SRX

Cant connect Static NAT from inside from other zones

  • 1.  Cant connect Static NAT from inside from other zones

    Posted 08-25-2019 05:17

    hi,

    I have configured a static NAT on our SRX and mapped one of the public IPs to an internal IP in the zone LAN.
    On the SRX there are several zones configured, and I can't reach that static NAT public IP.

    Zones are configured on one physical interface, ge-0/0/0. Each zone is set up on a different VLAN.

    Zones:

        security-zone GROSSE   ge-0/0/0.6
        security-zone DEMO     ge-0/0/0.4
        security-zone LAN      ge-0/0/0.5
        security-zone DMZ-QSC  ge-0/0/0.2

    Interfaces:

        ge-0/0/0 {
            vlan-tagging;
            unit 2 {
                vlan-id 2;
                family inet {
                    address xxx.xxx.xxx.210/28;
                }
            }
            unit 5 {
                description LAN;
                vlan-id 5;
                family inet {
                    address 192.168.1.254/24;
                }
            }
            unit 6 {
                description GROSSE;
                vlan-id 6;
                family inet {
                    address 192.168.31.254/24;
                }
            }
        }

    show security nat static:

        rule-set STATIC-3CX {
            from zone untrust;
            rule rule-static-3CX {
                match {
                    destination-address xxx.xxx.xxx.212/32;
                }
                then {
                    static-nat {
                        prefix {
                            192.168.1.200/32;
                        }
                    }
                }
            }
        }

    I have tried this: https://kb.juniper.net/InfoCenter/index?page=content&id=KB17448&cat=SRX_5800_1&actp=LIST

    but it still does not work from other zones.

    Waiting for some hints.

    regards

    ed



  • 2.  RE: Cant connect Static NAT from inside from other zones

    Posted 08-25-2019 05:36

    Hi Emeiler,

    Can you please modify the static NAT context like the one specified below?

        user@host# set security nat static rule-set STATIC-3CX from routing-instance default
        user@host# commit

    The above is just an assumption, as I don't understand your question. Are you trying to access the public IP address from the internal zones (multiple VLANs), and does it need to be translated using static NAT to the private IP address? Is that your requirement?

    Let me know the behavior.



  • 3.  RE: Cant connect Static NAT from inside from other zones

    Posted 08-25-2019 07:57

    Hi,

    - Can you validate that I am understanding your topology well? Here is a picture of what I understand:

      [attachment: STATIC NAT QUESTION.png]

    - Can you provide the missing info, and the configuration of your security policies?

    - Also, can you tell me what is working and what is not? What I understand is that from the untrust zone you can reach the server, but not from the other zones?

    - Do you have any other NAT rules?

    Regards,



  • 4.  RE: Cant connect Static NAT from inside from other zones

    Posted 08-25-2019 11:54

    Hello Yasmin,

    thank you for your reply.

    Here is the missing data.

    1. Zone DEMO: 192.168.11.0/24

    2. Physical interface: ge-0/0/5, Enabled, Physical link is Up
         Logical interface ge-0/0/5.0 (Index 85) (SNMP ifIndex 529)
           Flags: Up SNMP-Traps 0x0 Encapsulation: PPP-over-Ethernet
           PPPoE:
       ip 83.xxx.xxx.204

    3. Zone Untrust is untrust

    If you need more info, please let me know.

    regards

    ed



  • 5.  RE: Cant connect Static NAT from inside from other zones

    Posted 08-25-2019 13:17

    Can you tell me if you have any other NAT rules, and what your policies look like? 



  • 6.  RE: Cant connect Static NAT from inside from other zones

    Posted 08-25-2019 13:48

    Also, when devices on the other zones try to reach the server, are they using DA = 192.168.1.200 or DA = xxx.xxx.xxx.212? (I think I might know what's going on.)

    The best way to figure out problems with traffic flow on the SRX is to use the packet trace (traceoptions flag basic-datapath). That shows you the packet processing step by step (source NAT, policies, routing, and so on) and tells you where the process is failing. I'll send you an example of how to do that later.



  • 7.  RE: Cant connect Static NAT from inside from other zones

    Posted 08-25-2019 14:31

    I can reach the public xxx.xxx.xxx.212 or the internal IP (192.168.1.200) only from LAN (192.168.1.0/24).

    From all other zones I can't reach the public xxx.xxx.xxx.212 or the internal IP (192.168.1.200).



  • 8.  RE: Cant connect Static NAT from inside from other zones

    Posted 08-25-2019 16:00

    Here is the log file:

    ____________________

    Aug 26 00:56:33 00:56:32.839174:CID-0:RT:jsf sess close notify
    Aug 26 00:56:33 00:56:32.839174:CID-0:RT:flow_ipv4_del_flow: sess 12144, in hash 32
    Aug 26 00:56:33 00:56:32.839174:CID-0:RT:jsf sess close notify
    Aug 26 00:56:33 00:56:32.839174:CID-0:RT:flow_ipv4_del_flow: sess 14227, in hash 32
    Aug 26 00:56:33 00:56:32.839174:CID-0:RT:jsf sess close notify
    Aug 26 00:56:33 00:56:32.839174:CID-0:RT:flow_ipv4_del_flow: sess 12536, in hash 32
    Aug 26 00:56:39 00:56:39.347189:CID-0:RT:<192.168.9.27/61939->192.168.1.200/5001;6,0x0> matched filter pf1:
    Aug 26 00:56:39 00:56:39.347189:CID-0:RT:packet [64] ipid = 0, @0x43dce6a4
    Aug 26 00:56:39 00:56:39.347189:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 15, common flag 0x0, mbuf 0x43dce480, rtbl_idx = 0
    Aug 26 00:56:39 00:56:39.347189:CID-0:RT: flow process pak fast ifl 81 in_ifp ge-0/0/0.9
    Aug 26 00:56:39 00:56:39.347189:CID-0:RT: ge-0/0/0.9:192.168.9.27/61939->192.168.1.200/5001, tcp, flag c2 syn
    Aug 26 00:56:39 00:56:39.347189:CID-0:RT: find flow: table 0x523a0ca8, hash 54988(0xffff), sa 192.168.9.27, da 192.168.1.200, sp 61939, dp 5001, proto 6, tok 14, conn-tag 0x00000000
    Aug 26 00:56:39 00:56:39.347189:CID-0:RT: no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0
    Aug 26 00:56:39 00:56:39.347189:CID-0:RT: flow_first_create_session
    Aug 26 00:56:39 00:56:39.347189:CID-0:RT:Save init hash spu id 0 to nsp and nsp2!
    Aug 26 00:56:39 00:56:39.347189:CID-0:RT:First path alloc and instl pending session, natp=0x557b52d8, id=14597
    Aug 26 00:56:39 00:56:39.347189:CID-0:RT: flow_first_in_dst_nat: in <ge-0/0/0.9>, out <N/A> dst_adr 192.168.1.200, sp 61939, dp 5001
    Aug 26 00:56:39 00:56:39.347189:CID-0:RT: chose interface ge-0/0/0.9 as incoming nat if.
    Aug 26 00:56:39 00:56:39.347189:CID-0:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 192.168.1.200(5001)
    Aug 26 00:56:39 00:56:39.347189:CID-0:RT:[JSF] Do ingress interest check. regd ingress plugins(1)
    Aug 26 00:56:39 00:56:39.347189:CID-0:RT:[JSF][0]plugins(0x0) enabled for session = 90194327813 implicit mask(0x0), service request(0x0)
    Aug 26 00:56:39 00:56:39.347189:CID-0:RT:-jsf : no plugin ingress interested for session 90194327813
    Aug 26 00:56:39 00:56:39.347189:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 192.168.9.27, x_dst_ip 192.168.1.200, in ifp ge-0/0/0.9, out ifp N/A sp 61939, dp 5001, ip_proto 6, tos 0
    Aug 26 00:56:39 00:56:39.347189:CID-0:RT:Doing DESTINATION addr route-lookup
    Aug 26 00:56:39 00:56:39.347189:CID-0:RT:flow_ipv4_rt_lkup success 192.168.1.200, iifl 0x51, oifl 0x4d
    Aug 26 00:56:39 00:56:39.347189:CID-0:RT: routed (x_dst_ip 192.168.1.200) from HOME (ge-0/0/0.9 in 0) to ge-0/0/0.5, Next-hop: 192.168.1.200
    Aug 26 00:56:39 00:56:39.347189:CID-0:RT:flow_first_policy_search: policy search from zone HOME-> zone LAN (0x0,0xf1f31389,0x1389)
    Aug 26 00:56:39 00:56:39.347189:CID-0:RT:Policy lkup: vsys 0 zone(14:HOME) -> zone(8:LAN) scope:0
    Aug 26 00:56:39 00:56:39.347189:CID-0:RT: 192.168.9.27/61939 -> 192.168.1.200/5001 proto 6
    Aug 26 00:56:39 00:56:39.347189:CID-0:RT:Policy lkup: vsys 0 zone(5:global) -> zone(5:global) scope:0
    Aug 26 00:56:39 00:56:39.347189:CID-0:RT: 192.168.9.27/61939 -> 192.168.1.200/5001 proto 6
    Aug 26 00:56:39 00:56:39.347189:CID-0:RT: app 33, timeout 1800s, curr ageout 20s
    Aug 26 00:56:39 00:56:39.347189:CID-0:RT: packet dropped, denied by policy
    Aug 26 00:56:39 00:56:39.347189:CID-0:RT: denied by policy default-policy-logical-system-00(2), dropping pkt
    Aug 26 00:56:39 00:56:39.347189:CID-0:RT: packet dropped, policy deny.
    Aug 26 00:56:39 00:56:39.347189:CID-0:RT:flow_initiate_first_path: first pak no session
    Aug 26 00:56:39 00:56:39.347189:CID-0:RT: flow find session returns error.
    Aug 26 00:56:39 00:56:39.347189:CID-0:RT:flow_proc_rc: -1.
    Aug 26 00:56:39 00:56:39.347189:CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)

    Aug 26 00:56:40 00:56:40.350725:CID-0:RT:<192.168.9.27/61939->192.168.1.200/5001;6,0x0> matched filter pf1:
    Aug 26 00:56:40 00:56:40.350725:CID-0:RT:packet [64] ipid = 0, @0x43dc5ea4
    Aug 26 00:56:40 00:56:40.350725:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 15, common flag 0x0, mbuf 0x43dc5c80, rtbl_idx = 0
    Aug 26 00:56:40 00:56:40.350725:CID-0:RT: flow process pak fast ifl 81 in_ifp ge-0/0/0.9
    Aug 26 00:56:40 00:56:40.350725:CID-0:RT: ge-0/0/0.9:192.168.9.27/61939->192.168.1.200/5001, tcp, flag 2 syn
    Aug 26 00:56:40 00:56:40.350725:CID-0:RT: find flow: table 0x523a0ca8, hash 54988(0xffff), sa 192.168.9.27, da 192.168.1.200, sp 61939, dp 5001, proto 6, tok 14, conn-tag 0x00000000
    Aug 26 00:56:40 00:56:40.350725:CID-0:RT: no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0
    Aug 26 00:56:40 00:56:40.350725:CID-0:RT: flow_first_create_session
    Aug 26 00:56:40 00:56:40.350725:CID-0:RT:flow_first_create_session: Found invalid sess. Start first path
    Aug 26 00:56:40 00:56:40.350725:CID-0:RT:Save init hash spu id 0 to nsp and nsp2!
    Aug 26 00:56:40 00:56:40.350725:CID-0:RT:First path alloc and instl pending session, natp=0x55756fa8, id=13855
    Aug 26 00:56:40 00:56:40.350725:CID-0:RT: flow_first_in_dst_nat: in <ge-0/0/0.9>, out <N/A> dst_adr 192.168.1.200, sp 61939, dp 5001
    Aug 26 00:56:40 00:56:40.350725:CID-0:RT: chose interface ge-0/0/0.9 as incoming nat if.
    Aug 26 00:56:40 00:56:40.350725:CID-0:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 192.168.1.200(5001)
    Aug 26 00:56:40 00:56:40.350725:CID-0:RT:[JSF] Do ingress interest check. regd ingress plugins(1)
    Aug 26 00:56:40 00:56:40.350725:CID-0:RT:[JSF][0]plugins(0x0) enabled for session = 90194327071 implicit mask(0x0), service request(0x0)
    Aug 26 00:56:40 00:56:40.350725:CID-0:RT:-jsf : no plugin ingress interested for session 90194327071
    Aug 26 00:56:40 00:56:40.350725:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 192.168.9.27, x_dst_ip 192.168.1.200, in ifp ge-0/0/0.9, out ifp N/A sp 61939, dp 5001, ip_proto 6, tos 0
    Aug 26 00:56:40 00:56:40.350725:CID-0:RT:Doing DESTINATION addr route-lookup
    Aug 26 00:56:40 00:56:40.350725:CID-0:RT:flow_ipv4_rt_lkup success 192.168.1.200, iifl 0x51, oifl 0x4d
    Aug 26 00:56:40 00:56:40.350725:CID-0:RT: routed (x_dst_ip 192.168.1.200) from HOME (ge-0/0/0.9 in 0) to ge-0/0/0.5, Next-hop: 192.168.1.200
    Aug 26 00:56:40 00:56:40.350725:CID-0:RT:flow_first_policy_search: policy search from zone HOME-> zone LAN (0x0,0xf1f31389,0x1389)
    Aug 26 00:56:40 00:56:40.350725:CID-0:RT:Policy lkup: vsys 0 zone(14:HOME) -> zone(8:LAN) scope:0
    Aug 26 00:56:40 00:56:40.350725:CID-0:RT: 192.168.9.27/61939 -> 192.168.1.200/5001 proto 6
    Aug 26 00:56:40 00:56:40.350725:CID-0:RT:Policy lkup: vsys 0 zone(5:global) -> zone(5:global) scope:0
    Aug 26 00:56:40 00:56:40.350725:CID-0:RT: 192.168.9.27/61939 -> 192.168.1.200/5001 proto 6
    Aug 26 00:56:40 00:56:40.350725:CID-0:RT: app 33, timeout 1800s, curr ageout 20s
    Aug 26 00:56:40 00:56:40.350725:CID-0:RT: packet dropped, denied by policy
    Aug 26 00:56:40 00:56:40.350725:CID-0:RT: denied by policy default-policy-logical-system-00(2), dropping pkt
    Aug 26 00:56:40 00:56:40.350725:CID-0:RT: packet dropped, policy deny.
    Aug 26 00:56:40 00:56:40.350725:CID-0:RT:flow_initiate_first_path: first pak no session
    Aug 26 00:56:40 00:56:40.350725:CID-0:RT: flow find session returns error.
    Aug 26 00:56:40 00:56:40.350725:CID-0:RT:flow_proc_rc: -1.
    Aug 26 00:56:40 00:56:40.350725:CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)



  • 9.  RE: Cant connect Static NAT from inside from other zones

    Posted 08-25-2019 17:40

    The log is showing that the default policy is denying the traffic.

    That means the traffic is NOT matching the policy that is supposed to allow it. Make sure that your policy matches on the correct source and destination address and port number (pre- or post-translation).

    [attachment: NAT STEPS.png]
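
The drop this reply points at can be pulled out of the trace mechanically. The following Python script is an added example, not code from the thread or from Juniper: it parses the basic-datapath first-path lines posted above (a trimmed copy is embedded) and reports the untranslated and translated destination, the zone pair the policy lookup used, and the verdict. A second, constructed trace shows the case where static NAT does rewrite the destination; in it 203.0.113.212 stands in for the redacted xxx.xxx.xxx.212, and the "DST xlate:" wording and the policy name PERMIT-3CX are assumptions about what such a trace would contain.

```python
"""Pull the decision points out of a Junos flow basic-datapath first-path trace:
untranslated vs. translated destination, the zone pair used for the policy
lookup, and the policy verdict. Added example; not from the thread or Juniper."""
import re

# Trimmed copy of the trace posted in the thread (one TCP SYN, first path).
POSTED_TRACE = """\
Aug 26 00:56:39 00:56:39.347189:CID-0:RT:<192.168.9.27/61939->192.168.1.200/5001;6,0x0> matched filter pf1:
Aug 26 00:56:39 00:56:39.347189:CID-0:RT: flow process pak fast ifl 81 in_ifp ge-0/0/0.9
Aug 26 00:56:39 00:56:39.347189:CID-0:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 192.168.1.200(5001)
Aug 26 00:56:39 00:56:39.347189:CID-0:RT: routed (x_dst_ip 192.168.1.200) from HOME (ge-0/0/0.9 in 0) to ge-0/0/0.5, Next-hop: 192.168.1.200
Aug 26 00:56:39 00:56:39.347189:CID-0:RT:flow_first_policy_search: policy search from zone HOME-> zone LAN (0x0,0xf1f31389,0x1389)
Aug 26 00:56:39 00:56:39.347189:CID-0:RT: denied by policy default-policy-logical-system-00(2), dropping pkt
"""

# Constructed variant (NOT from the thread): the same host sends to the public
# IP, static NAT rewrites it, and an explicit policy permits it. 203.0.113.212
# stands in for the redacted xxx.xxx.xxx.212; the "DST xlate:" wording and the
# policy name PERMIT-3CX are assumptions about what such a trace would show.
CONSTRUCTED_TRACE = """\
Aug 26 00:57:01 00:57:01.000000:CID-0:RT:<192.168.9.27/61940->203.0.113.212/5001;6,0x0> matched filter pf1:
Aug 26 00:57:01 00:57:01.000000:CID-0:RT: flow process pak fast ifl 81 in_ifp ge-0/0/0.9
Aug 26 00:57:01 00:57:01.000000:CID-0:RT:flow_first_rule_dst_xlate: DST xlate: 203.0.113.212(5001) to 192.168.1.200(5001)
Aug 26 00:57:01 00:57:01.000000:CID-0:RT: routed (x_dst_ip 192.168.1.200) from HOME (ge-0/0/0.9 in 0) to ge-0/0/0.5, Next-hop: 192.168.1.200
Aug 26 00:57:01 00:57:01.000000:CID-0:RT:flow_first_policy_search: policy search from zone HOME-> zone LAN (0x0,0xf1f31389,0x1389)
Aug 26 00:57:01 00:57:01.000000:CID-0:RT: permitted by policy PERMIT-3CX(4)
"""

# One regex per trace line of interest; named groups become keys in the result.
PATTERNS = [
    re.compile(r"<(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+);(?P<proto>\d+),"),
    re.compile(r"in_ifp (?P<in_ifp>\S+)"),
    re.compile(r"DST (?P<xlate>no-xlate|xlate): \S+\(\d+\) to (?P<post_dst>[\d.]+)\((?P<post_dport>\d+)\)"),
    re.compile(r"routed \(x_dst_ip [\d.]+\) from (?P<from_zone>\S+) \(\S+ in \d+\) to (?P<out_ifp>[^,]+),"),
    re.compile(r"policy search from zone \S+?-> zone (?P<to_zone>\S+)"),
    re.compile(r"(?P<verdict>permitted|denied) by policy (?P<policy>[^\s(]+)"),
]


def parse_first_path(lines):
    """Return a dict of the fields found in one first-path evaluation."""
    info = {}
    for line in lines:
        for pat in PATTERNS:
            m = pat.search(line)
            if m:
                info.update(m.groupdict())
    # "no-xlate" means the destination reached the policy lookup unchanged.
    info["translated"] = info.get("xlate") == "xlate"
    return info


def diagnose(info):
    """Say what the policy lookup saw, so the fix targets the right address."""
    ctx = "from-zone %s to-zone %s" % (info.get("from_zone"), info.get("to_zone"))
    if info.get("verdict") == "permitted":
        return "permitted by %s (%s)" % (info["policy"], ctx)
    if info.get("policy", "").startswith("default-policy"):
        # Nothing explicit matched: the policy must name the post-NAT destination.
        return ("no policy %s matched %s -> %s; the policy must use the post-NAT "
                "destination %s" % (ctx, info["src"], info["post_dst"], info["post_dst"]))
    return "explicitly denied by %s (%s)" % (info["policy"], ctx)


if __name__ == "__main__":
    for trace in (POSTED_TRACE, CONSTRUCTED_TRACE):
        info = parse_first_path(trace.splitlines())
        print(info["dst"], "->", info["post_dst"], "|", diagnose(info))
```

On the posted trace the script reports that nothing in the HOME to LAN context matched 192.168.9.27 -> 192.168.1.200, which is exactly the "denied by default-policy" situation described above; the same parser applied to the full trace file is a quicker check than reading every line.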



  • 10.  RE: Cant connect Static NAT from inside from other zones

    Posted 08-25-2019 18:07

    And your solution might actually be what you need. Here is what I think might be your problem and how it is typically solved.

    [attachment: Picture5.png]

    [attachment: Picture6.png]

    Regards,



  • 11.  RE: Cant connect Static NAT from inside from other zones

    Posted 08-26-2019 03:24

    thank you for your help



  • 12.  RE: Cant connect Static NAT from inside from other zones

     
    Posted 08-25-2019 17:46

    Hi emeiler,

    Your NAT is configured correctly, except for the traffic coming from LAN (I will explain later).

        rule-set inbound {
            from interface [ ge-0/0/0.6 ge-0/0/0.9 ge-0/0/5.0 ];
            rule rule-inbound {
                match {
                    destination-address xxx.xxx.xxx.212/32;
                }
                then {
                    static-nat {
                        prefix {
                            192.168.1.200/32;
                        }
                    }
                }
            }
        }

    With the above configuration, traffic destined to xxx.xxx.xxx.212 and received via interfaces ge-0/0/0.6, ge-0/0/0.9 and ge-0/0/5.0 will be sent to 192.168.1.200. However, your security policies might be dropping the post-translated traffic. At least that is the case with the traces that you uploaded:

        Aug 26 00:56:40 00:56:40.350725:CID-0:RT:flow_first_policy_search: policy search from zone HOME-> zone LAN (0x0,0xf1f31389,0x1389)
        Aug 26 00:56:40 00:56:40.350725:CID-0:RT: 192.168.9.27/61939 -> 192.168.1.200/5001 proto 6
        Aug 26 00:56:40 00:56:40.350725:CID-0:RT: app 33, timeout 1800s, curr ageout 20s
        Aug 26 00:56:40 00:56:40.350725:CID-0:RT: packet dropped, denied by policy

    However, in these traces traffic is destined to 192.168.1.200 and not to the public IP.

    For the traffic to work properly, please make sure you have a security policy permitting the post-NATted traffic. For example, from zone GROSSE to zone LAN:

        set security policies from-zone GROSSE to-zone LAN policy PERMIT match source-address GROSSE_SUBNET destination-address xxx.xxx.xxx.212 application any
        set security policies from-zone GROSSE to-zone LAN policy PERMIT then permit

    Try that and get the traces for this communication to confirm whether there is any other problem.



  • 13.  RE: Cant connect Static NAT from inside from other zones

    Posted 08-25-2019 19:08

    Many thanks for your help.

    You have sent me the security policy. What will be the difference if I make the destination address the local IP?

        set security policies from-zone GROSSE to-zone LAN policy PERMIT match source-address GROSSE_SUBNET destination-address 192.168.1.200 application any
        set security policies from-zone GROSSE to-zone LAN policy PERMIT then permit

    I did it this way and it is working.

    regards

    e



  • 14.  RE: Cant connect Static NAT from inside from other zones
    Best Answer

     
    Posted 08-25-2019 19:34

    Sorry, actually you needed to specify the internal address as "destination-address". Destination NAT occurs before the security-policy processing, hence if your PC sends packets to the public IP you need to make sure your policy has the internal IP as "destination-address", because by the time the packet is evaluated against the security policy it will already have the internal address (post NAT).

    I'm glad it worked.
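
To make the order of operations in this answer concrete, here is an added Python model, not Juniper code and not from the thread, of the first-path decision for a packet sent to a static NAT public IP: static NAT rewrites the destination first, the route lookup on the rewritten address then picks the egress zone, and only then is the policy lookup run, on that rewritten address. It uses the thread's zones and subnets with these assumptions: 203.0.113.212 stands in for the redacted xxx.xxx.xxx.212, 192.168.9.0/24 for zone HOME is inferred from the trace, and the static NAT scope that includes the internal zones models the "inbound" rule-set shown elsewhere in the thread. It evaluates the policy written with the public IP as destination beside the one written with the internal IP.

```python
"""Toy model of the SRX first path for traffic to a static NAT public IP.
Order: static NAT -> route lookup (egress zone) -> security policy.
Added example; not Juniper code and not from the thread."""
import ipaddress
from dataclasses import dataclass

# 203.0.113.212 stands in for the redacted xxx.xxx.xxx.212 (documentation
# address, constructed); 192.168.1.200 is the 3CX host from the thread.
PUBLIC_IP = "203.0.113.212"
INTERNAL_IP = "192.168.1.200"


@dataclass(frozen=True)
class StaticNat:
    from_zones: frozenset   # scope of the rule-set ("from zone"/"from interface")
    public: str
    internal: str


@dataclass(frozen=True)
class Policy:
    name: str
    from_zone: str
    to_zone: str
    source: str             # address or prefix the policy matches on
    destination: str
    action: str             # "permit" or "deny"


# Connected subnets -> zones, from the thread. HOME's prefix is an assumption
# inferred from the 192.168.9.27 source seen in the trace.
ROUTES = {
    "192.168.1.0/24": "LAN",
    "192.168.31.0/24": "GROSSE",
    "192.168.11.0/24": "DEMO",
    "192.168.9.0/24": "HOME",
}

# Models the "inbound" static rule-set: translation applies to traffic that
# arrives from the internal zones as well as from untrust (assumption).
STATIC_NAT = [
    StaticNat(frozenset({"untrust", "GROSSE", "HOME", "DEMO", "LAN"}), PUBLIC_IP, INTERNAL_IP),
]


def _in(ip, prefix):
    """True if ip falls inside prefix (a bare address counts as a /32)."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(prefix, strict=False)


def static_nat_lookup(dst_ip, in_zone, rules=STATIC_NAT):
    """Step 1: static NAT is matched on the untranslated destination."""
    for r in rules:
        if in_zone in r.from_zones and dst_ip == r.public:
            return r.internal
    return dst_ip


def route_lookup(dst_ip, routes=ROUTES):
    """Step 2: longest-prefix match on the translated destination gives the egress zone."""
    best = None
    for prefix, zone in routes.items():
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst_ip) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, zone)
    return best[1] if best else None


def policy_lookup(src_ip, dst_ip, from_zone, to_zone, policies):
    """Step 3: first matching policy in the zone context, else the default deny."""
    for p in policies:
        if (p.from_zone, p.to_zone) == (from_zone, to_zone) and _in(src_ip, p.source) and _in(dst_ip, p.destination):
            return p.action, p.name
    return "deny", "default-policy"


def first_path(src_ip, dst_ip, in_zone, policies):
    """Run the three steps; returns (action, post-NAT dst, egress zone, policy name)."""
    post_nat = static_nat_lookup(dst_ip, in_zone)
    to_zone = route_lookup(post_nat)
    action, name = policy_lookup(src_ip, post_nat, in_zone, to_zone, policies)
    return action, post_nat, to_zone, name


# Policy written against the public IP (the first suggestion in the thread) ...
POLICY_PUBLIC = [Policy("PERMIT", "GROSSE", "LAN", "192.168.31.0/24", PUBLIC_IP, "permit")]
# ... and against the internal IP (what actually worked).
POLICY_INTERNAL = [Policy("PERMIT", "GROSSE", "LAN", "192.168.31.0/24", INTERNAL_IP, "permit")]

if __name__ == "__main__":
    for label, pols in (("public-ip policy", POLICY_PUBLIC), ("internal-ip policy", POLICY_INTERNAL)):
        print(label, first_path("192.168.31.10", PUBLIC_IP, "GROSSE", pols))
```

The public-IP policy never matches because by the time the policy lookup runs the destination is already 192.168.1.200, so the packet falls through to the default deny; the internal-IP policy matches in the GROSSE to LAN context and permits it. The same model explains why a LAN host reaching the public IP needs a LAN to LAN (intra-zone) policy: the egress zone is derived from the translated address.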


  • 15.  RE: Cant connect Static NAT from inside from other zones

    Posted 08-25-2019 14:24

    Hi.

    Here is the security NAT:

    I have added, as a quick and dirty solution, a security policy between GROSSE and LAN, and this way the PCs from zone GROSSE can reach the mapped IP 192.168.1.200.

    But this is just a solution until we know how to set it up the correct way.

    regards

    ed

    root@SRX300# show security nat
    source {
        rule-set trust-to-untrust {
            from zone trust;
            to zone untrust;
            rule source-nat-rule {
                match {
                    source-address 0.0.0.0/0;
                }
                then {
                    source-nat {
                        interface;
                    }
                }
            }
        }
        rule-set NAT-RULESET {
            from zone [ DEMO DMZX GROSSE HOME LAN NAT ];
            to zone untrust;
            rule NAT-RULESET-RULE {
                match {
                    source-address 0.0.0.0/0;
                    destination-address 0.0.0.0/0;
                }
                then {
                    source-nat {
                        interface;
                    }
                }
            }
        }
        rule-set trust-to-trust {
            from zone trust;
            to zone trust;
            rule rule-trust {
                match {
                    source-address 0.0.0.0/0;
                }
                then {
                    source-nat {
                        interface;
                    }
                }
            }
        }
    }
    destination {
        pool EXCHANGE {
            address 192.168.1.212/32 port 25;
        }
        pool EXCHANGE-HTTPS {
            address 192.168.1.212/32 port 443;
        }
        pool VTIGER {
            address 192.168.10.120/32 port 80;
        }
        pool GROSSE_RDP {
            address 192.168.31.242/32 port 3389;
        }
        pool VTIGER_SSH {
            address 192.168.10.120/32 port 60122;
        }
        pool dst-pool-GROSSE-mail {
            address 192.168.31.242/32 port 3389;
        }
        pool dst-pool-3CX {
            address 192.168.1.200/32;
        }
        rule-set EXCHANE {
            from zone untrust;
            rule SMTP {
                match {
                    source-address 0.0.0.0/0;
                    destination-address 83.xxx.xxx.204/32;
                    destination-port {
                        25;
                    }
                }
                then {
                    destination-nat {
                        pool {
                            EXCHANGE;
                        }
                    }
                }
            }
            rule HTTPS {
                match {
                    source-address 0.0.0.0/0;
                    destination-address 83.xxx.xxx.204/32;
                    destination-port {
                        443;
                    }
                }
                then {
                    destination-nat {
                        pool {
                            EXCHANGE-HTTPS;
                        }
                    }
                }
            }
            rule HTTP {
                match {
                    source-address 0.0.0.0/0;
                    destination-address 83.xxx.xxx.204/32;
                    destination-port {
                        80;
                    }
                }
                then {
                    destination-nat {
                        pool {
                            VTIGER;
                        }
                    }
                }
            }
            rule GROSSE_RDP {
                match {
                    source-address 0.0.0.0/0;
                    destination-address 83.xxx.xxx.204/32;
                    destination-port {
                        3389;
                    }
                }
                then {
                    destination-nat {
                        pool {
                            GROSSE_RDP;
                        }
                    }
                }
            }
            rule VTIGER_SSH {
                match {
                    source-address 0.0.0.0/0;
                    destination-address 83.xxx.xxx.204/32;
                    destination-port {
                        60122;
                    }
                }
                then {
                    destination-nat {
                        pool {
                            VTIGER_SSH;
                        }
                    }
                }
            }
            rule dst-rule-GROSSE-mail {
                match {
                    source-address 0.0.0.0/0;
                    destination-address xxx.xxx.xxx.211/32;
                    destination-port {
                        3389;
                        443;
                        25;
                    }
                }
                then {
                    destination-nat {
                        pool {
                            dst-pool-GROSSE-mail;
                        }
                    }
                }
            }
            rule dst-rule-3CS {
                match {
                    source-address 0.0.0.0/0;
                    destination-address xxx.xxx.xxx.213/32;
                    destination-port {
                        5001;
                        5060;
                        5061;
                        5090;
                        9000 to 10999;
                    }
                }
                then {
                    destination-nat {
                        pool {
                            dst-pool-3CX;
                        }
                    }
                }
            }
        }
        rule-set dst-ruleset-LAN {
            from zone LAN;
            rule dst-rule-LAN-rdp {
                match {
                    source-address 0.0.0.0/0;
                    destination-address 192.168.31.241/32;
                    destination-port {
                        3389;
                    }
                }
                then {
                    destination-nat {
                        off;
                    }
                }
            }
        }
    }
    static {
        rule-set STATIC-3CX {
            from zone untrust;
            rule rule-static-3CX {
                match {
                    destination-address xxx.xxx.xxx.212/32;
                }
                then {
                    static-nat {
                        prefix {
                            192.168.1.200/32;
                        }
                    }
                }
            }
        }
        rule-set inbound {
            from interface [ ge-0/0/0.5 ge-0/0/0.6 ge-0/0/0.9 ge-0/0/5.0 ];
            rule rule-inbound {
                match {
                    destination-address xxx.xxx.xxx.212/32;
                }
                then {
                    static-nat {
                        prefix {
                            192.168.1.200/32;
                        }
                    }
                }
            }
        }
    }



  • 16.  RE: Cant connect Static NAT from inside from other zones

    Posted 08-25-2019 12:01

    Hi,

    thank you for your reply.

    We have different internal zones. PCs from all zones need to access the static public IP to be able to use the VoIP.

    Now only PCs from LAN (192.168.1.0/24) can access this static NAT IP, because the mapped address is assigned to the internal IP (192.168.1.200/32) from the LAN zone.

    I will try your suggestion and let you know.

    regards

    ed



  • 17.  RE: Cant connect Static NAT from inside from other zones

    Posted 08-25-2019 12:11

    Hi noobmaster,

    the modification did not work out.

    The problem still exists.

    regards

    Ed