[ScreenOS] Address translation of packets arriving on the same TCP and UDP port

Article ID: KB21114 KB Last Updated: 06 Mar 2014Version: 2.0
Summary:

This article describes how to translate the destination address of packets for an application that accepts both TCP and UDP on the same port number, which a plain VIP cannot do.

Symptoms:

Scenario:

When an application accepts TCP and UDP packets on the same port, both kinds of packet hit the firewall with the same destination port number, and the destination address of both must be translated to the server.

Sample network diagram:

(172.27.201.1)----.35(e0/0)-(FW)-(e0/1)10.10.10.10-----.20 (server accepting TCP and UDP packets on the same port)

172.27.201.1 is the client on the untrust side, e0/0 is the interface on which the packets arrive, and 10.10.10.20 is the server behind e0/1.

Configuring a VIP for this scenario does not work, because:

  • Two VIPs for the same port number cannot be created on the same interface; the second overwrites the first.

  • Creating a VIP that maps the virtual port (5500 in this case) to a custom service defined on TCP port 5500 only, or on UDP port 5500 only, drops the UDP or the TCP packets respectively.

  • Creating a VIP that maps the virtual port (5500) to a custom service containing both TCP port 5500 and UDP port 5500 drops the packets of whichever protocol is listed second in the service; only the first entry of the service is honoured by the VIP.


Cause:

Solution:

You can use either of the following configurations to resolve the issue:

Solution 1:

You can use a MIP (mapped IP) for this scenario, together with a policy that permits only the specific service, to get a VIP-like effect. A MIP translates every port of the mapped address, so the policy is what limits exposure to the intended service.


  1. Create a MIP on the interface on which the packets arrive (in this case, e0/0), mapping 172.27.201.35 to the server 10.10.10.20.

     On the WebUI, go to Network > Interfaces > Edit > MIP > Configuration.

  2. Create a custom service that carries both TCP and UDP on the same port.

     On the WebUI, go to Policy > Policy Elements > Services > Custom, or on the CLI run:

       set service CustomService protocol tcp src-port 0-65535 dst-port 5500-5500
       set service CustomService + udp src-port 0-65535 dst-port 5500-5500

  3. Create a policy that permits only CustomService to the mapped IP.

     On the WebUI, go to Policy > Policies (from Untrust to Untrust), or on the CLI run:

       set policy from untrust to untrust any mip(172.27.201.35) CustomService permit
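
The complete CLI form of Solution 1, given here as an added example and not as text from the original article. The MIP command is not shown above in CLI form and is written here in the standard ScreenOS syntax; the interface name ethernet0/0, the single-host netmask 255.255.255.255 and the virtual router trust-vr are assumptions that match the diagram. Lines beginning with # are annotations for the reader, not ScreenOS commands, and must be stripped before pasting.

```text
# Solution 1: MIP plus a policy restricted to the dual-protocol service (ScreenOS CLI)

# 1. Map 172.27.201.35 on the arrival interface to the server 10.10.10.20.
#    netmask 255.255.255.255 = one host; interface name and vr are assumed.
set interface ethernet0/0 mip 172.27.201.35 host 10.10.10.20 netmask 255.255.255.255 vr trust-vr

# 2. One service object carrying both protocols on port 5500.
set service CustomService protocol tcp src-port 0-65535 dst-port 5500-5500
set service CustomService + udp src-port 0-65535 dst-port 5500-5500

# 3. Only CustomService may reach the MIP. The MIP itself translates every
#    port, so this policy is what limits exposure to 5500/tcp and 5500/udp.
set policy from untrust to untrust any mip(172.27.201.35) CustomService permit
save

# Checks after applying:
get mip                      # the 172.27.201.35 -> 10.10.10.20 mapping is listed
get service CustomService    # shows both the TCP entry and the UDP entry
get policy                   # the policy references MIP(172.27.201.35) and CustomService
get session dst-port 5500    # after one TCP and one UDP probe from 172.27.201.1,
                             # one session per protocol should appear
```

The `get session` check is the practical confirmation: if only one of the two probes produces a session, the service object or the policy is still single-protocol.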

Solution 2:


  1. On the CLI, enable multi-port services on VIPs and then reset the device so the setting takes effect:

       set vip multi-port
       reset

  2. Create a custom service that carries both TCP and UDP on the same port.

     On the WebUI, go to Policy > Policy Elements > Services > Custom, or on the CLI run:

       set service CustomService protocol tcp src-port 0-65535 dst-port 5500-5500
       set service CustomService + udp src-port 0-65535 dst-port 5500-5500

  3. Create a VIP on the untrust interface that maps virtual port 5500 to the server.

     On the WebUI, go to Network > Interfaces > Edit > VIP/VIP Services, or on the CLI run:

       set interface ethernet0/0 vip untrust-ip 5500 CustomService 10.10.10.20

  4. Create a policy that permits the VIP.

     On the WebUI, go to Policy > Policies (from Untrust to Untrust), or on the CLI run:

       set policy from untrust to untrust any vip(172.27.201.35) CustomService permit
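
The complete CLI form of Solution 2 in the order it must be applied, given here as an added example and not as text from the original article. The interface name ethernet0/0 is assumed from the diagram, and `save` before `reset` is added so that the multi-port setting survives the reboot. Lines beginning with # are annotations for the reader, not ScreenOS commands, and must be stripped before pasting.

```text
# Solution 2: VIP with multi-port service support (ScreenOS CLI)

# 1. Allow a VIP to use a service with more than one port/protocol entry.
#    The setting takes effect only after a reset; save first so it persists.
set vip multi-port
save
reset

# 2. After the device is back up, define the dual-protocol service.
set service CustomService protocol tcp src-port 0-65535 dst-port 5500-5500
set service CustomService + udp src-port 0-65535 dst-port 5500-5500

# 3. Bind virtual port 5500 on the untrust interface IP to the server
#    (interface name assumed).
set interface ethernet0/0 vip untrust-ip 5500 CustomService 10.10.10.20

# 4. Permit only that VIP service.
set policy from untrust to untrust any vip(172.27.201.35) CustomService permit
save

# Checks after applying:
get vip                      # lists port 5500 -> CustomService -> 10.10.10.20
get service CustomService    # shows both the TCP entry and the UDP entry
get session dst-port 5500    # one session per protocol after a TCP and a UDP probe
```

If `get vip` shows the entry but only one protocol produces a session, the `set vip multi-port` setting was not active when the VIP was created; confirm the reset was performed before step 3.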