Hello all,
I am currently trying to have two of my zones communicate with the Internet (untrust zone) without success. I have other zones that work fine. Machines can also communicate from one zone to another without issues.
Unfortunately I've inherited the current configuration with little explanations, and I'm no network expert to start with, so I'm a bit at a loss currently. I did try to troubleshoot but there are many things I don't really understand.
My zones use the 192.168.5.X and 192.168.6.X prefixes. The zones are called PRA-MF and DMZ-PRA-MF. Here is the current configuration (all information unrelated to my issue has been removed, as have the public IP addresses):
#show interfaces
## reth0 carries the two 802.1Q sub-interfaces that form the PRA-MF and DMZ-PRA-MF zones;
## both units are placed in routing-instance PRA-MF (see `show routing-instances` below).
reth0 {
description "VLANS PRODUCTION";
vlan-tagging;
redundant-ether-options {
redundancy-group 1;
}
unit 300 {
description "VLAN PRA-MF";
vlan-id 300;
family inet {
address 192.168.5.254/24; ## SRX address on the 192.168.5.0/24 VLAN (the trace below shows 192.168.5.52 on this side)
}
}
unit 301 {
description "VLAN DMZ-PRA-MF";
vlan-id 301;
family inet {
address 192.168.6.254/24; ## SRX address on the 192.168.6.0/24 VLAN, which holds the DNAT target 192.168.6.50
}
}
}
## reth2.0 is the Internet-facing (untrust) interface. It is NOT listed under routing-instance PRA-MF,
## so its address and its connected route exist only in the master instance (inet.0).
reth2 {
redundant-ether-options {
redundancy-group 1;
}
unit 0 {
family inet {
filter {
input mf-pra; ## filter-based forwarding: inbound public traffic on selected ports is steered into PRA-MF (see `show firewall filter`)
}
address XXX.XXX.XXX.XXX {
preferred;
}
}
}
}
#show security zones security zone PRA-MF
## Zone for VLAN 300 (reth0.300, 192.168.5.0/24). host-inbound-traffic only governs what may
## terminate on the SRX itself from this zone; transit traffic is governed by security policies.
host-inbound-traffic {
system-services {
ping;
telnet; ## NOTE(review): telnet is cleartext management; prefer ssh and drop telnet unless something still depends on it
}
}
interfaces {
reth0.300 {
host-inbound-traffic {
system-services {
ping;
telnet; ## repeats the zone-level entry; same remark applies
}
}
}
}
#show security zones security zones DMZ-PRA-MF
## Zone for VLAN 301 (reth0.301, 192.168.6.0/24).
address-book {
address 192.168.6.50 192.168.6.50/32; ## the host every destination-NAT rule points at
address-set set1 {
address 192.168.6.50; ## NOTE(review): set1 is defined but no policy shown in this post references it (they all use `any`); it is the natural object to tighten the untrust -> DMZ-PRA-MF policy with
}
}
host-inbound-traffic {
system-services {
ping;
telnet; ## NOTE(review): cleartext management on a DMZ zone; prefer ssh
}
}
interfaces {
reth0.301 {
host-inbound-traffic {
system-services {
ping;
telnet; ## repeats the zone-level entry
}
}
}
}
#show security zones security zone untrust
## Internet-facing zone (reth2.0). These services are the ones the SRX itself will answer on its
## public address; they do not affect transit traffic.
host-inbound-traffic {
system-services {
ike; ## only needed if IPsec VPNs terminate on this interface
http; ## NOTE(review): cleartext J-Web/management reachable from the Internet; remove unless required
https; ## NOTE(review): management from untrust should be limited to known source addresses (e.g. a loopback input filter), not open to any
ping;
ssh; ## same remark as https
}
}
interfaces {
reth2.0 {
host-inbound-traffic {
system-services {
ike;
ssh;
https;
ping;
http; ## duplicates the zone-level list
}
}
}
}
#show security policies
## Lateral policies between the two internal zones: fully open in both directions.
from-zone PRA-MF to-zone DMZ-PRA-MF {
policy flux_DMZ-PRA-MF {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone DMZ-PRA-MF to-zone PRA-MF {
policy flux_PRA-MF {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
## Outbound policies (internal -> untrust) exist for both zones, so policy is not what blocks the ping
## to 8.8.8.8: the trace below drops the packet at route lookup ("yielded reject NH"), which happens
## before the policy lookup is ever reached.
from-zone PRA-MF to-zone untrust {
policy flux_untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
## NOTE(review): untrust -> PRA-MF is an any/any/any permit from the Internet. No destination-NAT rule
## maps a public port to a 192.168.5.x host (the only DNAT pool is 192.168.6.50), so this inbound policy
## appears unused; if it is not needed it should be removed, and if it is, it should match specific
## hosts and applications. Adding `log { session-init; session-close; }` under `then` on the
## Internet-facing policies gives a record of inbound sessions.
from-zone untrust to-zone PRA-MF {
policy flux_untrust { ## the name flux_untrust is reused in four zone pairs; legal per pair, but harder to read in logs and session output
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone DMZ-PRA-MF to-zone untrust {
policy flux_untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
## NOTE(review): untrust -> DMZ-PRA-MF is also any/any/any. Zone DMZ-PRA-MF already defines
## address-set set1 (192.168.6.50), and the DNAT rules expose only ports 1763 6331 6537 5822 4822 990 22;
## restrict destination-address to set1 and application to those ports. Policy lookup is done on the
## post-DNAT destination, so the private address (not the public one) is what has to match here.
from-zone untrust to-zone DMZ-PRA-MF {
policy flux_untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
#show firewall filter mf-pra
## NOTE(review): the heading below names the filter matignon-pra, while reth2.0 references "input mf-pra";
## one of the two is probably a leftover from sanitising the post -- confirm which name is actually committed.
show firewall filter matignon-pra
## Filter-based forwarding on the Internet interface (applied as an input filter on reth2.0).
term 1 {
from {
destination-address {
XXX.XXX.XXX.XXX/XXX; ## the public address on reth2.0
}
destination-port [ 6330 1763 6331 22 5822 6537 990 4822 ]; ## 6330 has no matching destination-NAT rule (see `show security nat destination`)
}
then {
routing-instance PRA-MF; ## look these inbound packets up in PRA-MF.inet.0 instead of inet.0
}
}
term 2 {
then accept; ## everything else stays in the master instance; without this term the filter's implicit discard would apply
}
#show routing-options
## Master instance (inet.0). The /32 routes leak the specific PRA hosts into the VR table so that
## traffic handled in the master instance can reach them; hosts not listed here are not reachable
## from inet.0. These routes only cover the master -> PRA-MF direction; nothing here gives
## PRA-MF.inet.0 a path back out toward the Internet.
static {
route 192.168.6.50/32 next-table PRA-MF.inet.0; ## the DNAT pool target
route 192.168.5.50/32 next-table PRA-MF.inet.0;
route 192.168.5.51/32 next-table PRA-MF.inet.0;
route 192.168.5.52/32 next-table PRA-MF.inet.0; ## the host used for the ping test in the trace
route 192.168.5.53/32 next-table PRA-MF.inet.0;
route 192.168.5.54/32 next-table PRA-MF.inet.0;
route 192.168.5.55/32 next-table PRA-MF.inet.0;
route 0.0.0.0/0 next-hop XXX.XXX.XXX.XXX; ## Internet default route; exists only in inet.0, not in PRA-MF.inet.0
}
instance-import route-import-XXX-XXX-XXX; ## policy not shown in this post
#show routing-instances
PRA-MF {
description "PRA MATIGNON FINANCES";
instance-type virtual-router;
## Only the two VLAN sub-interfaces belong to this VR; reth2.0 (the Internet interface) does not,
## so this table has no connected route toward the ISP next-hop of its own.
interface reth0.300;
interface reth0.301;
routing-options {
static {
## NOTE(review): for this default route to be usable, its next-hop must resolve inside PRA-MF.inet.0.
## The only things that could provide that are an interface in the VR (none face the Internet) or
## instance-import TO-PRA, whose route-filter matches an address the author's own comment says is no
## longer in use. The trace below ("rtbl_idx = 5" / "vr_id 5", "Route-lookup for 8.8.8.8 yielded reject NH")
## is consistent with this route being unresolved, which is most likely the cause of the symptom.
## Check with `show route table PRA-MF.inet.0 0.0.0.0/0` (the route should be active, not hidden or reject).
## A static next-hop is normally a bare address; the "/XXX" here may just be a redaction artifact -- confirm.
route 0.0.0.0/0 next-hop XXX.XXX.XXX.XXX/XXX;
}
instance-import TO-PRA; ## the only way routes from inet.0 enter this table (see `show policy-options policy-statement TO-PRA`)
}
}
#show policy-options policy-statement TO-PRA
## Import policy used by routing-instance PRA-MF (instance-import TO-PRA): copies selected routes from inet.0.
term 1 {
from {
instance master;
protocol direct; ## only connected (interface) routes are candidates
## NOTE(review): by the comment on the next line this prefix no longer exists, so term 1 matches nothing
## and term 2 rejects everything else -> PRA-MF.inet.0 receives no route for the reth2.0 subnet and the
## VR's default next-hop cannot resolve. Pointing this route-filter at the current reth2.0 subnet prefix
## (still `exact`) is the natural fix; keeping the filter narrow rather than importing all of inet.0 keeps
## the leak between instances deliberate and one-directional.
route-filter YYY.YYY.YYY.YYY/YYY exact; ##this is an old public IP address no longer in use
}
then accept;
}
term 2 {
then reject; ## explicit deny for every other master-instance route
}
#show security nat source
## Two overlapping rule-sets, both doing interface (overload) source NAT toward the Internet.
## Source NAT is evaluated after the route lookup, so neither is reached in the trace below.
rule-set trust-to-untrust3 {
from zone [ DMZ-PRA-MF PRA-MF ]; ## zone-based match
to zone untrust;
rule source-nat-rule3 {
match {
source-address 0.0.0.0/0;
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface; ## translate to the egress interface address (the reth2.0 public IP)
}
}
}
}
## Routing-instance-based rule-set for the same traffic; it yields the same result (interface NAT), so it is
## redundant rather than wrong. NOTE(review): Junos selects source-NAT rule-sets by from/to specificity
## (interface, then routing-instance, then zone), so this one would win when both match -- confirm against the docs.
rule-set PRA-MF-to-reth2 {
from routing-instance PRA-MF;
to interface reth2.0;
rule source-nat-PRA {
match {
source-address 0.0.0.0/0;
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
#show security nat destination
pool DMZ-PRA-MF {
address 192.168.6.50/32; ## no port in the pool: the destination port is preserved, so 192.168.6.50 must listen on each port below
}
## NOTE(review): a destination-NAT rule-set normally carries a `from` clause (zone, interface or routing-instance);
## none is shown here -- confirm it was lost in redaction rather than missing from the device.
## Each rule publishes one port of the public address to 192.168.6.50. The seven ports match the list in
## firewall filter mf-pra except 6330, which the filter steers into PRA-MF but no rule translates.
## Port 22 exposed to the Internet deserves key-only authentication and rate limiting on the host, and the
## untrust -> DMZ-PRA-MF security policy should be narrowed to 192.168.6.50 and these ports.
rule-set untrust {
rule DMZ-PRA-MF-1763 {
match {
destination-address XXX.XXX.XXX.XXX/XXX;
destination-port 1763;
}
then {
destination-nat {
pool {
DMZ-PRA-MF;
}
}
}
}
rule DMZ-PRA-MF-6331 {
match {
destination-address XXX.XXX.XXX.XXX/XXX;
destination-port 6331;
}
then {
destination-nat {
pool {
DMZ-PRA-MF;
}
}
}
}
rule DMZ-PRA-MF-6537 {
match {
destination-address XXX.XXX.XXX.XXX/XXX;
destination-port 6537;
}
then {
destination-nat {
pool {
DMZ-PRA-MF;
}
}
}
}
rule DMZ-PRA-MF-5822 {
match {
destination-address XXX.XXX.XXX.XXX/XXX;
destination-port 5822;
}
then {
destination-nat {
pool {
DMZ-PRA-MF;
}
}
}
}
rule DMZ-PRA-MF-4822 {
match {
destination-address XXX.XXX.XXX.XXX/XXX;
destination-port 4822;
}
then {
destination-nat {
pool {
DMZ-PRA-MF;
}
}
}
}
rule DMZ-PRA-MF-990 {
match {
destination-address XXX.XXX.XXX.XXX/XXX;
destination-port 990;
}
then {
destination-nat {
pool {
DMZ-PRA-MF;
}
}
}
}
rule DMZ-PRA-MF-22 {
match {
destination-address XXX.XXX.XXX.XXX/XXX;
destination-port 22;
}
then {
destination-nat {
pool {
DMZ-PRA-MF;
}
}
}
}
}
I've also enabled traceoptions for this issue with the basic-datapath flag. I tried pinging the Google DNS server (8.8.8.8) from a machine with the IP 192.168.5.52, and here are the results:
Oct 16 10:33:25 10:33:25.555056:CID-1:RT:<192.168.5.52/2525->8.8.8.8/1;1> matched filter MatchPRA:
Oct 16 10:33:25 10:33:25.555094:CID-1:RT:packet [60] ipid = 11491, @0x422bff24
Oct 16 10:33:25 10:33:25.555094:CID-1:RT:---- flow_process_pkt: (thd 3): flow_ctxt type 15, common flag 0x0, mbuf 0x422bfd00, rtbl_idx = 5
Oct 16 10:33:25 10:33:25.555132:CID-1:RT: flow process pak fast ifl 78 in_ifp reth0.300
Oct 16 10:33:25 10:33:25.555132:CID-1:RT: reth0.300:192.168.5.52->8.8.8.8, icmp, (8/0)
Oct 16 10:33:25 10:33:25.555158:CID-1:RT: find flow: table 0x491f8d40, hash 45441(0xffff), sa 192.168.5.52, da 8.8.8.8, sp 2525, dp 1, proto 1, tok 20499
Oct 16 10:33:25 10:33:25.555158:CID-1:RT: no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0
Oct 16 10:33:25 10:33:25.555158:CID-1:RT:search gate for PRA-MF:192.168.5.52/2525->8.8.8.8/1,1
Oct 16 10:33:25 10:33:25.555158:CID-1:RT:gate_search_specific_bucket: no gate found
Oct 16 10:33:25 10:33:25.555158:CID-1:RT:search widecast gate for PRA-MF:192.168.5.52/2525->8.8.8.8/1,1
Oct 16 10:33:25 10:33:25.555158:CID-1:RT:gate_search_widecast_bucket: no gate found
Oct 16 10:33:25 10:33:25.555158:CID-1:RT: flow_first_create_session
Oct 16 10:33:25 10:33:25.555158:CID-1:RT:First path alloc and instl pending session, natp=0x4cd13980, id=47766
Oct 16 10:33:25 10:33:25.555158:CID-1:RT: flow_first_in_dst_nat: in <reth0.300>, out <N/A> dst_adr 8.8.8.8, sp 2525, dp 1
Oct 16 10:33:25 10:33:25.555158:CID-1:RT: chose interface reth0.300 as incoming nat if.
Oct 16 10:33:25 10:33:25.555360:CID-1:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 8.8.8.8(1)
Oct 16 10:33:25 10:33:25.555360:CID-1:RT:flow_first_routing: vr_id 5, call flow_route_lookup(): src_ip 192.168.5.52, x_dst_ip 8.8.8.8, in ifp reth0.300, out ifp N/A sp 2525, dp 1, ip_proto 1, tos 0
Oct 16 10:33:25 10:33:25.555405:CID-1:RT:doing DESTINATION addr route-lookup
Oct 16 10:33:25 10:33:25.555422:CID-1:RT:Route-lookup for 8.8.8.8 yielded reject NH
Oct 16 10:33:25 10:33:25.555422:CID-1:RT: packet dropped, no route to dest
Oct 16 10:33:25 10:33:25.555422:CID-1:RT:flow_first_routing: DEST route-lookup failed, dropping pkt and not creating session nh: 4294967295
Oct 16 10:33:25 10:33:25.555422:CID-1:RT: packet dropped, ROUTE_REJECT_GEN_ICMP.
Oct 16 10:33:25 10:33:25.555465:CID-1:RT:flow send icmp: pak->natp=0x4cd13980, pak->nsp=0x4cd13980
Oct 16 10:33:25 10:33:25.555465:CID-1:RT:Embedded ICMP outer iphdr before xlate: c0a805fe/768 -> c0a80534/42915
Oct 16 10:33:25 10:33:25.555465:CID-1:RT:Embedded ICMP inner iphdr before xlate: c0a80534/2048 -> 08080808/17278
Oct 16 10:33:25 10:33:25.555558:CID-1:RT:flow_handle_icmp_xlate
Oct 16 10:33:25 10:33:25.555558:CID-1:RT:xlate_icmp_pak
Oct 16 10:33:25 10:33:25.555558:CID-1:RT:xlate_icmp_pak handle icmp4 embeded ip
Oct 16 10:33:25 10:33:25.555558:CID-1:RT:Embedded ICMP outer iphdr after xlate: c0a805fe/768 -> c0a80534/42915
Oct 16 10:33:25 10:33:25.555558:CID-1:RT:Embedded ICMP inner iphdr after xlate: c0a80534/2048 -> 08080808/17278
Oct 16 10:33:25 10:33:25.555558:CID-1:RT:sending icmp:3, code: 0
Oct 16 10:33:25 10:33:25.555558:CID-1:RT:flow_send_return_pak: lpak 0x48ae9eb0, npak 0x48df912c, npak->in_if N/A, outifp reth0.300.
Oct 16 10:33:25 10:33:25.555664:CID-1:RT:**** jump to packet:192.168.5.254->192.168.5.52
Oct 16 10:33:25 10:33:25.555685:CID-1:RT:skip pre-frag: is_tunnel_if- 0, is_if_mtu_configured- 0
Oct 16 10:33:25 10:33:25.555685:CID-1:RT: encap vector
Oct 16 10:33:25 10:33:25.555685:CID-1:RT: no more encapping needed
Oct 16 10:33:25 10:33:25.555685:CID-1:RT: **** pak processing end.
Oct 16 10:33:25 10:33:25.555685:CID-1:RT:flow_send_return_pak: outifp reth0.300, iif 0, vr_id 5.
Oct 16 10:33:25 10:33:25.555685:CID-1:RT:flow_send_return_pak : Using iif 0
Oct 16 10:33:25 10:33:25.555685:CID-1:RT:flow_send_return_pak() 0x43036280 : mbuf injected, return code 0
Oct 16 10:33:25 10:33:25.555685:CID-1:RT:flow_first_routing: Sending icmp/tcp-rst for route-lookup failure
Oct 16 10:33:25 10:33:25.555685:CID-1:RT:flow_initiate_first_path: first pak no session
Oct 16 10:33:25 10:33:25.555764:CID-1:RT: flow find session returns error.
Oct 16 10:33:25 10:33:25.555764:CID-1:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)
Thanks in advance to anyone who might try to help.