JuniperForum.com
Author Topic: Routing Traffic From Custom VSYS/VR to Shared Trust-VR  (Read 4308 times)
TripleDES
Jr. Member
Posts: 79
« on: December 07, 2007, 10:57:39 AM »

I'm having issues getting traffic to route properly from VSYS-A (attached to VR-A) to Trust-VR.  Even though I have the proper policies and routes in place, for some reason the NS tries to send traffic to Untrust-VR.

See this peculiar note in the debug:

  Cross vsys (VSYS-A->Root) at ethernet2/5.50: need loopback  push to Untrust
  policy search from zone 3001-> zone 1

Any help is appreciated.
sfouant
Full Member
Posts: 109
« Reply #1 on: December 07, 2007, 02:03:12 PM »

From what I recall, in order to perform any type of Inter-VSYS routing or routing from a given VSYS to a non shared zone in the root VSYS, the traffic needs to loop through the Untrust zone (as this is typically a shared zone).  Is your Untrust zone perhaps bound to the Untrust-VR?  If so you'll need Inter-VSYS routing as well as Inter-VR routing configured.

Stefan Fouant, CISSP
TripleDES
Jr. Member
Posts: 79
« Reply #2 on: December 07, 2007, 02:24:37 PM »

Yes, Untrust is bound to the untrust-vr.  Is inter/intra vsys/vr routing an option that needs to be configured somewhere?  I don't see the option in the VR or Zone settings.
sfouant
Full Member
Posts: 109
« Reply #3 on: December 07, 2007, 03:38:28 PM »

No it's not an option per se.  I simply meant you will need to configure some additional routing.

Let's say your network in the Trust zone is x and the network in the Vsys-A-Trust zone is y.  What you would need essentially is a route in the Vsys-A-VR to network x with the next-hop as the Untrust-VR.  In the Untrust-VR you will need a route to network x with the next-hop as the Trust-VR (assuming your root Trust zone is bound to the Trust-VR).  Similarly, in order to send the return traffic, you will need a route in the Trust-VR to reach network y with the next-hop set as the Untrust-VR.  You will also need a route in the Untrust-VR to reach network y with the next-hop set to the Vsys-A-VR.  In addition you will need policies from the Vsys-A-Trust zone to the Untrust zone and from the Untrust zone to the Trust zone, and vice-versa if you want to enable sessions originating in the Trust zone to reach the Vsys-A-Trust zone.

If your Untrust interface was bound to the Trust-VR you would still need to perform some of this, but it is exacerbated by the fact that your Untrust zone is bound to the Untrust-VR.  This is a more secure configuration, but requires a few extra steps to get it configured.

Does that make sense?

Stefan Fouant, CISSP
TripleDES
Jr. Member
Posts: 79
« Reply #4 on: December 13, 2007, 09:05:14 AM »

I never thanked you for the information.  Thank you!

I managed to get it working by looping things through the untrust-vr.  I call it the boomerang effect where traffic from an unshared zone must pass through the untrust-vr first in order to get to a custom vsys that is also unshared.

The key points are:
VSYS must exist on a shared VR
untrust-vr must contain routes to both destination vr (VSYS) and source VR (shared VR)
Policies are created both in shared VR and custom VSYS (ie. From TESTZone to Untrust and From VSYSZone to Untrust)
sfouant
Full Member
Posts: 109
« Reply #5 on: December 13, 2007, 11:43:41 AM »

Quote
I never thanked you for the information.  Thank you!

You're welcome!

Quote
I call it the boomerang effect where traffic from an unshared zone must pass through the untrust-vr first in order to get to a custom vsys that is also unshared.

It's not necessarily that the traffic has to pass through the Untrust-VR, rather it has to go through the Untrust Zone... in your case, since the Untrust Zone was bound to the Untrust-VR, there were some additional steps you needed to perform.  Had your Untrust Zone been bound to the Trust-VR which also contained the Trust zone, you would have only needed to configure routing between the Trust-VR and the Vsys-A-VR.  Policies would have been similar however as you would still need to have the traffic go from the Vsys-A-Trust zone to the Untrust zone to the Trust zone and vice-versa.

Stefan Fouant, CISSP
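As an added illustration (not from the thread), the route and policy set described in Reply #3, with the Reply #5 variant at the end, written out as ScreenOS CLI. Constructed values: network x = 10.1.1.0/24 in the root Trust zone (trust-vr), network y = 10.2.2.0/24 in zone Vsys-A-Trust of a vsys named vsys-a (VR vsys-a-vr), and the Untrust zone bound to untrust-vr; the vsys, zone and VR names are assumptions, and the `#` lines are annotations, not CLI.

```text
# --- root vsys (Untrust zone bound to untrust-vr, Trust zone bound to trust-vr) ---
# untrust-vr is the shared VR that vsys-a-vr is allowed to use as a next hop
set vrouter "untrust-vr" shared
# Trust -> y: hand off to untrust-vr
set vrouter "trust-vr" route 10.2.2.0/24 vrouter "untrust-vr"
# untrust-vr relays in both directions: towards x via trust-vr, towards y via vsys-a-vr
set vrouter "untrust-vr" route 10.1.1.0/24 vrouter "trust-vr"
set vrouter "untrust-vr" route 10.2.2.0/24 vrouter "vsys-a-vr"
# root policies: the flow enters the root vsys in Untrust and exits into Trust
# ("any" kept short here; tighten with address-book entries for x and y)
set policy from "Untrust" to "Trust" any any any permit
set policy from "Trust" to "Untrust" any any any permit

# --- vsys-a ---
enter vsys vsys-a
# y -> x: the first hop is the shared untrust-vr, as Reply #3 describes
set vrouter "vsys-a-vr" route 10.1.1.0/24 vrouter "untrust-vr"
set policy from "Vsys-A-Trust" to "Untrust" any any any permit
set policy from "Untrust" to "Vsys-A-Trust" any any any permit
exit

# --- variant from Reply #5: Untrust zone bound to trust-vr instead ---
# the untrust-vr relay disappears; trust-vr and vsys-a-vr point at each other directly
# set vrouter "trust-vr" shared
# set vrouter "trust-vr" route 10.2.2.0/24 vrouter "vsys-a-vr"
# set vrouter "vsys-a-vr" route 10.1.1.0/24 vrouter "trust-vr"     (entered inside vsys-a)
# the policies stay as above, since the flow still crosses Vsys-A-Trust -> Untrust -> Trust
```

Check each VR's view of the far network with `get route ip 10.1.1.1` from inside vsys-a and `get route ip 10.2.2.1` from the root before testing, and re-run the flow debug: if either direction lacks its relay route, sessions will fail asymmetrically rather than in both directions.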
TripleDES
Jr. Member
Posts: 79
« Reply #6 on: December 13, 2007, 12:13:13 PM »

Yes, good clarification.

The reason why I'm doing this in the first place is something isn't working properly when I share the zone outright.  Theoretically, if a zone is shared, it can be accessed through custom virtual systems.

However, for some reason sharing the zones and consequently creating a custom vsys forces IP classification instead of VLAN-based classification, which brings about an entirely new set of complications.
screenie.
Hero Member
Posts: 1236
« Reply #7 on: December 24, 2007, 06:02:29 AM »

Guys,
doesn't this debug output simply mean that an interface is missing in the shared zone? Each shared zone should have an interface for routing purposes, if not a real one then at least a loopback, if I remember well.

Regards, Screenie
------------------------
JNSS, JNCIA, JNCIS, JNCI
openking89
Newbie
Posts: 3
« Reply #8 on: September 25, 2009, 05:31:14 AM »

The exact answer, of course, depends on exactly how the two zones are configured - if they're totally disjoint, or they overlap somewhat, or they're nearly identical except for a few corners.

In any case, you can describe it with the phrase "Bad Juju Happens".

Regards

John
hdharmaraja
Newbie
Posts: 2
« Reply #9 on: January 25, 2010, 03:59:29 AM »

Quote
Guys,
doesn't this debug output simply mean that an interface is missing in the shared zone? Each shared zone should have an interface for routing purposes, if not a real one then at least a loopback, if I remember well.

Hiya, I have a similar set up and having some issues regarding loopback.

I have created a custom VR at root level and am sharing it (VR-intervsys), and have a shared zone (iVSYS) bound to it, hence its zone is shared. Now I am limited in my use of physical interfaces, so I want to use a loopback. How do I go about it?

Would you be able to tell me, where would I define the loopback interface, (root or in vsys) and how about the ip addressing?