
Cannot access server on DMZ from Trust zone when there is a MIP for these servers on the Untrust interface


Article ID: KB12061 | KB Last Updated: 23 Jun 2010 | Version: 2.0
Summary:
Cannot access server on DMZ from Trust zone using the server's MIP address, when the MIP for these servers is defined on the Untrust interface
Symptoms:
Topology:

Inside user (192.168.1.90)----(eth1/1-Trust) FW (eth2/1-Untrust)----10.104.4.49 (MIP)----Outside users
                                           (DMZ)
                                             |
                                   Server (10.10.10.1)   

  • Both inside users and outside users need access to the server behind the DMZ
  • There is a MIP for this server 10.10.10.1 configured on the Untrust interface with Public IP 10.104.4.49
  • Outside users can access the server fine, but internal users cannot access the server. Debug shows denied by policy.
Solution:
A policy needs to be added from the Global to Global zone (see step 6 below). 

The packet flow is as follows:
  1. Packet from 192.168.1.90 -> 10.104.4.49 comes in on eth1/1 (Trust zone) and is routed to eth2/1 (Untrust zone)
  2. There is a route lookup for 10.104.4.49 and the packet is forwarded to eth2/1 (Untrust)
  3. A policy lookup from Trust to Untrust occurs and the packet is permitted by policy
  4. At eth2/1 (Untrust zone), there is a MIP translation from 10.104.4.49 to 10.10.10.1
  5. There is a route lookup for 10.10.10.1 and the packet is forwarded to the DMZ interface (DMZ zone)
  6. There is a policy lookup for 192.168.1.90 -> 10.104.4.49 from Global to Global
This policy needs to be added in the Global zone. It must live in the Global zone because the MIP is not configured in any particular zone; it is a global entry.

Again, please note step 6. This policy may be missing and needs to be added. In the flow, it looks like the FW is searching for a policy from Untrust to DMZ for 192.168.1.90 -> 10.10.10.1, but that is not the case. It is looking for a policy in the Global zone with destination 10.104.4.49.
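The ScreenOS CLI configuration for this topology, written here as an added example rather than taken from the article: it binds the interfaces, defines the MIP on the Untrust interface, and adds the Untrust-to-DMZ, Trust-to-Untrust and Global-to-Global policies from the flow above. The interface names ethernet1/1 and ethernet2/1 (the diagram's eth1/1 and eth2/1), the DMZ interface ethernet3/1 and all interface addresses are assumptions.

```screenos
set interface ethernet1/1 zone trust
set interface ethernet1/1 ip 192.168.1.1/24
set interface ethernet2/1 zone untrust
set interface ethernet2/1 ip 10.104.4.1/24
set interface ethernet3/1 zone dmz
set interface ethernet3/1 ip 10.10.10.254/24
set interface ethernet2/1 mip 10.104.4.49 host 10.10.10.1 netmask 255.255.255.255 vr trust-vr
set policy from untrust to dmz any mip(10.104.4.49) any permit
set policy from trust to untrust any mip(10.104.4.49) any permit
set policy from global to global any mip(10.104.4.49) any permit
save
```

The last `set policy` line is the one step 6 requires; `get policy` should list it, and a repeat `debug flow basic` trace for 192.168.1.90 -> 10.104.4.49 should no longer end in a policy deny. Narrow `any` to the specific source addresses and services the server actually needs once the flow is confirmed working.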