Author Topic: Can't reach public IP in DMZ (untrust-vr) from internal NW Trust (trust-vr)

lapplander

Current Firmware Version: 6.3.0r14.0
Device SSG-320M

Problem:
I've set up a reverse proxy in the DMZ that is accessible from the Internet using a VIP in Untrust for ports 80 and 443. No issues reaching it from the Internet, but any client request from Trust fails with
Code:
do not support multiple DIP in loopback session. pak dropped
 loopback session failed

My network setup for this is the following.
Untrust (untrust-vr) WAN IP (DHCP assigned, 1 IP available)
Code:
     ethernet0/1 ip 94.100.200.29/28 (external IP replaced for privacy)
     ethernet0/1 nat
DMZ in untrust-vr
Code:
     ethernet1/2.2 ip 192.168.24.1/26
     ethernet1/2.2 route
Trust (internal NW) in trust-vr
Code:
     ethernet1/7 ip 192.168.30.1/24
     ethernet1/7 route

What's been done so far
I've tried to follow many different guides on the Internet but haven't got my head around what I should do to get it to work.
I tried creating a MIP address but can't figure out what it actually is for or how it could solve my problem.

When I do try to get traffic through and run the debug in the CLI, I see no trace of the traffic on the receiving server, although it hits the same policy (169) as when traffic is coming from the Internet.

I would be so happy if this could be solved, because it's really bugging me and I've spent many hours trying to sort it out. I've cleaned up my attached config so it only has the relevant parts and also removed all my trial configurations. So I would need to know what's missing.

Many thanks in advance!

Code:
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set preference nhrp 100
set preference ospf-e2 254
exit
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "untrust-vr"
set zone "DMZ" vrouter "untrust-vr"
unset zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "Untrust" screen alarm-without-drop
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
unset zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set interface "ethernet0/1" zone "Untrust"
set interface "ethernet1/2.2" tag 2401 zone "DMZ"
set interface "ethernet1/7" zone "Trust"
unset interface vlan1 ip
set interface ethernet0/1 ip 94.100.200.29/28
set interface ethernet0/1 nat
set interface ethernet1/2.2 ip 192.168.24.1/26
set interface ethernet1/2.2 route
set interface ethernet1/7 ip 192.168.30.1/24
set interface ethernet1/7 route
set interface ethernet1/2.2 mtu 1500
set interface "ethernet0/1" pmtu ipv4
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
unset interface ethernet0/1 ip manageable
set interface ethernet1/2.2 ip manageable
set interface ethernet1/7 ip manageable
set interface ethernet0/1 manage ping
unset interface ethernet1/7 manage ssl
set interface ethernet0/1 vip interface-ip 80 "HTTP" 192.168.24.9 manual
set interface ethernet0/1 dhcp client enable
unset interface ethernet0/1 dhcp client settings update-dhcpserver
set interface ethernet1/7 dhcp relay server-name "192.168.30.254"
set interface ethernet1/7 dhcp relay service
set interface ethernet1/2 disable
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set hostname fw01
set dns host dns2 8.8.8.8 src-interface ethernet0/1
set dns ddns id 1 server-type dyndns refresh-interval 1 minimum-update-interval 2
set dns ddns id 1 username <user_name> password <password>
set dns ddns id 1 src-interface ethernet0/1 host-name <fqdn>
set dns ddns enable
set crypto-policy
exit
set url protocol type sc-cpa
exit
set policy id 110 name "Source NAT" from "Trust" to "Untrust"  "192.168.30.0/24" "Any" "DNS" nat src permit log
set policy id 110
set service "HTTP"
set service "HTTPS"
set service "TRACEROUTE"
set service "WHOIS"
exit
set policy id 25 name "Deny and log" from "Untrust" to "Trust"  "Any" "Any" "ANY" reject log
set policy id 25
set log session-init
exit
set policy id 162 name "web" from "DMZ" to "Untrust"  "192.168.24.9/32" "Any" "HTTP" nat src permit log
set policy id 162
set service "HTTPS"
exit
set policy id 169 name "Reverse Proxy" from "Untrust" to "DMZ"  "External interface" "VIP(ethernet0/1)" "HTTP" permit log
set policy id 169
set service "HTTPS"
exit
set route 192.168.30.0/24 vrouter "trust-vr" preference 20 metric 1 description "DMZ access to prod"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 vrouter "untrust-vr" preference 20
set route 192.168.24.0/26 vrouter "untrust-vr" preference 20 metric 1 description "Trust to Public DMZ servers"
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit

Code:
****** 8724425.0: <Trust/ethernet1/7> packet received [48]******
  ipid = 15599(3cef), @2d534110
  packet passed sanity check.
  flow_decap_vector IPv4 process
  ethernet1/7:192.168.30.98/48259->94.100.200.29/443,6<Root>
  no session found
  flow_first_sanity_check: in <ethernet1/7>, out <N/A>
  chose interface ethernet1/7 as incoming nat if.
  flow_first_routing: in <ethernet1/7>, out <N/A>
  search route to (ethernet1/7, 192.168.30.98->94.100.200.29) in vr trust-vr for vsd-0/flag-0/ifp-null
  cached route 2 for 94.100.200.29
  [ Dest] 2.route 94.100.200.29->94.100.200.29, to ethernet0/1
  routed (x_dst_ip 94.100.200.29) from ethernet1/7 (ethernet1/7 in 0) to ethernet0/1
  policy search from zone 2-> zone 1
 policy_flow_search  policy search nat_crt from zone 2-> zone 1
  RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 94.100.200.29, port 443, proto 6)
  No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 110/42/0x9
  Permitted by policy 110
  src-nat dip id = 2, 192.168.30.98/48259->94.100.200.29/8790
  choose interface ethernet0/1 as outgoing phy if
  set interface ethernet0/1 as loop ifp.
  session application type 49, name None, nas_id 0, timeout 1800sec
  service lookup identified service 0.
  flow_first_final_check: in <ethernet1/7>, out <ethernet0/1>
  existing vector list 103-79cc00c.
  Session (id:62702) created for first pak 103
  loopback session processing
  post addr xlation: 94.100.200.29->94.100.200.29.
  flow_first_sanity_check: in <ethernet0/1>, out <N/A>
  self check, not for us
  chose interface ethernet0/1 as incoming nat if.
  flow_first_routing: in <ethernet0/1>, out <N/A>
  search route to (ethernet0/1, 94.100.200.29->192.168.24.9) in vr trust-vr for vsd-0/flag-0/ifp-null
  cached route 3 for 192.168.24.9
  [ Dest] 3.route 192.168.24.9->192.168.24.9, to ethernet1/2.2
  routed (x_dst_ip 192.168.24.9) from ethernet0/1 (ethernet0/1 in 0) to ethernet1/2.2
  policy search from zone 1-> zone 3
 policy_flow_search  policy search nat_crt from zone 1-> zone 10
  RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 94.100.200.29, port 443, proto 6)
  No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 169/130/0x9
  Permitted by policy 169
  interface-nat dip id = 2, 94.100.200.29/8790->192.168.24.1/20842
  choose interface ethernet1/2.2 as outgoing phy if
  no loop on ifp ethernet1/2.2.
  session application type 49, name None, nas_id 0, timeout 1800sec
  service lookup identified service 0.
  flow_first_final_check: in <ethernet0/1>, out <ethernet1/2.2>
  existing vector list 103-79cc00c.
  Session (id:62580) created for first pak 103
do not support multiple DIP in loopback session. pak dropped
 loopback session failed
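The debug output above is the useful part of this post: the packet is evaluated twice. On the first pass it matches policy 110 (Trust to Untrust, `nat src`) and gets a src-nat DIP; the firewall then loops it back on ethernet0/1, where it matches policy 169 (Untrust to DMZ via the VIP) and gets an interface-nat DIP as well. ScreenOS refuses to build a loopback session with two DIP translations, hence "do not support multiple DIP in loopback session". The following Python is an added example, not code from the post or from Juniper: it parses a `debug flow` trace with the line formats shown above into per-leg records and flags the case where more than one leg applies a DIP. The sample trace is constructed from the decision lines in the post (same policies, interfaces and addresses), so the output corresponds to the drop seen here.

```python
"""Parse a ScreenOS `debug flow` trace and flag a loopback session that
applies more than one DIP (dynamic IP) translation, the condition the
firewall reports as "do not support multiple DIP in loopback session".

Added example for this thread; not code from the post or from Juniper.
It assumes only the line formats visible in the trace above."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the decision lines from the trace in the post, with
# the same policies, interfaces and addresses; intermediate lines trimmed.
SAMPLE_TRACE = """\
****** 8724425.0: <Trust/ethernet1/7> packet received [48]******
  ethernet1/7:192.168.30.98/48259->94.100.200.29/443,6<Root>
  policy search from zone 2-> zone 1
  Permitted by policy 110
  src-nat dip id = 2, 192.168.30.98/48259->94.100.200.29/8790
  flow_first_final_check: in <ethernet1/7>, out <ethernet0/1>
  Session (id:62702) created for first pak 103
  loopback session processing
  policy search from zone 1-> zone 3
  Permitted by policy 169
  interface-nat dip id = 2, 94.100.200.29/8790->192.168.24.1/20842
  flow_first_final_check: in <ethernet0/1>, out <ethernet1/2.2>
  Session (id:62580) created for first pak 103
do not support multiple DIP in loopback session. pak dropped
 loopback session failed
"""


@dataclass
class Leg:
    """One pass of the packet through policy lookup; a loopback adds a second."""
    zones: Optional[Tuple[int, int]] = None
    policy: Optional[int] = None
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    dips: List[str] = field(default_factory=list)   # NAT kinds applied on this leg


@dataclass
class FlowResult:
    legs: List[Leg]
    dropped: bool
    drop_reason: Optional[str]


ZONE_RE = re.compile(r"policy search from zone (\d+)-> zone (\d+)")
POLICY_RE = re.compile(r"Permitted by policy (\d+)")
DIP_RE = re.compile(r"\b(src-nat|interface-nat|dst-nat) dip id = \d+")
FINAL_RE = re.compile(r"flow_first_final_check: in <([^>]+)>, out <([^>]+)>")
DROP_RE = re.compile(r"^(.*)\. pak dropped$")


def parse_flow_trace(text: str) -> FlowResult:
    """Split the trace into legs at 'loopback session processing' and
    record zones, policy, interfaces and DIP applications per leg."""
    legs = [Leg()]
    dropped, reason = False, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "loopback session processing":
            legs.append(Leg())          # the firewall re-injects the packet
            continue
        cur = legs[-1]
        if m := ZONE_RE.search(line):
            cur.zones = (int(m.group(1)), int(m.group(2)))
        elif m := POLICY_RE.search(line):
            cur.policy = int(m.group(1))
        elif m := DIP_RE.search(line):
            cur.dips.append(m.group(1))
        elif m := FINAL_RE.search(line):
            cur.in_if, cur.out_if = m.group(1), m.group(2)
        elif m := DROP_RE.match(line):
            dropped, reason = True, m.group(1)
    return FlowResult(legs, dropped, reason)


def dip_legs(result: FlowResult) -> List[int]:
    """Indexes of legs that applied a DIP. Two or more in a looped-back
    flow is exactly what ScreenOS refuses to build a session for."""
    return [i for i, leg in enumerate(result.legs) if leg.dips]


def explain(result: FlowResult) -> str:
    """Human-readable summary of the per-leg policy and NAT decisions."""
    parts = []
    for i, leg in enumerate(result.legs):
        nat = "+".join(leg.dips) or "no DIP"
        parts.append(f"leg {i}: {leg.in_if}->{leg.out_if} policy {leg.policy} ({nat})")
    verdict = f"DROPPED: {result.drop_reason}" if result.dropped else "session built"
    return "; ".join(parts) + " => " + verdict


if __name__ == "__main__":
    res = parse_flow_trace(SAMPLE_TRACE)
    print(explain(res))
    if len(dip_legs(res)) > 1:
        print("DIP applied on more than one leg:", dip_legs(res))
```

Run against a full `debug flow basic` capture, `dip_legs()` returning two indexes tells you which two policies are both translating the same packet, which is the pair to look at when reworking the hairpin policies; a trace where only one leg carries a DIP parses to a single index and would not be reported.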