I should have asked the following questions...
You won't need Proxy-arp for addresses you have configured on interfaces and you will not want to ARP the gateway IP... this would be bad! lol
Original Message:
Sent: 09-23-2023 22:09
From: JAY ECHOUAFNI
Subject: Can not ping external Nated IP from behind the SRX from the server itself in the trust zone
There were error(s) delivering the configuration.
Error(s):
'address 164.182.158.1/32'
1) Proxy ARP IP address range [164.182.158.1 164.182.158.254] overlaps with interface IP address range [164.182.158.254 164.182.158.254] defined on interface 'ge-0/0/0.0'
2) configuration check-out failed
Original Message:
Sent: 9/22/2023 10:23:00 PM
From: GAVIN WHITE
Subject: RE: Can not ping external Nated IP from behind the SRX from the server itself in the trust zone
HI Jay,
As the Security Policy is processed after NAT, your source and destination addresses will both be the internal IPs.
I have written an example out what your configuration for NAT and security policy would look like. (sorry if there's a typo, was written by hand)
Have a look over this and compare to what you have configured so far.
security { nat { source { rule-set hairpin { from zone trust; to zone trust; rule hairpin-snat { match { source-address 10.10.20.0/24; } then { source-nat interface; } } } } destination { pool server-pool-internal { address 10.10.20.0/24; } rule-set hairpin { from zone trust; rule hairpin-dnat { match { destination-address 164.182.158.0/24 } then { destination-nat { pool { server; } } } } } } proxy-arp { interface ge-0/0/0.0 { address { 164.182.158.1/32 to 164.182.158.254/32; } } } } policies { from-zone trust to-zone trust { policy our-hairpin-policy { match { source-address Srv-Mail-105; destination-address Srv-Mail-105; application any; } then { permit; } } } }}
------------------------------
GAVIN WHITE
Original Message:
Sent: 09-22-2023 20:28
From: JAY ECHOUAFNI
Subject: Can not ping external Nated IP from behind the SRX from the server itself in the trust zone
I did create an address book entry for both internal and external IP but when I try to ping the external ip from the the server it does not work I must be missing somthing I reverse the addresses just in case and that also did not work
Srv-Mail-158.245 0 External IP
Srv-Mail-105 internal IP
policies {
from-zone trust to-zone trust {
policy our-hairpin-policy {
match {
source-address Srv-Mail-158.245;
destination-address Srv-Mail-105;
application any;
}
then {
permit;
}
}
And this did not work either
policies {
from-zone trust to-zone trust {
policy our-hairpin-policy {
match {
source-address Srv-Mail-105;
destination-address Srv-Mail-158.245;
application any;
}
then {
permit;
}
}
Original Message:
Sent: 9/22/2023 8:08:00 PM
From: GAVIN WHITE
Subject: RE: Can not ping external Nated IP from behind the SRX from the server itself in the trust zone
Apologies for the double post. I got no confirmation from my first post.
The 'any any' rule you mentioned that you have will be as effective as the more specific rule I provided as an example.
The commit issue is because these source-address and destination-address fields have to be address names. Referring to your address book entries you configure in [edit security address-book]. I just simplified it for conceptual purposes.
Here is an example of the Hairpinning configuration rules you will need to apply.
https://supportportal.juniper.net/s/article/SRX-How-to-set-up-NAT-hairpinning?language=en_US
------------------------------
GAVIN WHITE
Original Message:
Sent: 09-22-2023 19:54
From: JAY ECHOUAFNI
Subject: Can not ping external Nated IP from behind the SRX from the server itself in the trust zone
I can not commit I get this
Warning(s):
'policy our-hairpin-policy,policy our-hairpin-policy'
1) Source address or address_set (10.10.20.0/24) not found. Please check if it is a SecProfiling Feed.
2) Destination address or address_set (10.10.20.0/24) not found. Please check if it is a SecProfiling Feed.
Original Message:
Sent: 9/22/2023 4:13:00 PM
From: GAVIN WHITE
Subject: RE: Can not ping external Nated IP from behind the SRX from the server itself in the trust zone
Hi Jay,
Just reiterating Steve's note here, you will need to add a security policy to allow traffic from your servers back to your servers.
Security Policy is evaluated after NAT Operations, to you will need to use the ultimate Source and Destination Addresses here.
The policy will look something like this...
from-zone trust to-zone trust {
policy our-hairpin-policy {
match {
source-address 10.10.20.0/24 ;
destination-address 10.10.20.0/24 ;
application any;
}
then {
permit;
}
}
}
You can use any any here but the most important is the from-zone trust to-zone trust configuration.
------------------------------
GAVIN WHITE
Original Message:
Sent: 09-16-2023 19:15
From: JAY ECHOUAFNI
Subject: Can not ping external Nated IP from behind the SRX from the server itself in the trust zone
It has been weeks and did not get any help on this would anyone take a minute and help me I am really stuck and am hoping that this forum can help.
------------------------------
JAY ECHOUAFNI
Original Message:
Sent: 08-28-2023 07:02
From: spuluka
Subject: Can not ping external Nated IP from behind the SRX from the server itself in the trust zone
The nat policy looks good.
The security policy is not correct. The internal traffic will be from Trust to Trust zones.
Source address is the scope of the devices trying to access the server NOT the server nat address.
Destination address will be the nat pool address of the target server.
------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home
Original Message:
Sent: 08-24-2023 12:17
From: JAY ECHOUAFNI
Subject: Can not ping external Nated IP from behind the SRX from the server itself in the trust zone
Yes my regular NATs from the internet to my internal servers are working it's just my servers to themselves on their external IPs that is not working. I have both the NAT Policy and The security Policy in pace (I Think) but not working. I read something on Juniper kb about hairpin not sure I did it right. My internal ip are 10.10.20.0/24 amd externa; 164.182.158.9/24
Can you tell me what to fix here please
rule-set hairpin {
from zone [ trust untrust ];
rule hairpin-destination {
match {
destination-address 164.182.158.0/24;
}
then {
destination-nat {
pool {
server;
}
}
}
}
}
}
rule-set hairpin {
from zone untrust;
to zone trust;
rule hairpin-source {
match {
source-address [ 164.182.158.0/24 ];
}
then {
source-nat {
interface;
}
}
}
}
}
------------------------------
JAY ECHOUAFNI
Original Message:
Sent: 08-24-2023 10:56
From: spuluka
Subject: Can not ping external Nated IP from behind the SRX from the server itself in the trust zone
If I understand your layout correctly you have successfully setup nat and policy from internet sources to your public ip address nat to an internal server. But access to the same public ip address to those servers from internal addresses does not work.
For the internal traffic to work you need two policies nat and security.
For the nat policy you likely can simply add the internal zone or zones as the source zone to the working nat policy from the internet zone to the servers.
For the security policy you need to confirm there is and existing security policy or create a new one from the source zone of the clients to the destination zone of the internal address after nat of the servers covering icmp, http and any other desired protocols.
------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home
Original Message:
Sent: 08-23-2023 12:22
From: JAY ECHOUAFNI
Subject: Can not ping external Nated IP from behind the SRX from the server itself in the trust zone
FYI it was working before not sure what I did to break it. is simple I can not ping a from the outside (the internet) any of my Public IPs that is nated I can also ping the public interface IP but nothing that everyone outside is able to ping and view http from behind the SRX. noy from the server inside in the trust zone. Is there a reverse or loop back command I am missing please.
------------------------------
JAY ECHOUAFNI
------------------------------