  • 1.  Issue with DNAT/Security Policy for port forwarding

    Posted 10-10-2021 20:07
    Greetings!

    I am having issues when trying to set up my reverse proxy with a load balancer. I can see that I'm getting hit counts on my destination NAT, but I'm not showing any traffic being sent across my firewall zones to the VLB. I've looked at this for a while and I can't seem to find what's blocking the traffic; I have more experience on an ASA, where I can run a packet tracer to figure out where I'm getting stuck. Any help would be much appreciated!

    mike@VFW> show security nat destination pool HTTPS

    Pool name : HTTPS
    Pool id : 2
    Total address : 1
    Translation hits: 66
    Address range Port
    192.168.115.200 - 192.168.115.200 443

    mike@VFW> ...from-zone untrust to-zone Production detail
    Policy: allow-https, action-type: permit, State: enabled, Index: 13, Scope Policy: 0
      Policy Type: Configured
      Sequence number: 1
      From zone: untrust, To zone: Production
      Source addresses:
        any-ipv4(global): 0.0.0.0/0
        any-ipv6(global): ::/0
      Destination addresses:
        test(global): PublicIP/32
        VLB01-VIP1(global): 192.168.115.200/32
      Application: junos-https
        IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
          Source port range: [0-0]
          Destination port range: [443-443]
      Application: HTTPS
        IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
          Source port range: [0-0]
          Destination port range: [443-443]
      Per policy TCP Options: SYN check: No, SEQ check: No
      Session log: at-create, at-close


    mike@VFW> show configuration security
    address-book {
        global {
            address VLB01 192.168.115.5/32;
            address VLB01-VIP1 192.168.115.200/32;
        }
    }
    nat {
        source {
            rule-set trust-to-untrust {
                from zone [ Lab Production trust ];
                to zone [ untrust untrust-4g ];
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            pool HTTPS {
                address 192.168.115.200/32 port 443;
            }
            rule-set HTTPS-to-VLB01 {
                from zone untrust;
                rule HTTPS-Match {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address PublicIP/32;
                        destination-port 443;
                    }
                    then {
                        destination-nat pool HTTPS;
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone Production to-zone untrust {
            policy Production-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone Production {
            policy allow-https {
                match {
                    source-address any;
                    destination-address [ VLB01-VIP1 ];
                    application [ junos-https HTTPS ];
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
        default-policy {
            deny-all;
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/7.0;
                ge-0/0/6.0;
                vlan.125;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            tftp;
                            dhcp;
                        }
                    }
                }
            }
        }
        security-zone Production {
            host-inbound-traffic {
                system-services {
                    dns;
                }
            }
            interfaces {
                vlan.115 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                        }
                    }
                }
            }
        }
        security-zone untrust-4g {
            screen untrust-screen;
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                        }
                    }
                }
            }
        }
    }

    ------------------------------
    MIKE VOIGTS
    ------------------------------


  • 2.  RE: Issue with DNAT/Security Policy for port forwarding

    Posted 10-12-2021 05:55
    Is your public address in the same subnet as your SRX interface?

    If so, you also need to add proxy arp for that address onto the interface.
    set security nat proxy-arp interface ge-0/0/2.0 address x.x.x.x

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------
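The gap Steve describes (a destination-NAT rule matching a public address that the SRX never answers ARP for) can be checked from a saved `show configuration security` dump. The script below is an added example, not code from the thread or from Juniper; it assumes 203.0.113.10/32 stands in for the PublicIP placeholder, that the address lies in the subnet of untrust interface ge-0/0/0.0, and that proxy-arp appears in the standard `nat { proxy-arp { interface <ifl> { address { <prefix>; } } } }` layout.

```python
from ipaddress import ip_network

def parse_junos(text):
    """Parse Junos brace syntax into nested dicts: containers keyed by full header, leaves under '_stmts'."""
    root = node = {}
    stack, buf = [], []
    for tok in text.replace("{", " { ").replace("}", " } ").replace(";", " ; ").split():
        if tok == "{":                      # open the container named by the buffered header
            stack.append(node)
            node = node.setdefault(" ".join(buf), {})
            buf = []
        elif tok == "}":                    # back to the parent container
            node = stack.pop()
        elif tok == ";":                    # a leaf statement is complete
            node.setdefault("_stmts", []).append(" ".join(buf))
            buf = []
        else:
            buf.append(tok)
    return root

def containers(node, prefix):
    """Child containers whose header starts with prefix, e.g. 'rule-set '."""
    return [v for k, v in node.items() if k != "_stmts" and k.startswith(prefix)]
def stmt_values(node, keyword):
    """Values of leaf statements of the form '<keyword> <value> ...'."""
    return {s.split()[1] for s in node.get("_stmts", []) if s.startswith(keyword + " ")}
def dnat_targets(cfg):
    """Public prefixes matched by destination-NAT rules (the SRX must answer ARP for these)."""
    dst = cfg.get("nat", {}).get("destination", {})
    return {a for rs in containers(dst, "rule-set ") for rule in containers(rs, "rule ")
            for a in stmt_values(rule.get("match", {}), "destination-address")}
def proxy_arp_addresses(cfg):
    """Prefixes from 'set security nat proxy-arp interface <ifl> address <prefix>'."""
    pa = cfg.get("nat", {}).get("proxy-arp", {})
    return {s.split()[0] for ifl in containers(pa, "interface ")
            for s in ifl.get("address", {}).get("_stmts", [])}
def missing_proxy_arp(config_text):
    """DNAT targets not covered by any proxy-ARP prefix, sorted for stable output."""
    cfg = parse_junos(config_text)
    covered = [ip_network(p, strict=False) for p in proxy_arp_addresses(cfg)]
    return sorted(t for t in dnat_targets(cfg)
                  if not any(ip_network(t, strict=False).subnet_of(c) for c in covered))

# Constructed sample of the thread's DNAT rule; 203.0.113.10/32 (RFC 5737 space) stands in for PublicIP.
SAMPLE = """nat { destination {
    pool HTTPS { address 192.168.115.200/32 port 443; }
    rule-set HTTPS-to-VLB01 { from zone untrust;
        rule HTTPS-Match { match { destination-address 203.0.113.10/32; destination-port 443; }
                           then { destination-nat pool HTTPS; } } } } }"""
PROXY_ARP = "nat { proxy-arp { interface ge-0/0/0.0 { address { 203.0.113.10/32; } } } }"
```

`missing_proxy_arp(SAMPLE)` reports the public address as uncovered; appending the PROXY_ARP fragment (what Steve's `set` command renders to) clears the finding.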