SRX

Expand all | Collapse all

SRX340 problem getting traffic to server via NAT

Jump to Best Answer
  • 1.  SRX340 problem getting traffic to server via NAT

    Posted 08-29-2017 15:03

    Context: I'm a Juniper neophyte, but I have a number of years of experience with Cisco

     

    I'm attempting to get traffic passed through our SRX340 to our nginx server that proxies all the traffic to our servers. When I run >show security nat destination rule all it shows zero translation hits. I've compared the destination nat and security policy rules to the vpn server settings (which is working), and cannot figure out why this one is not working.

     

    Here is the relevant config:

    pool nginx-NAT {
        address 192.168.1.200/32;
    }
    rule-set PublicServers {
        from interface reth1.0;
        rule minas-tirith {
            match {
                destination-address 1.1.1.1/32;
            }
            then {
                destination-nat {
                    pool {
                        nginx-NAT;
                    }
                }
            }
        }
    }
    
    from-zone WAN to-zone DMZ {
    
        policy nginx-Policy {
            match {
                source-address any;
                destination-address 192.168.1.200/32;
                application any;
            }
            then {
                permit;
            }
        }
    }
    

    Any thoughts?



  • 2.  RE: SRX340 problem getting traffic to server via NAT

    Posted 08-29-2017 15:12

    That should be working, unless you have an issue with the routing that is routing the traffic to the incorrect zone.  I would recommend enabling traceoptions for the traffic flow and the nat.



  • 3.  RE: SRX340 problem getting traffic to server via NAT

    Posted 08-29-2017 16:22

    I don't have much experience with traceoptions beyond the KB.

     

    I configured security policies traceoptions flag all, and did not get anything that is hitting the configured public IP.

     

    For nat I did set security nat traceoptions flag all, and there is nothing there that appears to be a problem. It does confirm that proxy-arp has my public IP at least.

     

    Any thoughts?



  • 4.  RE: SRX340 problem getting traffic to server via NAT

    Posted 08-29-2017 16:26

    Can you provide the traceoption configuration you did and the logs generated?



  • 5.  RE: SRX340 problem getting traffic to server via NAT

    Posted 08-29-2017 16:45

    Well as I was going through redacting my IP information from the logs one of the entries didn't iterate properly according to the pattern (using find/replace). It was then that I discovered that I had mistyped one of the numbers in the IP address in my proxy-arp and missed it all this time.

     

    Thanks for all the help.



  • 6.  RE: SRX340 problem getting traffic to server via NAT
    Best Answer

     
    Posted 08-29-2017 16:07

    Is 1.1.1.1 in the interface range and needing proxy arp?

     

    [edit security nat] set proxy-arp interface reth1.0 address 1.1.1.1 



  • 7.  RE: SRX340 problem getting traffic to server via NAT

    Posted 08-29-2017 16:23

    @spuluka wrote:

    Is 1.1.1.1 in the interface range and needing proxy arp?

     

    [edit security nat] set proxy-arp interface reth1.0 address 1.1.1.1 


    It is, but proxy-arp is already configured. I did miss that in an earlier issue, so I make sure to check that one 🙂