Hi all,
Proxy ARP is something that not everyone understands well. Some devices can do it, others cannot, and some do it automatically (sometimes), and so on.
Here I will give a brief overview of how Juniper firewalls handle proxy ARP.
As most of you know, there are 5 ways to do NAT on Juniper firewalls:
MIP: one to one (bi-directional)
DIP: many to one (uni-directional)
VIP: one to many (uni-directional)
Destination NAT (policy): one to one, one to many (uni-directional)
Source NAT (policy): many to one, one to one (uni-directional)
That is the overview of NAT; now, when will the firewall proxy ARP for these NAT addresses?
Yes:
-MIP
-VIP
No:
-Destination NAT (policy)
So you see that when using destination NAT you will have a problem. The solution: place a static ARP entry on the upstream router, or, when the NAT address is not in the same network as the interface, place a route to the cluster IP of the Juniper firewall.
Sometimes this isn't an option, because the upstream router isn't managed by you. Then you need the firewall itself to proxy ARP for these NAT addresses.
Well, there is a hidden command, "set arp nat-dst", which will proxy ARP for destination NAT addresses under certain conditions!
When will it do it and when not:
• The Destination NAT policy must be configured using the same source and destination Layer 3 security zone. However, traffic that matches the policy can then be sent to any Layer 3 security zone.
• The device does not respond to an ARP request if the Destination NAT IP is in the same incoming subnet as a secondary IP address.
• In an HA environment, the device only supports the Destination NAT ARP capability if using NSRP Active/Passive on interfaces that reside in VSD ID 0.
• In ScreenOS 5.0r7 and below, the device does not respond to an ARP request for a Destination NAT IP that is in the same subnet as the incoming interface for a Destination NAT policy.
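As an added configuration example (not from the original post), here is a MIP next to a policy-based destination NAT on the same ScreenOS box, with the two workarounds from above. It assumes ethernet0/0 in untrust (192.0.2.1/24) facing an upstream router and ethernet0/1 in trust (10.1.1.0/24); addresses, interface names, the address-book names and the MAC are placeholders, and lines starting with # are explanatory comments rather than CLI input.

```screenos
# Assumed topology
set interface ethernet0/0 zone untrust
set interface ethernet0/0 ip 192.0.2.1/24
set interface ethernet0/1 zone trust
set interface ethernet0/1 ip 10.1.1.1/24

# 1) MIP (one to one, bidirectional): the firewall proxy ARPs for 192.0.2.10
#    on ethernet0/0 by itself, so the upstream router needs nothing extra.
set interface ethernet0/0 mip 192.0.2.10 host 10.1.1.10 netmask 255.255.255.255 vr trust-vr
set policy from untrust to trust any mip(192.0.2.10) http permit

# 2) Policy-based destination NAT: the pre-NAT address 192.0.2.20 lives in an
#    address-book entry of the destination zone. The firewall does NOT proxy ARP
#    for it, so the router's ARP request for 192.0.2.20 goes unanswered.
set address trust web-vip 192.0.2.20/32
set policy from untrust to trust any web-vip http nat dst ip 10.1.1.20 permit

# 3a) Workaround when you manage the upstream router (Cisco IOS syntax, assumed;
#     the MAC is a placeholder for the firewall's ethernet0/0 MAC):
#       arp 192.0.2.20 0000.0c00.0000 arpa
#     or, if 192.0.2.20 is outside the link subnet, a route to the cluster IP:
#       ip route 192.0.2.20 255.255.255.255 192.0.2.1

# 3b) Workaround on the firewall when you do not manage the router: the hidden
#     command only answers ARP for a dst-NAT IP when the policy uses the same
#     source and destination zone, so the policy is written untrust -> untrust.
#     Keep 192.0.2.20 out of any subnet that is a secondary IP on ethernet0/0.
#     Assumed: intra-zone policies are only consulted with zone blocking enabled.
set zone untrust block
set address untrust web-vip-untrust 192.0.2.20/32
set policy from untrust to untrust any web-vip-untrust http nat dst ip 10.1.1.20 permit
set arp nat-dst
```

Check the result with "get arp" on the firewall and the ARP table on the router after sending traffic to each NAT address; a missing entry for the dst-NAT IP means one of the conditions above is not met.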
Hope this helps you all.
Wednesday, April 23, 2008
Wednesday, April 16, 2008
NSM Error ( Failed during updating License info)
Hi,
While playing a bit with NSM (NetScreen Security Manager), I found a nice bug!
You can't use some characters in the names of the firewall members:
for example _ and [ or ]; possibly there are more!
The error you will see when trying to do an update is:
Error Code:
Error Text:
Exception caught during Update Device:
Failed during updating License info
Error Details:
Failed to process the database query. No record matched the query and nothing has been done.
Hope this helps some of you!