Routing traffic to a virtual system (vsys) in ScreenOS

I would like to add a quick note on how to forward some traffic received from one interface to a vsys configured in a netscreen device. From time to time, I need to do this and I always have to search for it again. This may not be the right way of doing or not suitable for production environments but it works just in my testing. In the example, network in the destination vsys is 10.1.1.0/24.

1) In the below example, I am forwarding traffic received in eth1/1 interface which is in untrust zone and trust-vr. This is important as we should use a shared untrust zone for forwarding and trust-vr

Root device interface output

nsisg2000-> get int

A - Active, I - Inactive, U - Up, D - Down, R - Ready

Interfaces in vsys Root:
Name           IP Address                        Zone        MAC            VLAN State VSD Vsys
mgt            0.0.0.0/0                         MGT         0010.dbce.c580    -   D   -   Root
eth1/1         172.30.72.126/23                  Untrust     0010.dbce.c587    -   U   -   Root
eth1/3         0.0.0.0/0                         Null        0010.dbce.c589    -   D   -   Root
eth1/4         0.0.0.0/0                         Null        0010.dbce.c58a    -   D   -   Root
eth1/5         0.0.0.0/0                         Null        0010.dbce.c58b    -   D   -   Root
eth1/6         0.0.0.0/0                         Null        0010.dbce.c58c    -   D   -   Root
eth1/7         0.0.0.0/0                         Null        0010.dbce.c58d    -   D   -   Root
eth1/8         0.0.0.0/0                         Null        0010.dbce.c58e    -   D   -   Root
eth2/1         0.0.0.0/0                         Null        0010.dbce.c595    -   D   -   Root
eth4/1         0.0.0.0/0                         Null        0010.dbce.c5a5    -   D   -   Root
vlan1          0.0.0.0/0                         VLAN        0010.dbce.c58f    1   D   -   Root
null           0.0.0.0/0                         Null        N/A               -   U   0   Root

2) Required routes are below. We forward traffic into test-vr which is in test vsys

Root device route output

nsisg2000-> get route
H: Host C: Connected S: Static A: Auto-Exported
I: Imported R: RIP P: Permanent D: Auto-Discovered
N: NHRP
iB: IBGP eB: EBGP O: OSPF E1: OSPF external type 1
E2: OSPF external type 2 trailing B: backup route

IPv4 Dest-Routes for <untrust-vr> (1 entries)
--------------------------------------------------------------------------------------
         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
--------------------------------------------------------------------------------------
          7          0.0.0.0/0           NULL         0.0.0.0   S   20      1     Root

IPv4 Dest-Routes for <trust-vr> (4 entries)
--------------------------------------------------------------------------------------
         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
--------------------------------------------------------------------------------------
*        19          0.0.0.0/0         eth1/1     172.30.72.1   S   20      1     Root
*        17     172.30.72.0/23         eth1/1         0.0.0.0   C    0      0     Root
*        18   172.30.72.126/32         eth1/1         0.0.0.0   H    0      0     Root
*        20        10.1.1.0/24            n/a         test-vr   S   20      0     test

Get zone output:

nsisg2000-> get zone
Total 14 zones created in vsys Root - 8 are policy configurable.
Total policy configurable zones for Root is 8.
------------------------------------------------------------------------
  ID Name                             Type    Attr    VR          Default-IF   VSYS
   0 Null                             Null    Shared untrust-vr   null         Root
   1 Untrust                          Sec(L3) Shared trust-vr     ethernet1/1  Root
   2 Trust                            Sec(L3)        trust-vr     null         Root
   3 DMZ                              Sec(L3)        trust-vr     null         Root
   4 Self                             Func           trust-vr     self         Root
   5 MGT                              Func           trust-vr     mgt          Root
   6 HA                               Func           trust-vr     null         Root
  10 Global                           Sec(L3)        trust-vr     null         Root
  11 V1-Untrust                       Sec(L2) Shared trust-vr     v1-untrust   Root
  12 V1-Trust                         Sec(L2) Shared trust-vr     v1-trust     Root
  13 V1-DMZ                           Sec(L2) Shared trust-vr     v1-dmz       Root
  14 VLAN                             Func    Shared trust-vr     vlan1        Root
  15 V1-Null                          Sec(L2) Shared trust-vr     l2v          Root
  16 Untrust-Tun                      Tun            trust-vr     hidden.1     Root
------------------------------------------------------------------------

4) If we look at the return traffic withing test vsys:

If we look at the return traffic, we can see that, we direct return traffic into trust-vr

nsisg2000(test)-> get route
H: Host C: Connected S: Static A: Auto-Exported
I: Imported R: RIP P: Permanent D: Auto-Discovered
N: NHRP
iB: IBGP eB: EBGP O: OSPF E1: OSPF external type 1
E2: OSPF external type 2 trailing B: backup route

IPv4 Dest-Routes for <test-vr> (3 entries)
--------------------------------------------------------------------------------------
         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr
--------------------------------------------------------------------------------------
*         9          0.0.0.0/0 n/a trust-vr   S   20      0
*         3      10.1.1.150/32         eth1/2         0.0.0.0   H    0      0
*         2        10.1.1.0/24         eth1/2         0.0.0.0   C    0      0

IPv4 Dest-Routes for <untrust-vr> (1 entries)
--------------------------------------------------------------------------------------
         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
--------------------------------------------------------------------------------------
          7          0.0.0.0/0           NULL         0.0.0.0   S   20      1     Root

IPv4 Dest-Routes for <trust-vr> (4 entries)
--------------------------------------------------------------------------------------
         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
--------------------------------------------------------------------------------------
*        19          0.0.0.0/0         eth1/1     172.30.72.1   S   20      1     Root
*        17     172.30.72.0/23         eth1/1         0.0.0.0   C    0      0     Root
*        18   172.30.72.126/32         eth1/1         0.0.0.0   H    0      0     Root
*        20        10.1.1.0/24            n/a         test-vr   S   20      0     test

Crucial point is the following output indeed. VSYS device sees untrust zone as if it is directly connected to it, which means without having any policy in the root system, having a policy allowing from untrust zone to Trust-test zone allows traffic flow.

nsisg2000(test)-> get pol id 1
name:"none" (id 1), zone Untrust -> Trust-test,action Permit, status "enabled"
src "Any", dst "Any", serv "ANY"
Rules on this VPN policy: 0
nat off, Web filtering : disabled
vpn unknown vpn, policy flag 00000000, session backup: on
traffic shaping off, scheduler n/a, serv flag 00
log no, log count 0, alert no, counter no(0) byte rate(sec/min) 0/0
total octets 97804, counter(session/packet/octet) 0/0/0
No Authentication
No User, User Group or Group expression set

If I draw a very stupid graphic, it should be something like this;

About: rtoodtoo

Worked for more than 10 years as a Network/Support Engineer and also interested in Python, Linux, Security and SD-WAN, currently living in the Netherlands and works as a Network Support Engineer. // JNCIE-SEC #223 / RHCE / PCNSE


You have a feedback?

This site uses Akismet to reduce spam. Learn how your comment data is processed.