

[ScreenOS] How to set up inter-vsys routing using the default shared Untrust zone


Article ID: KB25220 | Last Updated: 16 Sep 2020 | Version: 2.0
Summary:
This article describes how to set up inter-vsys routing using the default shared Untrust zone.
Symptoms:
Traffic must be allowed from subnet A (10.10.10.0/24) in Vsys-A to subnet B (192.168.10.0/24) in Vsys-B using the default shared Untrust zone.
Solution:

Traffic can only pass between vsys through a shared virtual router in the root vsys (trust-vr by default).

In Vsys-A, route the 192.168.10.0/24 subnet from Vsys-A-vr to trust-vr, and in trust-vr add a route for the 10.10.10.0/24 subnet pointing to Vsys-A-vr.

Do the same in Vsys-B: route the 10.10.10.0/24 subnet from Vsys-B-vr to trust-vr, and in trust-vr add a route for the 192.168.10.0/24 subnet pointing to Vsys-B-vr. (The commands below write these prefixes with a host address, for example 192.168.10.1/24; the route applies to the 192.168.10.0/24 network.)

By default, the Untrust zone is shared and trust-vr is the shared virtual router:

  • The shared interface (the interface bound to the shared Untrust zone) can be a physical interface or a loopback interface.

  • When traffic leaves a custom vsys, the shared Untrust zone in the root vsys is treated as its destination, so at least one interface must be bound to the Untrust zone.

  • The interface bound to the Untrust zone for inter-vsys communication does not need an IP address. If it has none, NAT must be disabled (route mode) on the incoming interface for the inter-vsys traffic.

  • So, for inter-vsys traffic, the shared interface can be any of the following:

    • A physical interface with an IP address.

    • A loopback interface with an IP address.

    • A physical interface without an IP address, with NAT disabled on the incoming interface.

    • A loopback interface without an IP address, with NAT disabled on the incoming interface.

Root Vsys

Bind an interface to the shared zone (Untrust); a shared interface is visible from every vsys:
set interface "loopback.1" zone "Untrust"
set interface loopback.1 ip 1.1.1.1/24
set interface loopback.1 route

Vsys-A

Configure the interface information in Vsys-A:
set interface "loopback.2" zone "Trust-Vsys-A"
set interface loopback.2 ip 10.10.10.1/24
set interface loopback.2 route
In Vsys-A-vr, add a route for the 192.168.10.0/24 subnet pointing to trust-vr:
set vrouter "Vsys-A-vr"
set route 192.168.10.1/24 vrouter "trust-vr" preference 20 metric 1
exit
In trust-vr, add a route for the 10.10.10.0/24 subnet pointing to Vsys-A-vr:
set vrouter "trust-vr"
set route 10.10.10.1/24 vrouter "Vsys-A-vr" preference 20 metric 1
exit
Add the policies between Trust-Vsys-A and Untrust that permit the traffic in both directions (the example uses service ANY; in production, restrict the service to what the flow needs):
set policy id 2 from "Trust-Vsys-A" to "Untrust" "10.10.10.0/24" "192.168.10.0/24" "ANY" permit log
set policy id 2
set log session-init
exit
set policy id 1 from "Untrust" to "Trust-Vsys-A" "192.168.10.0/24" "10.10.10.0/24" "ANY" permit log
set policy id 1
set log session-init
exit
 

Vsys-B

Configure the interface information in Vsys-B:
set interface "loopback.3" zone "Trust-Vsys-B"
set interface loopback.3 ip 192.168.10.1/24
set interface loopback.3 route
In Vsys-B-vr, add a route for the 10.10.10.0/24 subnet pointing to trust-vr:
set vrouter "Vsys-B-vr"
set route 10.10.10.1/24 vrouter "trust-vr" preference 20 metric 1
exit
In trust-vr, add a route for the 192.168.10.0/24 subnet pointing to Vsys-B-vr:
set vrouter "trust-vr"
set route 192.168.10.1/24 vrouter "Vsys-B-vr" preference 20 metric 1
exit
Add the policies between Trust-Vsys-B and Untrust that permit the traffic in both directions:
set policy id 2 from "Trust-Vsys-B" to "Untrust" "192.168.10.0/24" "10.10.10.0/24" "ANY" permit log
set policy id 2
set log session-init
exit
set policy id 1 from "Untrust" to "Trust-Vsys-B" "10.10.10.0/24" "192.168.10.0/24" "ANY" permit log
set policy id 1
set log session-init
exit
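The configuration above has four moving parts per vsys pair (a leak route in each vsys vr, a return route in trust-vr, and a permit policy in each direction), and a missing one fails silently as a dropped packet. The following script is an added example, not a Juniper tool or anything from this article: it parses ScreenOS-style set commands and checks that every vsys has its routes and policies in place, normalising host-written prefixes such as 192.168.10.1/24 to their network the way the routing table does. It assumes the vsys sections are delimited by "enter vsys <name>" / "exit" lines, that each vsys's own virtual router is named "<vsys>-vr" as in this article, and that a shared interface without an IP address must be in route mode. The sample configuration is constructed from the commands shown above.

```python
"""Lint a ScreenOS configuration for the inter-vsys plumbing described in this article."""
import ipaddress
import shlex
from collections import defaultdict

# Constructed sample: the root, Vsys-A and Vsys-B commands from the article,
# with "enter vsys <name>" / "exit" marking which vsys each line was entered in.
SAMPLE_CONFIG = """\
set interface "loopback.1" zone "Untrust"
set interface loopback.1 ip 1.1.1.1/24
set interface loopback.1 route
enter vsys Vsys-A
set interface "loopback.2" zone "Trust-Vsys-A"
set interface loopback.2 ip 10.10.10.1/24
set interface loopback.2 route
set vrouter "Vsys-A-vr"
set route 192.168.10.1/24 vrouter "trust-vr" preference 20 metric 1
exit
set vrouter "trust-vr"
set route 10.10.10.1/24 vrouter "Vsys-A-vr" preference 20 metric 1
exit
set policy id 2 from "Trust-Vsys-A" to "Untrust" "10.10.10.0/24" "192.168.10.0/24" "ANY" permit log
set policy id 2
set log session-init
exit
set policy id 1 from "Untrust" to "Trust-Vsys-A" "192.168.10.0/24" "10.10.10.0/24" "ANY" permit log
exit
enter vsys Vsys-B
set interface "loopback.3" zone "Trust-Vsys-B"
set interface loopback.3 ip 192.168.10.1/24
set interface loopback.3 route
set vrouter "Vsys-B-vr"
set route 10.10.10.1/24 vrouter "trust-vr" preference 20 metric 1
exit
set vrouter "trust-vr"
set route 192.168.10.1/24 vrouter "Vsys-B-vr" preference 20 metric 1
exit
set policy id 2 from "Trust-Vsys-B" to "Untrust" "192.168.10.0/24" "10.10.10.0/24" "ANY" permit log
set policy id 1 from "Untrust" to "Trust-Vsys-B" "10.10.10.0/24" "192.168.10.0/24" "ANY" permit log
exit
"""


def parse(config_text):
    """Walk the commands, tracking the CLI context stack (vsys, vrouter, policy)."""
    stack = []  # contexts entered with "enter vsys", "set vrouter", "set policy id"; "exit" pops
    ifaces, routes, policies = {}, defaultdict(list), []
    for raw in config_text.splitlines():
        tok = shlex.split(raw)  # strips the quotes ScreenOS puts around names
        if not tok:
            continue
        vsys = next((n for k, n in reversed(stack) if k == "vsys"), "Root")
        if tok[:2] == ["enter", "vsys"]:
            stack.append(("vsys", tok[2]))
        elif tok == ["exit"]:
            if stack:
                stack.pop()
        elif tok[:2] == ["set", "vrouter"] and len(tok) == 3:
            stack.append(("vrouter", tok[2]))
        elif tok[:3] == ["set", "policy", "id"] and len(tok) == 4:
            stack.append(("policy", tok[3]))
        elif tok[:2] == ["set", "interface"] and len(tok) >= 4:
            d = ifaces.setdefault(tok[2], {"vsys": vsys, "zone": None, "ip": None, "mode": None})
            if tok[3] == "zone":
                d["zone"] = tok[4]
            elif tok[3] == "ip":
                d["ip"] = ipaddress.ip_interface(tok[4])
            elif tok[3] in ("route", "nat"):
                d["mode"] = tok[3]
        elif tok[:2] == ["set", "route"] and stack and stack[-1][0] == "vrouter" and "vrouter" in tok[3:]:
            # strict=False turns 192.168.10.1/24 into 192.168.10.0/24, as the routing table stores it
            routes[stack[-1][1]].append((ipaddress.ip_network(tok[2], strict=False),
                                         tok[tok.index("vrouter", 3) + 1]))
        elif tok[:2] == ["set", "policy"] and "from" in tok:
            i = tok.index("from")
            policies.append({"vsys": vsys, "from": tok[i + 1], "to": tok[i + 3], "src": tok[i + 4],
                             "dst": tok[i + 5], "svc": tok[i + 6], "action": tok[i + 7]})
    return ifaces, routes, policies


def check_inter_vsys(config_text, shared_zone="Untrust", shared_vr="trust-vr"):
    """Return (errors, warnings) for the routes and policies every vsys pair needs."""
    ifaces, routes, policies = parse(config_text)
    errors, warnings = [], []
    shared = [n for n, d in ifaces.items() if d["zone"] == shared_zone]
    if not shared:
        errors.append(f"no interface is bound to the shared zone {shared_zone}")
    for n in shared:  # an unaddressed shared interface must have NAT off (route mode)
        if ifaces[n]["ip"] is None and ifaces[n]["mode"] != "route":
            errors.append(f"{n}: bound to {shared_zone} without an IP, so it must be in route mode")
    # one addressed, non-shared interface per vsys gives that vsys's subnet and trust zone
    nets = {d["vsys"]: (d["ip"].network, d["zone"]) for d in ifaces.values()
            if d["vsys"] != "Root" and d["zone"] != shared_zone and d["ip"] is not None}
    if len(nets) < 2:
        errors.append("need at least two vsys with an addressed non-shared interface")
    for a, (net_a, zone_a) in nets.items():
        vr_a = f"{a}-vr"  # assumption: each vsys's own vr is named <vsys>-vr, as in this article
        if (net_a, vr_a) not in routes.get(shared_vr, []):
            errors.append(f"{shared_vr}: missing route {net_a} -> vrouter {vr_a}")
        for b, (net_b, _) in nets.items():
            if b == a:
                continue
            if (net_b, shared_vr) not in routes.get(vr_a, []):
                errors.append(f"{vr_a}: missing route {net_b} -> vrouter {shared_vr}")
            for zf, zt, src, dst in ((zone_a, shared_zone, str(net_a), str(net_b)),
                                     (shared_zone, zone_a, str(net_b), str(net_a))):
                hits = [p for p in policies if p["vsys"] == a and p["from"] == zf and p["to"] == zt
                        and p["src"] == src and p["dst"] == dst and p["action"] == "permit"]
                if not hits:
                    errors.append(f"{a}: no permit policy {zf} -> {zt} {src} -> {dst}")
                warnings += [f"{a}: policy {zf} -> {zt} allows service ANY; restrict it"
                             for p in hits if p["svc"] == "ANY"]
    return errors, warnings


if __name__ == "__main__":
    errs, warns = check_inter_vsys(SAMPLE_CONFIG)
    print("errors:", errs or "none")
    print("warnings:", *warns, sep="\n  ")
```

Run against the article's configuration the checker reports no errors and four warnings, one per ANY policy; deleting the trust-vr return route for Vsys-B produces a single error naming the missing route, which is exactly the case that otherwise only shows up as a silent drop in debug flow.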

Debug flow basic:

Output of debug flow basic for a ping from Vsys-A to Vsys-B (ping 192.168.10.1 from loopback.2). Note the two passes: the packet is first routed in Vsys-A-vr, permitted by Vsys-A policy 2 and pushed through the loopback into the shared Untrust zone; it is then routed again in trust-vr, classified to Vsys-B by its destination interface and permitted by Vsys-B policy 1, which is why two sessions (5039 and 5053) are created.

****** 11533.0: <Trust-Vsys-A/loopback.2> packet received [128]******
ipid = 43698(aab2), @0c0c0464
self:10.10.10.1/3500->192.168.10.1/1024,1(8/0)<Vsys-A>
loopback.2:10.10.10.1/3500->192.168.10.1/1024,1(8/0)<Vsys-A>
no session found
flow_first_sanity_check: in <loopback.2>, out <loopback.3>
chose interface loopback.2 as incoming nat if.
IP classification from non-shared src if : vsys Vsys-A
flow_first_routing: in <loopback.2>, out <loopback.3>
search route to (loopback.2, 10.10.10.1->192.168.10.1) in vr Vsys-A-vr for vsd-0/flag-0/ifp-null
[ Dest] 6.route 192.168.10.1->192.168.10.1, to loopback.3
routed (x_dst_ip 192.168.10.1) from loopback.2 (loopback.2 in 0) to loopback.3
Cross vsys (Vsys-A->Vsys-B) at loopback.3: need loopback push to Untrust
policy search from zone 19-> zone 1
policy_flow_search policy search nat_crt from zone 19-> zone 1
RPC Mapping Table search returned 0 matched service(s) for (vsys Vsys-A, ip 192.168.10.1, port 19078, proto 1)
No SW RPC rule match, search HW rule
rs_search_ip: policy matched id/idx/action = 2/0/0x9
Permitted by policy 2
No src xlate choose interface loopback.3 as outgoing phy if
check nsrp pak fwd: in_tun=0xffffffff, VSD 0 for out ifp loopback.3
vsd 0 is active
skip loopback check for cross vsys (Vsys-A->Vsys-B)
session application type 0, name None, nas_id 0, timeout 60sec
service lookup identified service 0.
flow_first_final_check: in <loopback.2>, out <loopback.3>
existing vector list 21-a3a4654.
Session (id:5039) created for first pak 21
loopback session processing
post addr xlation: 10.10.10.1->192.168.10.1.
flow_first_sanity_check: in <loopback.1>, out <N/A>
chose interface loopback.1 as incoming nat if.
flow_first_routing: in <loopback.1>, out <N/A>
search route to (loopback.1, 10.10.10.1->192.168.10.1) in vr trust-vr for vsd-0/flag-0/ifp-null
[ Dest] 6.route 192.168.10.1->192.168.10.1, to loopback.3
routed (x_dst_ip 192.168.10.1) from loopback.1 (loopback.1 in 0) to loopback.3
IP classification from non-shared dst if : vsys Vsys-B
Cross vsys set nat crt vsys:Vsys-B, pak vsys:Root, vsys:Vsys-B, result:0
policy search from zone 1-> zone 22
policy_flow_search policy search nat_crt from zone 1-> zone 22
RPC Mapping Table search returned 0 matched service(s) for (vsys Vsys-B, ip 192.168.10.1, port 19078, proto 1)
No SW RPC rule match, search HW rule
rs_search_ip: policy matched id/idx/action = 1/1/0x9
Permitted by policy 1
No src xlate choose interface loopback.3 as outgoing phy if
check nsrp pak fwd: in_tun=0xffffffff, VSD 0 for out ifp loopback.3
vsd 0 is active
set interface loopback.3 as loop ifp.
session application type 0, name None, nas_id 0, timeout 60sec
service lookup identified service 0.
flow_first_final_check: in <loopback.1>, out <loopback.3>
existing vector list 21-a3a4654.
Session (id:5053) created for first pak 21
vector index1 21, vector index2 21
existing vector list 21-a3a4654.
existing v6 vector list 21-1805b9c4.
new vector index 21.
post addr xlation: 10.10.10.1->192.168.10.1.
flow_first_sanity_check: in <loopback.3>, out <loopback.3>
existing vector list 20-a3a50d4.
create a self session (flag 0x206), timeout=60sec.
vector index1 21, vector index2 20
existing vector list 21-a3a4654.
existing v6 vector list 21-1805b9c4.
new vector index 21.
loopback session created
flow_first_install_session======>
nsrp msg sent.
flow got session.
flow session id 5039
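A full debug flow basic trace of a cross-vsys flow is long, and the useful facts are scattered: which vr each route lookup ran in, which zone pair and policy ID decided each pass, whether the loopback push happened, and which sessions were created. The script below is an added example, not part of this article or of ScreenOS: it reduces such a trace to those facts and checks that both passes of a cross-vsys flow were permitted. The line patterns are taken from the trace above; the "Denied by policy" form is assumed by analogy with "Permitted by policy". The sample trace is a constructed, trimmed copy of the output shown above.

```python
"""Summarise a ScreenOS `debug flow basic` trace of an inter-vsys flow."""
import re

# Constructed sample: a trimmed copy of the trace shown in this article.
SAMPLE_TRACE = """\
****** 11533.0: <Trust-Vsys-A/loopback.2> packet received [128]******
self:10.10.10.1/3500->192.168.10.1/1024,1(8/0)<Vsys-A>
no session found
search route to (loopback.2, 10.10.10.1->192.168.10.1) in vr Vsys-A-vr for vsd-0/flag-0/ifp-null
routed (x_dst_ip 192.168.10.1) from loopback.2 (loopback.2 in 0) to loopback.3
Cross vsys (Vsys-A->Vsys-B) at loopback.3: need loopback push to Untrust
policy search from zone 19-> zone 1
Permitted by policy 2
Session (id:5039) created for first pak 21
search route to (loopback.1, 10.10.10.1->192.168.10.1) in vr trust-vr for vsd-0/flag-0/ifp-null
IP classification from non-shared dst if : vsys Vsys-B
policy search from zone 1-> zone 22
Permitted by policy 1
Session (id:5053) created for first pak 21
"""

RE_INGRESS = re.compile(r"<([^/>]+)/([^>]+)> packet received")
RE_ROUTE = re.compile(r"search route to \(([^,]+), (\S+)->(\S+)\) in vr (\S+)")
RE_CROSS = re.compile(r"Cross vsys \((\S+)->(\S+)\) at ([^:\s]+)")
RE_ZONES = re.compile(r"^policy search from zone (\d+)-> zone (\d+)")
RE_VERDICT = re.compile(r"^(Permitted|Denied) by policy (\d+)")  # "Denied" form assumed
RE_SESSION = re.compile(r"Session \(id:(\d+)\) created")


def summarise(trace):
    """Extract ingress, per-vr route lookups, cross-vsys push, policy verdicts and sessions."""
    s = {"ingress": None, "lookups": [], "cross_vsys": None, "policies": [], "sessions": []}
    zones = None  # zone pair of the most recent policy search, attached to the next verdict
    for line in trace.splitlines():
        if m := RE_INGRESS.search(line):
            s["ingress"] = (m.group(1), m.group(2))          # (zone, interface)
        elif m := RE_ROUTE.search(line):
            s["lookups"].append({"vr": m.group(4), "in_if": m.group(1),
                                 "src": m.group(2), "dst": m.group(3)})
        elif m := RE_CROSS.search(line):
            s["cross_vsys"] = (m.group(1), m.group(2), m.group(3))  # (from, to, interface)
        elif m := RE_ZONES.match(line):
            zones = (int(m.group(1)), int(m.group(2)))
        elif m := RE_VERDICT.match(line):
            s["policies"].append({"zones": zones, "policy": int(m.group(2)),
                                  "verdict": m.group(1).lower()})
        elif m := RE_SESSION.search(line):
            s["sessions"].append(int(m.group(1)))
    return s


def cross_vsys_complete(s):
    """True when the trace shows both passes of a cross-vsys flow and both were permitted."""
    if s["cross_vsys"] is None or len(s["lookups"]) < 2 or len(s["policies"]) < 2:
        return False
    # the second lookup must run in a different (shared) vr than the first
    if s["lookups"][0]["vr"] == s["lookups"][1]["vr"]:
        return False
    return all(p["verdict"] == "permitted" for p in s["policies"]) and len(s["sessions"]) >= 2


if __name__ == "__main__":
    summary = summarise(SAMPLE_TRACE)
    for k, v in summary.items():
        print(f"{k}: {v}")
    print("cross-vsys flow complete:", cross_vsys_complete(summary))
```

On the trace above this yields lookups in Vsys-A-vr then trust-vr, a push from Vsys-A to Vsys-B at loopback.3, verdicts permitted by policy 2 (zones 19 to 1) and policy 1 (zones 1 to 22), and sessions 5039 and 5053. A trace that stops after the first pass, or whose second verdict is a deny, fails cross_vsys_complete and points at the vsys whose route or policy is missing.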
Modification History:
2020-09-16: Article reviewed for accuracy; no changes required.
Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search