Can't reach public IP in DMZ (untrust-vr) from internal NW Trust (trust-vr)

Current Firmware Version: 6.3.0r14.0
Device: SSG-320M

Problem:
I've set up a reverse proxy in DMZ that is accessible from the Internet using a VIP in Untrust for ports 80 and 443. No issues reaching it from the Internet, but any client request from Trust fails with "do not support multiple DIP in loopback session. pak dropped loopback session failed".
My network setup for this is the following.
Untrust (untrust-vr): WAN IP (DHCP assigned, 1 IP available)
ethernet0/1 ip 94.100.200.29/28 (external IP replaced for privacy)
ethernet0/1 nat

DMZ in untrust-vr:
ethernet1/2.2 ip 192.168.24.1/26
ethernet1/2.2 route

Trust (internal NW) in trust-vr:
ethernet1/7 ip 192.168.30.1/24
ethernet1/7 route
What’s been done so far
I've tried to follow many different guides on the Internet but haven't got my head around what I should do to get it to work.
Tried creating a MIP address but can't figure out what it actually is for and how it can solve my problem. When I do try to get traffic through and run the debug in the CLI, I see no trace of the traffic on the receiving server, although it hits the same policy (169) as when traffic is coming from the Internet.
I would be so happy if this could be solved, because it’s really bugging me and I’ve spent many hours trying to sort it out. Cleaned up my attached config so it only has relevant parts and also removed all my trial configurations. So I would need to know what’s missing.
Many thanks in advance!
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set preference nhrp 100
set preference ospf-e2 254
exit
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "untrust-vr"
set zone "DMZ" vrouter "untrust-vr"
unset zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "Untrust" screen alarm-without-drop
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
unset zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set interface "ethernet0/1" zone "Untrust"
set interface "ethernet1/2.2" tag 2401 zone "DMZ"
set interface "ethernet1/7" zone "Trust"
unset interface vlan1 ip
set interface ethernet0/1 ip 94.100.200.29/28
set interface ethernet0/1 nat
set interface ethernet1/2.2 ip 192.168.24.1/26
set interface ethernet1/2.2 route
set interface ethernet1/7 ip 192.168.30.1/24
set interface ethernet1/7 route
set interface ethernet1/2.2 mtu 1500
set interface "ethernet0/1" pmtu ipv4
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
unset interface ethernet0/1 ip manageable
set interface ethernet1/2.2 ip manageable
set interface ethernet1/7 ip manageable
set interface ethernet0/1 manage ping
unset interface ethernet1/7 manage ssl
set interface ethernet0/1 vip interface-ip 80 "HTTP" 192.168.24.9 manual
set interface ethernet0/1 dhcp client enable
unset interface ethernet0/1 dhcp client settings update-dhcpserver
set interface ethernet1/7 dhcp relay server-name "192.168.30.254"
set interface ethernet1/7 dhcp relay service
set interface ethernet1/2 disable
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set hostname fw01
set dns host dns2 8.8.8.8 src-interface ethernet0/1
set dns ddns id 1 server-type dyndns refresh-interval 1 minimum-update-interval 2
set dns ddns id 1 username <user_name> password <password>
set dns ddns id 1 src-interface ethernet0/1 host-name <fqdn>
set dns ddns enable
set crypto-policy
exit
set url protocol type sc-cpa
exit
set policy id 110 name "Source NAT" from "Trust" to "Untrust" "192.168.30.0/24" "Any" "DNS" nat src permit log
set policy id 110
set service "HTTP"
set service "HTTPS"
set service "TRACEROUTE"
set service "WHOIS"
exit
set policy id 25 name "Deny and log" from "Untrust" to "Trust" "Any" "Any" "ANY" reject log
set policy id 25
set log session-init
exit
set policy id 162 name "web" from "DMZ" to "Untrust" "192.168.24.9/32" "Any" "HTTP" nat src permit log
set policy id 162
set service "HTTPS"
exit
set policy id 169 name "Reverse Proxy" from "Untrust" to "DMZ" "External interface" "VIP(ethernet0/1)" "HTTP" permit log
set policy id 169
set service "HTTPS"
exit
set route 192.168.30.0/24 vrouter "trust-vr" preference 20 metric 1 description "DMZ access to prod"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 vrouter "untrust-vr" preference 20
set route 192.168.24.0/26 vrouter "untrust-vr" preference 20 metric 1 description "Trust to Public DMZ servers"
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
****** 8724425.0: <trust/ethernet1/7> packet received [48]******
ipid = 15599(3cef), @2d534110
packet passed sanity check.
flow_decap_vector IPv4 process
ethernet1/7:192.168.30.98/48259->94.100.200.29/443,6<Root>
no session found
flow_first_sanity_check: in <ethernet1/7>, out <N/A>
chose interface ethernet1/7 as incoming nat if.
flow_first_routing: in <ethernet1/7>, out <N/A>
search route to (ethernet1/7, 192.168.30.98->94.100.200.29) in vr trust-vr for vsd-0/flag-0/ifp-null
cached route 2 for 94.100.200.29
[ Dest] 2.route 94.100.200.29->94.100.200.29, to ethernet0/1
routed (x_dst_ip 94.100.200.29) from ethernet1/7 (ethernet1/7 in 0) to ethernet0/1
policy search from zone 2-> zone 1
policy_flow_search policy search nat_crt from zone 2-> zone 1
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 94.100.200.29, port 443, proto 6)
No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 110/42/0x9
Permitted by policy 110
src-nat dip id = 2, 192.168.30.98/48259->94.100.200.29/8790
choose interface ethernet0/1 as outgoing phy if
set interface ethernet0/1 as loop ifp.
session application type 49, name None, nas_id 0, timeout 1800sec
service lookup identified service 0.
flow_first_final_check: in <ethernet1/7>, out <ethernet0/1>
existing vector list 103-79cc00c.
Session (id:62702) created for first pak 103
loopback session processing
post addr xlation: 94.100.200.29->94.100.200.29.
flow_first_sanity_check: in <ethernet0/1>, out <N/A>
self check, not for us
chose interface ethernet0/1 as incoming nat if.
flow_first_routing: in <ethernet0/1>, out <N/A>
search route to (ethernet0/1, 94.100.200.29->192.168.24.9) in vr trust-vr for vsd-0/flag-0/ifp-null
cached route 3 for 192.168.24.9
[ Dest] 3.route 192.168.24.9->192.168.24.9, to ethernet1/2.2
routed (x_dst_ip 192.168.24.9) from ethernet0/1 (ethernet0/1 in 0) to ethernet1/2.2
policy search from zone 1-> zone 3
policy_flow_search policy search nat_crt from zone 1-> zone 10
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 94.100.200.29, port 443, proto 6)
No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 169/130/0x9
Permitted by policy 169
interface-nat dip id = 2, 94.100.200.29/8790->192.168.24.1/20842
choose interface ethernet1/2.2 as outgoing phy if
no loop on ifp ethernet1/2.2.
session application type 49, name None, nas_id 0, timeout 1800sec
service lookup identified service 0.
flow_first_final_check: in <ethernet0/1>, out <ethernet1/2.2>
existing vector list 103-79cc00c.
Session (id:62580) created for first pak 103
do not support multiple DIP in loopback session.
pak dropped
loopback session failed
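The debug flow output above is dense, and the useful facts (which interface the packet came in on, which route and policy each pass matched, which DIP translation was applied, and why the packet was finally dropped) are spread over dozens of lines. The following is an added example, not code from the post or from Juniper: a small parser that walks a ScreenOS "debug flow basic" trace, splits it into the routing/policy passes the first packet makes (here two, because the device hairpins the packet through the loopback session), and summarises the NAT applied in each pass together with the drop reason. The sample trace is condensed from the post's own output (interface names inside angle brackets restored to ScreenOS's <zone/interface> form); the Hop and FlowTrace field names and the diagnose() wording are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input, condensed from the debug flow output quoted in the post above.
SAMPLE_TRACE = """\
****** 8724425.0: <trust/ethernet1/7> packet received [48]******
ethernet1/7:192.168.30.98/48259->94.100.200.29/443,6<Root>
no session found
flow_first_routing: in <ethernet1/7>, out <N/A>
routed (x_dst_ip 94.100.200.29) from ethernet1/7 (ethernet1/7 in 0) to ethernet0/1
swrs_search_ip: policy matched id/idx/action = 110/42/0x9
Permitted by policy 110
src-nat dip id = 2, 192.168.30.98/48259->94.100.200.29/8790
set interface ethernet0/1 as loop ifp.
Session (id:62702) created for first pak 103
loopback session processing
flow_first_routing: in <ethernet0/1>, out <N/A>
routed (x_dst_ip 192.168.24.9) from ethernet0/1 (ethernet0/1 in 0) to ethernet1/2.2
swrs_search_ip: policy matched id/idx/action = 169/130/0x9
Permitted by policy 169
interface-nat dip id = 2, 94.100.200.29/8790->192.168.24.1/20842
no loop on ifp ethernet1/2.2.
Session (id:62580) created for first pak 103
do not support multiple DIP in loopback session.
pak dropped
loopback session failed
"""

IP = r"\d+(?:\.\d+){3}"
FLOW_RE = re.compile(rf"^([\w/.]+):({IP})/(\d+)->({IP})/(\d+),(\d+)")
ROUTING_RE = re.compile(r"^flow_first_routing: in <([^>]+)>, out <([^>]+)>")
ROUTED_RE = re.compile(r"^routed \(x_dst_ip (\S+)\) from (\S+) .* to (\S+)$")
POLICY_RE = re.compile(r"policy matched id/idx/action = (\d+)/(\d+)/(0x[0-9a-fA-F]+)")
NAT_RE = re.compile(r"^(src-nat|dst-nat|interface-nat) dip id = (\d+), (\S+)->(\S+)$")
SESSION_RE = re.compile(r"^Session \(id:(\d+)\) created")


@dataclass
class Hop:
    """One routing/policy pass the first packet makes through the flow engine (my model)."""
    in_if: str
    out_if: Optional[str] = None
    policy_id: Optional[int] = None
    policy_action: Optional[str] = None
    nat_type: Optional[str] = None
    dip_id: Optional[int] = None
    xlate: Optional[str] = None        # "src/port->src/port" exactly as the device prints it
    session_id: Optional[int] = None


@dataclass
class FlowTrace:
    src: str = ""
    sport: int = 0
    dst: str = ""
    dport: int = 0
    proto: int = 0
    hops: List[Hop] = field(default_factory=list)
    loopback: bool = False
    dropped: bool = False
    drop_reason: str = ""


def parse_flow_trace(text: str) -> FlowTrace:
    trace = FlowTrace()
    hop: Optional[Hop] = None
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    for i, line in enumerate(lines):
        if m := FLOW_RE.match(line):
            trace.src, trace.sport = m.group(2), int(m.group(3))
            trace.dst, trace.dport = m.group(4), int(m.group(5))
            trace.proto = int(m.group(6))
        elif m := ROUTING_RE.match(line):
            hop = Hop(in_if=m.group(1))        # each routing lookup starts a new pass
            trace.hops.append(hop)
        elif "as loop ifp" in line or line == "loopback session processing":
            trace.loopback = True             # the device is hairpinning the packet internally
        elif line == "pak dropped":
            trace.dropped = True
            trace.drop_reason = lines[i - 1]  # the reason is printed on the preceding line
        elif hop is None:
            continue
        elif m := ROUTED_RE.match(line):
            hop.out_if = m.group(3)
        elif m := POLICY_RE.search(line):
            hop.policy_id, hop.policy_action = int(m.group(1)), m.group(3)
        elif m := NAT_RE.match(line):
            hop.nat_type, hop.dip_id = m.group(1), int(m.group(2))
            hop.xlate = f"{m.group(3)}->{m.group(4)}"
        elif m := SESSION_RE.match(line):
            hop.session_id = int(m.group(1))
    return trace


def diagnose(trace: FlowTrace) -> List[str]:
    """Summarise each pass, then flag a loopback session that applies more than one DIP."""
    findings = []
    for n, h in enumerate(trace.hops, 1):
        nat = f"{h.nat_type} dip {h.dip_id} {h.xlate}" if h.dip_id is not None else "no NAT"
        findings.append(f"pass {n}: {h.in_if} -> {h.out_if}, policy {h.policy_id}, {nat}, session {h.session_id}")
    nat_passes = [h for h in trace.hops if h.dip_id is not None]
    if trace.loopback and len(nat_passes) > 1:
        findings.append(f"loopback session chains {len(nat_passes)} DIP translations "
                        f"(policies {', '.join(str(h.policy_id) for h in nat_passes)})")
    if trace.dropped:
        findings.append(f"dropped: {trace.drop_reason}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_flow_trace(SAMPLE_TRACE)):
        print(finding)
```

Run against the post's trace, the summary shows the two passes explicitly: Trust to Untrust under policy 110 with source NAT to the WAN address, then the hairpinned Untrust to DMZ pass under policy 169 with interface NAT, and the device's own reason for the drop. Having both DIP translations side by side is what makes the "multiple DIP in loopback session" message concrete: the internal client is being translated twice on its way to the VIP, once per pass.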