PIX to NS25 VPN & NAT-dst trouble, can help?



  • Hi all

    I have some trouble using the ns25.

    I use the ns25 to set up a VPN with a PIX (another company), and our addresses overlap, so I use NAT-dst as in the NetScreen documents, chapter 5 (maybe 5).

    my inside network 192.168.9.21-----NS25------vpn-------PIX------192.168.89.0

    I use NAT-dst to map 192.168.9.21 to 172.30.0.21, and set tunnel.1 172.30.0.254 on ethernet4 (DMZ).

    But the PIX was changed, so the VPN session could not be created; after they restored it, the session can be created, but they cannot access our server (172.30.0.0/24 ping & telnet).
    I do not know why. I debugged the flow, so can you enlighten me?

    From 192.168.89.63 ping our server 172.30.0.21 (192.168.9.21); I did not find the NAT information.

    BTW: zone 3 is my DMZ (external to ISP) and zone 100 is my inside port on the NetScreen.

    Sorry for poor English.

    ****** 02740.0: <dmz/ethernet4> packet received [112]******
      ipid = 17330(43b2), @c7d74110
      packet passed sanity check.
      ethernet4:aa0.dd.dd.ss/39366->xx.1xx.1xx.xx/48043,50 <Root>existing session found. sess token 30
      flow got session.
      flow session id 24063
      flow_decrypt: 2925b40(3),   flow_decrypt: 2925b40(3)dec vector=7e0304.
      Dec: SPI=99c6bbab, Data=112
      SA tunnel id=0x00000002, flag<00002023>
      SA lifesize_cur left 423622864
    chip info: PIO. Tunnel id 00000002
    ipsec decrypt prepare done
    ipsec decrypt set engine done
    ipsec decrypt engine released, auth check pass!
      packet is decrypted
    ipsec decrypt done
      tunnel.1:192.168.89.63/19200->172.30.0.21/768,1(8/0) <Root>chose interface tunnel.1 as incoming nat if.
      search route to (tunnel.1, 192.168.89.63->172.30.0.21) in vr vr3 for vsd-0/flag-0/ifp-null
      [Dest] 5.route 172.30.0.21->0.0.0.0, to tunnel.1
      routed (172.30.0.21, 0.0.0.0) from tunnel.1 (tunnel.1 in 0) to tunnel.1
      policy search from zone 3-> zone 3
      No SW RPC rule match, search HW rule
      Searching global policy.
      Permitted by policy 320002
      No src xlate   choose interface ethernet4 as outgoing phy if
      no loop on ifp ethernet4.
      session application type 0, name None, nas_id 0, timeout 60sec
      service lookup identified service 0.
      existing vector list 4-2dc54e0.
      Session (id:24060) created for first pak 4
    cache mac in the session
      make_nsp_ready_no_resolve()
      search route to (null, 0.0.0.0->192.168.89.63) in vr vr3 for vsd-0/flag-3000/ifp-tunnel.1
      [Dest] 9.route 192.168.89.63->0.0.0.0, to tunnel.1
      route to 192.168.89.63
      flow got session.
      flow session id 24060
      post addr xlation: 192.168.89.63->172.30.0.21.
      going into tunnel 40000002.
      flow_encrypt: enc vector=7e31d4.
    chip info: PIO. Tunnel id 00000002
    (vn2)  doing ESP encryption and size =64
    ipsec encrypt prepare engine done
    ipsec encrypt set engine done
    ipsec encrypt engine released
      SA lifesize_cur left 423622784
    ipsec encrypt done
      out encryption tunnel 40000002 gw:xx.xx.xx.xx
      no more encapping needed.
      packet send out to 000ab76b9011 through ethernet4



  • Thanks for all the help.
    The trouble was resolved today at noon.

    The reason summary:

    1. unset flow check tcp-rst-…… : this command changed my tunnel.1 state from always ready to down, but the SA was created.

    2. I needed one route in my vr3: 172.30.0.0/24 ethernet2 gw my_l3_switch vlan interface.

    So when the tunnel packet is decrypted, if no MIP or VIP is found, it checks the 172.30.0.0/24 route to decide which zone the packet will be sent to next.
        So the ns25 found the 172.30.0.0/24 next hop on ethernet2 (Engineering zone), and
        applied the policy from the DMZ zone to the Engineering zone: 172.30.0.22 -> NAT-dst -> 192.168.9.22.

    If this route is not added, 172.30.0.22 will be rerouted to tunnel.1.

    BTW: I added this route today at noon, so the problem is resolved. But another question confuses me:

    it is SOURCE ROUTE & SOURCE INTERFACE ROUTE.

    GUI -> NETWORK -> ROUTE -> VIRTUAL ROUTE -> my vr3.
          I selected source route & source interface route, and set
          172.30.0.0 ethernet2 gw my_l3_switch (SR)
          172.30.0.0 tunnel.1 ethernet2 gw my_l3_switch (SIR)

    And as the document mentioned, the priority is SIR > SR > STATIC ROUTE.

    So a packet out of tunnel.1, once decrypted, should search SIR first, SR second, and then the static route. If so, it should find the ethernet2 interface (Engineering zone) so it can hit the NAT-dst policy and make 172.30.0.22 -> 192.168.9.22. But I tested it today; it is no use.

    So who can enlighten me why? Thanks, all Juniper guys 🙂 Thanks all.



  • Thanks very much!!!


  • Engineer

    172.30.0.0/24 will never be routed to the Engineering zone since it is a connected network on your tunnel interface. The way to configure it is to define a MIP on your tunnel interface. You can define a MIP for the whole subnet: #set int tunnel.1 mip 172.30.0.0 host 192.168.9.0/24. Then create your rule with MIP(172.30.0.0/24) as destination. Additionally, you should use a custom zone for your tunnel interface if you do not allow traffic from the VPN to go without restriction to your physical DMZ zone.
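As an added example (not code from this thread or from Juniper), the Python below is a toy model of the lookup the engineer describes: a decrypted packet for 172.30.0.21 hits the connected route for 172.30.0.0/24 on tunnel.1, so the route lookup lands in zone DMZ again (the "zone 3 -> zone 3" policy search in the debug above) and the DMZ-to-Engineering NAT-dst policy is never consulted; a MIP bound to tunnel.1 translates the address before routing, so the real host is found behind ethernet2. The route table, zones and policies are taken from the poster's config; the lookup order (MIP, then destination route, then policy) and the `subnet_mip` model of the subnet MIP command are simplifications assumed for the example.

```python
"""Toy model of the decrypted-packet lookup discussed in this thread.

Added example, not code from the thread or from Juniper. Routes, zones and
policies are copied from the poster's config; the lookup order and the
subnet-MIP semantics are simplifying assumptions.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: str
    interface: str
    kind: str  # C=connected, S=static, H=host, as in 'get route'


# vr3 routing table as pasted in the thread (constructed from the post)
VR3_ROUTES = [
    Route("0.0.0.0/0", "ethernet4", "S"),
    Route("172.30.0.0/24", "tunnel.1", "C"),
    Route("172.16.208.0/24", "ethernet2", "C"),
    Route("192.168.9.0/24", "ethernet2", "S"),
    Route("192.168.89.0/24", "tunnel.1", "S"),
]

# interface -> zone, from 'set interface ... zone' in the config
ZONE_OF_IFACE = {"ethernet4": "DMZ", "tunnel.1": "DMZ", "ethernet2": "Engineering"}

# (from-zone, to-zone, destination) -> translated destination (policies 5 and 6)
NAT_DST_POLICIES = {
    ("DMZ", "Engineering", "172.30.0.21"): "192.168.9.21",
    ("DMZ", "Engineering", "172.30.0.22"): "192.168.9.22",
}


def lookup_route(dst: str) -> Route:
    """Longest-prefix match over VR3_ROUTES (the default route always matches)."""
    addr = IPv4Address(dst)
    best, best_len = None, -1
    for r in VR3_ROUTES:
        net = IPv4Network(r.prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best


def subnet_mip(mapped: str, real: str) -> dict:
    """Address-by-address table for a subnet MIP such as
    'set int tunnel.1 mip 172.30.0.0 host 192.168.9.0/24'.
    Assumed model: host i of the mapped subnet maps to host i of the real one."""
    m, r = IPv4Network(mapped), IPv4Network(real)
    if m.prefixlen != r.prefixlen:
        raise ValueError("MIP subnets must be the same size")
    return {str(m.network_address + i): str(r.network_address + i)
            for i in range(m.num_addresses)}


def forward(in_iface: str, dst: str, mips: dict) -> tuple:
    """Return (egress interface, final destination, mechanism) for a packet
    arriving on in_iface for dst. mips maps interface -> {mapped: real}."""
    # 1. MIP on the ingress interface: translate before routing
    real = mips.get(in_iface, {}).get(dst)
    if real is not None:
        return lookup_route(real).interface, real, "mip"
    # 2. Destination route lookup decides the egress interface and zone
    r = lookup_route(dst)
    from_zone, to_zone = ZONE_OF_IFACE[in_iface], ZONE_OF_IFACE[r.interface]
    # 3. Only a policy between those two zones can apply NAT-dst
    translated = NAT_DST_POLICIES.get((from_zone, to_zone, dst))
    if translated is not None:
        return lookup_route(translated).interface, translated, "nat-dst policy"
    return r.interface, dst, "no translation"


if __name__ == "__main__":
    # Without a MIP: the connected route wins and the packet goes back out tunnel.1
    print(forward("tunnel.1", "172.30.0.21", {}))
    # With the subnet MIP on tunnel.1 the real host is reached via ethernet2
    mip = {"tunnel.1": subnet_mip("172.30.0.0/24", "192.168.9.0/24")}
    print(forward("tunnel.1", "172.30.0.21", mip))
```

Running the block prints the tunnel.1 loop first and the ethernet2 result second; the model deliberately has no source-interface routing, so it only illustrates the MIP answer, not the poster's later SIR experiment.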



  • Here is the extracted config.

    BTW:
    1) Originally the VPN tunnel displayed down, but now the tunnel displays ready, always ready (GUI -> Interface). But the VPN tunnel looks well.
    I read some articles and did as the other articles mentioned:

    unset flow check tcp-rst-…

    So the tunnel interface became down, and the SA was created (looks like my original state).

    1. This time the VPN disconnected because the PIX IKE changed, but they said they already recovered, and the VPN can be created, but NAT-dst cannot be used, so I want to know whether the PIX needs a reboot.

    Does something wrong exist in my config? Thanks very much.

    Who has some suggestions about my config? Thanks very much.

    ns25-> get config

    set vrouter trust-vr sharable
    set vrouter "untrust-vr" default-vrouter
    unset vrouter "trust-vr" auto-route-export
    set vrouter name "vr3" id 1025
    unset vrouter "vr3" auto-route-export

    set zone "Trust" vrouter "trust-vr"
    set zone "Untrust" vrouter "untrust-vr"
    set zone "DMZ" vrouter "vr3"
    set zone "VLAN" vrouter "trust-vr"
    set zone id 100 "Engineering"
    set zone "Engineering" vrouter "vr3"
    set zone "Untrust-Tun" vrouter "trust-vr"
    set zone "Trust" tcp-rst
    set zone "Untrust" block
    unset zone "Untrust" tcp-rst
    set zone "MGT" block
    unset zone "DMZ" tcp-rst
    set zone "DMZ" asymmetric-vpn
    set zone "VLAN" block
    set zone "VLAN" tcp-rst
    unset zone "Engineering" tcp-rst

    set interface ethernet3 phy full 100mb
    set interface "ethernet1" zone "Trust"
    set interface "ethernet2" zone "Engineering"
    set interface "ethernet3" zone "Untrust"
    set interface "ethernet4" zone "DMZ"
    set interface "tunnel.1" zone "DMZ"
    set interface "loopback.1" zone "Trust"
    set interface "loopback.2" zone "Untrust"
    unset interface vlan1 ip

    set interface ethernet2 ip 172.16.208.254/24
    set interface ethernet2 nat

    set interface ethernet4 ip xx.xx.xx.xx/29
    set interface ethernet4 route
    set interface loopback.1 ip 172.16.1.254/24
    set interface loopback.1 route
    set interface loopback.2 ip 172.16.2.254/24
    set interface loopback.2 route
    set interface tunnel.1 ip 172.30.0.254/24
    set interface ethernet2 mtu 1500
    set interface ethernet3 mtu 1500
    set interface ethernet4 mtu 1500
    set interface tunnel.1 mtu 1500
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip

    unset flow tcp-syn-check

    set address "DMZ" "72.5.124.61/32" 72.5.124.61 255.255.255.255
    set address "DMZ" "TPS-Client-Pool1" 192.168.89.0 255.255.255.0 "The clients to access ATOMS1.0"
    set address "Engineering" "172.16.208.100/32" 172.16.208.100 255.255.255.255
    set address "Engineering" "192.168.1.0/24" 192.168.1.0 255.255.255.0
    set address "Engineering" "xx.xxx.x.xx0/32" xx.xx.xx.xx 255.255.255.255
    set address "Engineering" "xx.xx.xx.xx1/32" xx.xx.xx.xx 255.255.255.255
    set address "Engineering" "72.5.124.61/24" 72.5.124.61 255.255.255.0
    set address "Engineering" "72.5.124.61/32" 72.5.124.61 255.255.255.255
    set address "Engineering" "APC-Internal-Address" 192.168.9.0 255.255.255.0
    set address "Engineering" "ATOMS-Dest-MAP" 172.30.0.0 255.255.255.0 " "
    set address "Engineering" "ctdb" 192.168.1.36 255.255.255.255
    set address "Engineering" "ctdev" 192.168.9.21 255.255.255.255
    set address "Engineering" "ctsit" 192.168.9.22 255.255.255.255
    set address "Engineering" "DBHR ATOMS1.0 Subnet" 192.168.9.0 255.255.255.0 "Database, application logs"
    set address "Engineering" "sunflower" 192.168.9.10 255.255.255.255
    set address "Engineering" "VIP-CTDB" 172.30.0.36 255.255.255.255
    set address "Engineering" "VIP-CTDEV" 172.30.0.21 255.255.255.255
    set address "Engineering" "VIP-CTSIT" 172.30.0.22 255.255.255.255
    set address "Engineering" "VIP-Sunflower" 172.30.0.10 255.255.255.255

    set url protocol sc-cpa
    exit
    set policy id 10 name "bhr-tps-test" from "Engineering" to "DMZ"  "APC-Internal-Address" "TPS-Client-Pool1" "ANY" nat src dip-id 4 permit log
    set policy id 10
    exit
    set policy id 9 name "iNet-Nscr" from "Engineering" to "DMZ"  "192.168.1.0/24" "Any" "Emule-TCP/IP" nat src dip-id 5 permit log no-session-backup url-filter traffic gbw 0 priority 2
    set policy id 9
    set service "FTP"
    set service "HTTP"
    set service "HTTPS"
    set service "ICMP Address Mask"
    set service "ICMP Dest Unreachable"
    set service "ICMP Fragment Needed"
    set service "ICMP Fragment Reassembly"
    set service "ICMP Host Unreachable"
    set service "ICMP Parameter Problem"
    set service "ICMP Port Unreachable"
    set service "ICMP Protocol Unreach"
    set service "ICMP Redirect"
    set service "ICMP Redirect Host"
    set service "ICMP Redirect TOS & Host"
    set service "ICMP Redirect TOS & Net"
    set service "ICMP Source Quench"
    set service "ICMP Source Route Fail"
    set service "ICMP Time Exceeded"
    set service "ICMP-ANY"
    set service "ICMP-INFO"
    exit

    set policy id 4 from "DMZ" to "Engineering"  "TPS-Client-Pool1" "VIP-Sunflower" "ICMP-ANY" nat dst ip 192.168.9.10 permit log no-session-backup
    set policy id 4
    set service "SSH"
    set service "TELNET"
    set service "X-WINDOWS"
    exit
    set policy id 5 from "DMZ" to "Engineering"  "TPS-Client-Pool1" "VIP-CTDEV" "ICMP-ANY" nat dst ip 192.168.9.21 permit log
    set policy id 5
    set service "SSH"
    set service "TELNET"
    set service "X-WINDOWS"
    exit
    set policy id 6 from "DMZ" to "Engineering"  "TPS-Client-Pool1" "VIP-CTSIT" "ICMP-ANY" nat dst ip 192.168.9.22 permit log
    set policy id 6
    set service "TELNET"
    set service "TPS-VIPCTSIT-1"
    set service "TPS-VIPCTSIT-2"
    exit

    set policy id 13 from "Engineering" to "DMZ"  "172.16.208.100/32" "Any" "ANY" permit log
    set policy id 13
    exit

    set vpn "DBHR-TPS-ATOMS-VPN" proxy-id local-ip 172.30.0.0/24 remote-ip 192.168.89.0/24 "ANY"

    set ssh version v2
    set ssh enable
    set config lock timeout 5
    set dl-buf size 4718592

    set vrouter "untrust-vr"
    unset nsrp-config-sync
    set route  0.0.0.0/0 gateway 172.16.206.1
    set route a.b.1.0/24 vrouter "trust-vr" preference 20
    set route a.b.10.0/24 vrouter "trust-vr" preference 20
    exit
    set vrouter "trust-vr"
    unset add-default-route
    set route  a.b.1.0/24 interface ethernet1 gateway 172.16.205.1
    set route  a.b.10.0/24 gateway 172.16.205.1
    set route 0.0.0.0/0 vrouter "untrust-vr" preference 20
    exit
    set vrouter "vr3"
    unset nsrp-config-sync
    set route  192.168.1.0/24 interface ethernet2 gateway 172.16.208.1 preference 20
    set route  0.0.0.0/0 interface ethernet4 preference 20
    set route  192.168.9.0/24 interface ethernet2 gateway 172.16.208.1 preference 20
    set route  192.168.89.0/24 interface tunnel.1 preference 20
    set route source in-interface tunnel.1 172.30.0.0/24 interface ethernet2 gateway 172.16.208.1 preference 20
    set route source 172.30.0.0/24 interface ethernet2 gateway 172.16.208.1 preference 20
    exit
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit
    set vrouter "vr3"
    exit
    ns25->



  • Who can enlighten me? Three days I have tried N times, still wrong. :?



  • Yeah, I suspect this as you said, 172.30.0.0 -> 0.0.0.0 tunnel. 🙂

    My company wants to create a VPN with another company, but the addresses overlap. Because most information comes from that company, we implement the NAT function to facilitate access to our server, so it is single-direction.

    Our ns25 has four ports; we use port 2 as the inside port (not Trust), zone 100, NAT selected, and port 4 as the external port, named DMZ, zone 3, route selected. They are all in vr3.

    We created tunnel.1 and assigned 172.30.0.254. Our test machine is 192.168.9.21.

    The topology:

    192.168.9.21----L3switch----ns25 port2--------ns25 port4------------------another company.

    If packets come from the other company (they ping 172.30.0.21 from 192.168.89.0/24), they go through the tunnel. After the packet is decrypted, 172.30.0.21 will be mapped to 192.168.9.21 with NAT-dst.

    1) zones
       ID Name              Type    Attr    VR          Default-IF  VSYS
        3 DMZ               Sec(L3)         vr3         ethernet4   Root
      100 Engineering       Sec(L3)         vr3         ethernet2   Root

    2) route on vr3
          ID          IP-Prefix      Interface        Gateway  P Pref    Mtr
      *  10          0.0.0.0/0          eth4        0.0.0.0  S  20      1
      *  6    172.30.0.254/32          tun.1        0.0.0.0  H    0      0
      *  5      172.30.0.0/24          tun.1        0.0.0.0  C    0      0
      *  4  xxx.xx.xx.xx/32          eth4        0.0.0.0  H    0      0  --------->to ISP
      *  3  xxx.xx.xx.xx/29          eth4        0.0.0.0  C    0      0  --------->to ISP public subnet
      *  2  172.16.208.254/32          eth2        0.0.0.0  H    0      0  --------> connect to L3switch
      *  1    172.16.208.0/24          eth2        0.0.0.0  C    0      0
      *  7    192.168.1.0/24          eth2    172.16.208.1  S  20      1
      *  8    192.168.9.0/24          eth2    172.16.208.1  S  20      1  -------->my test host subnet
      *  9    192.168.89.0/24          tun.1        0.0.0.0  S  20      1  ------>other company subnet

    set policy id 5 from "DMZ" to "Engineering"  "TPS-Client-Pool1" "VIP-CTDEV" "ICMP-ANY" nat dst ip 192.168.9.21 permit log
    set policy id 5
    set service "TELNET"

    --------------->VIP-CTDEV is 172.30.0.21 and NAT-dst to 192.168.9.21

    1. My L3switch has VLAN interfaces 192.169.9.254 & 172.16.208.1, so routing is correct.

    2. The L3switch forces 192.168.9.0/24 to 192.168.89.0 (the other company) to route to NS25 port 2.

    So how can I troubleshoot this, and how should I test it? Thanks for enlightening me.
    Thanks much.


  • Engineer

    Your packet is re-routed to your tunnel interface instead of being routed in your internal network.
    Can you give more precision about how you implement bidirectional NAT?


 
