DNAT with secondary IP

  • 1.  DNAT with secondary IP

    Posted 05-28-2021 10:31
    We are using an SRX100 firewall. We need to DNAT using a secondary WAN IP.
    The ISP/WAN interface is configured with IP 1.1.1.1/29 (example IP).
    We need to DNAT traffic coming to 1.1.1.2 port 80 to 192.168.60.62.

    I configured DNAT and added proxy-arp as per this doc: [SRX] When and how to configure Proxy ARP - Juniper Networks

    Still, DNAT is not working. Can anyone help get the DNAT working?

    ------------------------------
    Charles
    ------------------------------


  • 2.  RE: DNAT with secondary IP

    Posted 05-29-2021 05:34
    Proxy ARP is just one element of the process. You also need a destination NAT rule and a security policy to permit the traffic.

    See the details starting on page 9 of this examples document.
    https://kb.juniper.net/library/CUSTOMERSERVICE/technotes/Junos_NAT_Examples.pdf

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: DNAT with secondary IP

    Posted 05-29-2021 06:43
    Thank you @spuluka
    Of course those two are already there.

    ------------------------------
    Charles
    ------------------------------



  • 4.  RE: DNAT with secondary IP

    Posted 05-29-2021 09:07
    Can you share the config for review on all the elements?
    Note that the rule order does matter as well, so be sure the policy is in a position to not be overridden by previous matches, and the order of the NAT rules as well.

    You can also check whether the session and NAT are recognized on the SRX by looking at how the source traffic appears in the session table. This will confirm which rule matches the traffic and what NAT occurs.
    show security flow session source-prefix 10.1.1.1/32

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 5.  RE: DNAT with secondary IP

    Posted 05-31-2021 03:19
    root@SRX01# show security nat destination rule-set dst-nat rule att_machine
    match {
        destination-address 1.1.1.1/32;
        destination-port {
            90;
        }
    }
    then {
        destination-nat {
            pool {
                attendance_machine;
            }
        }
    }

    ------------------------

    root@SRX01# show security nat destination pool attendance_machine
    address 192.168.10.32/32 port 90;

    ---------------------
    root@KIAL-SRX01# show security nat proxy-arp
    interface ge-0/0/4.0 {
        address {
            1.1.1.1/29;
        }
    }

    -----------------------
    root@SRX01# run show security policies policy-name att_machine_DNAT
    node1:
    --------------------------------------------------------------------------
    From zone: external, To zone: internal
    Policy: att_machine_DNAT, State: enabled, Index: 24, Scope Policy: 0, Sequence number: 3
    Source addresses: any
    Destination addresses: 192.168.10.32, 1.1.1.1
    Applications: 90-TCP, junos-icmp-all, junos-icmp-ping, junos-ping
    Action: permit, log

    ------------------------------
    Charles
    ------------------------------



  • 6.  RE: DNAT with secondary IP

    Posted 05-31-2021 06:16
    For the destination NAT rule, what are the zone assignment designations? Here we also need to verify there are no potential matches for the traffic before this desired NAT rule in the configured order.

    For the security policy, you are not forwarding ICMP, only TCP 90, so those are unnecessary or need to be added to the NAT rule,
    and the public destination address can be removed as unnecessary.
    We also need to confirm there are no potential matches for the traffic before this security policy.

    The to and from zones are based on the post-DNAT address, as noted in this SRX process flow chart.

    Making the connection attempt on TCP 90 and looking for the session will also confirm whether the traffic is classified and matching any existing policy. If it is not matching and not showing up at all, we are not correctly fitting all the tuple matches.


    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 7.  RE: DNAT with secondary IP

    Posted 05-31-2021 08:24
    Thank you @spuluka

    For the destination NAT rule, what are the zone assignment designations? Here we also need to verify there are no potential matches for the traffic before this desired NAT rule in the configured order.
    >>external to internal
    >>There are no other potential matches before this rule. All rules have the destination IP mentioned.

    For the security policy, you are not forwarding ICMP, only TCP 90, so those are unnecessary or need to be added to the NAT rule,
    and the public destination address can be removed as unnecessary.
    >>TCP 90 and ping are the required forwards

    We also need to confirm there are no potential matches for the traffic before this security policy.
    >>There are no other potential matches

    show security flow session source-prefix 10.1.1.1/32 is only showing the RDP connection I am making to the same IP. There is no log when I attempt telnet to TCP 90.

    ------------------------------
    Charles
    ------------------------------



  • 8.  RE: DNAT with secondary IP

    Posted 06-02-2021 05:42
    So this means that one of the previous rules in either NAT or policy prevents the consideration of this TCP 90 rule that comes later.

    I think the NAT is more likely, so we need to examine the NAT rules before this one on this same IP address.

    Another test you can run is to move this NAT rule before all the others using this IP address so it is evaluated first. Note that this might "break" the other rules if the overlap condition is the same as this one.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 9.  RE: DNAT with secondary IP

    Posted 06-02-2021 07:55
    Hi @spuluka
    Thanks a lot for your continuous help. Attached is a diagram of the current architecture. The DNAT IP is not configured on any interface; it's just the WAN IP pool.

    I moved the security and NAT rules to the top of the order, and it's still the same result.

    ------------------------------
    Charles
    ------------------------------



  • 10.  RE: DNAT with secondary IP

    Posted 06-02-2021 17:52
    Hi Charles:

    Just a thought of something you might try. I see the proxy-arp address you have configured is 1.1.1.1/29; all the docs I have seen relating to proxy-arp use a /32 address. So a suggestion is to try "set security nat proxy-arp interface ge-0/0/4.0 address 1.1.1.2/32" and delete the address 1.1.1.1/29.


    ------------------------------
    Stuart
    ------------------------------
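Pulling together the three elements Steve lists (proxy ARP, destination NAT rule, security policy matched on the post-NAT address, with rule order checked) and Stuart's /32 proxy-ARP point, here is an added Junos set-command example for the case in the original question (1.1.1.2 TCP 80 to 192.168.60.62); it is not config from this thread. It assumes interface ge-0/0/4.0 in zone external and the server in zone internal, as in the posted config; the pool, rule-set, rule, address and policy names are hypothetical.

```junos
# Added example, not from the thread. Assumes ge-0/0/4.0 carries 1.1.1.1/29
# in zone "external" and 192.168.60.62 lives in zone "internal".
# Names web-pool, wan-dnat, web-80, web-host and dnat-web are hypothetical.

# 1. Proxy ARP for the secondary address only (/32). 1.1.1.2 is not on any
#    interface, so the SRX must answer the ISP gateway's ARP for it.
set security nat proxy-arp interface ge-0/0/4.0 address 1.1.1.2/32

# 2. Destination NAT pool: the real server and port.
set security nat destination pool web-pool address 192.168.60.62/32 port 80

# 3. Destination NAT rule-set. "from zone" is the zone the packet arrives in
#    (pre-NAT); the match is on the public /32 and the public port.
set security nat destination rule-set wan-dnat from zone external
set security nat destination rule-set wan-dnat rule web-80 match destination-address 1.1.1.2/32
set security nat destination rule-set wan-dnat rule web-80 match destination-port 80
set security nat destination rule-set wan-dnat rule web-80 then destination-nat pool web-pool

# 4. Security policy. Destination NAT is applied before policy lookup, so the
#    policy must match the translated private address (not 1.1.1.2) and only
#    the application actually forwarded (junos-http = TCP 80).
set security zones security-zone internal address-book address web-host 192.168.60.62/32
set security policies from-zone external to-zone internal policy dnat-web match source-address any
set security policies from-zone external to-zone internal policy dnat-web match destination-address web-host
set security policies from-zone external to-zone internal policy dnat-web match application junos-http
set security policies from-zone external to-zone internal policy dnat-web then permit
set security policies from-zone external to-zone internal policy dnat-web then log session-init

# Policies are evaluated top-down: if an earlier external->internal policy
# could match this traffic, move this one above it (placeholder name).
insert security policies from-zone external to-zone internal policy dnat-web before policy <existing-policy-name>

# 5. Verification after commit. A session hit shows the pre-NAT tuple on the
#    In wing, the post-NAT tuple on the Out wing, and the policy that matched;
#    no session at all means the traffic never matched the NAT rule or policy.
run show security nat destination rule web-80
run show security nat destination pool web-pool
run show security flow session destination-prefix 1.1.1.2/32
run show security flow session destination-port 80
```

The rule and pool counters from the two NAT show commands distinguish "packet never reached the NAT rule" (proxy-ARP or ordering problem) from "translated but dropped by policy".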



  • 11.  RE: DNAT with secondary IP

    Posted 06-03-2021 08:07
    Thank you @Footy-Smurf
    Tried that too, still no luck.

    ------------------------------
    Charles
    ------------------------------