I was looking to compare the working sessions with interface nat versus the non-working ones from the nat pool.
Also, can you confirm there are no other NAT source rules in the rule group from vlan81 to internet?
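The checks Steve is asking for, written out as an added example (these are not commands from the thread, and the `#` lines are annotations, not CLI input). The source address 100.64.81.5 and the expected public address 1.2.3.3 are taken from the thread; the pool name VLAN81 is assumed. Run these once with the interface-NAT rule in place and once with the pool rule, and compare the Out side of each session: with interface NAT it should carry the ge-0/0/0.0 address, with the pool it should carry 1.2.3.3.

```junos
# Rule-set summary: confirms there is exactly one source rule from zone vlan81 to zone Internet,
# and which action (interface or pool) it carries
show security nat source summary
show security nat source rule all

# Pool must show 1.2.3.3/32 as its only address; a missing or mistyped pool means the rule
# has nothing to translate to and traffic is dropped
show security nat source pool all

# Proxy ARP for the pool address on the untrust interface; without it the upstream router
# cannot resolve 1.2.3.3 and return traffic never arrives
show configuration security nat proxy-arp

# The security policy that actually permits the flow (NAT alone does not allow traffic)
show security policies from-zone vlan81 to-zone Internet

# Per-host session view; with the pool active the "Out:" line should read
# <remote>/<port> --> 1.2.3.3/<port>, not the interface address
show security flow session source-prefix 100.64.81.5/32

# Watch whether the upstream router asks for 1.2.3.3 and whether the SRX answers
monitor traffic interface ge-0/0/0.0 no-resolve matching "arp host 1.2.3.3"
```

If the session table shows sessions being created with 1.2.3.3 on the Out side but packet counts on the Out direction stay at zero, the translation is happening and the problem is return traffic, which points at ARP on the untrust side rather than at the NAT rule.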
Original Message:
Sent: 02-02-2021 15:53
From: bob
Subject: Route all VLAN traffic to specific public IP
Here are a couple in the 100.64.81.0/24
show security flow session source-prefix 100.64.81.0/24
Session ID: 278, Policy name: vlan81/21, Timeout: 1758, Valid
  In: 100.64.81.6/44277 --> 74.125.195.188/5228;tcp, If: ge-0/0/14.81, Pkts: 863, Bytes: 47522
  Out: 74.125.195.188/5228 --> 47.44.189.26/31068;tcp, If: ge-0/0/0.0, Pkts: 885, Bytes: 83404
Session ID: 468, Policy name: vlan81/21, Timeout: 1776, Valid
  In: 100.64.81.6/50414 --> 74.125.28.188/5228;tcp, If: ge-0/0/14.81, Pkts: 1139, Bytes: 67525
  Out: 74.125.28.188/5228 --> 47.44.189.26/12731;tcp, If: ge-0/0/0.0, Pkts: 881, Bytes: 57799
Session ID: 1269, Policy name: vlan81/21, Timeout: 1686, Valid
  In: 100.64.81.5/51051 --> 67.195.231.27/443;tcp, If: ge-0/0/14.81, Pkts: 17, Bytes: 2410
  Out: 67.195.231.27/443 --> 47.44.189.26/6676;tcp, If: ge-0/0/0.0, Pkts: 14, Bytes: 7374
Session ID: 1386, Policy name: vlan81/21, Timeout: 1526, Valid
  In: 100.64.81.5/34317 --> 52.70.7.105/443;tcp, If: ge-0/0/14.81, Pkts: 324, Bytes: 144098
  Out: 52.70.7.105/443 --> 47.44.189.26/5367;tcp, If: ge-0/0/0.0, Pkts: 198, Bytes: 29367
Session ID: 2280, Policy name: vlan81/21, Timeout: 1790, Valid
  In: 100.64.81.5/49830 --> 142.250.11.120/443;tcp, If: ge-0/0/14.81, Pkts: 459, Bytes: 135085
  Out: 142.250.11.120/443 --> 47.44.189.26/30481;tcp, If: ge-0/0/0.0, Pkts: 603, Bytes: 59814
Session ID: 2630, Policy name: vlan81/21, Timeout: 1776, Valid
  In: 100.64.81.5/51129 --> 72.21.81.208/443;tcp, If: ge-0/0/14.81, Pkts: 21, Bytes: 2651
  Out: 72.21.81.208/443 --> 47.44.189.26/12625;tcp, If: ge-0/0/0.0, Pkts: 18, Bytes: 9599
Session ID: 2709, Policy name: vlan81/21, Timeout: 28, Valid
  In: 100.64.81.6/30006 --> 199.71.143.216/3478;udp, If: ge-0/0/14.81, Pkts: 10566, Bytes: 760756
  Out: 199.71.143.216/3478 --> 47.44.189.26/24154;udp, If: ge-0/0/0.0, Pkts: 10527, Bytes: 884268
Original Message:
Sent: 01-27-2021 05:45
From: STEVE PULUKA
Subject: Route all VLAN traffic to specific public IP
Can you pull the session information with both rules so we can see the difference in action?
Use the ip address of your test system in source-prefix
show security flow session source-prefix 100.64.81.#/32
------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
Original Message:
Sent: 01-26-2021 18:04
From: bob
Subject: Route all VLAN traffic to specific public IP
I added these lines:
set security nat proxy-arp interface ge-0/0/0.0 address 1.2.3.3/32
set security nat source pool vlan81 address 1.2.3.3/32
set security nat source rule-set vlan81 rule vlan81 then source-nat pool vlan81
Now it doesn't seem to pass traffic. I had it working before where it just used the 1.2.3.2 public static IP configured on ge-0/0/0.0, but that didn't route me to 1.2.3.3.
Original Message:
Sent: 01-26-2021 17:42
From: STEVE PULUKA
Subject: Route all VLAN traffic to specific public IP
The nat interface option puts your traffic on the interface ip address. To have the traffic nat to 1.2.3.3 you need to create a pool and use that and add proxy arp for the address to your public interface.
set security nat source rule-set vlan81 rule vlan81 then source-nat pool VLAN81
set security nat source pool VLAN81 address 1.2.3.3/32
set security nat proxy-arp interface ge-0/0/0.0 address 1.2.3.3
You should also restrict the source match condition to just the addresses that will come from vlan 81. This is how you make sure only those devices use the particular address.
Here is the general example document for all the nat scenarios.
https://kb.juniper.net/library/CUSTOMERSERVICE/technotes/Junos_NAT_Examples.pdf
------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
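The change Steve describes above, written out in full as an added example (this is not configuration from the thread or from the Juniper document linked). It keeps the names already used in the thread (rule-set and rule vlan81, zones vlan81 and Internet, untrust interface ge-0/0/0.0, pool name VLAN81) and the anonymized addresses 1.2.3.2/29 on ge-0/0/0.0 and 1.2.3.3 as the NAT address; the `#` lines are annotations. It also applies the restriction Steve recommends, replacing the 0.0.0.0/0 source match with the VLAN's own prefix 100.64.81.0/24. Note that this only covers outbound source NAT; connections initiated from the Internet toward 1.2.3.3 would need a static or destination NAT rule, which the thread does not configure.

```junos
# Pool holding the single public address the VLAN should appear as
set security nat source pool VLAN81 address 1.2.3.3/32

# Answer ARP for 1.2.3.3 on the untrust interface. The address is not configured on
# ge-0/0/0.0 itself, so without this the upstream router has no MAC to send return
# traffic to: sessions are created, but the Out direction never sees packets.
set security nat proxy-arp interface ge-0/0/0.0 address 1.2.3.3/32

# Source NAT rule-set: from the VLAN zone toward the Internet zone
set security nat source rule-set vlan81 from zone vlan81
set security nat source rule-set vlan81 to zone Internet

# match source-address is a list, so the old 0.0.0.0/0 entry must be removed,
# not just overwritten, or any source would still match this rule
delete security nat source rule-set vlan81 rule vlan81 match source-address 0.0.0.0/0
set security nat source rule-set vlan81 rule vlan81 match source-address 100.64.81.0/24
set security nat source rule-set vlan81 rule vlan81 match destination-address 0.0.0.0/0

# "then source-nat" is a single choice (interface | pool | off), so setting the pool
# replaces the earlier "source-nat interface" action
set security nat source rule-set vlan81 rule vlan81 then source-nat pool VLAN81

# The security policy still has to permit the flow; NAT does not allow traffic by itself
set security policies from-zone vlan81 to-zone Internet policy vlan81 match source-address any
set security policies from-zone vlan81 to-zone Internet policy vlan81 match destination-address any
set security policies from-zone vlan81 to-zone Internet policy vlan81 match application any
set security policies from-zone vlan81 to-zone Internet policy vlan81 then permit

commit check
commit
```

Restricting the match to 100.64.81.0/24 matters because the rule-set is selected by zone pair, but the rule's match conditions are what decide which hosts get translated to 1.2.3.3; with 0.0.0.0/0 any address that happens to arrive on the vlan81 zone interface, including spoofed ones, would be mapped to that public address.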
Original Message:
Sent: 01-26-2021 14:03
From: bob
Subject: Route all VLAN traffic to specific public IP
I have a public static /29 available to untrust on ge-0/0/0 on an SRX-240. Currently, all outbound traffic is seen to be coming from 1.2.3.2/29. I have an internal VLAN on ge-0/0/14.81 where I want to route all inbound/outbound traffic through public static IP 1.2.3.3/29. So far I have:
set interfaces ge-0/0/14 vlan-tagging
set interfaces ge-0/0/14 unit 81 description vlan81
set interfaces ge-0/0/14 unit 81 vlan-id 81
set interfaces ge-0/0/14 unit 81 family inet address 100.64.81.1/24
set vlans vlan81 vlan-id 81
set security zones security-zone vlan81 interfaces ge-0/0/14.81 host-inbound-traffic system-services ping
set security nat source rule-set vlan81 from zone vlan81
set security nat source rule-set vlan81 to zone Internet
set security nat source rule-set vlan81 rule vlan81 match source-address 0.0.0.0/0
set security nat source rule-set vlan81 rule vlan81 match destination-address 0.0.0.0/0
set security nat source rule-set vlan81 rule vlan81 then source-nat interface
set security policies from-zone vlan81 to-zone Internet policy vlan81 match source-address any
set security policies from-zone vlan81 to-zone Internet policy vlan81 match destination-address any
set security policies from-zone vlan81 to-zone Internet policy vlan81 match application any
set security policies from-zone vlan81 to-zone Internet policy vlan81 then permit
I believe I need to alter my NAT rules and maybe add a default route for all things coming from vlan81?