[j-nsp] Issues with 7.2R1.7 and Firewall Filters

juniper at arnes.si juniper at arnes.si
Mon Sep 19 10:20:09 EDT 2005


Hi, Laura!

Maybe I was not clear enough, so let me try again...
When a packet from x (_your_ router) exits your router via an external interface, it
first hits the _inbound_ filter on your physical interface and matches the following term:

from {
   source-address {
      x/32;
   }
   destination-address {
      y/32;
   }
   protocol gre;
}

The packet from source x hits the filter here:
             |
             | +<-tun
             | | +-^-------+
             ! v |         |
           filter|         |
     ext<---<out-| Juniper |-in<---<int
             if. | router  | if.
                 +---------+

A better picture might be:

              encapsulated packet going out
              ^
              |             packet goes through inbound filter first
          out interface<--+ <-- here
                          |
          +---------------|--+
          |              /   |
          |  Juniper tunnel  |
          |  router  PIC/    |
          |            /     |
          +------------------+
          in interface
             ^
             |


And, when a packet comes from router y, it also hits the inbound filter on your physical
interface and matches:

from {
   source-address {
      y/32;
   }
   destination-address {
      x/32;
   }
   protocol gre;
}

That's why

>             from {
>                 source-address {
>                     y/32;
>                     x/32;
>                 }
>                 destination-address {
>                     x/32;
>                     y/32;
>                 }
>                 protocol gre;
>             }

works for you. Does this clarify the behavior?
Regards,

	Matjaz
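As an added illustration, not part of Matjaz's or Laura's messages, the following Python model of a stateless filter replays the two flows Matjaz describes (GRE from y arriving, and the router's own encapsulated GRE to y re-entering from the tunnel PIC) against three versions of the inbound term. The addresses 192.0.2.1 and 198.51.100.1 are constructed stand-ins for x and y, and the term names are assumptions. It goes one step beyond the thread: it also shows that the merged term (both addresses in both lists) additionally matches GRE that claims to go from x to x, whereas two per-direction terms accept exactly the two real flows.

```python
# Added example (not from the juniper-nsp thread): a tiny model of a Junos-style
# stateless firewall filter, used to show why the inbound filter on the physical
# interface must accept both tunnel directions when a tunnel PIC is in use.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed addresses standing in for the thread's "x" (local tunnel endpoint)
# and "y" (remote tunnel endpoint). Any two distinct addresses would do.
X = "192.0.2.1"
Y = "198.51.100.1"


@dataclass
class Term:
    """One filter term: every listed 'from' condition must match (AND)."""
    name: str
    source: List[str]        # source-address prefixes (OR within the list)
    destination: List[str]   # destination-address prefixes (OR within the list)
    protocol: Optional[str]  # None means "any protocol"
    action: str              # "accept" or "discard"


def _in_any(addr: str, prefixes: List[str]) -> bool:
    ip = ip_address(addr)
    return any(ip in ip_network(p) for p in prefixes)


def term_matches(term: Term, pkt: Dict[str, str]) -> bool:
    if term.source and not _in_any(pkt["src"], term.source):
        return False
    if term.destination and not _in_any(pkt["dst"], term.destination):
        return False
    if term.protocol is not None and pkt["proto"] != term.protocol:
        return False
    return True


def evaluate(terms: List[Term], pkt: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """First matching term wins; no match means discard (the Junos default)."""
    for term in terms:
        if term_matches(term, pkt):
            return term.action, term.name
    return "discard", None


def gre(src: str, dst: str) -> Dict[str, str]:
    return {"src": src, "dst": dst, "proto": "gre"}


# What the inbound filter on the physical interface actually sees, per the thread:
# the remote router's GRE packets arriving, AND the local router's own encapsulated
# packets coming back from the tunnel PIC before they leave the egress interface.
INBOUND_FLOWS = {
    "remote_to_local": gre(Y, X),
    "local_reentering_from_tunnel_pic": gre(X, Y),
}

# Filter 1: only the obvious direction (remote -> local).
ONE_WAY = [Term("GRE", [f"{Y}/32"], [f"{X}/32"], "gre", "accept")]

# Filter 2: the merged term from the thread (both addresses in both lists).
MERGED = [Term("GRE", [f"{Y}/32", f"{X}/32"], [f"{X}/32", f"{Y}/32"], "gre", "accept")]

# Filter 3: the same two flows as two explicit terms, one per direction
# (term names are assumptions for this example).
PER_DIRECTION = [
    Term("GRE-from-remote", [f"{Y}/32"], [f"{X}/32"], "gre", "accept"),
    Term("GRE-local-reentry", [f"{X}/32"], [f"{Y}/32"], "gre", "accept"),
]


def check_inbound(terms: List[Term]) -> Dict[str, str]:
    """Action the filter takes on each of the two real tunnel flows."""
    return {name: evaluate(terms, pkt)[0] for name, pkt in INBOUND_FLOWS.items()}


def accepts_self_addressed(terms: List[Term]) -> bool:
    """Does the filter also pass GRE addressed from x to x? Only the merged
    (cross-product) term does; that is the cost of folding two directions into one."""
    return evaluate(terms, gre(X, X))[0] == "accept"


if __name__ == "__main__":
    for label, f in (("one-way", ONE_WAY), ("merged", MERGED), ("per-direction", PER_DIRECTION)):
        print(label, check_inbound(f), "accepts x->x:", accepts_self_addressed(f))
```

Running it shows the one-way term discarding the router's own re-entering packets (Laura's symptom), and both the merged and the per-direction filters accepting both flows; the per-direction form is the tighter of the two because it matches only the real endpoint pairs.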

In-reply-to: Your message dated: Mon, 19 Sep 2005 10:49:38 BST
> 
> Matjaz,
> 
> Thanks for your response but I do not have any filters on the external
> interface to block the address space being used.  In order to allow the
> external interface on the Juniper to accept incoming GRE packets, I must
> permit 2 source addresses and 2 destination addresses i.e. the tunnel
> endpoints. 
> 
> Inbound
> 
> > > term GRE {
> > >             from {
> > >                 source-address {
> > >                     y/32;
>                         x/32;
> > >                 }
> > >                 destination-address {
> > >                     x/32;
>                         y/32;
> > >                 }
> > >                 protocol gre;
> > >             }
> > >             then {
> > >                 count GRE;
> > >                 log;
> > >                 accept;
> 
> However when the packet exits the external physical interface, I only need
> to specify the source address of the tunnel on the juniper and the
> destination address of the tunnel at the remote router.  How can this be so?
