Security

IMPORTANT MODERATION NOTICE

This community is currently under full moderation, meaning  all posts will be reviewed before appearing in the community. Please expect a brief delay—there is no need to post multiple times. If your post is rejected, you'll receive an email outlining the reason(s). We've implemented full moderation to control spam. Thank you for your patience and participation.



  • 1.  Destination NAT issue

    Posted 08-23-2021 09:50
    Hi, 

    Fairly new to Juniper but I'm having an issue with destination NAT. I have read all the different forums and followed along with no success, a few I read said I needed proxy ARP but when I try to add this I get an error 

    1) Proxy ARP IP address range [207.xxx.xxx.70 207.xxx.xxx.70] overlaps with interface IP address range [207.xxx.xxx.70 207.xxx.xxx.70] defined on interface 'ge-0/0/0.0'


    Any help is massively appreciated. I am waiting for our reseller to activate our support contract with Juniper so I can get the Jtac team to look but that's going to take a few days at least and I need to get it up and running ASAP.

    Set UP:

    ge-0/0/0 - External interface -  207.XXX.XXX.70/24
    ge-0/0/1- Internal interface - 10.0.1.1/24

    Server trying to access 10.0.1.104:443 from 207.XXX.XXX.70:8443

    Config ---

    nat {
    source {
    rule-set nsw_srcnat {
    from zone Internal;
    to zone Internet;
    rule nsw-src-interface {
    match {
    source-address 0.0.0.0/0;
    destination-address 0.0.0.0/0;
    }
    then {
    source-nat {
    interface;
    }
    }
    }
    }
    }
    destination {
    pool Web_Pool {
    address 10.0.1.104/32 port 443;
    }
    rule-set Web_RS {
    from zone Internet;
    rule Web_RULE {
    match {
    source-address 0.0.0.0/0;
    destination-address 207.xxx.xxx.70/32;
    destination-port {
    8443;
    }
    }
    then {
    destination-nat {
    pool {
    Web_Pool;
    }
    }
    }
    }
    }
    }
    }
    policies {
    from-zone Internal to-zone Internet {
    policy All_Internal_Internet {
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    permit;
    }
    }
    }
    from-zone Internet to-zone Internal {
    policy Web_Traffic {
    match {
    source-address any;
    destination-address Web;
    application any;
    dynamic-application any;
    }
    then {
    permit;
    }
    }
    }
    }
    zones {
    security-zone Internal {
    interfaces {
    ge-0/0/1.0 {
    host-inbound-traffic {
    system-services {
    ping;
    dhcp;
    }
    }
    }
    }
    }
    security-zone Internet {
    interfaces {
    ge-0/0/0.0;
    }
    }
    }
    }
    interfaces {
    ge-0/0/0 {
    unit 0 {
    family inet {
    address 207.xxx.xxx.70/24;
    }
    }
    }
    ge-0/0/1 {
    unit 0 {
    family inet {
    address 10.0.1.1/24;
    }

    ------------------------------
    GRAEME MCKAY
    ------------------------------


  • 2.  RE: Destination NAT issue

    Posted 08-24-2021 09:30
    Hello,

    As far as I understood the configuration is as following:

    set security nat destination pool Web_Pool address 10.0.1.104/32
    set security nat destination pool Web_Pool address port 443

    set security nat destination rule-set Web_RS from zone untrust
    set security nat destination rule-set Web_RS rule Web_RULE match destination-address 207.XXX.XXX.70/24
    set security nat destination rule-set Web_RS rule Web_RULE match destination-port 8443
    set security nat destination rule-set Web_RS rule Web_RULE then destination-nat pool Web_Pool

    set security address-book global address srv1 10.0.1.104/32

    set security policies from-zone untrust to-zone trust policy server-access match source-address any
    set security policies from-zone untrust to-zone trust policy server-access match destination-address srv1
    set security policies from-zone untrust to-zone trust policy server-access match application any
    set security policies from-zone untrust to-zone trust policy server-access then permit

    do you have logs?
    try to see the traffic flows on interface ge-0/0/0 issuing the command "monitor traffic interface ge-0/0/0" and "monitor interface ge-0/0/0";
    you will see whether nat sessions are established or not;

    If you're using SRX firewall, then usually there is an access to GUI, through which you can call for packet tracer and see if everything is OK with configuration.

    Then if it's possible please avoid combinations of upper and lower case letters in namings because it's case sensitive.