[j-nsp] Issues with 7.2R1.7 and Firewall Filters
juniper at arnes.si
Mon Sep 19 10:20:09 EDT 2005
Hi, Laura!
Maybe I was not clear enough, so let me try again...
When a packet from x (_your_ router) exits your router via an external interface, it
first hits the _inbound_ filter on your physical interface and matches the following term:
    from {
        source-address {
            x/32;
        }
        destination-address {
            y/32;
        }
        protocol gre;
    }
The packet from source x hits the filter here:

      |
      |  +<-tun
      |  |  +-^-------+
      !  v  |         |
      filter|         |
ext<---<out-| Juniper |-in<---<int
if.         | router  |         if.
            +---------+
A better picture might be:
            encapsulated packet going out
                ^
                |      packet goes through inbound filter first
out interface<--+  <-- here
                |
+---------------|--+
|              /   |
| Juniper  tunnel  |
| router   PIC/    |
|         /        |
+------------------+
    in interface
        ^
        |
And, when a packet comes from router y, it also hits the inbound filter on your physical
interface and matches in:
    from {
        source-address {
            y/32;
        }
        destination-address {
            x/32;
        }
        protocol gre;
    }
That's why

>     from {
>         source-address {
>             y/32;
>             x/32;
>         }
>         destination-address {
>             x/32;
>             y/32;
>         }
>         protocol gre;
>     }

works for you. Does this clarify the behavior?
Regards,
Matjaz
In-reply-to: Your message dated: Mon, 19 Sep 2005 10:49:38 BST

> Matjaz,
>
> Thanks for your response but I do not have any filters on the external
> interface to block the address space being used. In order to allow the
> external interface on the Juniper to accept incoming GRE packets, I must
> permit 2 source addresses and 2 destination addresses i.e. the tunnel
> endpoints.
>
> Inbound
>
> > > term GRE {
> > >     from {
> > >         source-address {
> > >             y/32;
>                 x/32;
> > >         }
> > >         destination-address {
> > >             x/32;
>                 y/32;
> > >         }
> > >         protocol gre;
> > >     }
> > >     then {
> > >         count GRE;
> > >         log;
> > >         accept;
>
> However when the packet exits the external physical interface, I only need
> to specify the source address of the tunnel on the Juniper and the
> destination address of the tunnel at the remote router. How can this be so?
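As an added example (not part of Matjaz's or Laura's messages), the same rule written as two explicit terms plus a catch-all for other GRE. This is tighter than listing both endpoints in each address list, because that combined term also matches x-to-x and y-to-y. The addresses and the filter, term and counter names are constructed placeholders: x is 192.0.2.1 and y is 198.51.100.1.

```junos
firewall {
    family inet {
        filter PROTECT-EXT {
            /* x -> y: the encapsulated packet leaving via the tunnel PIC
               still traverses this inbound filter, so it needs its own term */
            term GRE-TO-PEER {
                from {
                    source-address {
                        192.0.2.1/32;
                    }
                    destination-address {
                        198.51.100.1/32;
                    }
                    protocol gre;
                }
                then {
                    count GRE-OUT;
                    accept;
                }
            }
            /* y -> x: GRE arriving from the remote tunnel endpoint */
            term GRE-FROM-PEER {
                from {
                    source-address {
                        198.51.100.1/32;
                    }
                    destination-address {
                        192.0.2.1/32;
                    }
                    protocol gre;
                }
                then {
                    count GRE-IN;
                    log;
                    accept;
                }
            }
            /* any other GRE on this interface is unexpected: count it,
               log it and drop it instead of letting a later term decide */
            term OTHER-GRE {
                from {
                    protocol gre;
                }
                then {
                    count GRE-REJECTED;
                    log;
                    discard;
                }
            }
        }
    }
}
```

Apply it with `filter { input PROTECT-EXT; }` under `family inet` on the external interface's unit, with the remaining non-GRE terms appended after OTHER-GRE. Separate counters per direction also make it easy to confirm from `show firewall` that the outbound packet really is hitting the inbound filter as described above.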