NS5XT MIPS



  • Hello All,

    I am having an interesting MIP issue and would like to ask the community for some help.

    I am testing a basic MIP setup…

    10.x.x.155 MIP to 172.16.x.155  Untrust to Trust

    The MIP appears to be half working.  When I ping 10.x.x.155 I can see (using debug flow all) the traffic pass to the MIP target on 172.x.  However the reply comes back as a 172.16.x.155 answer.  The MIP does not seem to be applied on the outbound (trust to untrust) traffic correctly.

    The device being used in this test is a NS5XT with ScreenOS Ver: 5.3.0r10b.0

    I have been following the Juniper KB12835 (ScreenOS Cookbook Recipe 8.8 Bidirectional NAT)

    The final goal of this configuration is to allow SSH and netconf to the MIP’d target behind the NS5XT.

    Any advice would be appreciated.



  • Hi aweck,

    Here is the relevant configuration and basic flow capture.  The flow data is for the ping test:

    from 10.test.station.85 to 10.x.x.155
    reply shows a returning from 172.x.x.155 at the test station.

    set vrouter trust-vr sharable
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset auto-route-export
    exit
    set zone "Trust" vrouter "trust-vr"
    set zone "Untrust" vrouter "trust-vr"
    set zone "VLAN" vrouter "trust-vr"
    set interface "trust" zone "Trust"
    set interface "untrust" zone "Untrust"
    unset interface vlan1 ip
    set interface trust ip 172.x.x.153/29
    set interface trust nat
    set interface untrust ip 10.x.x.153/22
    set interface untrust route
    set interface untrust gateway 10.x.x.1
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip
    set interface trust ip manageable
    set interface untrust ip manageable
    set interface untrust manage ssh
    set interface untrust manage web
    set interface "untrust" mip 10.x.x.155 host 172.x.x.155 netmask 255.255.255.255 vr "trust-vr"
    set interface "untrust" mip 10.x.x.154 host 172.x.x.154 netmask 255.255.255.255 vr "trust-vr"

    set dns host dns1 10.x.x.161
    set dns host dns2 10.x.x.200
    set address "Trust" "srxc1n0" 172.x.x.154 255.255.255.255
    set address "Trust" "srxc1n1" 172.x.x.155 255.255.255.255
    set policy id 10 from "Untrust" to "Trust"  "Any" "MIP(10.x.x.154)" "ANY" permit count
    set policy id 10
    set log session-init
    exit
    set policy id 11 from "Untrust" to "Trust"  "Any" "MIP(10.x.x.155)" "ANY" permit
    set policy id 11
    exit
    set policy id 13 from "Trust" to "Untrust"  "srxc1n0" "Any" "ANY" permit count
    set policy id 13
    set log session-init
    exit
    set policy id 15 from "Trust" to "Untrust"  "srxc1n0" "Any" "ANY" permit count
    set policy id 15
    set src-address "srxc1n1"
    set log session-init
    exit

    ****** 965660.0: <untrust/untrust> packet received [52]******
      ipid = 24306(5ef2), @03e26070
      packet passed sanity check.
      untrust:10.test.station.85/63781->10.x.x.154/22,6<Root>
      flow_first_sanity_check: in <untrust>, out <N/A>
      chose interface untrust as incoming nat if.
      flow_first_routing: in <untrust>, out <N/A>
      search route to (untrust, 10.test.station.85->172.x.x.154) in vr trust-vr for vsd-0/flag-0/ifp-null
      [ Dest] 1.route 172.x.x.154->172.x.x.154, to trust
      routed (x_dst_ip 172.x.x.154) from untrust (untrust in 0) to trust
      policy search from zone 1-> zone 2
      No SW RPC rule match, search HW rule
      Permitted by policy 10
      No src xlate  choose interface trust as outgoing phy if
      no loop on ifp trust.
      session application type 22, name None, nas_id 0, timeout 1800sec
      ALG vector is not attached
      service lookup identified service 0.
      flow_first_final_check: in <untrust>, out <trust>
      existing vector list 13-22796a0.
      Session (id:1974) created for first pak 13
      flow_first_install_session======>
      route to 172.x.x.154
      arp entry found for 172.x.x.154
      nsp2 wing prepared, ready
      cache mac in the session
      make_nsp_ready_no_resolve()
      search route to (null, 0.0.0.0->10.test.station.85) in vr trust-vr for vsd-0/flag-3000/ifp-untrust
      [ Dest] 3.route 10.test.station.85->10.test.station.85, to untrust
      route to 10.test.station.85
      flow got session.
      flow session id 1974
    ****** 965662.0: <untrust/untrust> packet received [52]******
      ipid = 24311(5ef7), @03e42070
      packet passed sanity check.
      untrust:10.test.station.85/63781->10.x.x.154/22,6<Root>
      existing session found. sess token 6
      flow got session.
      flow session id 1974
    ****** 965668.0: <untrust/untrust> packet received [48]******
      ipid = 24317(5efd), @03e72070
      packet passed sanity check.
      untrust:10.test.station.85/63781->10.x.x.154/22,6<Root>
      existing session found. sess token 6
      flow got session.
      flow session id 1974

    Again thanks for taking the time to look at this.
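The trace above only shows the inbound (Untrust to Trust) leg, and the question is whether the outbound leg from the MIP host is being translated at all. As an added example that is not part of the original post and is not Juniper code, the script below turns ScreenOS `debug flow basic` output into one record per packet: the original 5-tuple, the destination after the route lookup (the `routed (x_dst_ip ...)` line), the permitting policy, the `No src xlate` marker and the session id, so the two directions can be compared. Assumptions: the addresses are kept in the masked form used in the post; the first two sample blocks are the posted trace with the lines the parser ignores trimmed, and the third block (a Trust to Untrust session from 172.x.x.154 to the dns2 host under policy 13) is constructed to exercise the outbound check; and because the post only shows the negative marker `No src xlate`, the parser records a source translation as absent when that line is present and as unknown otherwise.

```python
# Added example, not code from the original post or from Juniper.  It parses the
# ScreenOS "debug flow basic" blocks shown in the thread into one record per
# packet so the inbound (Untrust->Trust) and outbound (Trust->Untrust) legs of a
# MIP can be compared side by side.
import re
from dataclasses import dataclass
from typing import List, Optional

HEADER_RE = re.compile(r'^\s*\*{6} (?P<tick>[\d.]+): <(?P<zin>[^/>]+)/[^>]*> ?packet received', re.M)
TUPLE_RE = re.compile(r'(?P<zone>\w+):(?P<src>[\w.]+)/(?P<sport>\d+)->(?P<dst>[\w.]+)/(?P<dport>\d+),(?P<proto>\d+)')
ROUTED_RE = re.compile(r'routed \(x_dst_ip (?P<xdst>[\w.]+)\) from \w+ \([^)]*\) to (?P<zout>\w+)')
POLICY_RE = re.compile(r'Permitted by policy (?P<pid>\d+)')
NEW_SESS_RE = re.compile(r'Session \(id:(?P<sid>\d+)\) created')
SESS_RE = re.compile(r'flow session id (?P<sid>\d+)')


@dataclass
class PacketSummary:
    tick: str
    zone_in: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    x_dst: Optional[str] = None        # destination after the route lookup ("x_dst_ip")
    zone_out: Optional[str] = None
    policy: Optional[int] = None
    src_xlate: Optional[bool] = None   # False when "No src xlate" is printed; else unknown
    session_id: Optional[int] = None
    new_session: bool = False          # True for the first packet of a session

    @property
    def dst_translated(self) -> bool:
        """The MIP did its inbound job if x_dst_ip differs from the packet's dst."""
        return self.x_dst is not None and self.x_dst != self.dst


def parse_debug_flow(text: str) -> List[PacketSummary]:
    """Split a capture on the '****** tick: <zone/if> packet received' headers."""
    heads = list(HEADER_RE.finditer(text))
    out: List[PacketSummary] = []
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        block = text[h.start():end]
        t = TUPLE_RE.search(block)
        if not t:
            continue                      # no 5-tuple line, nothing to summarise
        s = PacketSummary(h['tick'], t['zone'], t['src'], int(t['sport']),
                          t['dst'], int(t['dport']), int(t['proto']))
        if (m := ROUTED_RE.search(block)):
            s.x_dst, s.zone_out = m['xdst'], m['zout']
        if (m := POLICY_RE.search(block)):
            s.policy = int(m['pid'])
        if 'No src xlate' in block:       # the only xlate marker visible in the post
            s.src_xlate = False
        if (m := NEW_SESS_RE.search(block)):
            s.new_session, s.session_id = True, int(m['sid'])
        elif (m := SESS_RE.search(block)):
            s.session_id = int(m['sid'])
        out.append(s)
    return out


def translated_ingress(rows: List[PacketSummary], mip_ip: str) -> List[PacketSummary]:
    """New sessions to the MIP address whose destination was rewritten to the host."""
    return [s for s in rows if s.new_session and s.dst == mip_ip and s.dst_translated]


def untranslated_egress(rows: List[PacketSummary], host_ip: str) -> List[PacketSummary]:
    """New sessions from the MIP host toward untrust that record 'No src xlate':
    the outbound half the post says is missing."""
    return [s for s in rows if s.new_session and s.src == host_ip
            and s.zone_out == 'untrust' and s.src_xlate is False]


# Constructed sample: the first two blocks are the posted trace with the lines the
# parser ignores trimmed; the third (trust->untrust, policy 13, DNS to the dns2
# host from the posted config) is invented to exercise the outbound check.
SAMPLE = """\
****** 965660.0: <untrust/untrust> packet received [52]******
  untrust:10.test.station.85/63781->10.x.x.154/22,6<Root>
  flow_first_routing: in <untrust>, out <N/A>
  routed (x_dst_ip 172.x.x.154) from untrust (untrust in 0) to trust
  Permitted by policy 10
  No src xlate  choose interface trust as outgoing phy if
  Session (id:1974) created for first pak 13
  flow session id 1974
****** 965662.0: <untrust/untrust> packet received [52]******
  untrust:10.test.station.85/63781->10.x.x.154/22,6<Root>
  existing session found. sess token 6
  flow session id 1974
****** 965700.0: <trust/trust> packet received [60]******
  trust:172.x.x.154/40000->10.x.x.200/53,17<Root>
  flow_first_routing: in <trust>, out <N/A>
  routed (x_dst_ip 10.x.x.200) from trust (trust in 0) to untrust
  Permitted by policy 13
  No src xlate  choose interface untrust as outgoing phy if
  Session (id:1980) created for first pak 13
  flow session id 1980
"""

if __name__ == '__main__':
    rows = parse_debug_flow(SAMPLE)
    for s in rows:
        print(f"{s.tick} {s.zone_in}:{s.src}:{s.sport}->{s.dst}:{s.dport} x_dst={s.x_dst} "
              f"policy={s.policy} sess={s.session_id} new={s.new_session} src_xlate={s.src_xlate}")
    print("inbound MIP hits:", [s.session_id for s in translated_ingress(rows, '10.x.x.154')])
    print("outbound without xlate:", [s.session_id for s in untranslated_egress(rows, '172.x.x.154')])
```

Run it against a full capture (`debug flow basic` with `set ff` filters for both the test station and the MIP host) and look at the Trust to Untrust records for the host: a new session whose source is still the 172 address and which carries `No src xlate` matches the symptom described in the post, whereas the inbound leg is confirmed working whenever `x_dst_ip` differs from the packet's destination.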



  • In order to help, can you post:

    1. relevant config

    2. output of ‘debug flow basic’ showing traffic in question


 
