
[ScreenOS] How to setup Inter-vsys routing via the shared-DMZ zone.

Article ID: KB25225 | KB Last Updated: 03 Sep 2020 | Version: 2.0
Summary:

This article provides information on how to set up Inter-vsys routing via the shared DMZ zone.


Symptoms:

Traffic has to be allowed from Subnet A of Vsys-A to Subnet B of Vsys-B by using the shared DMZ zone.

Solution:

When to use shared-DMZ zone

Virtual systems across different zones generally use a shared Untrust zone for communication. However, inter-vsys traffic through a shared Untrust zone is often interrupted by external traffic and overlapping IP addresses. To overcome such traffic interference in the shared Untrust zone, you can use a shared DMZ zone, which is created at the root level. Each shared DMZ zone that the root admin creates is automatically assigned to a non-sharable virtual router (VR).

Conditions for using shared-DMZ zone

A shared DMZ zone works only on a security device that is running in NAT/route mode, and it can be bound only to a loopback interface; by default, the interface of a shared DMZ zone is Null.

Configuration

[Subnet in Vsys-A: 192.168.10.1/24]-----[Subnet in Vsys-B: 10.10.10.1/24]

In Vsys-A, route the traffic for the 10.10.10.1/24 subnet from Vsys-A-vr to the shared DMZ VR, and create a route in the shared DMZ VR for the 192.168.10.1/24 subnet that points back to Vsys-A-vr.

Do the same in Vsys-B: route the traffic for the 192.168.10.1/24 subnet from Vsys-B-vr to the shared DMZ VR, and create a route in the shared DMZ VR for the 10.10.10.1/24 subnet that points back to Vsys-B-vr.

Root Vsys:

  1. Configure the shared DMZ zone. In this example, the shared DMZ zone is named sh-dmz:

set zone name "sh-dmz" shared-dmz

When the shared DMZ zone is configured, the sh-dmz_vr virtual router is created automatically and appears in the configuration as:

set vrouter "sh-dmz_vr"

  2. Bind the shared DMZ zone to the vsys. The shared DMZ zone and its virtual router are visible only in the root vsys, so you need to bind the shared DMZ zone to each custom vsys that will use it.

Configuration to bind the shared DMZ zone to vsys-A:

set vsys vsysA shared-DMZ sh-dmz

Configuration to bind the shared DMZ zone to vsys-B:

set vsys vsysB shared-DMZ sh-dmz

  3. Bind the interface to the shared DMZ zone. The default interface for the shared DMZ zone is Null, and the zone can be bound only to a loopback interface:

set interface loopback.1 zone sh-dmz
set interface loopback.1 ip 1.1.1.1/24
set interface loopback.1 route

The loopback.1 interface is visible across all vsys.

Vsys-A

  1. Configure the interface information on Vsys-A:

set interface ethernet1/1 zone "Trust-Vsys-A"
set interface ethernet1/1 ip 192.168.10.1/24
set interface ethernet1/1 route

  2. Add a route for the 10.10.10.1/24 subnet from Vsys-A-vr to point to sh-dmz_vr:

set vrouter "Vsys-A-vr"
set route 10.10.10.1/24 vrouter "sh-dmz_vr" preference 20 metric 1
exit

Add a route for the 192.168.10.1/24 subnet from sh-dmz_vr to point to Vsys-A-vr:

set vrouter "sh-dmz_vr"
set route 192.168.10.1/24 vrouter "Vsys-A-vr" preference 20 metric 1
exit

  3. Add policies between Trust-Vsys-A and sh-dmz to allow the traffic in both directions:

set policy id 2 from "Trust-Vsys-A" to "sh-dmz" "192.168.10.1/24" "10.10.10.1/24" "ANY" permit log
set policy id 2
set log session-init
exit

set policy id 1 from "sh-dmz" to "Trust-Vsys-A" "10.10.10.1/24" "192.168.10.1/24" "ANY" permit log
set policy id 1
set log session-init
exit

Vsys-B

  1. Configure the interface information on Vsys-B:

set interface ethernet1/4 zone "Trust-Vsys-B"
set interface ethernet1/4 ip 10.10.10.1/24
set interface ethernet1/4 route

  2. Add a route for the 192.168.10.1/24 subnet from Vsys-B-vr to point to sh-dmz_vr:

set vrouter "Vsys-B-vr"
set route 192.168.10.1/24 vrouter "sh-dmz_vr" preference 20 metric 1
exit

Add a route for the 10.10.10.1/24 subnet from sh-dmz_vr to point to Vsys-B-vr:

set vrouter "sh-dmz_vr"
set route 10.10.10.1/24 vrouter "Vsys-B-vr" preference 20 metric 1
exit

  3. Add policies between Trust-Vsys-B and sh-dmz to allow the traffic in both directions:

set policy id 2 from "Trust-Vsys-B" to "sh-dmz" "10.10.10.0/24" "192.168.10.0/24" "ANY" permit log
set policy id 2
set log session-init
exit

set policy id 1 from "sh-dmz" to "Trust-Vsys-B" "192.168.10.0/24" "10.10.10.0/24" "ANY" permit log
set policy id 1
set log session-init
exit

Debug Flow Basic

Output of debug flow basic for a ping to 10.10.10.1 sourced from ethernet1/1 (in Vsys-A). The packet is first routed in Vsys-A-vr and checked against the Vsys-A policy, then pushed through loopback.1 into sh-dmz_vr and checked against the Vsys-B policy before it reaches ethernet1/4:

ping 10.10.10.1 from ethernet1/1 (from vsys-A)

***** 38536.0: <Trust-Vsys-A/ethernet1/1> packet received [128]******
ipid = 62071(f277), @6bd45e74
self:192.168.10.1/5000->10.10.10.1/1024,1(8/0)<Vsys-A>
flow_decap_vector IPv4 process
ethernet1/1:192.168.10.1/5000->10.10.10.1/1024,1(8/0)<Vsys-A>
no session found
flow_first_sanity_check: in <ethernet1/1>, out <ethernet1/4>
chose interface ethernet1/1 as incoming nat if.
IP classification from non-shared src if : vsys Vsys-A
flow_first_routing: in <ethernet1/1>, out <ethernet1/4>
search route to (ethernet1/1, 192.168.10.1->10.10.10.1) in vr Vsys-A-vr for vsd-0/flag-0/ifp-null
cached route 0 for 10.10.10.1
add route 3 for 10.10.10.1 to route cache table
[ Dest] 3.route 10.10.10.1->10.10.10.1, to ethernet1/4
routed (x_dst_ip 10.10.10.1) from ethernet1/1 (ethernet1/1 in 0) to ethernet1/4 
Cross vsys (Vsys-A->Vsys-B) at ethernet1/4: need loopback push to sh-dmz
policy search from zone 19-> zone 1000
policy_flow_search policy search nat_crt from zone 19-> zone 1000
RPC Mapping Table search returned 0 matched service(s) for (vsys Vsys-A, ip 10.10.10.1, port 17578, proto 1)
No SW RPC rule match, search HW rule
rs_search_ip: policy matched id/idx/action = 1/0/0x9
Permitted by policy 1
No src xlate choose interface ethernet1/4 as outgoing phy if
skip loopback check for cross vsys (Vsys-A->Vsys-B)
session application type 0, name None, nas_id 0, timeout 60sec
service lookup identified service 0.
flow_first_final_check: in <ethernet1/1>, out <ethernet1/4>
SM_RULE:0
existing vector list 0-6cffae84.
Session (id:300055) created for first pak 0
loopback session processing
post addr xlation: 192.168.10.1->10.10.10.1.
flow_first_sanity_check: in <loopback.1>, out <N/A>
chose interface loopback.1 as incoming nat if.
flow_first_routing: in <loopback.1>, out <N/A>
search route to (loopback.1, 192.168.10.1->10.10.10.1) in vr sh-dmz_vr for vsd-0/flag-0/ifp-null
cached route 0 for 10.10.10.1
add route 3 for 10.10.10.1 to route cache table
[ Dest] 3.route 10.10.10.1->10.10.10.1, to ethernet1/4
routed (x_dst_ip 10.10.10.1) from loopback.1 (loopback.1 in 0) to ethernet1/4 
IP classification from non-shared dst if : vsys Vsys-B
Cross vsys set nat crt vsys:Vsys-B, pak vsys:Root, vsys:Vsys-B, result:0
policy search from zone 1000-> zone 22
policy_flow_search policy search nat_crt from zone 1000-> zone 22
RPC Mapping Table search returned 0 matched service(s) for (vsys Vsys-B, ip 10.10.10.1, port 17578, proto 1)
No SW RPC rule match, search HW rule
rs_search_ip: policy matched id/idx/action = 1/0/0x9
Permitted by policy 1
No src xlate choose interface ethernet1/4 as outgoing phy if
set interface ethernet1/4 as loop ifp.
session application type 0, name None, nas_id 0, timeout 60sec
service lookup identified service 0.
flow_first_final_check: in <loopback.1>, out <ethernet1/4>
SM_RULE:0
existing vector list 0-6cffae84.
Session (id:300057) created for first pak 0
vector index1 0, vector index2 0
existing vector list 0-6cffae84.
existing v6 vector list 0-1550469c.
new vector index 0.
post addr xlation: 192.168.10.1->10.10.10.1.
flow_first_sanity_check: in <ethernet1/4>, out <ethernet1/4>
existing vector list 0-6cffae84.
create a self session (flag 0x206), timeout=60sec.
vector index1 0, vector index2 0
existing vector list 0-6cffae84.
existing v6 vector list 0-1550469c.
new vector index 0.
loopback session created
flow_first_install_session >
flow got session.
flow session id 300055
flow_main_body_vector in ifp ethernet1/1 out ifp ethernet1/4
flow vector index 0x0, vector addr 0x6cffae84, orig vector 0x6cffae84
post addr xlation: 192.168.10.1->10.10.10.1.
packet is for self, copy packet to self
copy packet to us.
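The trace above can be checked mechanically. The following Python is an added example, not part of this article: it parses a constructed excerpt modelled on the debug flow basic output and verifies that both legs of the inter-vsys path appear (route lookup in the source vsys VR, cross-vsys loopback push to the shared DMZ zone, route lookup in the shared DMZ VR, and a permitted policy lookup in each vsys). It assumes virtual routers are named <vsys>-vr and that the shared DMZ VR is sh-dmz_vr, as in the trace.

```python
import re

# Constructed excerpt modelled on this article's trace: 192.168.10.1 -> 10.10.10.1, Vsys-A -> sh-dmz -> Vsys-B.
SAMPLE_TRACE = """\
search route to (ethernet1/1, 192.168.10.1->10.10.10.1) in vr Vsys-A-vr for vsd-0/flag-0/ifp-null
Cross vsys (Vsys-A->Vsys-B) at ethernet1/4: need loopback push to sh-dmz
policy search from zone 19-> zone 1000
Permitted by policy 1
search route to (loopback.1, 192.168.10.1->10.10.10.1) in vr sh-dmz_vr for vsd-0/flag-0/ifp-null
policy search from zone 1000-> zone 22
Permitted by policy 1
loopback session created
"""

ROUTE_RE = re.compile(r"search route to \(\S+, \S+->\S+\) in vr (\S+) ")
CROSS_RE = re.compile(r"Cross vsys \((\S+)->(\S+)\) at \S+: need loopback push to (\S+)")
POLICY_RE = re.compile(r"policy search from zone (\d+)-> zone (\d+)")
PERMIT_RE = re.compile(r"Permitted by policy (\d+)")

def parse_trace(trace):
    """Reduce a trace to the events that decide the inter-vsys path."""
    events = []
    for line in trace.splitlines():
        if m := ROUTE_RE.search(line):
            events.append(("route", m.group(1)))  # VR the lookup ran in
        elif m := CROSS_RE.search(line):
            events.append(("cross", m.group(1), m.group(2), m.group(3)))
        elif m := POLICY_RE.search(line):
            events.append(("policy", int(m.group(1)), int(m.group(2))))
        elif m := PERMIT_RE.search(line):
            events.append(("permit", int(m.group(1))))
    return events

def check_inter_vsys_path(trace, src_vsys, dst_vsys, shared_zone, shared_vr):
    """Return (ok, problems). Each vsys runs its own policy lookup; both must permit."""
    events = parse_trace(trace)
    route_vrs = [e[1] for e in events if e[0] == "route"]
    crosses = [e[1:] for e in events if e[0] == "cross"]
    lookups = [e for e in events if e[0] == "policy"]
    permits = [e for e in events if e[0] == "permit"]
    problems = []
    if not route_vrs or route_vrs[0] != f"{src_vsys}-vr":
        problems.append(f"first route lookup not in {src_vsys}-vr")
    if shared_vr not in route_vrs[1:]:
        problems.append(f"no route lookup in {shared_vr}: route into shared DMZ VR missing")
    if (src_vsys, dst_vsys, shared_zone) not in crosses:
        problems.append(f"no cross-vsys loopback push {src_vsys}->{dst_vsys} via {shared_zone}")
    if len(lookups) != 2 or len(permits) != len(lookups):
        problems.append(f"{len(lookups)} policy lookups, {len(permits)} permits (expected 2/2)")
    return (not problems, problems)
```

A missing route in either VR or a policy that does not permit shows up as a named problem rather than a silent drop, which is the usual failure mode when only one side of the shared DMZ is configured.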


Modification History:

2020-09-03: Article reviewed for accuracy; no changes required; article valid
