I'm having problems making DNAT/port forwarding work on my SRX345 device. I'm trying to get a PPTP connection port-forwarded to an internal server.
Dnat Pool = Server .112 and port 1723
SERVER = Server .112 (LAN)
Public IP of SRX = PUBLIC IP .116 (WAN)
Here is the configuration of Nat Destination in SRX.
My testing was successful since it is visible in the hit-count. This just means that there is no error in dnat configuration. See below:
Packet capture on the server side shows that the public IP was not being translated by the SRX. The IP 126.96.36.199 is the public address of my test machine that is trying to connect to public IP .116 (SRX).
Server .112 is a directly connected network to SRX.
This was a working PPTP configuration on previous Firewall. Since we changed to SRX, it's not working.
Any ideas that I can check? Thanks!
Pcap on the server shows the DNAT config is translating .116 to .112.
Source 188.8.131.52 stays as no SNAT is configured.
If you are looking to translate x.x.x.249 to an internal IP, please configure source NAT in the Outside to Inside server direction.
You may SNAT to the SRX interface IP address using keyword "source nat interface".
In a normal port forwarding/DNAT scenario, when it is configured on a device, the device "automatically" translates the public IP address into its own internal IP to access the internal server. Also, the configuration requires you to input a "Translated IP Address", which means the IP that the device will use.
So is it different on the SRX? Do I need to configure source NAT in the OUTSIDE to INSIDE direction?
Yes, the Translated IP in the config is for the destination, not the source.
The following Juniper documentation describes what you are trying to do and the session you see:
Session ID: 26415, Policy name: server-access/11, Timeout: 2, Valid
In: 203.0.113.219/30 --> 203.0.113.200/54850;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 84
Out: 192.168.1.200/54850 --> 203.0.113.219/30;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 84
x.x.113.219 did not change, but 113.200 was translated to 1.200.
To translate x.x.113.219 we need a separate source NAT rule in the same direction, from outside to inside.
Hi Rahul and Yasmin,
I understand the point and already accepted your first reply as the solution. Thank you all.
Yes, if you want the source address translated as well, you need to configure source NAT from Outside to Inside. It will not happen automatically.
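A constructed Junos configuration that puts together what the replies describe: destination NAT for TCP/1723 plus a separate source NAT rule from untrust to trust using source nat interface. This is an added example, not the poster's configuration; the zone names, rule names and the addresses 203.0.113.116 and 192.168.1.112 are assumptions standing in for the redacted .116 and .112, and the source NAT rule's destination-address match is assumed to see the post-DNAT server address.

```junos
security {
    nat {
        /* Destination NAT: TCP/1723 arriving on the public address goes to the server */
        destination {
            pool dnat-pptp-server {
                /* constructed: internal server .112 */
                address 192.168.1.112/32 port 1723;
            }
            rule-set dnat-from-untrust {
                from zone untrust;
                rule pptp-forward {
                    match {
                        /* constructed: SRX public address .116 */
                        destination-address 203.0.113.116/32;
                        destination-port 1723;
                    }
                    then {
                        destination-nat pool dnat-pptp-server;
                    }
                }
            }
        }
        /* Source NAT in the same untrust-to-trust direction. This is the part the
           SRX does not do automatically: it hides the Internet client behind the
           SRX's own trust-side interface address, so the server replies to the SRX. */
        source {
            rule-set snat-untrust-to-trust {
                from zone untrust;
                to zone trust;
                rule hide-client-behind-srx {
                    match {
                        source-address 0.0.0.0/0;
                        /* assumed: matched after destination NAT, so the server's internal address */
                        destination-address 192.168.1.112/32;
                    }
                    then {
                        source-nat interface;
                    }
                }
            }
        }
    }
}
```

A security policy from untrust to trust permitting traffic to the server's internal address is still required for the session to be built. PPTP also carries its tunnel data over GRE, which a TCP/1723 forward alone does not cover, so the SRX PPTP ALG must remain enabled.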