SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Destination NAT issue

    Posted 08-23-2021 09:49
    Hi, 

    Fairly new to Juniper, but I'm having an issue with destination NAT. I have read all the different forums and followed along with no success. A few I read said I needed proxy ARP, but when I try to add this I get an error:

    1) Proxy ARP IP address range [207.xxx.xxx.70 207.xxx.xxx.70] overlaps with interface IP address range [207.xxx.xxx.70 207.xxx.xxx.70] defined on interface 'ge-0/0/0.0'


    Any help is massively appreciated. I am waiting for our reseller to activate our support contract with Juniper so I can get the JTAC team to look, but that's going to take a few days at least and I need to get it up and running ASAP.

    Setup:

    ge-0/0/0 - External interface -  207.XXX.XXX.70/24
    ge-0/0/1- Internal interface - 10.0.1.1/24

    Server trying to access 10.0.1.104:443 from 207.XXX.XXX.70:8443

    Config ---

    /* top-level "security" stanza, omitted from the original paste */
    security {
        nat {
            source {
                /* outbound: hide everything from Internal behind ge-0/0/0.0's address */
                rule-set nsw_srcnat {
                    from zone Internal;
                    to zone Internet;
                    rule nsw-src-interface {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
            destination {
                /* inbound: 207.xxx.xxx.70:8443 -> 10.0.1.104:443 */
                pool Web_Pool {
                    address 10.0.1.104/32 port 443;
                }
                rule-set Web_RS {
                    from zone Internet;
                    rule Web_RULE {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address 207.xxx.xxx.70/32;
                            destination-port {
                                8443;
                            }
                        }
                        then {
                            destination-nat {
                                pool {
                                    Web_Pool;
                                }
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone Internal to-zone Internet {
                policy All_Internal_Internet {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone Internet to-zone Internal {
                policy Web_Traffic {
                    match {
                        source-address any;
                        /* "Web" is an address-book entry; its definition is not in the paste */
                        destination-address Web;
                        application any;
                        dynamic-application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone Internal {
                interfaces {
                    ge-0/0/1.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                                dhcp;
                            }
                        }
                    }
                }
            }
            security-zone Internet {
                interfaces {
                    ge-0/0/0.0;
                }
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 207.xxx.xxx.70/24;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family inet {
                    address 10.0.1.1/24;
                }
            }
        }
    }

    ------------------------------
    GRAEME MCKAY
    ------------------------------


  • 2.  RE: Destination NAT issue

    Posted 08-23-2021 12:57
    Hi Graeme,

    Try removing 'dynamic-application any' from the security policy, and hopefully the destination-address Web is defined for the private IP 10.0.1.104. In this case proxy ARP is not required.

    Thanks,
    Nellikka


  • 3.  RE: Destination NAT issue

    Posted 08-23-2021 13:24
    Hi Nellikka, 

    My destination address is currently my external address, as the traffic will be hitting ge-0/0/0 on 207.xxx.xxx.70 (the outside world) and being NATed to 10.0.1.104 (internal web server). From the configuration guides I understood this was how it was supposed to be. Should I try changing the destination to my internal address?

    ------------------------------
    GRAEME MCKAY
    ------------------------------



  • 4.  RE: Destination NAT issue

    Posted 08-23-2021 21:14
    Hi Graeme,

    Policy lookup happens after the destination NAT. Hence the destination-address Web should be for the internal IP 10.0.1.104.

    Thanks,
    Nellikka

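Putting the two points from the reply above into configuration form, as an added example that is not part of any post in this thread. Interface, zone, pool and rule names and the 207.xxx.xxx.70 placeholder are taken from the original post; the assumptions are that "Web" lives in the global address book (not a zone-scoped one) and that the box will accept junos-https as the post-NAT application. Lines starting with # are explanatory and not meant to be pasted.

```junos
# 1. Address book: the policy must name the INTERNAL host, because the SRX
#    performs destination NAT before the policy lookup. A policy matching
#    207.xxx.xxx.70 never sees that address at lookup time.
set security address-book global address Web 10.0.1.104/32

# 2. Destination NAT, unchanged in substance from the original post.
set security nat destination pool Web_Pool address 10.0.1.104/32 port 443
set security nat destination rule-set Web_RS from zone Internet
set security nat destination rule-set Web_RS rule Web_RULE match source-address 0.0.0.0/0
set security nat destination rule-set Web_RS rule Web_RULE match destination-address 207.xxx.xxx.70/32
set security nat destination rule-set Web_RS rule Web_RULE match destination-port 8443
set security nat destination rule-set Web_RS rule Web_RULE then destination-nat pool Web_Pool

# 3. Policy: drop dynamic-application (it turns this into a unified policy
#    that depends on AppID and the application-signature package to classify
#    the flow) and match the translated port, which is 443 after DNAT, not 8443.
delete security policies from-zone Internet to-zone Internal policy Web_Traffic match dynamic-application
set security policies from-zone Internet to-zone Internal policy Web_Traffic match source-address any
set security policies from-zone Internet to-zone Internal policy Web_Traffic match destination-address Web
set security policies from-zone Internet to-zone Internal policy Web_Traffic match application junos-https
set security policies from-zone Internet to-zone Internal policy Web_Traffic then permit

# No proxy-arp entry is needed: 207.xxx.xxx.70 is ge-0/0/0.0's own address, so
# the SRX already answers ARP for it (that is exactly what the overlap error in
# the first post is saying). Proxy ARP is only required when the NAT address is
# a different address inside the interface's subnet.
commit check
commit
```

After committing, `show security nat destination rule all` shows whether Web_RULE is accumulating translation hits, `show security policies hit-count` shows whether Web_Traffic is now the policy being matched, and `show security flow session destination-port 443` should list sessions whose destination is 10.0.1.104 once a client connects to 207.xxx.xxx.70:8443.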

  • 5.  RE: Destination NAT issue

    Posted 08-24-2021 09:30

    Thanks for the clarification. I tried changing the destination address but no joy. I see the hits coming in on the NAT rule and I see them hitting the address pool, but they are all failing.

    Graeme


  • 6.  RE: Destination NAT issue

    Posted 08-24-2021 11:34
    Did you remove 'dynamic-application any' from the security policy as suggested earlier? If yes and it is still not working, please collect flow traceoptions and share the output file with us:

    set security flow traceoptions file flow.log
    set security flow traceoptions file size 20m
    set security flow traceoptions flag basic-datapath
    set security flow traceoptions packet-filter temp1 source-prefix 10.0.1.104
    set security flow traceoptions packet-filter temp1 source-port 443
    set security flow traceoptions packet-filter temp1 destination-prefix <Internet Source ip>
    set security flow traceoptions packet-filter temp2 destination-prefix 207.XXX.XXX.70
    set security flow traceoptions packet-filter temp2 destination-port 8443
    set security flow traceoptions packet-filter temp2 source-prefix <Internet Source IP>
    set security flow traceoptions packet-filter temp3 destination-prefix 10.0.1.104
    set security flow traceoptions packet-filter temp3 destination-port 443




  • 7.  RE: Destination NAT issue

    Posted 08-24-2021 12:27
    Did you remove 'dynamic-application any' from the security policy as suggested earlier? If yes and it is still not working, please collect flow traceoptions and share the output file with us:

    set security flow traceoptions file flow.log
    set security flow traceoptions file size 20m
    set security flow traceoptions flag basic-datapath
    set security flow traceoptions packet-filter temp1 source-prefix 10.0.1.104
    set security flow traceoptions packet-filter temp1 source-port 443
    set security flow traceoptions packet-filter temp1 destination-prefix <Internet Source ip>
    set security flow traceoptions packet-filter temp2 destination-prefix 207.XXX.XXX.70
    set security flow traceoptions packet-filter temp2 destination-port 8443
    set security flow traceoptions packet-filter temp2 source-prefix <Internet Source IP>
    set security flow traceoptions packet-filter temp3 destination-prefix 10.0.1.104
    set security flow traceoptions packet-filter temp3 destination-port 443
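The trace requested in the two replies above, carried through to the part they leave out: committing it, reading the result and switching it off again. This is an added example, not something posted by a participant. The addresses and filter names come from the thread; 203.0.113.10 is a documentation-range stand-in for the "<Internet Source IP>" placeholder and must be replaced with the real client address. Lines starting with # are explanatory.

```junos
configure
set security flow traceoptions file flow.log
set security flow traceoptions file size 20m
set security flow traceoptions flag basic-datapath
# temp1: the server's replies (10.0.1.104:443 -> client); tells you whether
#        the server answered at all, which a missing default route would break.
set security flow traceoptions packet-filter temp1 source-prefix 10.0.1.104/32
set security flow traceoptions packet-filter temp1 source-port 443
set security flow traceoptions packet-filter temp1 destination-prefix 203.0.113.10/32
# temp2: the client's SYN as it arrives on ge-0/0/0.0, before translation.
set security flow traceoptions packet-filter temp2 source-prefix 203.0.113.10/32
set security flow traceoptions packet-filter temp2 destination-prefix 207.xxx.xxx.70/32
set security flow traceoptions packet-filter temp2 destination-port 8443
# temp3: the same packet after DNAT, on its way to the server.
set security flow traceoptions packet-filter temp3 destination-prefix 10.0.1.104/32
set security flow traceoptions packet-filter temp3 destination-port 443
commit and-quit

# Reproduce from the client (e.g. curl -k https://207.xxx.xxx.70:8443/), then
# pull only the decision lines out of the trace:
show log flow.log | match "xlate|policy|denied|dropped"

# In a basic-datapath trace the first-packet path shows, in order, the DST
# xlate line (207.xxx.xxx.70(8443) to 10.0.1.104(443)), the line
# "policy search from zone Internet-> zone Internal", and then either the
# policy that matched or "packet dropped, denied by policy". A denial right
# after the translation means the policy's destination-address still names
# the public IP rather than 10.0.1.104, since the lookup uses the translated
# address.

# Always remove the trace afterwards; basic-datapath logging is expensive
# and the file can fill quickly on a busy edge.
configure
delete security flow traceoptions
commit and-quit
```

If the trace shows the SYN translated and permitted but nothing matching temp1, the problem is on the server side (host firewall, or a default gateway other than 10.0.1.1), not in the SRX NAT or policy configuration.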