
Destination NAT issue

  • 1.  Destination NAT issue

    Posted 08-23-2021 09:49
    Hi, 

    Fairly new to Juniper, but I'm having an issue with destination NAT. I have read all the different forums and followed along with no success; a few I read said I needed proxy ARP, but when I try to add this I get an error:

    1) Proxy ARP IP address range [207.xxx.xxx.70 207.xxx.xxx.70] overlaps with interface IP address range [207.xxx.xxx.70 207.xxx.xxx.70] defined on interface 'ge-0/0/0.0'


    Any help is massively appreciated. I am waiting for our reseller to activate our support contract with Juniper so I can get the JTAC team to look, but that's going to take a few days at least and I need to get it up and running ASAP.

    Set up:

    ge-0/0/0 - External interface - 207.XXX.XXX.70/24
    ge-0/0/1 - Internal interface - 10.0.1.1/24

    Server trying to access 10.0.1.104:443 from 207.XXX.XXX.70:8443

    Config ---

    security {
        nat {
            source {
                rule-set nsw_srcnat {
                    from zone Internal;
                    to zone Internet;
                    rule nsw-src-interface {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
            destination {
                pool Web_Pool {
                    address 10.0.1.104/32 port 443;
                }
                rule-set Web_RS {
                    from zone Internet;
                    rule Web_RULE {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address 207.xxx.xxx.70/32;
                            destination-port {
                                8443;
                            }
                        }
                        then {
                            destination-nat {
                                pool {
                                    Web_Pool;
                                }
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone Internal to-zone Internet {
                policy All_Internal_Internet {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone Internet to-zone Internal {
                policy Web_Traffic {
                    match {
                        source-address any;
                        destination-address Web;
                        application any;
                        dynamic-application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone Internal {
                interfaces {
                    ge-0/0/1.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                                dhcp;
                            }
                        }
                    }
                }
            }
            security-zone Internet {
                interfaces {
                    ge-0/0/0.0;
                }
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 207.xxx.xxx.70/24;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family inet {
                    address 10.0.1.1/24;
                }
            }
        }
    }
    ------------------------------
    GRAEME MCKAY
    ------------------------------


  • 2.  RE: Destination NAT issue

    Posted 08-23-2021 12:57
    Hi Graeme,

    Try removing 'dynamic-application any' from the security policy, and I hope the destination-address Web is defined for the private IP 10.0.1.104. In this case proxy-arp is not required.

    Thanks,
    Nellikka


  • 3.  RE: Destination NAT issue

    Posted 08-23-2021 13:24
    Hi Nellikka, 

    My destination address is currently my external address, as the traffic will be hitting ge-0/0/0 on 207.xxx.xxx.70 (the outside world) and being NATed to 10.0.1.104 (internal web server). From the configuration guides I understood this was how it was supposed to be. Should I try changing the destination to my internal address?

    ------------------------------
    GRAEME MCKAY
    ------------------------------



  • 4.  RE: Destination NAT issue

    Posted 08-23-2021 21:14
    Hi Graeme,

    Policy lookup happens after destination NAT. Hence the destination-address Web should be the internal IP address, 10.0.1.104.

    Thanks,
    Nellikka


  • 5.  RE: Destination NAT issue

    Posted 08-24-2021 09:30

    Thanks for the clarification. I tried changing the destination address, but no joy. I see the hits coming in on the NAT rule and I see them hitting the address pool, but they are all failing.

    Graeme






  • 6.  RE: Destination NAT issue

    Posted 08-24-2021 12:27
    Did you remove 'dynamic-application any' from the security policy as suggested earlier? If yes and it is still not working, please collect flow traceoptions and share the output file with us:

    set security flow traceoptions file flow.log
    set security flow traceoptions file size 20m
    set security flow traceoptions flag basic-datapath
    set security flow traceoptions packet-filter temp1 source-prefix 10.0.1.104
    set security flow traceoptions packet-filter temp1 source-port 443
    set security flow traceoptions packet-filter temp1 destination-prefix <Internet Source ip>
    set security flow traceoptions packet-filter temp2 destination-prefix 207.XXX.XXX.70
    set security flow traceoptions packet-filter temp2 destination-port 8443
    set security flow traceoptions packet-filter temp2 source-prefix <Internet Source IP>
    set security flow traceoptions packet-filter temp3 destination-prefix 10.0.1.104
    set security flow traceoptions packet-filter temp3 destination-port 443

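Pulling together the two points made in this thread (policy lookup runs after destination NAT, so the policy must match the translated address, and 'dynamic-application any' should come off the policy), here is a set-format version of the inbound NAT and policy configuration with the operational commands used to verify it. This is an added example, not configuration from the thread; the global address-book entry named Web, the use of the predefined junos-https application in place of 'any', and the placeholder public address 207.xxx.xxx.70 are assumptions.

```junos
# Added example, not from the thread. Assumes "Web" lives in the global
# address book and that the public address is the outside interface's own
# IP, so no proxy-arp is needed (proxy-arp only applies when the NAT address
# differs from the interface address but sits in the same subnet).

# Post-NAT destination object: the policy is evaluated after destination NAT,
# so "Web" must name the private server address, not the public one.
set security address-book global address Web 10.0.1.104/32

# Destination NAT: public :8443 on the outside interface -> 10.0.1.104:443
set security nat destination pool Web_Pool address 10.0.1.104/32 port 443
set security nat destination rule-set Web_RS from zone Internet
set security nat destination rule-set Web_RS rule Web_RULE match source-address 0.0.0.0/0
set security nat destination rule-set Web_RS rule Web_RULE match destination-address 207.xxx.xxx.70/32
set security nat destination rule-set Web_RS rule Web_RULE match destination-port 8443
set security nat destination rule-set Web_RS rule Web_RULE then destination-nat pool Web_Pool

# Policy Internet -> Internal matches the translated tuple (10.0.1.104, TCP/443).
# Remove dynamic-application and narrow the application from "any" to HTTPS
# (assumption: junos-https, the predefined TCP/443 application, is all the
# server needs; keep "any" only if other ports are genuinely required).
delete security policies from-zone Internet to-zone Internal policy Web_Traffic match dynamic-application
delete security policies from-zone Internet to-zone Internal policy Web_Traffic match application
set security policies from-zone Internet to-zone Internal policy Web_Traffic match source-address any
set security policies from-zone Internet to-zone Internal policy Web_Traffic match destination-address Web
set security policies from-zone Internet to-zone Internal policy Web_Traffic match application junos-https
set security policies from-zone Internet to-zone Internal policy Web_Traffic then permit

# After commit, verify from operational mode. The NAT rule should show
# translation hits, an established session should show the public address
# on port 8443 on its In wing and 10.0.1.104 on port 443 on its Out wing,
# and the policy hit count should increase with each test connection.
# run show security nat destination rule all
# run show security flow session destination-port 443
# run show security policies policy-name Web_Traffic detail
```

If the NAT rule counts hits but no session appears in the second command, the drop is happening at policy lookup or routing, which is exactly the case the basic-datapath traceoptions above will expose.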
