SRX

Expand all | Collapse all

Juniper SRX FBF NAT issues

Jump to Best Answer
  • 1.  Juniper SRX FBF NAT issues

    Posted 10-12-2015 21:01
      |   view attached

    Hi, I am getting a issues when using NAT with FBF in my configuration as below.

     

    As attached image. I have an Internal Server (192.168.1.96) using static NAT to external WAN fixed IP (1.1.1.1). If I just use direct setting (no other Internet access), its success.

     

    But after I added another faster WAN access (2.2.2.1) for default Internet access and using other routing-instance (wtt-bb) through FBF for the dedicated server, I cannot access the server from Internet anymore. But the server can successfully using static NAT to access the Internet (I just check IP website that the server got the right WAN IP and trace route using the right port).

     

    Can anyone help? thanks!!

     

    Configuration: 

     

    set interfaces ge-0/0/2 unit 0 family inet address 2.2.2.1/24
    set interfaces ge-0/0/4 unit 0 family inet address 1.1.1.1/24
    set interfaces ge-0/0/6 unit 0 family inet address 192.168.1.254/24
    set interfaces ge-0/0/6 unit 0 family inet filter input serverDedicatedRoute

    set routing-options interface-routes rib-group inet allRoute
    set routing-options static route 0.0.0.0/0 next-hop 2.2.2.254
    set routing-options rib-groups allRoute import-rib inet.0
    set routing-options rib-groups allRoute import-rib wtt-bb.inet.0

    set security nat static rule-set tempTest from interface ge-0/0/4.0
    set security nat static rule-set tempTest rule tempNAT match destination-address 1.1.1.1/32
    set security nat static rule-set tempTest rule tempNAT then static-nat prefix 192.168.1.96/32

    set security policies from-zone untrust to-zone trust policy tempFullAccess match source-address any
    set security policies from-zone untrust to-zone trust policy tempFullAccess match destination-address any
    set security policies from-zone untrust to-zone trust policy tempFullAccess match application any
    set security policies from-zone untrust to-zone trust policy tempFullAccess then permit
    set security policies default-policy permit-all

    set security zones security-zone trust interfaces ge-0/0/6.0
    set security zones security-zone untrust interfaces ge-0/0/4.0
    set security zones security-zone untrust interfaces ge-0/0/2.0

    set firewall filter serverDedicatedRoute term serverService from source-address 192.168.1.96/32
    set firewall filter serverDedicatedRoute term serverService then routing-instance wtt-bb
    set firewall filter serverDedicatedRoute term default then accept

    set routing-instances wtt-bb instance-type forwarding
    set routing-instances wtt-bb routing-options static route 0.0.0.0/0 next-hop 1.1.1.254



  • 2.  RE: Juniper SRX FBF NAT issues

     
    Posted 10-12-2015 21:12

    Hi cy_jerald,

     

    The issue seems to be because the NAT is set for interface.

    Instead try setting it for the zone and it should be able to work.

    The firewall filter always gets hit first even before the nat and other functions kick in.

     

     



  • 3.  RE: Juniper SRX FBF NAT issues

    Posted 10-12-2015 23:28

    Hi Shailesh,

     

    I have changed it to "from zone untrust" but still cannot make it. I wonder if there are any problems due to the routing instance?

     

    wtt-bb.inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0 *[Static/5] 20:54:42
    > to 2.2.2.254 via ge-0/0/4.0
    2.2.2.0/24 *[Direct/0] 20:54:42
    > via ge-0/0/2.0
    2.2.2.254/24 *[Local/0] 20:54:42
    Local via ge-0/0/2.0
    192.168.1.0/24 *[Direct/0] 20:54:42
    > via ge-0/0/6.0
    192.168.1.232/32 *[Local/0] 20:54:42
    Local via ge-0/0/6.0
    1.1.1.0/24 *[Direct/0] 20:54:42
    > via ge-0/0/4.0
    1.1.1.254/32 *[Local/0] 20:54:42
    Local via ge-0/0/4.0

     

    Or any other things I can try to test?

    Thanks!!!



  • 4.  RE: Juniper SRX FBF NAT issues

    Posted 10-13-2015 01:26

    Looks like an ARP issue.

     

    Can you please try setting proxy-arp for the desired IP address on your egress/wan facing interface?

     

    REgards,

    Chandu



  • 5.  RE: Juniper SRX FBF NAT issues

    Posted 10-13-2015 03:02

    Hi Chandu,

     

    I have try but with the same result. As if I have not add the routing-instance setting, it goes well. So, may not be the issues of proxy-arp.

     

    I found another interest result. If I updated the static route in route option to include a 0.0.0.0/0 next-hop 1.1.1.1/32, it goes well too...... So, i think the problme are cause by the routing table? or the return path of the NAT from 1.1.1.1/32 go to the wrong WAN link (going to 2.2.2.1/32)?

     

    Hope anyone can help on it..... Thanks!!!!



  • 6.  RE: Juniper SRX FBF NAT issues
    Best Answer

    Posted 10-22-2015 00:29

    Problem solved.

     

    Just change the instance type from forwarding to Virtual-route will solve this issues. Still checking the details on it.

     

    Thanks all!!



  • 7.  RE: Juniper SRX FBF NAT issues

    Posted 04-06-2020 10:02

    Hi Bro,

    Just searched your problem. I have got same problem as yours.  But after I changed routing-instance type from "forwarding" to "virtual-router", the problem was still not solved. 

    Is it only need to change routing-instance type? Could you show me more details? Thanks.