Weird Problem - re-route traffic for trust interface based on protocol

  • Good day,

    One of our older customer applications points to for an SQL database. This is quite old - the SQL servers IP has long since been 0.12, and our Netscreen25’s trust IP is 0.1. They require usage of the program, and since the source code is long gone (arghh) and they did not code using DNS names (arggh) they have requested that SQL traffic destined for 0.1 be sent to 0.12. Anyone have any thoughts?



  • Global Moderator

    nwroot: Sadly I think you’ve been led down the wrong path with the PBR suggestion.

    PBR is just routing traffic a different way, based on policy.  It doesn’t change the destination address of the packets it processes, which is what you’re asking for above.

    So even if you can make traffic arrive at the .12 address, it’s going to see packets addressed to .1 and ignore them.  Well, it won’t even look at packets that aren’t addressed to it directly, unless the interface is in promisc mode.

    What you’re after is some form of NAT, that rewrites .12 to .1 and then rewrites on it the return.  How go about configuring this I’m sorry I don’t know.

    I’m 99% sure that PBR isn’t the answer here, PBR gives you the option of routing traffic out a different interface/path than what the standard routing table specifies, not the ability to rewrite the destination address.

  • 6 R3… argh… one of my worst habits is falling behind in such things - we are at 5.4 R2 which of couse has no VIP/trust support.

    An update on this:

    I troubleshot the issue myself with wireshark, and the traffic was not heading to 0.1 like I was told. The issue is actually with the SQL instance naming (it is looking for \server\DEPT_SQLSRV, which no longer exists (it is now just \server). So its not a traffic problem, but an SQL naming one. Horray - I can pass it off! lol

    Thanks for all of the ideas, I will now be looking to update all of our NS’s and also study a bit on PBR.


  • Global Moderator

    When you run version 6 (r3 is rather stable I believe) you should be able to configure a VIP on interfaces in trust zone. Not documented yet, but it should be here i’ve heard from a reliable source. Didn’t try it myself. So if this is true configure a vip on trust interface on SQL service and redirect to SQL server. Just an idea.

  • I have never used PBR before… this is what I tried, and it does not work.

    set access-list extended 10 src-ip dst-ip src-port 1-65535 dst-port 1433-1433 protocol any entry 1
    set match-group name MS_SQL_Traffic
    set match-group MS_SQL_Traffic ext-acl 10 match-entry 1
    set action-group name MS_SQL
    set action-group MS_SQL next-interface ethernet1 next-hop action-entry 1
    set pbr policy name MS_SQL_Re-route
    set pbr policy MS_SQL_Re-route match-group MS_SQL_Traffic action-group MS_SQL 1
    set interface ethernet1 pbr MS_SQL_Re-route
    set zone Trust pbr MS_SQL_Re-route

    So I must be missing something… right? 🙂


  • policy based routing should take care of this. must be on screenos 5.4+