: 40276200
OK, well, this was one of the dumbest things ever. When I moved the VM from my internal subnet to the DMZ subnet I forgot to change the NIC to the DMZ NIC in the vSphere client o.O. I did that and it worked right away. Sorry to have wasted your time, and thank you VERY much for the advanced troubleshooting. It's people like you that restore faith in the human race.
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 40276246
Hi Kmoloney!!

I can safely admit that I have done the Exact Same Thing!!! I have VLAN tags on my Juniper EX3200 to separate different zones, and on at least 2 occasions I have moved VMs without changing the NIC and spent hours trying to figure out what went wrong :)

BTW, in my test environment I had to enable ping on my Windows 7 laptop and now the MIP works. I was only testing ICMP and didn't notice.
0
