SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

Srx 650 Destination Nat

  • 1.  Srx 650 Destination Nat

    Posted 12-19-2018 06:41

    Dear team of Juniper,

     

    Recently we have upgraded from SSG550M to SRX650 "due to a motherboard defect, it's sent back for fixing". Anyway.

     

    On SSG 550 destination went through the VIP translation, which was great and easy to configure together with RDP and other protocols.

     

    SRX650 is the other way around; the problem is, whatever is configured, it doesn't open any port at all.

     

    I would like to open ports from destination NAT, and it goes this way -

     

    Destination Nat > Destination Nat Pool>Destination Rule Set>Rules in selected rule-set>Address Book>Apply Policy and nothing.

     

    Can anyone give some advice on what is missing to open a port from internal to public?

     

    security {
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                rule-set nsw_srcnat {
                    from zone internal;
                    to zone Internet;
                    rule nsw-src-interface {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
            destination {
                pool Rs1 {
                    address 192.168.1.6/32 port 443;
                }
                rule-set R1 {
                    from zone Internet;
                    rule R2 {
                        match {
                            destination-address 93.109.249.46/32;
                            destination-port 443;
                        }
                        then {
                            destination-nat {
                                pool {
                                    Rs1;
                                }
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone internal to-zone Internet {
                policy All_internal_Internet {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone Internet to-zone internal {
                policy PORT443 {
                    match {
                        source-address any;
                        destination-address RDP;
                        application junos-https;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone internal {
                address-book {
                    address RDP 192.168.1.6/32;
                }
                interfaces {
                    ge-0/0/1.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                                dhcp;
                                http;
                                https;
                                ssh;
                                telnet;
                            }
                        }
                    }
                }
            }
            security-zone Internet {
                tcp-rst;
                screen untrust-screen;
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                                http;
                                https;
                                ssh;
                                telnet;
                            }
                        }
                    }
                }
            }
        }
    }

     

    This is the CLI I have so far.

     

    Best Regards.



  • 2.  RE: Srx 650 Destination Nat

    Posted 12-19-2018 06:57

    You need to configure proxy-arp for the public IP used for NAT if it is in the same subnet as the ge-0/0/0 interface.

    set security nat proxy-arp interface ge-0/0/0.0 address 93.109.249.46/32

     

    For more details: https://kb.juniper.net/InfoCenter/index?page=content&id=KB21785

     



  • 3.  RE: Srx 650 Destination Nat

    Posted 12-19-2018 23:46

    I have tried to do that as well, but alas it doesn't work. On subnet /24 it says

     

    There were error(s) delivering the configuration.

    Error(s):
    'address 93.109.249.46/24'

    1) Proxy ARP IP address range [93.109.249.46 93.109.249.255] overlaps with interface IP address range [93.109.249.46 93.109.249.46] defined on interface 'ge-0/0/0.0'
    2) configuration check-out failed

     

    and the same on /32

     

    There were error(s) delivering the configuration.

    Error(s):
    'address 93.109.249.46/32'

    1) Proxy ARP IP address range [93.109.249.46 93.109.249.46] overlaps with interface IP address range [93.109.249.46 93.109.249.46] defined on interface 'ge-0/0/0.0'
    2) configuration check-out failed



  • 4.  RE: Srx 650 Destination Nat

    Posted 12-19-2018 23:52

    What is the IP address configured on the ge-0/0/0 interface? Is it 93.109.249.46? If yes, proxy-arp is not required.

     



  • 5.  RE: Srx 650 Destination Nat

    Posted 12-19-2018 23:57

    On the ge-0/0/0 interface it's 93.109.249.46, that's correct.

     

    So if NAT proxy-arp is not required, then something else is missing between the private and public IP to open the port.

     

    And I am clueless; any advice would be appreciated.



  • 6.  RE: Srx 650 Destination Nat

    Posted 12-20-2018 00:03

    Is a flow session getting created when you access 93.109.249.46 on port 443 from the Internet?

     

    show security flow session destination-prefix 93.109.249.46



  • 7.  RE: Srx 650 Destination Nat

    Posted 12-20-2018 00:25

    It shows 0.



  • 8.  RE: Srx 650 Destination Nat

    Posted 12-20-2018 00:37

    Please disable https on the ge-0/0/0 interface and check:

    delete security zones security-zone Internet interfaces ge-0/0/0.0 host-inbound-traffic system-services https

     

    or use a different port on the NAT rule, like 4443

     



  • 9.  RE: Srx 650 Destination Nat

    Posted 12-20-2018 23:00

    Well, I have done everything and still nothing; I have even tried to do exactly as Juniper says, but still nothing.

     

    set pool dst-nat-pool-1 address 192.168.1.100 port 80

    set rule-set rs1 from zone untrust

    set rule-set rs1 rule r1 match destination-address 1.1.1.100

    set rule-set rs1 rule r1 match destination-port 80

    set rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-1

     

    set proxy-arp interface ge-0/0/2.0 address 1.1.1.100: that is not possible to set up due to mask overlap; it's already set up as the interface address.

     

    set zones security-zone trust address-book address server-1 192.168.1.100/32

    set policy server-access match source-address any destination-address [server-1] application any

    set policy server-access then permit

     

    And here is the full CLI config.

     

    ## Last commit: 2018-12-21 04:15:19 GMT+2 by root
    version 12.1X46-D30.2;
    system {
        host-name firewall;
        time-zone GMT+2;
        root-authentication {
            encrypted-password "$1$L7X5V7Q5$X98YIsFqItWMeb7DFKPPr0";
        }
        name-server {
            208.67.222.222;
            208.67.220.220;
        }
        name-resolution {
            no-resolve-on-input;
        }
        services {
            telnet;
            web-management {
                http {
                    interface ge-0/0/1.0;
                }
                session {
                    idle-timeout 60;
                }
            }
            dhcp {
                pool 192.168.1.0/24 {
                    address-range low 192.168.1.2 high 192.168.1.254;
                    router {
                        192.168.1.1;
                    }
                }
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
        ntp {
            server us.ntp.pool.org;
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 93.109.249.46/24;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family inet {
                    address 192.168.1.1/24;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 93.109.249.45;
        }
    }
    security {
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                rule-set nsw-srcnat {
                    from zone Trust;
                    to zone Untrust;
                    rule nsw-src-interface {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
            destination {
                pool dst-nat-pool-1 {
                    routing-instance {
                        default;
                    }
                    address 192.168.1.1/32 port 80;
                }
                rule-set r1 {
                    from zone Untrust;
                    rule r2 {
                        match {
                            destination-address 93.109.249.46/32;
                            destination-port 80;
                        }
                        then {
                            destination-nat {
                                pool {
                                    dst-nat-pool-1;
                                }
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone Trust to-zone Untrust {
                policy Internet {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone Untrust to-zone Trust {
                policy Telnet {
                    match {
                        source-address any;
                        destination-address Server1;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone Trust {
                address-book {
                    address Server1 192.168.1.1/32;
                }
                interfaces {
                    ge-0/0/1.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                                dhcp;
                                http;
                                telnet;
                            }
                        }
                    }
                }
            }
            security-zone Untrust {
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                                telnet;
                            }
                        }
                    }
                }
            }
        }
    }

     

    Is there any possibility the firewall is defective or malfunctioning?



  • 10.  RE: Srx 650 Destination Nat

    Posted 12-21-2018 00:45

    What is your internal server IP address? As per the latest configuration, the NAT pool IP is the same as the ge-0/0/1 IP address. The pool IP should be the internal server IP. Is the internal server accessible on port 80 and 443? Are you able to telnet to the server IP on those ports from the SRX?

     

    Please share the output of the commands below from the SRX

     

    show security nat destination summary

    show security nat destination pool all

    show security nat destination rule all

     



  • 11.  RE: Srx 650 Destination Nat

    Posted 12-21-2018 02:41

    Ah, sorry about that, it gets confusing. Well,

     

    ge-0/0/0.0 is on the public IP address, "untrust" zone

    ge-0/0/1.0 is on the private IP address, "trust" zone

     

    Configuration at the source NAT is the public IP address, plus the policy is trust to untrust.

    So far everything works fine; when I try to open a port from the source NAT it's fine.

     

    The problem is, I am trying to combine source NAT with destination NAT, which refuses to open.

     

    Source NAT is fine; the question is how to combine source with destination NAT.

     

    So far I have done

     

    Destination Pool > private ip with port "80"

    Destination Rule Set>Root From Zone> Untrust>Rule> Public ip with port "80"

    Address Book > private ip

    Policy > Untrust to Trust > Source any > Destination address book > applications any > permit.

     

    Will upload some pictures as well to be more clear.

     

     



  • 12.  RE: Srx 650 Destination Nat

    Posted 12-21-2018 02:52

    Please share the requested command output from the CLI. J-Web output will not help much here. Also let me know the internal server IP address which you are trying to access from the untrust zone (internet).

     

    show security nat destination summary

    show security nat destination pool all

    show security nat destination rule all

     



  • 13.  RE: Srx 650 Destination Nat
    Best Answer

    Posted 12-26-2018 23:25

    Sorry for the late reply.

     

    This problem is solved.

     

    Here is a bit of a guide for people who are doing it for the first time.

     

    1. Address Book "internal IP"

    2. Applications "create destination and the application"; this is important, do it before you have done the NAT pool

    3. Destination NAT Pool "create it"

    4. Destination NAT rule "create it"

    5. Destination NAT rule-set "create it"

    6. Policy "Untrust to Trust, source any, destination has to point to the address book, application has to point to the one you have created."

     

    Good luck.
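    As an added example (not code from the thread or from Juniper), the following Python script checks a Junos destination-NAT configuration in "set" syntax for the three pitfalls this thread worked through: a pool that points at one of the SRX's own addresses (post 10), a NAT port that collides with a host-inbound system service on the untrust interface (posts 4 and 8), and a NAT address in the interface subnet that would need proxy-arp (post 2). The sample configuration is constructed to mirror the poster's second config; the function name and output wording are assumptions.

```python
import ipaddress
import re

# Constructed sample in Junos "set" syntax (not the poster's config verbatim): it reproduces the
# pool pointing at ge-0/0/1's own address and https still enabled on the untrust NAT interface.
SAMPLE = """
set interfaces ge-0/0/0 unit 0 family inet address 93.109.249.46/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24
set security nat destination pool dst-nat-pool-1 address 192.168.1.1/32 port 443
set security nat destination rule-set r1 from zone Untrust
set security nat destination rule-set r1 rule r2 match destination-address 93.109.249.46/32
set security nat destination rule-set r1 rule r2 match destination-port 443
set security nat destination rule-set r1 rule r2 then destination-nat pool dst-nat-pool-1
set security zones security-zone Untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
""".strip().splitlines()

SERVICE_PORTS = {"http": 80, "https": 443, "ssh": 22, "telnet": 23}  # well-known ports of those services

def check_dnat(lines):
    """Return a list of findings (strings) for the destination-NAT pitfalls raised in the thread."""
    ifaces, pools, rules, services = {}, {}, {}, {}
    for line in lines:
        if m := re.match(r"set interfaces (\S+) unit (\d+) family inet address (\S+)", line):
            ifaces[f"{m[1]}.{m[2]}"] = ipaddress.ip_interface(m[3])
        elif m := re.match(r"set security nat destination pool (\S+) address (\S+) port \d+", line):
            pools[m[1]] = ipaddress.ip_interface(m[2]).ip
        elif m := re.match(r"set security nat destination rule-set \S+ rule (\S+) match destination-(address|port) (\S+)", line):
            rules.setdefault(m[1], {})[m[2]] = m[3]
        elif m := re.match(r"set security zones security-zone \S+ interfaces (\S+) host-inbound-traffic system-services (\S+)", line):
            services.setdefault(m[1], set()).add(m[2])
    findings = []
    # Post 10: the pool must point at the internal server, never at one of the SRX's own addresses
    for name, ip in pools.items():
        for unit, intf in ifaces.items():
            if ip == intf.ip:
                findings.append(f"pool {name}: {ip} is the SRX's own {unit} address, not the internal server")
    for name, r in rules.items():
        nat_ip = ipaddress.ip_interface(r["address"]).ip
        port = int(r.get("port", 0))
        for unit, intf in ifaces.items():
            if nat_ip == intf.ip:
                # Posts 4 and 8: no proxy-arp needed, but a host-inbound service on that port takes the traffic first
                clash = [s for s in services.get(unit, ()) if SERVICE_PORTS.get(s) == port]
                if clash:
                    findings.append(f"rule {name}: port {port} is also host-inbound service {clash[0]} on {unit}; disable it or use another port")
            elif nat_ip in intf.network:
                # Post 2: a NAT address inside the interface subnet but not the interface IP needs proxy-arp
                findings.append(f"rule {name}: {nat_ip} is in {unit}'s subnet but not its address; set security nat proxy-arp on {unit}")
    return findings
```

Running `check_dnat(SAMPLE)` reports both mistakes; pointing the pool at the real server address and removing the https host-inbound service clears them.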