SRX


Juniper SRX - Destination NAT not translating

  • 1.  Juniper SRX - Destination NAT not translating

    Posted 04-08-2019 03:25

    Hi Everyone,

    I'm having problems making DNAT/Port Forward work on my SRX345 device. I'm trying to port forward a PPTP connection to an internal server.

    Dnat Pool = Server .112 and port 1723

    SERVER = Server .112 (LAN)

    Public IP of SRX = PUBLIC IP .116 (WAN)

    Here is the configuration of Nat Destination in SRX.

    [Image: DNAT configuration]

    My testing was successful since it is visible in the hit-count. This just means that there is no error in the dnat configuration. See below:

    [Image: DNAT hit-count]

    Packet Capture on Server side shows that the Public IP was not being translated by SRX. The IP 124.105.26.249 is the Public Address of my test Machine that is trying to connect to Public IP .116 (SRX).

    [Image: packet capture]

    Additional Information:

    Server .112 is a directly connected network to SRX.

    This was a working PPTP configuration on the previous Firewall. Since we changed to SRX, it's not working.

    Any ideas that I can check? Thanks!



  • 2.  RE: Juniper SRX - Destination NAT not translating
    Best Answer

    Posted 04-08-2019 03:55

    Hi keiim,

    Pcap on server shows the Dnat config is translating .116 to .112.

    Source 124.105.26.249 stays as no SNAT is configured.

    If you are looking for translating the x.x.x.249 to an internal IP, please configure source nat from the Outside to Inside server direction.

    You may SNAT to the SRX interface IP address using the keyword "source nat interface".

    -Rahul



  • 3.  RE: Juniper SRX - Destination NAT not translating

    Posted 04-08-2019 04:56

    Hi Rahul,

    In a normal Port Forwarding/DNAT scenario, when it is configured on a device, the device "automatically" translates the Public IP Address into its own Internal IP to access the Internal Server. Also, the configuration requires you to input a "Translated IP Address", which means the IP that the device will use.

    So is it different in SRX? Do I need to configure Source NAT from OUTSIDE to INSIDE direction?



  • 4.  RE: Juniper SRX - Destination NAT not translating

    Posted 04-08-2019 06:40

    Hi Keiim,

    Yes, the Translated IP in the config is for the destination, not the source.

    The following Juniper documentation defines what you are trying to do & the session you see:

    https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-nat-destination.html

    [edit]
    user@host# show security nat
    destination {
        pool dst-nat-pool-1 {
            address 192.168.1.200/32;
        }
        rule-set rs1 {
            from interface ge-0/0/0.0;
            rule r1 {
                match {
                    destination-address 203.0.113.200/32;
                }
                then {
                    destination-nat pool dst-nat-pool-1;
                }
            }
        }
    }
    proxy-arp {
        interface ge-0/0/0.0 {
            address {
                203.0.113.200/32;
            }
        }
    }

    Session ID: 26415, Policy name: server-access/11, Timeout: 2, Valid
      In: 203.0.113.219/30 --> 203.0.113.200/54850;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 84
      Out: 192.168.1.200/54850 --> 203.0.113.219/30;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 84

    x.x.113.219 did not change, but 113.200 was translated to 1.200.

    To translate x.x.113.219 we need a separate source nat rule in the same direction, from outside to inside.

    Regards,

    Rahul
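The outside-to-inside source NAT that Rahul describes, written out in Junos set syntax as an added example; this is not configuration from the thread or from Juniper's documentation page. The public address 198.51.100.116, the internal server 192.0.2.112, the zone names untrust/trust and all pool, rule-set and policy names are assumed placeholders standing in for the poster's ".116" and ".112".

```junos
# Destination NAT: public .116 port 1723 -> internal server .112 port 1723
# (what the original poster already has; shown so the two halves sit side by side)
set security nat destination pool dnat-pool-pptp address 192.0.2.112/32 port 1723
set security nat destination rule-set rs-dnat from zone untrust
set security nat destination rule-set rs-dnat rule r-pptp match destination-address 198.51.100.116/32
set security nat destination rule-set rs-dnat rule r-pptp match destination-port 1723
set security nat destination rule-set rs-dnat rule r-pptp then destination-nat pool dnat-pool-pptp

# Source NAT in the SAME direction (outside -> inside). This is the part the SRX
# does not do on its own: without it the server sees the client's real address.
# Destination NAT is applied before source NAT, so this rule matches the
# already-translated inside address of the server.
set security nat source rule-set rs-snat-out-in from zone untrust
set security nat source rule-set rs-snat-out-in to zone trust
set security nat source rule-set rs-snat-out-in rule r-hide-client match source-address 0.0.0.0/0
set security nat source rule-set rs-snat-out-in rule r-hide-client match destination-address 192.0.2.112/32
set security nat source rule-set rs-snat-out-in rule r-hide-client then source-nat interface

# The security policy is still evaluated against the translated (inside) address,
# so it must permit untrust -> trust to the server, not to the public .116.
set security address-book global address pptp-server 192.0.2.112/32
set security policies from-zone untrust to-zone trust policy allow-pptp match source-address any
set security policies from-zone untrust to-zone trust policy allow-pptp match destination-address pptp-server
set security policies from-zone untrust to-zone trust policy allow-pptp match application junos-pptp
set security policies from-zone untrust to-zone trust policy allow-pptp then permit
set security policies from-zone untrust to-zone trust policy allow-pptp then log session-init session-close

# Verify: the In/Out lines of the session should now differ in BOTH addresses,
# unlike the documentation session quoted above where only the destination changed.
# run show security flow session destination-port 1723
```

With source-nat interface the server only ever sees the SRX inside interface address, so its own logs no longer record the real client; keep the SRX session logs (the `log session-init session-close` above) as the record of the original source.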



  • 5.  RE: Juniper SRX - Destination NAT not translating

    Posted 04-09-2019 21:18

    Hi Rahul and Yasmin,

    I understand the point and already accepted your first reply as the solution. Thank you all.

    -K



  • 6.  RE: Juniper SRX - Destination NAT not translating

    Posted 04-08-2019 09:07

    Yes, if you want the source address translated as well, you need to configure source NAT from Outside to Inside. It will not happen automatically.