VIP 64 port limit?



  • Hi,
    i have 5GT with 5.4.0r6.0

    I have in the LAN (Trust zone) one VoIP and one SQL server; my Untrust (PPPoE) is connected to the ISP and has a dynamic IP address. How can I open more than 64 ports on a VIP?

    Sorry for my bad English.

    Ilja



  • Hi Screenie,

    Thank you for the answer. You are right, /32 on an interface (e3) is strange. But my interface (e3) is Untrust (PPPoE), connected to the ISP, and gets from the ISP only one public dynamic IP address with mask /32. I cannot change the mask manually for this interface, or …?

    Ilja


  • Global Moderator

    Hi Ilja,

    Your address object SSH Asterisk is probably the same as int e3:

    set interface ethernet3 ip 84.189.57.93/32

    The debugging says:

    packet dropped: for self but not interested

    This means your endpoint for a session is on the firewall, but the service isn’t enabled on that interface.

    In this case you’re DST-NATing on the interface address; that’s not possible, only routable addresses other than the interface’s can be used.

    Also a /32 on an interface (e3) is strange; are you sure it’s OK? I would think it could only reach itself now.

    Try to get an extra IP address on e3 and use this in your dst-nat; that will work I think.

    Cheers.



  • @screenie.:

    Ilja,

    what doesn’t work with the nat-dst? Any loggings or even better a debug output?

    I’m sure there are a lot of people here who can help you, but please give us some information.

    Thanks for answer!

    This is my config:

    set clock timezone 0
    set vrouter trust-vr sharable
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset auto-route-export
    exit
    set auth-server "Local" id 0
    set auth-server "Local" server-name "Local"
    set auth default auth server "Local"
    set auth radius accounting port 1646
    set admin name "netscreen"
    set admin password "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"
    set admin port 7777
    set admin telnet port 2323
    set admin ssh port 2222
    set admin auth timeout 10
    set admin auth server "Local"
    set admin format dos
    set zone "Work" vrouter "trust-vr"
    set zone "Untrust" vrouter "trust-vr"
    set zone "Home" vrouter "trust-vr"
    set zone "VLAN" vrouter "trust-vr"
    set zone "Untrust-Tun" vrouter "trust-vr"
    set zone "Work" tcp-rst
    set zone "Untrust" block
    unset zone "Untrust" tcp-rst
    set zone "MGT" block
    set zone "Home" tcp-rst
    set zone "VLAN" block
    unset zone "VLAN" tcp-rst
    set zone "Untrust" screen tear-drop
    set zone "Untrust" screen syn-flood
    set zone "Untrust" screen ping-death
    set zone "Untrust" screen ip-filter-src
    set zone "Untrust" screen land
    set zone "V1-Untrust" screen tear-drop
    set zone "V1-Untrust" screen syn-flood
    set zone "V1-Untrust" screen ping-death
    set zone "V1-Untrust" screen ip-filter-src
    set zone "V1-Untrust" screen land
    set interface "ethernet1" zone "Work"
    set interface "ethernet2" zone "Home"
    set interface "ethernet3" zone "Untrust"
    set interface ethernet1 ip 192.168.200.1/24
    set interface ethernet1 nat
    set interface ethernet3 ip 84.189.57.93/32
    set interface ethernet3 route
    unset interface vlan1 ip
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip
    set interface ethernet1 ip manageable
    set interface ethernet3 ip manageable
    set interface ethernet3 manage ping
    set interface ethernet3 manage telnet
    set interface ethernet3 manage web
    set interface ethernet1 dhcp server service
    set interface ethernet1 dhcp server auto
    set interface ethernet1 dhcp server option netmask 255.255.255.0
    set interface ethernet1 dhcp server option dns1 217.237.151.51
    set interface ethernet1 dhcp server option dns2 217.237.149.205
    unset interface ethernet1 dhcp server config next-server-ip
    set flow tcp-mss
    set flow all-tcp-mss 1304
    unset flow no-tcp-seq-check
    set flow tcp-syn-check
    set pki authority default scep mode "auto"
    set pki x509 default cert-path partial
    set address "Work" "oda2" 1.2.1.8 255.255.255.255
    set ike respond-bad-spi 1
    unset ike ikeid-enumeration
    unset ike dos-protection
    unset ipsec access-session enable
    set ipsec access-session maximum 5000
    set ipsec access-session upper-threshold 0
    set ipsec access-session lower-threshold 0
    set ipsec access-session dead-p2-sa-timeout 0
    unset ipsec access-session log-error
    unset ipsec access-session info-exch-connected
    unset ipsec access-session use-error-log
    set url protocol websense
    exit
    set policy id 1 from "Work" to "Untrust"  "Any" "Any" "ANY" permit
    set policy id 1
    exit
    set policy id 2 from "Work" to "Home"  "Any" "Any" "ANY" permit
    set policy id 2
    exit
    set policy id 3 from "Home" to "Untrust"  "Any" "Any" "ANY" permit
    set policy id 3
    exit
    set policy id 4 from "Home" to "Work"  "Any" "Any" "ANY" deny
    set policy id 5 name "SSH Asterisk" from "Untrust" to "Work"  "Any" "oda2" "SSH" nat dst ip 192.168.200.200 permit log
    set policy id 5
    set log session-init
    exit
    set pppoe name "T-Online"
    set pppoe name "T-Online" username "t-online-com/7TBF67XOS5T4@t-online-com.de" password "qJHREWUYNbdffxsUAECz1z3SsDnbmYHiQA=="
    set pppoe name "T-Online" idle 0
    set pppoe name "T-Online" interface ethernet3
    set pppoe name "T-Online" auto-connect 1
    set nsmgmt bulkcli reboot-timeout 60
    set ssh version v2
    set config lock timeout 5
    unset ssl enable
    set modem speed 115200
    set modem retry 3
    set modem interval 10
    set modem idle-time 10
    set snmp port listen 161
    set snmp port trap 162
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset add-default-route
    set route 1.2.1.8/32 interface ethernet1 preference 20
    exit
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit

    This is the debug info:

    ns5gt-> set ffilter dst-port 22
    filter added
    ns5gt-> debug flow basic
    ns5gt-> get dbuf stream
    ****** 06210.0: <untrust/ethernet3> packet received [48]******
      ipid = 16828(41bc), @0588f1f8
      packet passed sanity check.
      ethernet3:80.239.143.47/3244->84.189.57.93/22,6<Root>
      no session found
      flow_first_sanity_check: in <ethernet3>, out <N/A>
      self check, not for us
      chose interface ethernet3 as incoming nat if.
      packet dropped: for self but not interested
    ****** 06213.0: <untrust/ethernet3> packet received [48]******
      ipid = 16837(41c5), @0588f9f8
      packet passed sanity check.
      ethernet3:80.239.143.47/3244->84.189.57.93/22,6<Root>
      no session found
      flow_first_sanity_check: in <ethernet3>, out <N/A>
      self check, not for us
      chose interface ethernet3 as incoming nat if.
      packet dropped: for self but not interested
    ****** 06219.0: <untrust/ethernet3> packet received [48]******
      ipid = 16840(41c8), @058901f8
      packet passed sanity check.
      ethernet3:80.239.143.47/3244->84.189.57.93/22,6<Root>
      no session found
      flow_first_sanity_check: in <ethernet3>, out <N/A>
      self check, not for us
      chose interface ethernet3 as incoming nat if.
      packet dropped: for self but not interested
    ns5gt->

    Can this help?

    Big thanks

    Ilja
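The dump above is what the moderator's explanation is keyed on: the packet's destination is the firewall's own ethernet3 address, nothing is bound there, and "for self but not interested" is the result. The following is an added example (not code from the thread) that parses a ScreenOS `debug flow basic` dump into flow records and turns that drop reason into the explanation given in the thread; `SELF_ADDRS` is taken from the posted config, and `SAMPLE` is a constructed trace in the same format as the posted one.

```python
"""Parse a ScreenOS 'debug flow basic' dump (as printed by 'get dbuf stream')
and explain each drop. Added example; SELF_ADDRS/SAMPLE are constructed from the posted config and dump."""
import re
from dataclasses import dataclass
from typing import List, Optional

SELF_ADDRS = {"84.189.57.93", "192.168.200.1"}  # ethernet3 / ethernet1 addresses from the posted config
# Matches e.g. "  ethernet3:80.239.143.47/3244->84.189.57.93/22,6<Root>"
PKT_RE = re.compile(r"^\s*(\w+):([\d.]+)/(\d+)->([\d.]+)/(\d+),(\d+)")
DROP_RE = re.compile(r"packet dropped: (.+?)\s*$")

@dataclass
class Flow:
    in_if: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    drop_reason: Optional[str] = None

    def diagnosis(self) -> str:  # the drop reason, explained as the moderator did above
        if self.drop_reason == "for self but not interested" and self.dst in SELF_ADDRS:
            return (f"{self.dst}:{self.dport} is the firewall's own interface address; "
                    "no service, VIP or MIP is bound there, and a policy 'nat dst' "
                    "cannot target an interface address")
        return f"dropped: {self.drop_reason}" if self.drop_reason else "not dropped"

def parse_dbuf(text: str) -> List[Flow]:
    """One Flow per '******' packet record, carrying its drop reason if any."""
    flows: List[Flow] = []
    cur: Optional[Flow] = None
    for line in text.splitlines():
        if line.startswith("******"):
            cur = None                      # a new packet record begins
        elif (m := PKT_RE.match(line)):
            cur = Flow(m[1], m[2], int(m[3]), m[4], int(m[5]), int(m[6]))
            flows.append(cur)
        elif cur is not None and (m := DROP_RE.search(line)):
            cur.drop_reason = m[1]
    return flows

# Constructed sample in the dump's format: the SSH probe from the thread, then a SIP packet.
SAMPLE = """\
****** 06210.0: <untrust/ethernet3> packet received [48]******
  ethernet3:80.239.143.47/3244->84.189.57.93/22,6<Root>
  no session found
  packet dropped: for self but not interested
****** 06213.0: <untrust/ethernet3> packet received [60]******
  ethernet3:80.239.143.47/5060->84.189.57.93/5060,17<Root>
  packet dropped: for self but not interested
"""
```

Run `for f in parse_dbuf(SAMPLE): print(f.diagnosis())` to see each packet's verdict; any destination not in `SELF_ADDRS` falls through to the raw drop reason.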


  • Global Moderator

    Ilja,

    what doesn’t work with the nat-dst? Any loggings or even better a debug output?

    I’m sure there are a lot of people here who can help you, but please give us some information.



  • @sfouant:

    You can also just do plain old NAT-Dst to a fixed port and avoid having to use VIPs altogether.

    Please help me!

    I have 30 days of trying without success.

    I have fully reset the device. I configured it as described in the book “Concepts & Examples ScreenOS Reference Guide: Vol 8, Address Translation”, example “One-to-One Destination Translation”; because I have no DMZ zone I used the Trust zone, without success.
    Does it work on a DHCP-based Untrust interface?
    I have found this:

    VIP is not possible on an extended address. Use policy-based NAT instead:
    set arp nat-dst (not documented…) This must be done in the CLI
    define a policy from untrust to untrust (GUI is OK here) (YES, REALLY untrust to untrust!)
    src any
    dst UNTRANSLATED address
    Service: your service
    Then in advanced
    Check the NAT dst box and fill in the destination IP.
    Not VIP indeed, but the same function, because you can define multiple policies with the same destination IP but different services and destinations.

    This also doesn’t work!

    Can someone help me?

    Sorry for my bad English.

    Ilja



  • You can also just do plain old NAT-Dst to a fixed port and avoid having to use VIPs altogether.



  • There is a very big difference between a typical SOHO router and a NetScreen firewall. SOHO routers are designed first and foremost as routers, that is, they are designed to forward all traffic. Even though many SOHO routers include some sort of stateful firewall, they cannot compare to the security of a NetScreen or similar purpose-built firewall. It has been my experience that functionality is always at odds with more security. Striking the perfect balance of having everything work the way you want while not compromising on network security will always be a challenge.

    That said, I do wish that more than 64 ports could be used for VIPs, but I believe that there are probably resource limitations and security concerns here. Also, if you do need to allow all ports to an internal server then you can configure a MIP if you have available public addresses.



  • @MaxPipeline:

    The 64 port limit for VIPs is a hardcoded limit. I’m afraid you cannot increase this.

    Every SOHO router can do that, but not NetScreen???



  • The 64 port limit for VIPs is a hardcoded limit. I’m afraid you cannot increase this.



  • Are you attempting to configure 64 VIP Services on one IP? Or rather just 64 VIPs running on different IPs?

    I think you can only do up to 4 VIPs on the 5GT, at least that’s what it says in the 5GT datasheet. And I think with each VIP you can only have up to 8 VIP services configured on each. The number of VIPs which are supported is dependent on the model, but if you’re running into the upper limits I don’t think you can change that.

