
[ScreenOS] Address translation of packets arriving on the same TCP and UDP port

[KB21114]


Summary:

This article describes the issue of address translation for packets that arrive on the same TCP and UDP port.

Symptoms:

Scenario:

When an application accepts TCP and UDP packets on the same port, both kinds of packets hit the firewall with the same port number, and the destination address of the packets is supposed to be translated.

Sample network diagram:

(172.27.201.1)----.35(e0/0)-(FW)-(e0/1)10.10.10.10-----.20 (server accepting TCP and UDP packets on the same port)

Configuring a VIP for such a scenario does not work, because:

  • Two different VIPs for the same port number cannot be created on the same interface; the second one overwrites the previous one.

  • Creating a VIP that maps a virtual port (5500 in this case) to a custom service defined on either TCP port 5500 or UDP port 5500 results in the UDP or TCP packets, respectively, being dropped.

  • Creating a VIP that maps a virtual port (5500 in this case) to a custom service that has both TCP port 5500 and UDP port 5500 results in the packets for the protocol listed lower in the service being dropped.


Cause:

Solution:

You can use either of the following configurations to resolve the issue:

Solution 1:

You can use a MIP (mapped IP) for such a scenario, in conjunction with a policy that permits a specific service, to get a VIP-like effect.


  1. Create a MIP on the interface that the packets arrive on (in this case, e0/0).

    1. On the WebUI, go to Network > Interfaces > Edit > MIP > Configuration.

  2. Create a custom service with the same TCP and UDP port.

    1. On the WebUI, go to Policy > Policy Elements > Services > Custom.

    2. Alternatively, on the CLI, run the following commands:

      set service CustomService protocol TCP src-port 0-65535 dst-port 5500-5500

      set service CustomService + UDP src-port 0-65535 dst-port 5500-5500

  3. Create policies that permit only CustomService for the mapped IP.

    1. On the WebUI, go to Policy > Policies (from Untrust to Untrust).

    2. Alternatively, on the CLI, run the following command:

      set policy from untrust to untrust any mip(172.27.201.35) CustomService permit

Solution 2:


  1. On the CLI, enable multi-port VIPs and then reset the device:

    set vip multi-port

    reset

  2. Create a custom service with the same TCP and UDP port.

    1. On the WebUI, go to Policy > Policy Elements > Services > Custom.

    2. Alternatively, on the CLI, run the following commands:

      set service CustomService protocol TCP src-port 0-65535 dst-port 5500-5500

      set service CustomService + UDP src-port 0-65535 dst-port 5500-5500

  3. Create a VIP on the untrust interface.

    1. On the WebUI, go to Network > Interface > Edit > VIP/VIP Services.

    2. Alternatively, on the CLI, run the following command:

      set interface eth0/0 vip untrust-ip 5500 CustomService 10.10.10.20

  4. Create a policy to permit the VIP.

    1. On the WebUI, go to Policy > Policies (from Untrust to Untrust).

    2. Alternatively, on the CLI, run the following command:

      set policy from untrust to untrust any VIP(172.27.201.35) CustomService permit
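After applying either solution, the check a practitioner wants is that both protocols are actually translated to the server. The following added script (not part of this KB article) sends one TCP and one UDP request to an address and port and reports which protocol got a reply; pointed at the translated address (172.27.201.35, port 5500), a result of one True and one False reproduces the single-protocol drop described above. The local echo listener is a constructed stand-in for the server at 10.10.10.20, so the script can be exercised offline.

```python
import socket
import threading

PORT = 5500      # port the application accepts on both TCP and UDP
TIMEOUT = 2.0    # seconds to wait for each reply


def probe(host, port=PORT, payload=b"probe", timeout=TIMEOUT):
    """Send one TCP and one UDP request to host:port; report which replied."""
    results = {}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(payload)
            results["tcp"] = s.recv(64) == payload
    except OSError:                      # refused, filtered or timed out
        results["tcp"] = False
    u = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    u.settimeout(timeout)
    try:
        u.sendto(payload, (host, port))
        data, _ = u.recvfrom(64)
        results["udp"] = data == payload
    except OSError:                      # ICMP unreachable or no answer in time
        results["udp"] = False
    finally:
        u.close()
    return results


def start_echo_server(host="127.0.0.1", port=0):
    """Constructed stand-in for the server: echo on the same TCP and UDP port.
    Returns the port actually bound (port=0 lets the OS pick a free one)."""
    t = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    t.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    t.bind((host, port))
    t.listen(1)
    port = t.getsockname()[1]
    u = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    u.bind((host, port))                 # same port number, UDP side

    def tcp_loop():
        while True:
            c, _ = t.accept()
            with c:
                c.sendall(c.recv(64))

    def udp_loop():
        while True:
            d, a = u.recvfrom(64)
            u.sendto(d, a)

    threading.Thread(target=tcp_loop, daemon=True).start()
    threading.Thread(target=udp_loop, daemon=True).start()
    return port
```

Run `probe("172.27.201.35")` from the untrust side once the MIP or VIP is in place; both entries must be True for the translation to be complete.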