[ScreenOS] ESP pass through via Juniper firewall with Policy-based NAT with DIP does not work

Article ID: KB13422   KB Last Updated: 30 Jul 2010   Version: 5.0
Summary:
ESP pass-through via a Juniper firewall with policy-based NAT-src using a DIP pool does not work.
Symptoms:
ESP pass-through traffic going through a Juniper firewall with policy-based NAT-src using a DIP pool is not forwarded.

The 'debug flow basic' output for the ESP packet ends with "No port translation permitted for traffic with protocol 50." Note that for protocol 50 the two port fields on the flow line (61564/3878) are the high and low 16 bits of the ESP SPI, 0xf07c0f26, which is the value used in the passthrough tunnel session lookup:
ipid = 48551(bda7), @04d9c11c
packet passed sanity check.
ethernet1/2.116:10.2.2.150/61564->20.20.20.3/3878,50<VSYS-2>
lookup tunnel sess with port 0x00000000
lookup passthrough tunnel sess on ethernet1/2.116 with port 0xf07c0f26
no session found
flow_first_sanity_check: in <ethernet1/2.116>, out <N/A>
chose interface ethernet1/2.116 as incoming nat if.
IP classification from non-shared src if : vsys VSYS-2
flow_first_routing: in <ethernet1/2.116>, out <N/A>
search route to (ethernet1/2.116, 10.2.2.150->20.20.20.3) in vr VSYS-2-vr for vsd-0/flag-0/ifp-null
[ Dest] 4.route 20.20.20.3->207.179.178.6, to ethernet1/1
routed (x_dst_ip 20.20.20.3) from ethernet1/2.116 (ethernet1/2.116 in 0) to ethernet1/1
Cross vsys set nat crt vsys:VSYS-2, pak vsys:VSYS-2, vsys:Root, result:0
policy search from zone 25-> zone 1
policy_flow_search policy search nat_crt from zone 25-> zone 1
RPC Mapping Table search returned 0 matched service(s) for (vsys VSYS-2, ip 20.20.20.3, port 3878, proto 50)
No SW RPC rule match, search HW rule
rs_search_ip: policy matched id/idx/action = 7/7/0x9
Permitted by policy 7
No port translation permitted for traffic with protocol 50.
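As an added example (not part of the KB article), a small Python parser for a 'debug flow basic' excerpt like the one above: it pulls out the flow 5-tuple, reassembles the ESP SPI from the two port fields of a protocol-50 flow line, cross-checks it against the passthrough tunnel session lookup, and flags the "No port translation permitted" verdict. The trace embedded in the block is an abridged copy of the article's excerpt; the function and field names are my own.

```python
import re
from typing import Any, Dict

# Abridged copy of the article's 'debug flow basic' excerpt, embedded as sample input.
SAMPLE_TRACE = """\
ipid = 48551(bda7), @04d9c11c
packet passed sanity check.
ethernet1/2.116:10.2.2.150/61564->20.20.20.3/3878,50<VSYS-2>
lookup tunnel sess with port 0x00000000
lookup passthrough tunnel sess on ethernet1/2.116 with port 0xf07c0f26
no session found
rs_search_ip: policy matched id/idx/action = 7/7/0x9
Permitted by policy 7
No port translation permitted for traffic with protocol 50.
"""

ESP, AH = 50, 51

# Flow line: <ingress-if>:<src>/<sport>-><dst>/<dport>,<proto>[<vsys>]
FLOW_RE = re.compile(
    r"^(?P<ifc>[^:\s]+):(?P<src>\d{1,3}(?:\.\d{1,3}){3})/(?P<sport>\d+)"
    r"->(?P<dst>\d{1,3}(?:\.\d{1,3}){3})/(?P<dport>\d+),(?P<proto>\d+)"
    r"(?:<(?P<vsys>[^>]+)>)?\s*$"
)
PASSTHRU_RE = re.compile(r"^lookup passthrough tunnel sess on \S+ with port 0x([0-9a-fA-F]+)")
POLICY_RE = re.compile(r"^Permitted by policy (\d+)")
NOPAT_RE = re.compile(r"^No port translation permitted for traffic with protocol (\d+)")


def diagnose(r: Dict[str, Any]) -> str:
    """One-line triage verdict from the parsed fields."""
    if r.get("proto") == ESP and r["nopat_proto"] == ESP:
        return (f"ESP (SPI 0x{r['spi']:08x}) permitted by policy {r['policy_id']} but dropped: "
                "the policy's NAT-src uses a DIP pool and ScreenOS 6.2 and earlier cannot "
                "port-translate protocol 50. Use interface-based NAT, policy-based NAT-src "
                "without DIP, or ScreenOS 6.3 or later.")
    if r.get("proto") == ESP:
        return "ESP flow; no port-translation refusal seen in this trace."
    return "Not an ESP flow."


def parse_flow_trace(text: str) -> Dict[str, Any]:
    """Summarise one packet's 'debug flow basic' trace into a dict."""
    r: Dict[str, Any] = {"spi": None, "passthrough_lookup": None,
                         "policy_id": None, "nopat_proto": None}
    for line in text.splitlines():
        line = line.strip()
        m = FLOW_RE.match(line)
        if m and "src" not in r:
            r.update(ifc=m["ifc"], src=m["src"], dst=m["dst"], vsys=m["vsys"],
                     sport=int(m["sport"]), dport=int(m["dport"]), proto=int(m["proto"]))
            if r["proto"] in (ESP, AH):
                # For ESP/AH the two "port" fields are the high and low 16 bits of the SPI.
                r["spi"] = (r["sport"] << 16) | r["dport"]
            continue
        m = PASSTHRU_RE.match(line)
        if m:
            r["passthrough_lookup"] = int(m.group(1), 16)
            continue
        m = POLICY_RE.match(line)
        if m:
            r["policy_id"] = int(m.group(1))
            continue
        m = NOPAT_RE.match(line)
        if m:
            r["nopat_proto"] = int(m.group(1))
    r["diagnosis"] = diagnose(r)
    return r


if __name__ == "__main__":
    for k, v in parse_flow_trace(SAMPLE_TRACE).items():
        print(f"{k:>20}: {v}")
```

Feed it the whole trace of one packet (the lines between two 'ipid =' markers); the SPI reassembled from the flow line should equal the passthrough lookup value, which is a quick way to confirm the trace you are reading belongs to the ESP flow you are chasing.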

Solution:

ScreenOS 6.2 and earlier support ESP pass-through under the following NAT conditions:

  1. Interface-based NAT  (configuration explained in KB11323)
  2. Policy-based NAT-src without DIP  (configuration explained in KB14061)

ESP pass-through fails with policy-based NAT-src with DIP. This is by design in ScreenOS 6.2 and earlier: a DIP pool with port translation has nothing to translate for protocol 50, because ESP carries no port fields, so the firewall drops the packet with the "No port translation permitted" message shown above. ScreenOS 6.3 and later add support for policy-based NAT-src with DIP.

NOTE: Policy-based NAT-src with a DIP pool and fix-port is also not supported, because the pool address is allocated per session rather than per host: the IKE session (UDP 500) and the ESP session can be translated to different pool addresses, and the remote gateway then sees ESP arriving from an address other than the one that negotiated the SA.
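To make the "by design" failure concrete, here is an added Python model (not ScreenOS code and not from the article) of the four source-NAT cases the article names, with a toy remote gateway that accepts ESP only from the address that carried the IKE negotiation. The inside host, remote gateway and SPI are taken from the trace; the egress interface address, the two-address DIP pool and the round-robin pool allocation are assumptions made for the example. Real pool selection differs, but it is per session, which is the property the model needs.

```python
from dataclasses import dataclass
from itertools import cycle
from typing import Dict, Optional, Tuple

# Endpoints from the article's trace; the NAT addresses are assumed (RFC 5737 ranges).
INSIDE_HOST = "10.2.2.150"                    # IPsec initiator behind the firewall
REMOTE_GW = "20.20.20.3"                      # IPsec responder on the far side
EGRESS_IP = "203.0.113.1"                     # assumed address of egress interface ethernet1/1
DIP_POOL = ["198.51.100.10", "198.51.100.11"] # assumed two-address DIP pool
UDP, ESP = 17, 50
MODES = ("interface", "policy-no-dip", "dip", "dip-fix-port")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0   # TCP/UDP only
    dport: int = 0
    spi: int = 0     # ESP only; ESP has no port fields


class NatError(Exception):
    """Raised where ScreenOS 6.2 logs 'No port translation permitted ...'."""


class ScreenOS62SourceNat:
    """Simplified model of the NAT-src behaviour the KB describes; not ScreenOS code."""

    def __init__(self, mode: str):
        if mode not in MODES:
            raise ValueError(mode)
        self.mode = mode
        self._pool = cycle(DIP_POOL)   # assumption: pool address chosen per new session
        self._next_port = 1024
        self.sessions: Dict[tuple, Tuple[str, int]] = {}

    @staticmethod
    def _key(p: Packet) -> tuple:
        # ESP sessions are keyed by SPI, as the trace's passthrough tunnel
        # session lookup does with 'port 0xf07c0f26'.
        if p.proto == ESP:
            return (p.src, p.dst, ESP, p.spi)
        return (p.src, p.dst, p.proto, p.sport, p.dport)

    def _alloc_port(self) -> int:
        self._next_port += 1
        return self._next_port

    def _new_session(self, p: Packet) -> Tuple[str, int]:
        if self.mode in ("interface", "policy-no-dip"):
            # Every session shares the egress address; ports translated only where they exist.
            return EGRESS_IP, (0 if p.proto == ESP else self._alloc_port())
        addr = next(self._pool)
        if self.mode == "dip":
            if p.proto == ESP:
                raise NatError("No port translation permitted for traffic with protocol 50.")
            return addr, self._alloc_port()
        return addr, p.sport   # dip-fix-port: port kept, address still chosen per session

    def translate(self, p: Packet) -> Packet:
        key = self._key(p)
        if key not in self.sessions:
            self.sessions[key] = self._new_session(p)
        nsrc, nsport = self.sessions[key]
        return Packet(nsrc, p.dst, p.proto, nsport, p.dport, p.spi)


class RemoteGateway:
    """Toy responder: binds the SA to the IKE peer address and rejects ESP from any other."""

    def __init__(self) -> None:
        self.ike_peer: Optional[str] = None

    def receive_ike(self, p: Packet) -> None:
        self.ike_peer = p.src

    def accepts_esp(self, p: Packet) -> bool:
        return p.src == self.ike_peer


def run_scenario(mode: str) -> Dict[str, object]:
    """IKE then ESP from the inside host through one NAT mode; report what the gateway sees."""
    nat, gw = ScreenOS62SourceNat(mode), RemoteGateway()
    ike = Packet(INSIDE_HOST, REMOTE_GW, UDP, sport=500, dport=500)
    esp = Packet(INSIDE_HOST, REMOTE_GW, ESP, spi=0xF07C0F26)   # SPI from the trace
    ike_out = nat.translate(ike)
    gw.receive_ike(ike_out)
    try:
        esp_out = nat.translate(esp)
    except NatError as e:
        return {"mode": mode, "ike_src": ike_out.src, "esp_src": None,
                "accepted": False, "error": str(e)}
    return {"mode": mode, "ike_src": ike_out.src, "esp_src": esp_out.src,
            "accepted": gw.accepts_esp(esp_out), "error": None}


if __name__ == "__main__":
    for m in MODES:
        print(run_scenario(m))
```

The two supported modes succeed because every session, ESP included, leaves with the single egress address. The "dip" mode reproduces the drop from the trace, and "dip-fix-port" shows the second failure the note describes: the ESP packet is forwarded, but from a different pool address than the IKE exchange, so the responder discards it.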
