Can't reach public IP in DMZ (untrust-vr) from internal network Trust (trust-vr)



  • Current Firmware Version: 6.3.0r14.0
    Device: SSG-320M

    Problem:
    I've set up a reverse proxy in the DMZ that is reachable from the Internet using a VIP in Untrust for ports 80 and 443. There are no issues reaching it from the Internet, but any client request from Trust fails with

    do not support multiple DIP in loopback session. pak dropped
     loopback session failed
    

    My network setup for this is the following.
    Untrust (untrust-vr) WAN IP (DHCP assigned, 1 IP available)

         ethernet0/1 ip 94.100.200.29/28 (external IP replaced for privacy)
         ethernet0/1 nat
    
    

    DMZ in untrust-vr

         ethernet1/2.2 ip 192.168.24.1/26
         ethernet1/2.2 route
    

    Trust (internal NW) in trust-vr

         ethernet1/7 ip 192.168.30.1/24
         ethernet1/7 route
    

    What's been done so far
    I've tried to follow many different guides on the Internet but haven't got my head around what I should do to get it to work.
    Tried creating a MIP, but I can't figure out what it is actually for or how it could solve my problem.

    When I try to push traffic through and run the debug in the CLI, I see no trace of the traffic on the receiving server, although it hits the same policy (169) as when traffic comes from the Internet.

    I would be so happy if this could be solved, because it's really bugging me and I've spent many hours trying to sort it out. I've cleaned up the attached config so it only has the relevant parts and also removed all my trial configurations, so I need to know what's missing.

    Many thanks in advance!

    set vrouter trust-vr sharable
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset auto-route-export
    exit
    set preference nhrp 100
    set preference ospf-e2 254
    exit
    set alg appleichat enable
    unset alg appleichat re-assembly enable
    set alg sctp enable
    set zone "Trust" vrouter "trust-vr"
    set zone "Untrust" vrouter "untrust-vr"
    set zone "DMZ" vrouter "untrust-vr"
    unset zone "Trust" tcp-rst 
    set zone "Untrust" block 
    unset zone "Untrust" tcp-rst 
    set zone "Untrust" screen alarm-without-drop
    set zone "Untrust" screen tear-drop
    set zone "Untrust" screen syn-flood
    set zone "Untrust" screen ping-death
    unset zone "Untrust" screen ip-filter-src
    set zone "Untrust" screen land
    set interface "ethernet0/1" zone "Untrust"
    set interface "ethernet1/2.2" tag 2401 zone "DMZ"
    set interface "ethernet1/7" zone "Trust"
    unset interface vlan1 ip
    set interface ethernet0/1 ip 94.100.200.29/28
    set interface ethernet0/1 nat
    set interface ethernet1/2.2 ip 192.168.24.1/26
    set interface ethernet1/2.2 route
    set interface ethernet1/7 ip 192.168.30.1/24
    set interface ethernet1/7 route
    set interface ethernet1/2.2 mtu 1500
    set interface "ethernet0/1" pmtu ipv4
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip
    unset interface ethernet0/1 ip manageable
    set interface ethernet1/2.2 ip manageable
    set interface ethernet1/7 ip manageable
    set interface ethernet0/1 manage ping
    unset interface ethernet1/7 manage ssl
    set interface ethernet0/1 vip interface-ip 80 "HTTP" 192.168.24.9 manual
    set interface ethernet0/1 dhcp client enable
    unset interface ethernet0/1 dhcp client settings update-dhcpserver
    set interface ethernet1/7 dhcp relay server-name "192.168.30.254"
    set interface ethernet1/7 dhcp relay service
    set interface ethernet1/2 disable
    unset flow no-tcp-seq-check
    set flow tcp-syn-check
    unset flow tcp-syn-bit-check
    set flow reverse-route clear-text prefer
    set flow reverse-route tunnel always
    set hostname fw01
    set dns host dns2 8.8.8.8 src-interface ethernet0/1
    set dns ddns id 1 server-type dyndns refresh-interval 1 minimum-update-interval 2
    set dns ddns id 1 username <user_name> password <password>
    set dns ddns id 1 src-interface ethernet0/1 host-name <fqdn> 
    set dns ddns enable
    set crypto-policy
    exit
    set url protocol type sc-cpa
    exit
    set policy id 110 name "Source NAT" from "Trust" to "Untrust"  "192.168.30.0/24" "Any" "DNS" nat src permit log 
    set policy id 110
    set service "HTTP"
    set service "HTTPS"
    set service "TRACEROUTE"
    set service "WHOIS"
    exit
    set policy id 25 name "Deny and log" from "Untrust" to "Trust"  "Any" "Any" "ANY" reject log 
    set policy id 25
    set log session-init
    exit
    set policy id 162 name "web" from "DMZ" to "Untrust"  "192.168.24.9/32" "Any" "HTTP" nat src permit log 
    set policy id 162
    set service "HTTPS"
    exit
    set policy id 169 name "Reverse Proxy" from "Untrust" to "DMZ"  "External interface" "VIP(ethernet0/1)" "HTTP" permit log 
    set policy id 169
    set service "HTTPS"
    exit
    set route 192.168.30.0/24 vrouter "trust-vr" preference 20 metric 1 description "DMZ access to prod"
    exit
    set vrouter "trust-vr"
    unset add-default-route
    set route 0.0.0.0/0 vrouter "untrust-vr" preference 20
    set route 192.168.24.0/26 vrouter "untrust-vr" preference 20 metric 1 description "Trust to Public DMZ servers"
    exit
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit
    
     ****** 8724425.0: <Trust/ethernet1/7> packet received [48]******
      ipid = 15599(3cef), @2d534110
      packet passed sanity check.
      flow_decap_vector IPv4 process
      ethernet1/7:192.168.30.98/48259->94.100.200.29/443,6 <Root>no session found
      flow_first_sanity_check: in <ethernet1/7>, out <N/A>
      chose interface ethernet1/7 as incoming nat if.
      flow_first_routing: in <ethernet1/7>, out <N/A>
      search route to (ethernet1/7, 192.168.30.98->94.100.200.29) in vr trust-vr for vsd-0/flag-0/ifp-null
      cached route 2 for 94.100.200.29
      [ Dest] 2.route 94.100.200.29->94.100.200.29, to ethernet0/1
      routed (x_dst_ip 94.100.200.29) from ethernet1/7 (ethernet1/7 in 0) to ethernet0/1
      policy search from zone 2-> zone 1
      policy_flow_search  policy search nat_crt from zone 2-> zone 1
      RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 94.100.200.29, port 443, proto 6)
      No SW RPC rule match, search HW rule
      swrs_search_ip: policy matched id/idx/action = 110/42/0x9
      Permitted by policy 110
      src-nat dip id = 2, 192.168.30.98/48259->94.100.200.29/8790
      choose interface ethernet0/1 as outgoing phy if
      set interface ethernet0/1 as loop ifp.
      session application type 49, name None, nas_id 0, timeout 1800sec
      service lookup identified service 0.
      flow_first_final_check: in <ethernet1/7>, out <ethernet0/1>
      existing vector list 103-79cc00c.
      Session (id:62702) created for first pak 103
      loopback session processing
      post addr xlation: 94.100.200.29->94.100.200.29.
      flow_first_sanity_check: in <ethernet0/1>, out <N/A>
      self check, not for us
      chose interface ethernet0/1 as incoming nat if.
      flow_first_routing: in <ethernet0/1>, out <N/A>
      search route to (ethernet0/1, 94.100.200.29->192.168.24.9) in vr trust-vr for vsd-0/flag-0/ifp-null
      cached route 3 for 192.168.24.9
      [ Dest] 3.route 192.168.24.9->192.168.24.9, to ethernet1/2.2
      routed (x_dst_ip 192.168.24.9) from ethernet0/1 (ethernet0/1 in 0) to ethernet1/2.2
      policy search from zone 1-> zone 3
      policy_flow_search  policy search nat_crt from zone 1-> zone 10
      RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 94.100.200.29, port 443, proto 6)
      No SW RPC rule match, search HW rule
      swrs_search_ip: policy matched id/idx/action = 169/130/0x9
      Permitted by policy 169
      interface-nat dip id = 2, 94.100.200.29/8790->192.168.24.1/20842
      choose interface ethernet1/2.2 as outgoing phy if
      no loop on ifp ethernet1/2.2.
      session application type 49, name None, nas_id 0, timeout 1800sec
      service lookup identified service 0.
      flow_first_final_check: in <ethernet0/1>, out <ethernet1/2.2>
      existing vector list 103-79cc00c.
      Session (id:62580) created for first pak 103
      do not support multiple DIP in loopback session. pak dropped
      loopback session failed
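As an added example (mine, not from the post above and not Juniper code), a small Python parser for the `debug flow basic` output format shown in the trace. It splits the trace into the two legs of the loopback session, records the zone pair, policy and NAT translation each leg hit, and reports the verdict. The embedded sample is an abridged copy of the lines in the trace; the class, function and pattern names are assumptions of the example.

```python
"""Condense a ScreenOS `debug flow basic` trace into per-leg decisions and the verdict.

Added example, not Juniper code: the regexes, class and function names are mine and
assume the line formats visible in the trace above (6.3.0r14 on an SSG-320M).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Leg:
    """One pass through the first-packet path; a loopback session makes two of them."""
    ingress: str
    zones: Optional[Tuple[int, int]] = None          # (from zone id, to zone id)
    policy: Optional[int] = None                     # "Permitted by policy N"
    egress: Optional[str] = None
    nats: List[Tuple[str, int, str]] = field(default_factory=list)  # (kind, DIP id, before->after)


@dataclass
class Trace:
    packet: Optional[str]        # "src/port->dst/port,proto" of the triggering packet
    legs: List[Leg]
    loopback: bool               # saw "loopback session processing"
    drop_reason: Optional[str]   # text before ". pak dropped", if any


PACKET_RE = re.compile(r"^(\S+):(\d+\.\d+\.\d+\.\d+/\d+->\d+\.\d+\.\d+\.\d+/\d+),(\d+)")
LEG_RE = re.compile(r"flow_first_sanity_check: in <([^>]+)>")
ZONE_RE = re.compile(r"policy search from zone (\d+)-> zone (\d+)")
POLICY_RE = re.compile(r"Permitted by policy (\d+)")
NAT_RE = re.compile(r"(src-nat|dst-nat|interface-nat) dip id = (\d+), (\S+)")
EGRESS_RE = re.compile(r"choose interface (\S+) as outgoing phy if")
DROP_RE = re.compile(r"^(.+)\. pak dropped$")


def parse_flow_trace(text: str) -> Trace:
    packet = None
    legs: List[Leg] = []
    loopback = False
    drop = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PACKET_RE.match(line)
        if m and packet is None:
            packet = f"{m.group(2)},{m.group(3)}"
            continue
        m = LEG_RE.search(line)
        if m:                      # every sanity check opens a new leg
            legs.append(Leg(ingress=m.group(1)))
            continue
        if line == "loopback session processing":
            loopback = True
            continue
        m = DROP_RE.match(line)
        if m:
            drop = m.group(1)
            continue
        if not legs:
            continue
        leg = legs[-1]
        m = ZONE_RE.search(line)
        if m:
            leg.zones = (int(m.group(1)), int(m.group(2)))
            continue
        m = POLICY_RE.search(line)
        if m:
            leg.policy = int(m.group(1))
            continue
        m = NAT_RE.search(line)
        if m:
            leg.nats.append((m.group(1), int(m.group(2)), m.group(3)))
            continue
        m = EGRESS_RE.search(line)
        if m:
            leg.egress = m.group(1)
    return Trace(packet, legs, loopback, drop)


def diagnose(trace: Trace) -> str:
    """Explain the verdict. The 'multiple DIP' check mirrors what the firewall itself
    reported: NAT was applied on more than one leg of a single loopback session."""
    applied = [(leg.policy, kind, dip) for leg in trace.legs for kind, dip, _ in leg.nats]
    if trace.loopback and len(applied) > 1:
        detail = "; ".join(f"policy {p}: {k} via DIP {d}" for p, k, d in applied)
        return (f"loopback session with NAT applied {len(applied)} times ({detail}); "
                f"verdict: {trace.drop_reason or 'no drop line seen'}")
    if trace.drop_reason:
        return f"dropped: {trace.drop_reason}"
    return "forwarded: " + " -> ".join(f"{leg.ingress}=>{leg.egress}" for leg in trace.legs)


# Abridged copy of the trace in the post above (only the lines the parser keys on).
SAMPLE_TRACE = """\
ethernet1/7:192.168.30.98/48259->94.100.200.29/443,6 <Root>no session found
flow_first_sanity_check: in <ethernet1/7>, out <N/A>
policy search from zone 2-> zone 1
policy_flow_search  policy search nat_crt from zone 2-> zone 1
Permitted by policy 110
src-nat dip id = 2, 192.168.30.98/48259->94.100.200.29/8790
choose interface ethernet0/1 as outgoing phy if
set interface ethernet0/1 as loop ifp.
Session (id:62702) created for first pak 103
loopback session processing
post addr xlation: 94.100.200.29->94.100.200.29.
flow_first_sanity_check: in <ethernet0/1>, out <N/A>
policy search from zone 1-> zone 3
policy_flow_search  policy search nat_crt from zone 1-> zone 10
Permitted by policy 169
interface-nat dip id = 2, 94.100.200.29/8790->192.168.24.1/20842
choose interface ethernet1/2.2 as outgoing phy if
Session (id:62580) created for first pak 103
do not support multiple DIP in loopback session. pak dropped
loopback session failed
"""

if __name__ == "__main__":
    t = parse_flow_trace(SAMPLE_TRACE)
    for i, leg in enumerate(t.legs, 1):
        print(f"leg {i}: {leg.ingress} -> {leg.egress}, zones {leg.zones}, "
              f"policy {leg.policy}, nat {leg.nats}")
    print(diagnose(t))
```

Run against the full trace it prints one line per leg and the verdict: on the Trust-to-Untrust leg policy 110 applied src-nat through DIP 2, on the Untrust-to-DMZ leg policy 169 applied interface-nat through DIP 2 again, and the firewall dropped the packet after creating the second session. That is consistent with policy 169 showing a match while nothing ever arrives at 192.168.24.9.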
    
