Policy based destination nat like a VIP



  • I have a public subnet. What I would like to do is use one public IP address for NATting multiple (different, of course) services to different private IP addresses in the trust zone, like a VIP does. But all outbound traffic to the untrust zone must share that same public IP (with a DIP). I really can not understand why you can’t use a DIP and a VIP on the same public IP. This would be the easiest way, I thought, but it is forbidden by design… Why?

    The problem with policy based destination NAT is that you have to create a static route from the public IP to the private IP. Layer 3 doesn’t care about services, so there I have my problem.

    I think I can solve it with policy based routing, but that would be far too complicated in my opinion. Could someone tell me if this is the only way (before I waste a lot of time)? Hopefully someone has a better suggestion. I can’t be the first with this problem…

    TIA,

    Martijn



  • Yes, I used 2 virtual routers, one for each internet link so there are 2 default routes.



  • Is the def. gw set by DHCP? If it is, you are also facing a problem with the def. route, I’m afraid (preference is set to zero).



  • Yes, both links are xDSL using PPPoE.



  • Hmmm… Too weird. I’ve now seen a config with multiple VIPs on one interface. If I try to configure a VIP on a second interface with a unique IP I get the error “VIP same-as-untrust exist. Can’t add more VIPs”. I conclude that you can only have multiple VIPs on ONE interface and only in the UNTRUST zone.

    So that got you, Sorin, kind of stuck…

    You need to get at least one routed subnet from one of your ISPs. I have such a setup running. The routed subnet is doing policy-based NAT. The single IP has a VIP.

    Just curious: are they both xDSL links which need DHCP to connect gracefully?

    Cheers



  • Up please

    I have a Y-like network: one SSG140 cluster connected to two ISPs. I want to access the internal mail server using both ISPs’ public IPs at the same time.

    I only have one IP per ISP link and I can only create one VIP. I can’t use MIPs because I have only one IP per interface.

    Please help

    Best Regards



  • Thanks a lot Martijn.

    I will try to get my hands on a SSG140 for experimenting purposes also. 🙂

    Cheers,

    Sorin



  • I’ve got a new job at a Dutch telco with a couple of Junipers. They want to switch to policy based. I’m going to do some experiments this month. I’ll let you know if I find something useful. I don’t expect any input from the forum after this long time…

    Cheers,

    Martijn



  • Hello,

    UP PLEASE!

    Can you guys help with this policy NAT-dst issue, please?

    Thank you

    Best Regards



  • Arg… Spent some time on reconfiguring MIP based NAT on a NS25 to a policy based NAT on a SSG140 and found out the hard way that you can’t connect to other policy based NATs on the same device. With a MIP you can ping your own external IP, with a policy based NAT not… This really sucks (in case this is true!).

    For example: I have a mail server on a specific public IP. This must be reachable on this public IP from other servers behind this firewall from a different zone. Split DNS sucks, of course, big time!

    • I can’t imagine an intra-zone policy which can fix this… though?
    • I’m depending heavily on MIPs, I’m afraid… I’ve read that this was the oldskool shit and may be deprecated in the future. I hope not before policy based NAT has the same functionality…

    I also found out that you can only use one VIP… Weird…

    Cheers,

    Martijn



  • Well,

    Glad to see you’re on track.

    Anytime (if i’m reading the forum ;))

    Cheers,

    MartijnT



  • I had already removed the PBR… In fact I have removed everything and started with factory default. And guess what? It works 🙂 I need to have this thing working this week, so I don’t have the time to analyse this case much more…

    This noon I tried to change it for production. The only problem was that I couldn’t remove my self-created default route… (?).

    TAG-AMS-FWL01(trust-vr)-> unset route 0.0.0.0/0
    Error: Route IP (0.0.0.0) mask (0.0.0.0) interface (ethernet0/0) is a connected
    route. Can’t be deleted.
    total routes deleted = 0

    I think it depends on the policies. Things you can’t imagine upfront.

    Anyway, you helped me out very much!!

    Thanks again!

    Martijn



  • I’m starting to think that maybe some of the PBR is involved. However, I’ve not analyzed the PBR table (lazy). Does your SSG5 also have those PBR entries?

    the command “get route ip xxx.xxx.xxx.140” should point to e0/0

    But we know now that that’s the route that it fails to find.

    What happens when, instead of pointing xxx.xxx.xxx.140 to the e0/4 interface, you point it to e0/0?

    I’m not sure how the PBR is involved in this but i guess it is.

    It’s a nice case though 😉



  • Took out a brand new SSG5 and it works like a charm… What setting did I do wrong on the SSG20? 🙂



  • If I add a route to my internal ip the flow shows that there is no policy, which is logical because I have an intra-zone policy on the untrust zone…. Weird…



  • Okay… I think that there isn’t much more info:

    (.70 is the originating host, .140 nat-dst, .137 def.gw. The SSG20 itself has .142)

    ****** 60212.0: <untrust/ethernet0/0> packet received [60]******
      ipid = 44248(acd8), @02a40a90
      packet passed sanity check.
      ethernet0/0:xx.xx.xx.70/32926->xxx.xxx.xxx.140/3389,6 <Root>no session found
      flow_first_sanity_check: in <ethernet0/0>, out <N/A>
      [ Dest] 5.route xx.xx.xx.70->xxx.xxx.xxx.137, to ethernet0/0
      chose interface ethernet0/0 as incoming nat if.
      flow_first_routing: in <ethernet0/0>, out <N/A>
      search route to (ethernet0/0, xx.xx.xx.70->xxx.xxx.xxx.140) in vr trust-vr for vsd-0/flag-0/ifp-null
    no route to (xx.xx.xx.70->xxx.xxx.xxx.140) in vr trust-vr/0
      packet dropped, no route

    Routing table:

    *  5          0.0.0.0/0        eth0/0 xxx.xxx.xxx.137  SP  20      1    Root
    *  2 xxx.xxx.xxx.142/32        eth0/0        0.0.0.0  H    0      0    Root
    *  1 xxx.xxx.xxx.136/29        eth0/0        0.0.0.0  C    0      0    Root
    *  4 192.168.233.252/32        eth0/4        0.0.0.0  H    0      0    Root
    *  3  192.168.233.0/24        eth0/4        0.0.0.0  C    0      0    Root

    Hope you can help….

    Martijn



  • Cool! I couldn’t make something of the very long “debug flow basic”. Flow filters were what I was looking for 🙂 I will try this in the morning.

    This nat-dst is hopefully going to solve a lot of my problems. As you can see I was busy with PBR, but only being able to perform it on TCP/UDP really sucks when it comes to RTP, GRE and such. My goal is to split traffic across 2 or maybe 3 internet connections with redundancy. As far as inbound traffic from the internet goes, I think I can create the same nat-dst policies on both lines. For outbound traffic to the internet I think I can create a second default route with a higher preference… Wishful thinking?? Would be too easy 😉

    Much thanks so far!!



  • All right, seen it, so you could edit it (the post above :)) and take the config out again.

    It all looks right. The ‘no route’ is strange because, besides it being a connected network, you have a default route and you are (now?) using 1 virtual router.
    Unless that interface was not up during the test.

    I assume the nat-XXXXX is indeed the pre-NAT address, so that’s looking all right.

    do another debug using :

    undebug all
    clear db
    set ff st-port 3389
    get ff -> output should only show the ff just created.
    debug flow basic
    <test the traffic>
    get db stream (as you know 😉)

    follow the ‘decision flow’

    You seem to be doing everything right, i cannot find any fault just now.

    We’ll get to the bottom though…
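    Reading a full “debug flow basic” trace and a “get route” table by eye is error-prone, so here is an added Python example (not from the thread and not Juniper code) that parses the trace and the table posted earlier in this thread, performs the longest-prefix match the flow_first_routing step is expected to do, and flags the discrepancy that post shows: a connected /29 covers the destination, yet the engine reports “no route”. The masked xxx octets are replaced with RFC 5737 documentation addresses, which is an assumption.

```python
import ipaddress
import re

# Constructed, abridged copy of the thread's debug flow basic trace; masked xxx octets replaced by RFC 5737 addresses (assumption)
DEBUG_FLOW = """\
****** 60212.0: <untrust/ethernet0/0> packet received [60]******
  ethernet0/0:198.51.100.70/32926->203.0.113.140/3389,6 <Root>no session found
  flow_first_sanity_check: in <ethernet0/0>, out <N/A>
  flow_first_routing: in <ethernet0/0>, out <N/A>
no route to (198.51.100.70->203.0.113.140) in vr trust-vr/0
  packet dropped, no route
"""

# The routing table from the same post, with the same address substitution
ROUTE_TABLE = """\
*  5          0.0.0.0/0        eth0/0  203.0.113.137  SP  20      1    Root
*  2   203.0.113.142/32        eth0/0        0.0.0.0  H    0      0    Root
*  1   203.0.113.136/29        eth0/0        0.0.0.0  C    0      0    Root
*  4  192.168.233.252/32        eth0/4        0.0.0.0  H    0      0    Root
*  3    192.168.233.0/24        eth0/4        0.0.0.0  C    0      0    Root
"""

# in_if:src/sport->dst/dport,proto as printed by the flow engine
FLOW_RE = re.compile(r"(\S+):(\d+(?:\.\d+){3})/(\d+)->(\d+(?:\.\d+){3})/(\d+),(\d+)")

def parse_flow(text):
    """Return the 5-tuple and the final verdict line of one debug flow basic trace."""
    m = FLOW_RE.search(text)
    if not m:
        raise ValueError("no flow line found")
    verdict = next((l.strip() for l in text.splitlines() if "packet dropped" in l), "forwarded")
    return {"in_if": m.group(1), "src": m.group(2), "sport": int(m.group(3)),
            "dst": m.group(4), "dport": int(m.group(5)), "proto": int(m.group(6)),
            "verdict": verdict}

def parse_routes(text):
    """Parse 'get route' rows into (network, interface, gateway, flags) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 6 and parts[0] == "*":
            routes.append((ipaddress.ip_network(parts[2]), parts[3], parts[4], parts[5]))
    return routes

def lookup(routes, dst):
    """Longest-prefix match: the route flow_first_routing should have found for dst."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None

def explain(flow_text, route_text):
    """True when the engine said 'no route' although the table holds a matching route."""
    flow = parse_flow(flow_text)
    best = lookup(parse_routes(route_text), flow["dst"])
    return flow["verdict"].endswith("no route") and best is not None
```

    When explain() returns True the drop is not explained by the routing table itself, which points the investigation at the virtual-router and policy state rather than at a missing route.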



  • I removed some info, but this should do it:

    set clock ntp
    set clock timezone 1
    set vrouter trust-vr sharable
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset auto-route-export
    exit
    set service "RDP" protocol tcp src-port 0-65535 dst-port 3389-3389
    set service "RADMIN" protocol tcp src-port 0-65535 dst-port 4899-4899
    set service "PRINTING" protocol tcp src-port 0-65535 dst-port 9100-9100
    set service "PRINTING" + udp src-port 0-65535 dst-port 9100-9100
    set service "BARRACUDA-SPAMTAG" protocol tcp src-port 0-65535 dst-port 8000-8000
    set auth-server "Local" id 0
    set auth-server "Local" server-name "Local"
    set auth default auth server "Local"
    set auth radius accounting port 1646
    set admin manager-ip 192.168.1.0 255.255.255.0
    set admin manager-ip 192.168.233.0 255.255.255.0
    set admin http redirect
    set admin auth timeout 10
    set admin auth server "Local"
    set admin format dos
    set zone "Trust" vrouter "trust-vr"
    set zone "Untrust" vrouter "trust-vr"
    set zone "DMZ" vrouter "trust-vr"
    set zone "VLAN" vrouter "trust-vr"
    set zone "Untrust-Tun" vrouter "trust-vr"
    set zone "Trust" block
    set zone "Trust" tcp-rst
    set zone "Trust" reassembly-for-alg
    set zone "Untrust" block
    set zone "Untrust" tcp-rst
    set zone "Untrust" reassembly-for-alg
    set zone "DMZ" block
    set zone "DMZ" tcp-rst
    set zone "DMZ" reassembly-for-alg
    set zone "VLAN" block
    unset zone "VLAN" tcp-rst
    set zone "Untrust" screen alarm-without-drop
    set zone "Untrust" screen icmp-flood
    set zone "Untrust" screen udp-flood
    set zone "Untrust" screen winnuke
    set zone "Untrust" screen port-scan
    set zone "Untrust" screen ip-sweep
    set zone "Untrust" screen tear-drop
    set zone "Untrust" screen syn-flood
    set zone "Untrust" screen ip-spoofing
    set zone "Untrust" screen ping-death
    set zone "Untrust" screen ip-filter-src
    set zone "Untrust" screen land
    set zone "Untrust" screen syn-frag
    set zone "Untrust" screen tcp-no-flag
    set zone "Untrust" screen unknown-protocol
    set zone "Untrust" screen ip-bad-option
    set zone "Untrust" screen ip-record-route
    set zone "Untrust" screen ip-timestamp-opt
    set zone "Untrust" screen ip-security-opt
    set zone "Untrust" screen ip-loose-src-route
    set zone "Untrust" screen ip-strict-src-route
    set zone "Untrust" screen ip-stream-opt
    set zone "Untrust" screen icmp-fragment
    set zone "Untrust" screen icmp-large
    set zone "Untrust" screen syn-fin
    set zone "Untrust" screen fin-no-ack
    set zone "Untrust" screen syn-ack-ack-proxy
    set zone "Untrust" screen icmp-id
    set zone "Untrust" screen ip-spoofing drop-no-rpf-route
    set zone "V1-Untrust" screen tear-drop
    set zone "V1-Untrust" screen syn-flood
    set zone "V1-Untrust" screen ping-death
    set zone "V1-Untrust" screen ip-filter-src
    set zone "V1-Untrust" screen land
    set zone "Untrust" screen syn-flood timeout 7
    set zone "Untrust" screen syn-flood alarm-threshold 1024
    set zone "Untrust" screen syn-flood queue-size 1024
    set zone "Untrust" screen syn-flood attack-threshold 800
    set zone "Untrust" screen syn-flood source-threshold 1024
    set zone "Untrust" screen syn-flood destination-threshold 2148
    set interface "ethernet0/0" zone "Untrust"
    set interface "ethernet0/1" zone "Untrust"
    set interface "ethernet0/2" zone "Untrust"
    set interface "ethernet0/4" zone "Trust"
    set interface "bgroup0" zone "Trust"
    unset interface vlan1 ip
    set interface ethernet0/0 ip xxx.xxx.xxx.xxx/29
    set interface ethernet0/0 route
    set interface ethernet0/4 ip 192.168.233.252/24
    set interface ethernet0/4 nat
    set interface ethernet0/0 bandwidth egress mbw 1900 ingress mbw 1900
    set interface "ethernet0/0" pmtu ipv4
    set interface "ethernet0/1" pmtu ipv4
    set interface "ethernet0/4" pmtu ipv4
    set interface "bgroup0" pmtu ipv4
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip
    set interface ethernet0/0 ip manageable
    set interface ethernet0/4 ip manageable
    set interface ethernet0/0 manage ping
    set interface ethernet0/0 manage ssh
    set interface ethernet0/0 manage ssl
    set interface ethernet0/0 manage web
    set interface ethernet0/0 manage ident-reset
    set interface ethernet0/1 manage ping
    set interface ethernet0/1 manage ssh
    set interface ethernet0/1 manage ssl
    set interface ethernet0/1 manage web
    set interface ethernet0/1 manage ident-reset
    set interface ethernet0/4 manage ident-reset
    set interface ethernet0/4 manage mtrace
    set interface bgroup0 manage ident-reset
    set interface bgroup0 manage mtrace
    set interface ethernet0/1 dhcp client enable
    unset interface ethernet0/1 dhcp client settings update-dhcpserver
    set interface ethernet0/0 dip 4 xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx fix-port
    set interface "serial0/0" modem settings "USR" init "AT&F"
    set interface "serial0/0" modem settings "USR" active
    set interface "serial0/0" modem speed 115200
    set interface "serial0/0" modem retry 3
    set interface "serial0/0" modem interval 10
    set interface "serial0/0" modem idle-time 10
    set interface ethernet0/0 route-deny
    set pak-poll p1queue pak-threshold 96
    set pak-poll p2queue pak-threshold 32
    set flow tcp-mss 1455
    set flow tcp-syn-check
    set flow aging low-watermark 70
    set flow aging high-watermark 80
    set flow aging early-ageout 3
    set flow syn-proxy syn-cookie
    set domain xxxxxx.nl
    set hostname XXXXXXXXXXXX
    set dns host dns1 62.50.14.145
    set dns host dns2 0.0.0.0
    set dns host dns3 0.0.0.0
    set dns host schedule 06:28
    set address "Trust" "Martijn-laptop" 192.168.233.114 255.255.255.255
    set address "Untrust" "nat-XXX.XXX.XXX.XXX" XXX.XXX.XXX.XXX 255.255.255.255
    set ike respond-bad-spi 1
    unset ike ikeid-enumeration
    unset ipsec access-session enable
    set ipsec access-session maximum 5000
    set ipsec access-session upper-threshold 0
    set ipsec access-session lower-threshold 0
    set ipsec access-session dead-p2-sa-timeout 0
    unset ipsec access-session log-error
    unset ipsec access-session info-exch-connected
    unset ipsec access-session use-error-log
    set arp nat-dst
    set traffic-shaping dscp-class-selector
    set traffic-shaping mode on
    set url protocol websense
    exit
    set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "BARRACUDA-SPAMTAG" nat src dip-id 4 permit
    set policy id 1
    set service "GRE"
    set service "HTTP"
    set service "HTTPS"
    set service "PING"
    set service "PPTP"
    set service "RDP"
    set service "SSH"
    exit
    set policy id 2 from "Untrust" to "Untrust"  "Any" "nat-XXX.XXX.XXX.XXX" "RDP" nat dst ip 192.168.233.114 permit
    set policy id 2
    exit
    set monitor cpu 100
    set global-pro policy-manager primary outgoing-interface ethernet0/0
    set global-pro policy-manager secondary outgoing-interface ethernet0/0
    set nsmgmt bulkcli reboot-timeout 60
    set ssh version v2
    set ssh enable
    set scp enable
    set config lock timeout 5
    set ntp server "194.109.22.18"
    set ntp server backup1 "0.0.0.0"
    set ntp server backup2 "0.0.0.0"
    set ntp interval 1440
    set ntp max-adjustment 5
    set snmp port listen 161
    set snmp port trap 162
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    set source-routing enable
    set sibr-routing enable
    unset add-default-route
    set route 0.0.0.0/0 interface ethernet0/0 gateway XXX.XXX.XXX.XXX preference 20 permanent
    set access-list extended 10 src-ip 192.168.4.0/24 dst-ip 0.0.0.0/0 src-port 1-65535 dst-port 80-80 protocol tcp entry 1
    set access-list extended 10 src-ip 192.168.4.0/24 dst-ip 0.0.0.0/0 src-port 1-65535 dst-port 443-443 protocol tcp entry 2
    set access-list extended 10 src-ip 192.168.4.0/24 dst-ip 0.0.0.0/0 src-port 1-65535 dst-port 21-21 protocol tcp entry 3
    set access-list extended 10 src-ip 192.168.4.0/24 dst-ip 0.0.0.0/0 src-port 1-65535 dst-port 4899-4899 protocol tcp entry 4
    set access-list extended 10 src-ip 192.168.4.0/24 dst-ip 0.0.0.0/0 src-port 1-65535 dst-port 110-110 protocol tcp entry 5
    set access-list extended 10 src-ip 192.168.4.0/24 dst-ip 0.0.0.0/0 src-port 1-65535 dst-port 22-22 protocol tcp entry 6
    set access-list extended 20 src-ip 192.168.4.0/24 dst-ip 0.0.0.0/0 src-port 1-65535 dst-port 3389-3389 protocol tcp entry 2
    set access-list extended 20 src-ip 192.168.4.0/24 dst-ip 0.0.0.0/0 src-port 1-65535 dst-port 1723-1723 protocol tcp entry 3
    set access-list extended 20 src-ip 192.168.4.0/24 dst-ip 0.0.0.0/0 src-port 1-65535 dst-port 25-25 protocol tcp entry 4
    set access-list extended 20 src-ip 192.168.4.0/24 dst-ip 0.0.0.0/0 src-port 1-65535 dst-port 5060-5060 protocol any entry 5
    set match-group name SDSL_router
    set match-group name ADSL_router
    set action-group name action_SDSL
    set action-group action_SDSL next-interface ethernet0/0 next-hop XXX.XXX.XXX.XXX action-entry 2
    set action-group name action_ADSL
    set action-group action_ADSL next-interface ethernet0/1 next-hop XXX.XXX.XXX.XXX action-entry 1
    set pbr policy name redirect-policy
    set pbr policy redirect-policy match-group ADSL_router action-group action_ADSL 1
    set pbr policy redirect-policy match-group SDSL_router action-group action_SDSL 2
    exit
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit



  • Hi Martijn,

    Yes, but I’m afraid we’ll need some more details, i.e. on exactly what destination is being dropped.

    If posting the config is an issue maybe the output of:

    • a debug flow basic
    • the policy that’s being hit (so the nat-dst policy)
    • if plausible, the ‘get route’ output.

    Cheers,

    MartijnT

