Policy-based destination NAT like a VIP
I have a public subnet. What I would like to do is use one public IP address for NATting multiple (different, of course) services to different private IP addresses in the trust zone, like a VIP does. But all outbound traffic to the untrust zone must share that same public IP (with a DIP). I really cannot understand why you can’t use a DIP and a VIP on the same public IP. This would be the easiest way, I thought, but it is forbidden by design…. Why?
The problem with policy-based destination NAT is that you have to create a static route from the public IP to the private IP. Layer 3 doesn’t care about services, so there I have my problem.
I think I can solve it with policy-based routing, but that would be far too complicated in my opinion. Could someone tell me if this is the only way (before I waste a lot of time)? Hopefully someone has a better suggestion. I can’t be the first with this problem…
Yes, I used 2 virtual routers, one for each internet link, so there are 2 default routes.
Is the def. gw set by DHCP? If it is, you are also facing a problem with the def. route, I’m afraid (preference is set to zero).
Yes, both links are xDSL using PPPoE.
Hmmm… Too weird. I’ve now seen a config with multiple VIPs on one interface. If I try to configure a VIP on a second interface with a unique IP I get the error “VIP same-as-untrust exist. Can’t add more VIPs”. I conclude that you can only have multiple VIPs on ONE interface and only in the UNTRUST zone.
So that got you, sorin, kind of stuck…
You need to get at least one routed subnet from one of your ISPs. I have such a setup running. The routed subnet is doing policy-based NAT. The single IP has a VIP.
Just curious: are they both xDSL links which need DHCP to connect gracefully?
I have a Y-like network, one SSG140 cluster connected to two ISPs. I want to access the internal mail server using both ISP public IPs at the same time.
I only have one IP per ISP link and I can only create one VIP. I can’t use MIPs because I have only one IP per interface.
Thanks a lot Martijn.
I will try to get my hands on an SSG140 for experimenting purposes also.
I’ve got a new job at a Dutch telco with a couple of Junipers. They want to switch to policy-based. I’m going to do some experiments this month. I will let you know if I find something useful. I don’t expect any input from the forum after this long time…
Can you guys help with this policy nat-dst issue please?
Arg… Spent some time reconfiguring MIP-based NAT on an NS25 to policy-based NAT on an SSG140 and found out the hard way that you can’t connect to other policy-based NATs on the same device. With a MIP you can ping your own external IP, with a policy-based NAT you can’t… This really sucks (in case this is true!).
For example: I have a mail server on a specific public IP. This must be reachable on this public IP from other servers behind this firewall in a different zone. Split DNS of course sucks big time!
- I can’t imagine an intrazone policy which can fix this… though?
- I’m depending heavily on MIPs, I’m afraid… I’ve read that this was the old-school shit and may be deprecated in the future. I hope not before policy-based NAT has the same functionality…
I also found out that you can only use one VIP… Weird…
Glad to see you’re on track.
Anytime (if I’m reading the forum ;))
I had already removed the PBR… In fact I have removed everything and started with factory defaults. And guess what? It works. I need to have this thing working this week, so I don’t have the time to analyse this case much more…
This noon I tried to change it for production. The only problem was that I couldn’t remove my self-created default route… (?).
TAG-AMS-FWL01(trust-vr)-> unset route 0.0.0.0/0
Error: Route IP (0.0.0.0) mask (0.0.0.0) interface (ethernet0/0) is a connected
route. Can’t be deleted.
total routes deleted = 0
I think it depends on the policies. Things you can’t imagine upfront.
Anyway, you helped me out very much!!
I’m starting to think that maybe some of the PBR is involved. However, I’ve not analyzed the PBR table (lazy). Does your SSG5 also have those PBR entries?
The command “get route ip xxx.xxx.xxx.140” should point to e0/0.
But we know now that that’s the route that it fails to find.
What happens when, instead of pointing xxx.xxx.xxx.140 to the e0/4 interface, you point it to e0/0?
I’m not sure how the PBR is involved in this, but I guess it is.
It’s a nice case though.
Took out a brand new SSG5 and it works like a charm… What setting did I do wrong on the SSG20?
If I add a route to my internal IP, the flow shows that there is no policy, which is logical because I have an intra-zone policy on the untrust zone…. Weird…
Okay… I think that there isn’t much more info:
(.70 is the originating host, .140 nat-dst, .137 def.gw. The SSG20 itself has .142)
****** 60212.0: <Untrust/ethernet0/0> packet received ******
ipid = 44248(acd8), @02a40a90
packet passed sanity check.
ethernet0/0:xx.xx.xx.70/32926->xxx.xxx.xxx.140/3389,6 <Root>no session found
flow_first_sanity_check: in <ethernet0/0>, out <N/A>
[ Dest] 5.route xx.xx.xx.70->xxx.xxx.xxx.137, to ethernet0/0
chose interface ethernet0/0 as incoming nat if.
flow_first_routing: in <ethernet0/0>, out <N/A>
search route to (ethernet0/0, xx.xx.xx.70->xxx.xxx.xxx.140) in vr trust-vr for vsd-0/flag-0/ifp-null
no route to (xx.xx.xx.70->xxx.xxx.xxx.140) in vr trust-vr/0
packet dropped, no route
* 5 0.0.0.0/0 eth0/0 xxx.xxx.xxx.137 SP 20 1 Root
* 2 xxx.xxx.xxx.142/32 eth0/0 0.0.0.0 H 0 0 Root
* 1 xxx.xxx.xxx.136/29 eth0/0 0.0.0.0 C 0 0 Root
* 4 192.168.233.252/32 eth0/4 0.0.0.0 H 0 0 Root
* 3 192.168.233.0/24 eth0/4 0.0.0.0 C 0 0 Root
Hope you can help….
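As an added triage helper that is not part of the thread, this Python script parses the per-packet header line of the debug flow basic output and the get route rows posted above, then sets the firewall's "no route" verdict beside a plain longest-prefix match over the same table; the masked addresses are replaced by constructed TEST-NET values. Over this table the plain match does find a covering route, the connected /29 on ethernet0/0, which is also the interface the packet arrived on, so the result flags that disagreement rather than explaining it.

```python
import ipaddress
import re

# Constructed sample shaped like the "get route" rows above; public octets use 203.0.113.0/24 (TEST-NET-3).
ROUTE_TABLE = """\
* 5 0.0.0.0/0 eth0/0 203.0.113.137 SP 20 1 Root
* 2 203.0.113.142/32 eth0/0 0.0.0.0 H 0 0 Root
* 1 203.0.113.136/29 eth0/0 0.0.0.0 C 0 0 Root
* 4 192.168.233.252/32 eth0/4 0.0.0.0 H 0 0 Root
* 3 192.168.233.0/24 eth0/4 0.0.0.0 C 0 0 Root
"""
# Constructed lines shaped like the "debug flow basic" output above (source is a TEST-NET-2 host).
DEBUG_FLOW = """\
ethernet0/0:198.51.100.70/32926->203.0.113.140/3389,6 <Root>no session found
flow_first_routing: in <ethernet0/0>, out <N/A>search route to (ethernet0/0, 198.51.100.70->203.0.113.140) in vr trust-vr for vsd-0/flag-0/ifp-null
no route to (198.51.100.70->203.0.113.140) in vr trust-vr/0
packet dropped, no route
"""
# "<ifp>:<src>/<sport>-><dst>/<dport>,<proto>" is the per-packet header line in debug flow basic
FIRST_PKT = re.compile(r"^(\S+?):([\d.]+)/(\d+)->([\d.]+)/(\d+),(\d+)")

def parse_routes(text):
    """Rows are: flag id prefix interface gateway proto pref metric vsys."""
    routes = []
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) >= 9 and parts[0] == "*":
            routes.append({"net": ipaddress.ip_network(parts[2]), "iface": parts[3],
                           "gw": parts[4], "proto": parts[5]})
    return routes

def longest_match(routes, dst):
    """Plain longest-prefix match; it knows nothing about interface state or per-interface options."""
    ip = ipaddress.ip_address(dst)
    hits = [r for r in routes if ip in r["net"]]
    return max(hits, key=lambda r: r["net"].prefixlen) if hits else None

def triage(debug_text, route_text):
    """Pull the pre-NAT 5-tuple out of the debug and set the firewall's verdict beside a plain LPM.
    'get route' prints eth0/0 where debug flow prints ethernet0/0, hence the rename before comparing."""
    pkt = next(m for m in map(FIRST_PKT.match, debug_text.splitlines()) if m)
    in_if, dst = pkt.group(1), pkt.group(4)
    best = longest_match(parse_routes(route_text), dst)
    fw_no_route = any(ln.startswith("no route to") for ln in debug_text.splitlines())
    return {
        "in_if": in_if, "dst": dst, "dport": int(pkt.group(5)), "proto": int(pkt.group(6)),
        "fw_no_route": fw_no_route, "lpm_prefix": str(best["net"]) if best else None,
        "lpm_iface": best["iface"] if best else None, "lpm_proto": best["proto"] if best else None,
        "lpm_exits_arrival_if": best is not None and best["iface"] == in_if.replace("ethernet", "eth", 1),
        "table_disagrees_with_fw": fw_no_route and best is not None,
    }
```

Call triage(DEBUG_FLOW, ROUTE_TABLE) to see the dictionary; the same functions accept a real get route dump and debug capture pasted in as strings.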
Cool! I couldn’t make anything of the very long “debug flow basic”. Flow filters were what I was looking for. I will try this in the morning.
This nat-dst is hopefully going to solve a lot of my problems. As you can see I was busy with PBR, but only being able to perform it on TCP/UDP really sucks when it comes to RTP, GRE and such. My goal is to split traffic across 2 or maybe 3 internet connections with redundancy. As far as inbound traffic from the internet goes, I think I can create the same nat-dst policies on both lines. For outbound traffic to the internet I think I can create a second default route with a higher preference… Wishful thinking?? Would be too easy.
Many thanks so far!!
All right, seen it, so you could edit it (the post above :) and take the config out again.
It all looks right, the ‘no route’ is strange because, besides it being a connected network, you have a default route and you are (now?) using 1 virtual router.
Unless that interface was not up during the test.
I assume the nat-XXXXX is indeed the pre-NAT address, so that’s looking all right.
Do another debug using:
set ff st-port 3389
get ff -> output should only show the ff just created.
debug flow basic
[test the traffic] get db stream (as you know)
follow the ‘decision flow’
You seem to be doing everything right; I cannot find any fault just now.
We’ll get to the bottom though…
I removed some info, but this should do it:
set clock ntp
set clock timezone 1
set vrouter trust-vr sharable
set vrouter "untrust-vr"
set vrouter "trust-vr"
set service "RDP" protocol tcp src-port 0-65535 dst-port 3389-3389
set service "RADMIN" protocol tcp src-port 0-65535 dst-port 4899-4899
set service "PRINTING" protocol tcp src-port 0-65535 dst-port 9100-9100
set service "PRINTING" + udp src-port 0-65535 dst-port 9100-9100
set service "BARRACUDA-SPAMTAG" protocol tcp src-port 0-65535 dst-port 8000-8000
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin manager-ip 192.168.1.0 255.255.255.0
set admin manager-ip 192.168.233.0 255.255.255.0
set admin http redirect
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" block
set zone "Trust" tcp-rst
set zone "Trust" reassembly-for-alg
set zone "Untrust" block
set zone "Untrust" tcp-rst
set zone "Untrust" reassembly-for-alg
set zone "DMZ" block
set zone "DMZ" tcp-rst
set zone "DMZ" reassembly-for-alg
set zone "VLAN" block
unset zone "VLAN" tcp-rst
set zone "Untrust" screen alarm-without-drop
set zone "Untrust" screen icmp-flood
set zone "Untrust" screen udp-flood
set zone "Untrust" screen winnuke
set zone "Untrust" screen port-scan
set zone "Untrust" screen ip-sweep
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ip-spoofing
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "Untrust" screen syn-frag
set zone "Untrust" screen tcp-no-flag
set zone "Untrust" screen unknown-protocol
set zone "Untrust" screen ip-bad-option
set zone "Untrust" screen ip-record-route
set zone "Untrust" screen ip-timestamp-opt
set zone "Untrust" screen ip-security-opt
set zone "Untrust" screen ip-loose-src-route
set zone "Untrust" screen ip-strict-src-route
set zone "Untrust" screen ip-stream-opt
set zone "Untrust" screen icmp-fragment
set zone "Untrust" screen icmp-large
set zone "Untrust" screen syn-fin
set zone "Untrust" screen fin-no-ack
set zone "Untrust" screen syn-ack-ack-proxy
set zone "Untrust" screen icmp-id
set zone "Untrust" screen ip-spoofing drop-no-rpf-route
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set zone "Untrust" screen syn-flood timeout 7
set zone "Untrust" screen syn-flood alarm-threshold 1024
set zone "Untrust" screen syn-flood queue-size 1024
set zone "Untrust" screen syn-flood attack-threshold 800
set zone "Untrust" screen syn-flood source-threshold 1024
set zone "Untrust" screen syn-flood destination-threshold 2148
set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/1" zone "Untrust"
set interface "ethernet0/2" zone "Untrust"
set interface "ethernet0/4" zone "Trust"
set interface "bgroup0" zone "Trust"
unset interface vlan1 ip
set interface ethernet0/0 ip xxx.xxx.xxx.xxx/29
set interface ethernet0/0 route
set interface ethernet0/4 ip 192.168.233.252/24
set interface ethernet0/4 nat
set interface ethernet0/0 bandwidth egress mbw 1900 ingress mbw 1900
set interface "ethernet0/0" pmtu ipv4
set interface "ethernet0/1" pmtu ipv4
set interface "ethernet0/4" pmtu ipv4
set interface "bgroup0" pmtu ipv4
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
set interface ethernet0/4 ip manageable
set interface ethernet0/0 manage ping
set interface ethernet0/0 manage ssh
set interface ethernet0/0 manage ssl
set interface ethernet0/0 manage web
set interface ethernet0/0 manage ident-reset
set interface ethernet0/1 manage ping
set interface ethernet0/1 manage ssh
set interface ethernet0/1 manage ssl
set interface ethernet0/1 manage web
set interface ethernet0/1 manage ident-reset
set interface ethernet0/4 manage ident-reset
set interface ethernet0/4 manage mtrace
set interface bgroup0 manage ident-reset
set interface bgroup0 manage mtrace
set interface ethernet0/1 dhcp client enable
unset interface ethernet0/1 dhcp client settings update-dhcpserver
set interface ethernet0/0 dip 4 xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx fix-port
set interface "serial0/0" modem settings "USR" init "AT&F"
set interface "serial0/0" modem settings "USR" active
set interface "serial0/0" modem speed 115200
set interface "serial0/0" modem retry 3
set interface "serial0/0" modem interval 10
set interface "serial0/0" modem idle-time 10
set interface ethernet0/0 route-deny
set pak-poll p1queue pak-threshold 96
set pak-poll p2queue pak-threshold 32
set flow tcp-mss 1455
set flow tcp-syn-check
set flow aging low-watermark 70
set flow aging high-watermark 80
set flow aging early-ageout 3
set flow syn-proxy syn-cookie
set domain xxxxxx.nl
set hostname XXXXXXXXXXXX
set dns host dns1 184.108.40.206
set dns host dns2 0.0.0.0
set dns host dns3 0.0.0.0
set dns host schedule 06:28
set address "Trust" "Martijn-laptop" 192.168.233.114 255.255.255.255
set address "Untrust" "nat-XXX.XXX.XXX.XXX" XXX.XXX.XXX.XXX 255.255.255.255
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set arp nat-dst
set traffic-shaping dscp-class-selector
set traffic-shaping mode on
set url protocol websense
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "BARRACUDA-SPAMTAG" nat src dip-id 4 permit
set policy id 1
set service "GRE"
set service "HTTP"
set service "HTTPS"
set service "PING"
set service "PPTP"
set service "RDP"
set service "SSH"
set policy id 2 from "Untrust" to "Untrust" "Any" "nat-XXX.XXX.XXX.XXX" "RDP" nat dst ip 192.168.233.114 permit
set policy id 2
set monitor cpu 100
set global-pro policy-manager primary outgoing-interface ethernet0/0
set global-pro policy-manager secondary outgoing-interface ethernet0/0
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set ssh enable
set scp enable
set config lock timeout 5
set ntp server "220.127.116.11"
set ntp server backup1 "0.0.0.0"
set ntp server backup2 "0.0.0.0"
set ntp interval 1440
set ntp max-adjustment 5
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
set vrouter "trust-vr"
set source-routing enable
set sibr-routing enable
set route 0.0.0.0/0 interface ethernet0/0 gateway XXX.XXX.XXX.XXX preference 20 permanent
set access-list extended 10 src-ip 192.168.4.0/24 dst-ip 0.0.0.0/0 src-port 1-65535 dst-port 80-80 protocol tcp entry 1
set access-list extended 10 src-ip 192.168.4.0/24 dst-ip 0.0.0.0/0 src-port 1-65535 dst-port 443-443 protocol tcp entry 2
set access-list extended 10 src-ip 192.168.4.0/24 dst-ip 0.0.0.0/0 src-port 1-65535 dst-port 21-21 protocol tcp entry 3
set access-list extended 10 src-ip 192.168.4.0/24 dst-ip 0.0.0.0/0 src-port 1-65535 dst-port 4899-4899 protocol tcp entry 4
set access-list extended 10 src-ip 192.168.4.0/24 dst-ip 0.0.0.0/0 src-port 1-65535 dst-port 110-110 protocol tcp entry 5
set access-list extended 10 src-ip 192.168.4.0/24 dst-ip 0.0.0.0/0 src-port 1-65535 dst-port 22-22 protocol tcp entry 6
set access-list extended 20 src-ip 192.168.4.0/24 dst-ip 0.0.0.0/0 src-port 1-65535 dst-port 3389-3389 protocol tcp entry 2
set access-list extended 20 src-ip 192.168.4.0/24 dst-ip 0.0.0.0/0 src-port 1-65535 dst-port 1723-1723 protocol tcp entry 3
set access-list extended 20 src-ip 192.168.4.0/24 dst-ip 0.0.0.0/0 src-port 1-65535 dst-port 25-25 protocol tcp entry 4
set access-list extended 20 src-ip 192.168.4.0/24 dst-ip 0.0.0.0/0 src-port 1-65535 dst-port 5060-5060 protocol any entry 5
set match-group name SDSL_router
set match-group name ADSL_router
set action-group name action_SDSL
set action-group action_SDSL next-interface ethernet0/0 next-hop XXX.XXX.XXX.XXX action-entry 2
set action-group name action_ADSL
set action-group action_ADSL next-interface ethernet0/1 next-hop XXX.XXX.XXX.XXX action-entry 1
set pbr policy name redirect-policy
set pbr policy redirect-policy match-group ADSL_router action-group action_ADSL 1
set pbr policy redirect-policy match-group SDSL_router action-group action_SDSL 2
set vrouter "untrust-vr"
set vrouter "trust-vr"
Yes, but I’m afraid we’ll need some more details, i.e. on exactly what destination is being dropped.
If posting the config is an issue, maybe the output of:
- a debug flow basic
- the policy that’s being hit (so the nat-dst policy)
- if plausible, the ‘get route’ output.