SRX

 View Only

IMPORTANT MODERATION NOTICE

This community is currently under full moderation, meaning  all posts will be reviewed before appearing in the community. Please expect a brief delay—there is no need to post multiple times. If your post is rejected, you'll receive an email outlining the reason(s). We've implemented full moderation to control spam. Thank you for your patience and participation.



  • 1.  Users can not access Mail server (has IP public) via same PPPoE interface

    Posted 10-08-2012 01:03
      |   view attached
    I have a Mail server in vlan200; vlan100 is user vlan.
    Vlan200 and vlan100 access Internet via interface PPPoE pp0.0
    Mail server have a public IP (call A.A.A.A) which had routed by my ISP.
    I implement static nat on SRX with public IP A.A.A.A. All packet sent to A.A.A.A is
    translated to B.B.B.B (is local IP of Mail server)

    Outside users and users who using an other PPPoE interface can access the Mail server.
    But users who using same interface pp0.0 can not.

    I've attached my network diagram. So what the trouble with this scene?
    Thanks!

    #PPPoE
    #NAT


  • 2.  RE: Users can not access Mail server (has IP public) via same PPPoE interface

    Posted 10-11-2012 22:50

    Hi,

     

    How is your static nat match condition configured currently ? Does it include user vlan too ? 

    If you have done the flow trace, that should help us understand the problem much better.



  • 3.  RE: Users can not access Mail server (has IP public) via same PPPoE interface

    Posted 10-14-2012 19:49

    Thank you for your reply. Here is my configuration. vlan user and mail server use the same default route to internet.

    I will do the flow trace  and the update is coming soon!

    super@BB6-RTN01# show security nat static
    rule-set C42-static-mail {
    from zone untrust;
    rule rule1 {
    match {
    destination-address 121.89.40.105/32;
    }
    then {
    static-nat prefix 172.22.0.10/32;
    }
    }
    }


    super@BB6-RTN01# show routing-options static
    route 172.16.0.0/12 discard;
    route 0.0.0.0/0 {
    qualified-next-hop pp0.0 {
    metric 5;
    }
    qualified-next-hop pp0.4 {
    metric 10;
    }
    }

    super@BB6-RTN01# show security zones security-zone trust
    tcp-rst;
    interfaces {
    ae2.100;
    ae2.200;
    }


    super@BB6-RTN01# show security zones security-zone untrust
    inactive: screen untrust-screen;
    host-inbound-traffic {
    system-services {
    ping;
    ssh;
    telnet;
    }
    }
    interfaces {
    pp0.0;
    pp0.1;
    pp0.2;
    pp0.3;
    pp0.4;
    }


    super@BB6-RTN01# show interfaces pp0
    unit 0 {
    ppp-options {
    pap {
    access-profile PPPoE;
    local-name ftthxxxx;
    local-password "$9$gu4GDjHqzn/5T/tp0cSYgoaGikqm"; ## SECRET-DATA
    passive;
    }
    }
    pppoe-options {
    underlying-interface ge-4/0/0.0;
    idle-timeout 0;
    auto-reconnect 10;
    client;
    }
    family inet {
    negotiate-address;
    }
    }

    super@BB6-RTN01# show security policies from-zone trust to-zone untrust
    policy permit-all {
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    permit;
    }
    }

    super@BB6-RTN01# show security policies from-zone untrust to-zone trust
    policy static-mail {
    match {
    source-address any;
    destination-address server1;
    application any;
    }
    then {
    permit;
    }
    }

    super@BB6-RTN01# show security zones security-zone trust
    tcp-rst;
    address-book {
    address server1 172.22.0.10/32;
    }



  • 4.  RE: Users can not access Mail server (has IP public) via same PPPoE interface
    Best Answer

    Posted 10-15-2012 13:24

    Hi,

     

    I guess you are using dns resolve your mail server IP to it's public IP address not the private one. So the user use the same pp0 and destination is 121.89.40.105 will use default route to your ISP which will send the traffic back again to your SRX on same link that's why the SRX drop the packet.

     

    For any other PP interface traffic is sent through PP0.4 for example and comeback again from your ISP on PP0.0 so SRX forward the traffic normally as the PKT received from different interface.

     

    1- I will suggest you to add on the static nat from zone trust so it will be like from zone [ trust untrust ];

     

    so static nat will be performed on the SRX itself on LAN side and sent PKT to mail server directly instead go to ISP cloud and return again to your box.

     

    2- Another solution if you are using local DNS add entry on it for your mail server mapped to private IP 172.22.0.10 so user traffic will go directly to your mail server without any nating

     

    Mohamed Elhariry

     

    JNCIE-M/T # 1059, CCNP & CCIP

     

    ----------------------------------------------------------------------------------------------------------------------------------------

    If this post was helpful, please mark this post as an "Accepted Solution".Kudos are always appreciated!



  • 5.  RE: Users can not access Mail server (has IP public) via same PPPoE interface

    Posted 10-23-2012 01:55

    Thank you, Mohamed!

     

    I 've just understood my trouble. It's exactly as you describe. My network hasn't got local DNS so the choice 1 will be my solution.

     

    Im trying fix it. is this configuration enough?

     

     

    super@BB6-RTN01# show security policies from-zone trust to-zone trust      
    policy TC6-permit-mail {
        match {
            source-address 1.1.1.1/32;
            destination-address 172.22.0.10/32;
            application any;
        }
        then {
            permit;
        }
    }
     
     
    [edit security nat destination]
    +     pool xxx {
    +         address 1.1.1.1/32;
    +     }
    [edit security nat destination]
    +     rule-set xx {
    +         from zone trust;
    +         rule r1 {
    +             match {
    +                 destination-address 121.89.40.105/32;
    +             }
    +             then {
    +                 destination-nat pool xxx;
    +             }
    +         }
    +     }


  • 6.  RE: Users can not access Mail server (has IP public) via same PPPoE interface

    Posted 10-23-2012 03:18

    Hi,

     

    I think you need just one command

     

    # set security nat static rule-set C42-static-mail from zone trust.

     

    and might need policy from zone trust to zone trust to allow traffic into one zone if users and your mail server both in one zone (trust) or separate like dmz zone so from trust to dmz.

     

    Regards,

    Mohamed



  • 7.  RE: Users can not access Mail server (has IP public) via same PPPoE interface

    Posted 10-24-2012 00:33

    Thank you, Mohamed

     

    I've had a mistake with static nat.

    I've already fixed it with static nat and policy.

     

    Thank you very much for your precious help.

    Regards,

    vietht