10-12-2011 01:37 AM - edited 03-07-2019 02:45 AM
Hello folks,
I have a requirement to open up HTTPS from the internet to one of our URLs. The public IP is 73.109.101.80, which is NATted to 10.10.10.80, and I created the policy on the Juniper firewall from Untrust Any to Trust 73.109.101.80 with port 443.
But when I try to hit the IP or URL the traffic is not reaching the firewall. Before reaching the firewall, traffic from the internet should first reach the border router (BR) and then the front office router (FOR). We have three firewall clusters (Fw01/02), (Fw03/04) and (Fw05/06) ... The above policy is added on Fw05/06. Below is the config for the BR and FOR for your reference. I need your expertise here as the traffic is not reaching the firewall.
Please let me know what output is required from the BR and FOR; I'll provide it to fix this issue.
Kindly help in this regard.
BR#
router ospf 1
router-id 10.8.9.1
log-adjacency-changes
auto-cost reference-bandwidth 1000
area 0 authentication
passive-interface default
no passive-interface Port-channel2
no passive-interface Port-channel3
network 10.8.9.0 0.0.0.3 area 0
network 10.8.9.8 0.0.0.7 area 0
network 10.8.9.16 0.0.0.7 area 0
default-information originate metric 10 metric-type 1
!
router bgp 10753
no synchronization
bgp log-neighbor-changes
network 73.109.94.0 mask 255.255.255.0
network 73.109.101.0 mask 255.255.255.0
network 73.109.101.51 mask 255.255.255.255
network 73.109.101.52 mask 255.255.255.255
network 73.109.101.92 mask 255.255.255.192
neighbor 4.9.38.33 remote-as 356
neighbor 4.9.38.33 next-hop-self
neighbor 4.9.38.33 remove-private-as
neighbor 4.9.38.33 soft-reconfiguration inbound
neighbor 4.9.38.33 prefix-list level3-in in
neighbor 4.9.38.33 prefix-list level3-out out
neighbor 10.8.9.2 remote-as 1753
neighbor 10.8.9.2 next-hop-self
neighbor 10.50.25.41 remote-as 2870
neighbor 10.50.25.41 soft-reconfiguration inbound
neighbor 10.50.25.41 prefix-list N-CUSTOMER-IN in
neighbor 10.50.25.41 prefix-list S3_AND_S5 out
!
ip route 73.109.94.0 255.255.255.0 Null0
ip route 73.109.94.0 255.255.255.192 216.168.227.38
ip route 73.109.94.64 255.255.255.192 216.168.227.42
ip route 73.109.94.128 255.255.255.192 10.58.39.10
ip route 73.109.94.92 255.255.255.192 216.168.227.42
ip route 73.109.101.0 255.255.255.0 Null0
ip route 73.109.101.51 255.255.255.255 10.8.9.18
ip route 73.109.101.52 255.255.255.255 10.8.9.18
ip route 73.109.101.92 255.255.255.192 10.8.9.18
ip prefix-list N-CUSTOMER-IN seq 205 permit 73.109.96.128/25
ip prefix-list N-CUSTOMER-IN seq 207 permit 73.109.98.128/25
ip prefix-list N-CUSTOMER-IN seq 209 permit 73.109.100.128/25
ip prefix-list N-CUSTOMER-IN seq 211 permit 73.109.103.128/25
ip prefix-list N-CUSTOMER-IN seq 212 permit 73.109.95.128/25
ip prefix-list N-CUSTOMER-IN seq 213 permit 73.109.99.128/25
ip prefix-list S3_AND_S5 seq 5 permit 73.109.101.0/24
ip prefix-list S3_AND_S5 seq 15 permit 73.109.101.51/32
ip prefix-list S3_AND_S5 seq 16 permit 73.109.101.52/32
ip prefix-list S3_AND_S5 seq 20 permit 73.109.101.92/26
ip prefix-list S3_AND_S5 seq 25 permit 73.109.94.0/24
ip prefix-list DC-out seq 150 permit 73.109.101.0/24
!
interface TenGigabitEthernet6/4
description ISP-CONNECTION
ip address 4.9.38.34 255.255.255.252
ip access-group 101 in
no cdp enable
end
!
sh access-list 101 | inc 443
520 permit tcp any any eq 443 (55399 matches)
!
-------------------------------------------------------------------------------------------------------------------------------------------
FOR#
interface Vlan73
ip address 73.109.101.9 255.255.255.128
standby 73 ip 73.109.101.1
standby 73 priority 125
!
interface Vlan75
ip address 73.109.101.130 255.255.255.128
standby 75 ip 73.109.101.129
standby 75 priority 125
!
interface Port-channel3
description FW05/06 UNTRUST AGG1
no ip address
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 73,75
!
router ospf 1
router-id 10.8.7.9
log-adjacency-changes
auto-cost reference-bandwidth 1000
area 0 authentication
passive-interface Vlan11
passive-interface Vlan12
network 8.1.66.0 0.0.0.127 area 0
network 10.8.0.0 0.0.0.3 area 0
network 10.8.7.0 0.0.0.15 area 0
network 10.8.9.16 0.0.0.7 area 0
network 73.109.101.0 0.0.0.255 area 0
!
Thanks
-Ahmed
10-12-2011 03:06 AM
Ahmed
Can you post -
From the BOR -
1) sh ip route | include 73.109.101
2) sh ip bgp neigh 4.9.38.33 advertised-routes | include 73.109.101
From the FOR -
1) sh ip ospf neigh
2) sh ip route | include 73.109.101
Jon
10-12-2011 03:58 AM
Ahmed
on BOR -
neighbor 4.9.38.33 prefix-list level3-out out
I'm assuming the ISP address is 4.9.8.33. If so, can you post the prefix-list level3-out, as you haven't included it in the config you posted.
Jon
10-12-2011 05:39 AM
Hello Ahmed,
I'm not sure where you're doing NAT, but on the BR there's no static route to 73.109.101.80 besides the discard to Null0. As Jon pointed out, can you post the various sh ip route outputs requested?
regards
10-12-2011 09:00 AM
Anne
Yes, this is a bit weird because I'm not sure what those specific /32 routes are doing. There is a /24 to Null0 for that network so it can be advertised via EBGP, but the BOR should be receiving 2 x /25s for the same network from the FOR switch via OSPF, and as these are longer prefixes they should override the Null0 route.
The /32s suggest something isn't working quite right, although it could be the prefix-list as well, which I think has not been posted yet.
We'll wait and see I guess
Jon
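An added illustration of the longest-prefix-match point Jon makes above (this is not part of the thread): a small Python model of the BR's routing table with the /24 to Null0, the /32 statics, and the two /25s the FOR should be advertising via OSPF. The OSPF next hop 10.8.9.18 is an assumption, not something the thread states.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the BR's routing table: the /24 to Null0 and the
# /32 statics are from the posted config; the two /25s are the OSPF routes
# the FOR should be advertising for Vlan73 and Vlan75. Their next hop
# 10.8.9.18 is an assumption (the FOR's side of the 10.8.9.16/29 link).
BR_RIB = [
    # (prefix, next hop, source, administrative distance)
    ("73.109.101.0/24",   "Null0",     "static", 1),
    ("73.109.101.51/32",  "10.8.9.18", "static", 1),
    ("73.109.101.52/32",  "10.8.9.18", "static", 1),
    ("73.109.101.0/25",   "10.8.9.18", "ospf",   110),
    ("73.109.101.128/25", "10.8.9.18", "ospf",   110),
]


def lookup(rib, dst):
    """Longest-prefix match, as a router's forwarding lookup does it.

    Prefix length wins first; administrative distance only breaks ties
    between equal-length prefixes from different sources."""
    addr = ip_address(dst)
    best = None
    for prefix, next_hop, source, ad in rib:
        net = ip_network(prefix)
        if addr in net:
            rank = (net.prefixlen, -ad)
            if best is None or rank > best[0]:
                best = (rank, prefix, next_hop, source)
    return None if best is None else best[1:]


def without_ospf(rib):
    """The BR's table if the /25s never arrive from the FOR."""
    return [r for r in rib if r[2] != "ospf"]


if __name__ == "__main__":
    print(lookup(BR_RIB, "73.109.101.80"))                # /25 via the FOR
    print(lookup(without_ospf(BR_RIB), "73.109.101.80"))  # /24 -> Null0
    print(lookup(BR_RIB, "73.109.101.51"))                # /32 static wins
```

With the /25s present, 73.109.101.80 goes to the FOR; if they are missing, the same address falls back to the /24 and is discarded at Null0, which is why the requested sh ip route output tells the story.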
10-12-2011 09:11 AM
Let's wait and see...
10-14-2011 01:37 AM
Thank you so much for your response Jon, Anne, I really appreciate your response.
I did figure it out. The traffic flow is such that, if a request from the internet hits IP 73.109.101.80 from outside, it should go from the BR to the FOR, then to the FW, and that FW has public IP 73.109.101.80 NATted to VIP 10.10.10.80. The firewall passes the request to the Core Router, and then it passes to the LB where the VIP 10.10.10.80 resides, and then it should pass to the real servers. Those real servers have their default gateway pointing to the LB, and the LB's default gateway points to the Core switch, but the core switch's default gateway is pointing to the backoffice router instead of the firewall, so the response is passing through the backoffice router and from there nowhere. This is the production setup; I don't know how they set it up and I am the new engineer working on this setup. For testing I added a static route on the Core switch destined to my internet IP pointing to the firewall as the exit, and after that I am able to reach 73.109.101.80 from my machine.
Therefore I am now in the process of changing the default route on the core switch to point to the firewall instead of the backoffice router, but before doing that I need to check what traffic is passing through the backoffice router. It seems that through ACL logging I can identify what traffic sourced from the 10.10.10.0/24 network is passing towards the backoffice.
Any suggestions on how to configure ACL logging on the Backoffice router for traffic sourced from 10.10.10.0/24?
I came up with the below config:
ip access-list extended 10.10.10.0/24_subnet_sourcetraffic
permit ip 10.10.10.0 0.0.0.255 any log
Is the above config correct to log the traffic?
thanks
Ahmed
10-14-2011 03:23 AM
Ahmed
If you are logging ACLs on the 6500 then you need to use OAL (Optimised ACL Logging), or else all packets that are logged will be done in software. See this link for details -
As for the default-route, you need to be careful when changing it. Presumably it was set up for a reason, so you need to be sure what it was set for. For example, it may be that other networks use this default-route, or it may be they don't want the default-route pointing to the firewall.
Jon
10-15-2011 02:56 AM
Hi Jon,
Thank you for looking into this. I am looking to proceed with OAL to capture the traffic passing from the BO-router. I have a question regarding OAL: will OAL capture all the TCP port traffic as well once it's been configured, and will it affect or break anything while configuring OAL? Curious, since it's a production network. Yes, I want to take precautions while weaning it off the default route pointing to some other router. It's one of the projects on my list that needs to be completed this month before the holidays start.
It's a long story that the default route is pointing to a different router.
Here I'll try to explain or give you a little bit of background. We have different products running in the datacenter and have different SILOs (small infrastructure which is separate from each other silo) for different products.
The one which I was talking about in the above thread was the SILO-A Core router, which has a default route pointing to CORE-SILOB, and SILO-A and SILO-B have connectivity through the BO-router. Attaching the config for your reference. SILO-B was built first, before SILO-A. An earlier engineer 2 years back set up silo-A and, for testing purposes, routed the outbound connections from the silo-A servers via SILO-B, but he left in between and the other engineers set up the production traffic in the same way. Now SILO-B is being waved off soon and we need to bring the outbound connection back from SILO-B to Silo-A as well.
Hope I explained clearly.
Based on the config attached, will the below OAL config help in tracking what IPs the traffic is passing through from the CORE-SILOA to Core-SILOB through the BO-Router?
I think the best place to log the traffic is on the BO-router interface which has the connectivity to the SILO-A core router.
Much appreciate your help and guidance in this regard:
R-BO#interface Port-channel1
description R-BO <-> Core-SILOA
logging ip access-list cache in
logging ip access-list cache out
--------------------------------------OR (I found another ACL logging config)-------------------------------
R-BO#config t
logging buffered 15000 (this creates a large enough buffer to look at locally on the router,or you can configure the router to log the ACL matches to a Syslog server).
access-list 101 permit tcp any gt 0 any gt 0 log
access-list 101 permit udp any gt 0 any gt 0 log
access-list 101 permit icmp any any
access-list 101 permit ip any any log
interface Port-channel1
description R-BO <-> Core-SILOA
ip access-group 101 in
Let me know what you think about the two configs, and which one you suggest I go with. I hope both configs will not affect any production network or break anything.
Thank you,
Ahmed
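As an added example (not from the thread, and not a Cisco tool), here is a Python parser for the syslog messages an ACL entry with the log keyword produces in the standard IOS %SEC-6-IPACCESSLOGP / %SEC-6-IPACCESSLOGDP format, tallying which destinations the sources in 10.10.10.0/24 are reaching through the BO-router. The log lines, list number 101 and all addresses are constructed samples.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample syslog lines in the standard IOS ACL-log format
# (%SEC-6-IPACCESSLOGP for tcp/udp, %SEC-6-IPACCESSLOGDP for icmp).
# These are not from the thread; list 101 and the addresses are made up.
SAMPLE_LOG = """\
Oct 15 03:10:01.123: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.10.10.21(51234) -> 203.0.113.7(443), 1 packet
Oct 15 03:10:02.456: %SEC-6-IPACCESSLOGP: list 101 permitted udp 10.10.10.53(40001) -> 198.51.100.2(53), 4 packets
Oct 15 03:10:03.789: %SEC-6-IPACCESSLOGDP: list 101 permitted icmp 10.10.10.21 -> 203.0.113.9 (8/0), 1 packet
Oct 15 03:10:04.000: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.5.4(33000) -> 203.0.113.7(443), 1 packet
"""

# One regex covers both message types: the ports are optional (absent for icmp).
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w+: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?.*?, (?P<count>\d+) packets?"
)


def parse_acl_log(text):
    """Return one dict per recognised ACL log line; other lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            flows.append(m.groupdict())
    return flows


def summarize(flows, subnet="10.10.10.0/24"):
    """Tally packets per (proto, dst, dport) for sources inside subnet.

    Lines whose source is outside the subnet are ignored, so the result is
    the inventory of where the silo's servers are actually going."""
    net = ip_network(subnet)
    tally = Counter()
    for f in flows:
        if ip_address(f["src"]) in net:
            tally[(f["proto"], f["dst"], f["dport"])] += int(f["count"])
    return tally


if __name__ == "__main__":
    for (proto, dst, dport), pkts in summarize(parse_acl_log(SAMPLE_LOG)).items():
        print(f"{proto:5} {dst}:{dport or '-'}  {pkts} packets")
```

Feed it the messages as exported to a syslog server; because the router rate-limits log-keyword messages, treat the output as an inventory of destinations rather than an exact packet count.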
10-15-2011 03:01 AM