
Issue trying to make some zones communicate with Internet


Hello all,

 

I am currently trying to have two of my zones communicate with the Internet (untrust zone) without success. I have other zones that work fine. Machines can also communicate from one zone to another without issues.

 

Unfortunately I've inherited the current configuration with little explanation, and I'm no network expert to start with, so I'm a bit at a loss currently. I did try to troubleshoot, but there are many things I don't really understand.

 

My zones use the 192.168.5.X and 192.168.6.X prefixes. The zones are called PRA-MF and DMZ-PRA-MF. Here is the current configuration (all information unrelated to my issue has been removed, as well as the public IP addresses):

 

#show interfaces

reth0 {
    description "VLANS PRODUCTION";
    vlan-tagging;
    redundant-ether-options {
        redundancy-group 1;
    }
    unit 300 {
        description "VLAN PRA-MF";
        vlan-id 300;
        family inet {
            address 192.168.5.254/24;
        }
    }
    unit 301 {
        description "VLAN DMZ-PRA-MF";
        vlan-id 301;
        family inet {
            address 192.168.6.254/24;
        }
    }
}

reth2 {
    redundant-ether-options {
        redundancy-group 1;
    }
    unit 0 {
        family inet {
            filter {
                input mf-pra;
            }
            address XXX.XXX.XXX.XXX {
                preferred;
            }
        }
    }
}

 

#show security zones security zone PRA-MF

host-inbound-traffic {
    system-services {
        ping;
        telnet;
    }
}
interfaces {
    reth0.300 {
        host-inbound-traffic {
            system-services {
                ping;
                telnet;
            }
        }
    }
}

 

#show security zones security zones DMZ-PRA-MF

address-book {
    address 192.168.6.50 192.168.6.50/32;
    address-set set1 {
        address 192.168.6.50;
    }
}
host-inbound-traffic {
    system-services {
        ping;
        telnet;
    }
}
interfaces {
    reth0.301 {
        host-inbound-traffic {
            system-services {
                ping;
                telnet;
            }
        }
    }
}

#show security zones security zone untrust

host-inbound-traffic {
    system-services {
        ike;
        http;
        https;
        ping;
        ssh;
    }
}
interfaces {
    reth2.0 {
        host-inbound-traffic {
            system-services {
                ike;
                ssh;
                https;
                ping;
                http;
            }
        }
    }
}

 

#show security policies

 

from-zone PRA-MF to-zone DMZ-PRA-MF {
    policy flux_DMZ-PRA-MF {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
from-zone DMZ-PRA-MF to-zone PRA-MF {
    policy flux_PRA-MF {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
from-zone PRA-MF to-zone untrust {
    policy flux_untrust {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
from-zone untrust to-zone PRA-MF {
    policy flux_untrust {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
from-zone DMZ-PRA-MF to-zone untrust {
    policy flux_untrust {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
from-zone untrust to-zone DMZ-PRA-MF {
    policy flux_untrust {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}

 

#show firewall filter mf-pra

 show firewall filter matignon-pra
term 1 {
    from {
        destination-address {
            XXX.XXX.XXX.XXX/XXX;
        }
        destination-port [ 6330 1763 6331 22 5822 6537 990 4822 ];
    }
    then {
        routing-instance PRA-MF;
    }
}
term 2 {
    then accept;
}

 

#show routing-options
static {
    route 192.168.6.50/32 next-table PRA-MF.inet.0;
    route 192.168.5.50/32 next-table PRA-MF.inet.0;
    route 192.168.5.51/32 next-table PRA-MF.inet.0;
    route 192.168.5.52/32 next-table PRA-MF.inet.0;
    route 192.168.5.53/32 next-table PRA-MF.inet.0;
    route 192.168.5.54/32 next-table PRA-MF.inet.0;
    route 192.168.5.55/32 next-table PRA-MF.inet.0;
    route 0.0.0.0/0 next-hop XXX.XXX.XXX.XXX;
}
instance-import route-import-XXX-XXX-XXX;

 

#show routing-instances
PRA-MF {
    description "PRA MATIGNON FINANCES";
    instance-type virtual-router;
    interface reth0.300;
    interface reth0.301;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop XXX.XXX.XXX.XXX/XXX;
        }
        instance-import TO-PRA;
    }
}

 

#show policy-options policy-statement TO-PRA
term 1 {
    from {
        instance master;
        protocol direct;
        route-filter YYY.YYY.YYY.YYY/YYY exact; ##this is an old public IP address no longer in use
    }
    then accept;
}
term 2 {
    then reject;
}

 

#show security nat source

rule-set trust-to-untrust3 {
    from zone [ DMZ-PRA-MF PRA-MF ];
    to zone untrust;
    rule source-nat-rule3 {
        match {
            source-address 0.0.0.0/0;
            destination-address 0.0.0.0/0;
        }
        then {
            source-nat {
                interface;
            }
        }
    }
}
rule-set PRA-MF-to-reth2 {
    from routing-instance PRA-MF;
    to interface reth2.0;
    rule source-nat-PRA {
        match {
            source-address 0.0.0.0/0;
            destination-address 0.0.0.0/0;
        }
        then {
            source-nat {
                interface;
            }
        }
    }
}

 

#show security nat destination

pool DMZ-PRA-MF {
    address 192.168.6.50/32;
}

 

rule-set untrust {

 

 rule DMZ-PRA-MF-1763 {
        match {
            destination-address XXX.XXX.XXX.XXX/XXX;
            destination-port 1763;
        }
        then {
            destination-nat {
                pool {
                    DMZ-PRA-MF;
                }
            }
        }
    }
    rule DMZ-PRA-MF-6331 {
        match {
            destination-address XXX.XXX.XXX.XXX/XXX;
            destination-port 6331;
        }
        then {
            destination-nat {
                pool {
                    DMZ-PRA-MF;
                }
            }
        }
    }

rule DMZ-PRA-MF-6537 {
        match {
            destination-address XXX.XXX.XXX.XXX/XXX;
            destination-port 6537;
        }
        then {
            destination-nat {
                pool {
                    DMZ-PRA-MF;
                }
            }
        }
    }
    rule DMZ-PRA-MF-5822 {
        match {
            destination-address XXX.XXX.XXX.XXX/XXX;
            destination-port 5822;
        }
        then {
            destination-nat {
                pool {
                    DMZ-PRA-MF;
                }
            }
        }
    }
    rule DMZ-PRA-MF-4822 {
        match {
            destination-address XXX.XXX.XXX.XXX/XXX;
            destination-port 4822;
        }
        then {
            destination-nat {
                pool {
                    DMZ-PRA-MF;
                }
            }
        }
    }
    rule DMZ-PRA-MF-990 {
        match {
            destination-address XXX.XXX.XXX.XXX/XXX;
            destination-port 990;
        }
        then {
            destination-nat {
                pool {
                    DMZ-PRA-MF;
                }
            }
        }
    }
    rule DMZ-PRA-MF-22 {
        match {
            destination-address XXX.XXX.XXX.XXX/XXX;
            destination-port 22;
        }
        then {
            destination-nat {
                pool {
                    DMZ-PRA-MF;
                }
            }
        }
    }

}

 

I've also enabled traceoptions for the issue with the basic-datapath flag. I tried pinging the Google DNS server (8.8.8.8) from a machine with the IP 192.168.5.52, and here are the results:

 

Oct 16 10:33:25 10:33:25.555056:CID-1:RT:<192.168.5.52/2525->8.8.8.8/1;1> matched filter MatchPRA:

Oct 16 10:33:25 10:33:25.555094:CID-1:RT:Packet [60] ipid = 11491, @0x422bff24

Oct 16 10:33:25 10:33:25.555094:CID-1:RT:---- flow_process_pkt: (thd 3): flow_ctxt type 15, common flag 0x0, mbuf 0x422bfd00, rtbl_idx = 5

Oct 16 10:33:25 10:33:25.555132:CID-1:RT: flow process pak fast ifl 78 in_ifp reth0.300

Oct 16 10:33:25 10:33:25.555132:CID-1:RT:  reth0.300:192.168.5.52->8.8.8.8, icmp, (8/0)

Oct 16 10:33:25 10:33:25.555158:CID-1:RT: find flow: table 0x491f8d40, hash 45441(0xffff), sa 192.168.5.52, da 8.8.8.8, sp 2525, dp 1, proto 1, tok 20499

Oct 16 10:33:25 10:33:25.555158:CID-1:RT:  no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0

Oct 16 10:33:25 10:33:25.555158:CID-1:RT:search gate for PRA-MF:192.168.5.52/2525->8.8.8.8/1,1

Oct 16 10:33:25 10:33:25.555158:CID-1:RT:gate_search_specific_bucket: no gate found

Oct 16 10:33:25 10:33:25.555158:CID-1:RT:search widecast gate for PRA-MF:192.168.5.52/2525->8.8.8.8/1,1

Oct 16 10:33:25 10:33:25.555158:CID-1:RT:gate_search_widecast_bucket: no gate found

Oct 16 10:33:25 10:33:25.555158:CID-1:RT:  flow_first_create_session

Oct 16 10:33:25 10:33:25.555158:CID-1:RT:First path alloc and instl pending session, natp=0x4cd13980, id=47766

Oct 16 10:33:25 10:33:25.555158:CID-1:RT:  flow_first_in_dst_nat: in <reth0.300>, out <N/A> dst_adr 8.8.8.8, sp 2525, dp 1

Oct 16 10:33:25 10:33:25.555158:CID-1:RT:  chose interface reth0.300 as incoming nat if.

Oct 16 10:33:25 10:33:25.555360:CID-1:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 8.8.8.8(1)

Oct 16 10:33:25 10:33:25.555360:CID-1:RT:flow_first_routing: vr_id 5, call flow_route_lookup(): src_ip 192.168.5.52, x_dst_ip 8.8.8.8, in ifp reth0.300, out ifp N/A sp 2525, dp 1, ip_proto 1, tos 0

Oct 16 10:33:25 10:33:25.555405:CID-1:RT:Doing DESTINATION addr route-lookup

Oct 16 10:33:25 10:33:25.555422:CID-1:RT:Route-lookup for 8.8.8.8 yielded reject NH

Oct 16 10:33:25 10:33:25.555422:CID-1:RT:  packet dropped, no route to dest

Oct 16 10:33:25 10:33:25.555422:CID-1:RT:flow_first_routing: DEST route-lookup failed, dropping pkt and not creating session nh: 4294967295

Oct 16 10:33:25 10:33:25.555422:CID-1:RT:  packet dropped, ROUTE_REJECT_GEN_ICMP.

Oct 16 10:33:25 10:33:25.555465:CID-1:RT:flow send icmp: pak->natp=0x4cd13980, pak->nsp=0x4cd13980

Oct 16 10:33:25 10:33:25.555465:CID-1:RT:Embedded ICMP outer iphdr before xlate: c0a805fe/768 -> c0a80534/42915

Oct 16 10:33:25 10:33:25.555465:CID-1:RT:Embedded ICMP inner iphdr before xlate: c0a80534/2048 -> 08080808/17278

Oct 16 10:33:25 10:33:25.555558:CID-1:RT:flow_handle_icmp_xlate

Oct 16 10:33:25 10:33:25.555558:CID-1:RT:xlate_icmp_pak

Oct 16 10:33:25 10:33:25.555558:CID-1:RT:xlate_icmp_pak handle icmp4 embeded ip

Oct 16 10:33:25 10:33:25.555558:CID-1:RT:Embedded ICMP outer iphdr after xlate: c0a805fe/768 -> c0a80534/42915

Oct 16 10:33:25 10:33:25.555558:CID-1:RT:Embedded ICMP inner iphdr after xlate: c0a80534/2048 -> 08080808/17278

Oct 16 10:33:25 10:33:25.555558:CID-1:RT:Sending icmp:3, code: 0

Oct 16 10:33:25 10:33:25.555558:CID-1:RT:flow_send_return_pak: lpak 0x48ae9eb0, npak 0x48df912c, npak->in_if N/A, outifp reth0.300.

Oct 16 10:33:25 10:33:25.555664:CID-1:RT:**** jump to packet:192.168.5.254->192.168.5.52

Oct 16 10:33:25 10:33:25.555685:CID-1:RT:skip pre-frag: is_tunnel_if- 0, is_if_mtu_configured- 0

Oct 16 10:33:25 10:33:25.555685:CID-1:RT:  encap vector

Oct 16 10:33:25 10:33:25.555685:CID-1:RT:  no more encapping needed

Oct 16 10:33:25 10:33:25.555685:CID-1:RT:  **** pak processing end.

Oct 16 10:33:25 10:33:25.555685:CID-1:RT:flow_send_return_pak: outifp reth0.300, iif 0, vr_id 5.

Oct 16 10:33:25 10:33:25.555685:CID-1:RT:flow_send_return_pak : Using iif 0

Oct 16 10:33:25 10:33:25.555685:CID-1:RT:flow_send_return_pak() 0x43036280 :  mbuf injected, return code 0

Oct 16 10:33:25 10:33:25.555685:CID-1:RT:flow_first_routing: Sending icmp/tcp-rst for route-lookup failure

Oct 16 10:33:25 10:33:25.555685:CID-1:RT:flow_initiate_first_path: first pak no session

Oct 16 10:33:25 10:33:25.555764:CID-1:RT:  flow find session returns error.

Oct 16 10:33:25 10:33:25.555764:CID-1:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)

 

Thanks in advance to anyone who might try to help.

