Routing traffic to a virtual system (vsys) in ScreenOS
I would like to add a quick note on how to forward traffic received on one interface of a NetScreen device into a virtual system (vsys) configured on that device. From time to time I need to do this and I always end up searching for it again. This may not be the canonical way of doing it, and it may not suit production environments, but it works in my testing. In the example, the network behind the destination vsys is 10.1.1.0/24 and the vsys is named test, with its own virtual router test-vr.
1) In the example below, I forward traffic arriving on interface eth1/1, which sits in the Untrust zone and is bound to trust-vr. This matters: the Untrust zone must be shared (see the zone output further down) and trust-vr must be visible to the vsys, otherwise the vsys cannot use the ingress zone in its own policies.
Root device interface output
nsisg2000-> get int
A - Active, I - Inactive, U - Up, D - Down, R - Ready

Interfaces in vsys Root:
Name     IP Address         Zone     MAC             VLAN State VSD Vsys
mgt      0.0.0.0/0          MGT      0010.dbce.c580   -     D    -  Root
eth1/1   172.30.72.126/23   Untrust  0010.dbce.c587   -     U    -  Root
eth1/3   0.0.0.0/0          Null     0010.dbce.c589   -     D    -  Root
eth1/4   0.0.0.0/0          Null     0010.dbce.c58a   -     D    -  Root
eth1/5   0.0.0.0/0          Null     0010.dbce.c58b   -     D    -  Root
eth1/6   0.0.0.0/0          Null     0010.dbce.c58c   -     D    -  Root
eth1/7   0.0.0.0/0          Null     0010.dbce.c58d   -     D    -  Root
eth1/8   0.0.0.0/0          Null     0010.dbce.c58e   -     D    -  Root
eth2/1   0.0.0.0/0          Null     0010.dbce.c595   -     D    -  Root
eth4/1   0.0.0.0/0          Null     0010.dbce.c5a5   -     D    -  Root
vlan1    0.0.0.0/0          VLAN     0010.dbce.c58f   1     D    -  Root
null     0.0.0.0/0          Null     N/A              -     U    0  Root
2) The required routes are below. In the root system's trust-vr, 10.1.1.0/24 is routed into test-vr, the virtual router of the test vsys (route ID 20, owned by vsys test).
Root device route output
nsisg2000-> get route

H: Host C: Connected S: Static A: Auto-Exported
I: Imported R: RIP P: Permanent D: Auto-Discovered
N: NHRP
iB: IBGP eB: EBGP O: OSPF E1: OSPF external type 1
E2: OSPF external type 2 trailing B: backup route

IPv4 Dest-Routes for <untrust-vr> (1 entries)
--------------------------------------------------------------------------------------
         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
--------------------------------------------------------------------------------------
          7          0.0.0.0/0           NULL         0.0.0.0   S   20      1     Root

IPv4 Dest-Routes for <trust-vr> (4 entries)
--------------------------------------------------------------------------------------
         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
--------------------------------------------------------------------------------------
*        19          0.0.0.0/0         eth1/1     172.30.72.1   S   20      1     Root
*        17     172.30.72.0/23         eth1/1         0.0.0.0   C    0      0     Root
*        18  172.30.72.126/32          eth1/1         0.0.0.0   H    0      0     Root
*        20        10.1.1.0/24            n/a         test-vr   S   20      0     test
3) Zone output. Note the Shared attribute on the Untrust zone, whose default interface is ethernet1/1 and whose virtual router is trust-vr:

nsisg2000-> get zone
Total 14 zones created in vsys Root - 8 are policy configurable.
Total policy configurable zones for Root is 8.
------------------------------------------------------------------------
  ID Name          Type     Attr    VR          Default-IF   VSYS
------------------------------------------------------------------------
   0 Null          Null     Shared  untrust-vr  null         Root
   1 Untrust       Sec(L3)  Shared  trust-vr    ethernet1/1  Root
   2 Trust         Sec(L3)          trust-vr    null         Root
   3 DMZ           Sec(L3)          trust-vr    null         Root
   4 Self          Func             trust-vr    self         Root
   5 MGT           Func             trust-vr    mgt          Root
   6 HA            Func             trust-vr    null         Root
  10 Global        Sec(L3)          trust-vr    null         Root
  11 V1-Untrust    Sec(L2)  Shared  trust-vr    v1-untrust   Root
  12 V1-Trust      Sec(L2)  Shared  trust-vr    v1-trust     Root
  13 V1-DMZ        Sec(L2)  Shared  trust-vr    v1-dmz       Root
  14 VLAN          Func     Shared  trust-vr    vlan1        Root
  15 V1-Null       Sec(L2)  Shared  trust-vr    l2v          Root
  16 Untrust-Tun   Tun              trust-vr    hidden.1     Root
------------------------------------------------------------------------
4) Return traffic within the test vsys. The default route in test-vr points back into trust-vr, so replies to 172.30.72.0/23 leave through the root system's routing table. Because trust-vr is visible to the vsys, its routes are listed in the vsys as well:

nsisg2000(test)-> get route

H: Host C: Connected S: Static A: Auto-Exported
I: Imported R: RIP P: Permanent D: Auto-Discovered
N: NHRP
iB: IBGP eB: EBGP O: OSPF E1: OSPF external type 1
E2: OSPF external type 2 trailing B: backup route

IPv4 Dest-Routes for <test-vr> (3 entries)
--------------------------------------------------------------------------------------
         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr
--------------------------------------------------------------------------------------
*         9          0.0.0.0/0            n/a        trust-vr   S   20      0
*         3      10.1.1.150/32         eth1/2         0.0.0.0   H    0      0
*         2        10.1.1.0/24         eth1/2         0.0.0.0   C    0      0

IPv4 Dest-Routes for <untrust-vr> (1 entries)
--------------------------------------------------------------------------------------
         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
--------------------------------------------------------------------------------------
          7          0.0.0.0/0           NULL         0.0.0.0   S   20      1     Root

IPv4 Dest-Routes for <trust-vr> (4 entries)
--------------------------------------------------------------------------------------
         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
--------------------------------------------------------------------------------------
*        19          0.0.0.0/0         eth1/1     172.30.72.1   S   20      1     Root
*        17     172.30.72.0/23         eth1/1         0.0.0.0   C    0      0     Root
*        18  172.30.72.126/32          eth1/1         0.0.0.0   H    0      0     Root
*        20        10.1.1.0/24            n/a         test-vr   S   20      0     test
The crucial point is the following output. Because the Untrust zone is shared, the vsys sees it as if it were one of its own zones: a policy in the test vsys permitting Untrust -> Trust-test is enough for the traffic to flow, with no policy in the root system at all. The root system only classifies the packet into the vsys via the route lookup (10.1.1.0/24 -> test-vr); it never consults a root policy for it. In other words, whatever the vsys administrator opens from the shared zone is opened without the root administrator's policy in the path, which is worth keeping in mind before using this outside a lab.

nsisg2000(test)-> get pol id 1
name:"none" (id 1), zone Untrust -> Trust-test,action Permit, status "enabled"
src "Any", dst "Any", serv "ANY"
Rules on this VPN policy: 0
nat off, Web filtering : disabled
vpn unknown vpn, policy flag 00000000, session backup: on
traffic shaping off, scheduler n/a, serv flag 00
log no, log count 0, alert no, counter no(0) byte rate(sec/min) 0/0
total octets 97804, counter(session/packet/octet) 0/0/0
No Authentication
No User, User Group or Group expression set
Drawn as a rough diagram, the flow looks like this:

172.30.72.0/23 --> eth1/1 (Untrust, shared; trust-vr, vsys Root)
                     |  route 10.1.1.0/24 -> vrouter test-vr
                     v
                   test-vr (vsys test)
                     |  policy Untrust -> Trust-test permit (vsys test, no root policy)
                     v
                   eth1/2 (Trust-test, 10.1.1.150/24) --> 10.1.1.0/24
                   return: test-vr 0.0.0.0/0 -> vrouter trust-vr -> eth1/1
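For reference, here is the set of commands that produces the state shown in the outputs above. This is an added example reconstructed by the editor from those outputs, not configuration copied from the original post. It assumes ScreenOS CLI syntax for zone sharing, vrouter sharing and inter-vrouter routes; ethernet1/2 as the vsys interface and the vsys name test are taken from the outputs, while the lines starting with # are annotations and must be removed before pasting, since the ScreenOS CLI has no comment syntax.

```screenos
# Root system: make the ingress zone and its virtual router usable from a vsys.
set zone Untrust shared
set vrouter trust-vr sharable
set interface ethernet1/1 zone Untrust
set interface ethernet1/1 ip 172.30.72.126/23
# Root trust-vr: default route out eth1/1, and the route that hands
# 10.1.1.0/24 to the vsys's virtual router. Route classification into the
# vsys happens here; no root policy is involved.
set vrouter "trust-vr"
set route 0.0.0.0/0 interface ethernet1/1 gateway 172.30.72.1
set route 10.1.1.0/24 vrouter test-vr
exit

# Create the vsys (this also creates test-vr) and enter its context.
set vsys test
# Inside vsys test: take over the physical interface and build the inside zone.
set interface ethernet1/2 import
set zone name Trust-test
set interface ethernet1/2 zone Trust-test
set interface ethernet1/2 ip 10.1.1.150/24
# Return path: everything the vsys does not know goes back to the root trust-vr.
set vrouter "test-vr"
set route 0.0.0.0/0 vrouter trust-vr
exit
# The only policy in the path. The shared Untrust zone is addressable here
# exactly as if it belonged to the vsys. Tighten src/dst/service for real use.
set policy from Untrust to Trust-test any any any permit
save
exit
```

To confirm the path, send traffic from 172.30.72.0/23 to 10.1.1.150 and run get session inside the vsys context (nsisg2000(test)->); the session should appear there and not in the root system. For a packet-level trace, set ffilter with the source and destination addresses, enable debug flow basic, and read get dbuf stream: the trace should show the route lookup in trust-vr resolving to vrouter test-vr followed by the policy lookup in the vsys.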