SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

Can not ping external Nated IP from behind the SRX from the server itself in the trust zone

  • 1.  Can not ping external Nated IP from behind the SRX from the server itself in the trust zone

    Posted 08-23-2023 14:12

    FYI, it was working before; not sure what I did to break it. It is simple: I can not ping from the outside (the internet) any of my public IPs that are NATed. I can also ping the public interface IP, but nothing that everyone outside is able to ping and view HTTP on from behind the SRX, not from the server inside in the trust zone. Is there a reverse or loopback command I am missing, please?



    ------------------------------
    JAY ECHOUAFNI
    ------------------------------


  • 2.  RE: Can not ping external Nated IP from behind the SRX from the server itself in the trust zone

    Posted 08-24-2023 10:56

    If I understand your layout correctly, you have successfully set up NAT and policy from internet sources to your public IP address, NATed to an internal server. But access to the same public IP address of those servers from internal addresses does not work.

    For the internal traffic to work you need two policies: NAT and security.

    For the NAT policy you likely can simply add the internal zone or zones as the source zone to the working NAT policy from the internet zone to the servers.

    For the security policy you need to confirm there is an existing security policy, or create a new one, from the source zone of the clients to the destination zone of the internal (post-NAT) address of the servers, covering ICMP, HTTP and any other desired protocols.



    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: Can not ping external Nated IP from behind the SRX from the server itself in the trust zone

    Posted 08-24-2023 16:41

    Yes, my regular NATs from the internet to my internal servers are working; it's just my servers to themselves on their external IPs that is not working. I have both the NAT policy and the security policy in place (I think) but it is not working. I read something on the Juniper KB about hairpin, not sure I did it right. My internal IPs are 10.10.20.0/24 and external 164.182.158.9/24.

    Can you tell me what to fix here please

    rule-set hairpin {
        from zone [ trust untrust ];
        rule hairpin-destination {
            match {
                destination-address 164.182.158.0/24;
            }
            then {
                destination-nat {
                    pool {
                        server;
                    }
                }
            }
        }
    }

    rule-set hairpin {
        from zone untrust;
        to zone trust;
        rule hairpin-source {
            match {
                source-address [ 164.182.158.0/24 ];
            }
            then {
                source-nat {
                    interface;
                }
            }
        }
    }



    ------------------------------
    JAY ECHOUAFNI
    ------------------------------



  • 4.  RE: Can not ping external Nated IP from behind the SRX from the server itself in the trust zone

    Posted 08-28-2023 07:02

    The nat policy looks good.  

    The security policy is not correct.  The internal traffic will be from Trust to Trust zones.

    Source address is the scope of the devices trying to access the server NOT the server nat address.

    Destination address will be the nat pool address of the target server.



    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------



  • 5.  RE: Can not ping external Nated IP from behind the SRX from the server itself in the trust zone

    Posted 08-28-2023 11:43

    The reason you see that is because there is already one from trust to untrust; otherwise none of my internal computers will be able to surf the net.

    from-zone trust to-zone untrust {
        policy our-internet-policy {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }



    ------------------------------
    JAY ECHOUAFNI
    ------------------------------



  • 6.  RE: Can not ping external Nated IP from behind the SRX from the server itself in the trust zone

    Posted 09-18-2023 10:33

    It has been weeks and I did not get any help on this. Would anyone take a minute and help me? I am really stuck and am hoping that this forum can help.



    ------------------------------
    JAY ECHOUAFNI
    ------------------------------



  • 7.  RE: Can not ping external Nated IP from behind the SRX from the server itself in the trust zone

    Posted 09-22-2023 16:49

    Hi Jay,

    Reiterating what Steve was saying: you need to have a security policy to allow traffic from your servers back to your servers.

    Security Policy is evaluated after NAT operations so you must use the ultimate source and destination addresses.


    If this is the "trust" zone it will look like this...

    from-zone trust to-zone trust {
        policy our-hairpin-policy {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }



    ------------------------------
    GAVIN WHITE
    ------------------------------



  • 8.  RE: Can not ping external Nated IP from behind the SRX from the server itself in the trust zone

    Posted 09-22-2023 17:22
    I did try this, but when I ping the domain or public IP behind the firewall it does not work.

    from-zone trust to-zone trust {
        policy our-hairpin-policy {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }





  • 9.  RE: Can not ping external Nated IP from behind the SRX from the server itself in the trust zone

    Posted 09-22-2023 17:50
    Keep in mind that I already have a policy like yours, and that does not allow me to ping any NATed public IP from the trust zone.

    policy trust-to-trust {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }




  • 10.  RE: Can not ping external Nated IP from behind the SRX from the server itself in the trust zone

    Posted 09-22-2023 19:46

    Hi Jay,

    Just reiterating Steve's note here, you will need to add a security policy to allow traffic from your servers back to your servers.

    Security policy is evaluated after NAT operations, so you will need to use the ultimate source and destination addresses here.

    The policy will look something like this...


    from-zone trust to-zone trust {
        policy our-hairpin-policy {
            match {
                source-address 10.10.20.0/24;
                destination-address 10.10.20.0/24;
                application any;
            }
            then {
                permit;
            }
        }
    }

    You can use any any here but the most important is the from-zone trust to-zone trust configuration.



    ------------------------------
    GAVIN WHITE
    ------------------------------



  • 11.  RE: Can not ping external Nated IP from behind the SRX from the server itself in the trust zone

    Posted 09-22-2023 19:55
    I can not commit; I get this:

    Warning(s):
    'policy our-hairpin-policy,policy our-hairpin-policy'

    1) Source address or address_set (10.10.20.0/24) not found. Please check if it is a SecProfiling Feed.
    2) Destination address or address_set (10.10.20.0/24) not found. Please check if it is a SecProfiling Feed.




  • 12.  RE: Can not ping external Nated IP from behind the SRX from the server itself in the trust zone

    Posted 09-22-2023 20:08

    Apologies for the double post. I got no confirmation from my first post. 

    The 'any any' rule you mentioned that you have will be as effective as the more specific rule I provided as an example. 
    The commit issue is because the source-address and destination-address fields have to be address names, referring to the address book entries you configure under [edit security address-book]. I just simplified it for conceptual purposes.

    Here is an example of the Hairpinning configuration rules you will need to apply.
    https://supportportal.juniper.net/s/article/SRX-How-to-set-up-NAT-hairpinning?language=en_US




    ------------------------------
    GAVIN WHITE
    ------------------------------



  • 13.  RE: Can not ping external Nated IP from behind the SRX from the server itself in the trust zone

    Posted 09-22-2023 20:29
    I did create an address book entry for both the internal and external IP, but when I try to ping the external IP from the server it does not work. I must be missing something. I reversed the addresses just in case and that also did not work.

    Srv-Mail-158.245 0 External IP
    Srv-Mail-105 internal IP

    policies {
        from-zone trust to-zone trust {
            policy our-hairpin-policy {
                match {
                    source-address Srv-Mail-158.245;
                    destination-address Srv-Mail-105;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }

    And this did not work either:

    policies {
        from-zone trust to-zone trust {
            policy our-hairpin-policy {
                match {
                    source-address Srv-Mail-105;
                    destination-address Srv-Mail-158.245;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }




  • 14.  RE: Can not ping external Nated IP from behind the SRX from the server itself in the trust zone

    Posted 09-23-2023 19:59

    Hi Jay,

    As the Security Policy is processed after NAT, your source and destination addresses will both be the internal IPs.

    I have written out an example of what your configuration for NAT and security policy would look like. (Sorry if there's a typo; it was written by hand.)
    Have a look over this and compare to what you have configured so far.

    security {
        nat {
            source {
                rule-set hairpin {
                    from zone trust;
                    to zone trust;
                    rule hairpin-snat {
                        match {
                            source-address 10.10.20.0/24;
                        }
                        then {
                            source-nat interface;
                        }
                    }
                }
            }
            destination {
                pool server-pool-internal {
                    address 10.10.20.0/24;
                }
                rule-set hairpin {
                    from zone trust;
                    rule hairpin-dnat {
                        match {
                            destination-address 164.182.158.0/24;
                        }
                        then {
                            destination-nat {
                                pool {
                                    server-pool-internal;
                                }
                            }
                        }
                    }
                }
            }
            proxy-arp {
                interface ge-0/0/0.0 {
                    address {
                        164.182.158.1/32 to 164.182.158.254/32;
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone trust {
                policy our-hairpin-policy {
                    match {
                        source-address Srv-Mail-105;
                        destination-address Srv-Mail-105;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
    }
    


    ------------------------------
    GAVIN WHITE
    ------------------------------
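    The point Steve and Gavin keep making (destination NAT first, then the route and zone lookup, then the security policy lookup on the post-NAT addresses, then source NAT) is easy to model. The Python below is an added illustration, not Juniper code and not anything posted in this thread; it assumes a 1:1 mapping of public .245 to internal .105, a trust-side SRX address of 10.10.20.1, and the two address-book names Jay used. Running it shows which policy a hairpinned ping from a trust client actually reaches, why the trust-to-untrust policy never sees it, why a policy written with the public address as the source cannot match, and what happens when the destination NAT rule-set does not list trust as a from-zone.

```python
"""Toy model of SRX first-packet flow processing for hairpinned traffic.

Constructed example, not Juniper code: it applies the steps in the order
the replies describe (destination NAT, route/zone lookup, security policy
lookup on the post-NAT addresses, then source NAT) so a reader can see
which policy a hairpinned session is evaluated against.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PUBLIC_NET = ip_network("164.182.158.0/24")   # public /24 from the thread
INTERNAL_NET = ip_network("10.10.20.0/24")    # internal /24 from the thread

# Assumed 1:1 mapping for this example only: public .245 -> internal .105
DNAT_MAP = {"164.182.158.245": "10.10.20.105"}
TRUST_IFACE_IP = "10.10.20.1"                 # assumed trust-side SRX address

# Address book: policies reference names, not raw prefixes (the commit
# warning in the thread is what you get when a prefix is used directly).
ADDRESS_BOOK = {
    "any": None,
    "Srv-Mail-105": ip_network("10.10.20.105/32"),
    "Srv-Mail-158.245": ip_network("164.182.158.245/32"),
}


@dataclass
class Policy:
    from_zone: str
    to_zone: str
    source: str        # address-book name
    destination: str   # address-book name
    action: str = "permit"


def zone_of(addr: str) -> str:
    """Stand-in for the route lookup: internal prefix is trust, public is untrust."""
    a = ip_address(addr)
    if a in INTERNAL_NET:
        return "trust"
    if a in PUBLIC_NET:
        return "untrust"
    raise ValueError(f"no zone for {addr}")


def matches(name: str, addr: str) -> bool:
    """'any' matches everything; otherwise test membership in the named prefix."""
    net = ADDRESS_BOOK[name]
    return net is None or ip_address(addr) in net


def process_first_packet(src: str, dst: str, policies, dnat_from_trust=True) -> dict:
    """Walk one new session through the flow steps and return a trace dict."""
    trace = {"in_zone": zone_of(src)}

    # 1. Destination NAT. The hairpin rule-set must list trust as a from-zone;
    #    otherwise internal clients keep the public destination address.
    post_dst = DNAT_MAP.get(dst, dst) if dnat_from_trust else dst
    trace["post_dnat_dst"] = post_dst

    # 2. Route lookup on the post-DNAT destination decides the egress zone.
    trace["out_zone"] = zone_of(post_dst)

    # 3. Security policy lookup uses the zone pair and the post-DNAT addresses.
    trace["policy"] = None
    trace["verdict"] = "deny"   # default deny when no policy matches
    for p in policies:
        if ((p.from_zone, p.to_zone) == (trace["in_zone"], trace["out_zone"])
                and matches(p.source, src) and matches(p.destination, post_dst)):
            trace["policy"] = p
            trace["verdict"] = p.action
            break

    # 4. Source NAT (interface) is applied last. For a hairpin it rewrites the
    #    client address so the server answers through the SRX, not directly.
    if trace["verdict"] == "permit" and trace["in_zone"] == trace["out_zone"] == "trust":
        trace["post_snat_src"] = TRUST_IFACE_IP
    else:
        trace["post_snat_src"] = src
    return trace


if __name__ == "__main__":
    internet_only = [Policy("trust", "untrust", "any", "any")]
    hairpin = [Policy("trust", "trust", "any", "Srv-Mail-105")]
    for label, pols in [("trust->untrust any/any", internet_only),
                        ("trust->trust to Srv-Mail-105", hairpin)]:
        t = process_first_packet("10.10.20.50", "164.182.158.245", pols)
        print(f"{label}: {t['in_zone']}->{t['out_zone']} "
              f"dst {t['post_dnat_dst']} verdict {t['verdict']}")
```

    The model covers only the steps the replies describe; it does not model proxy-ARP or the provider routing questions raised later in the thread, so it cannot say why a trust-to-trust any/any policy would still fail on Jay's box.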



  • 15.  RE: Can not ping external Nated IP from behind the SRX from the server itself in the trust zone

    Posted 09-23-2023 22:11
    There were error(s) delivering the configuration.

    Error(s):
    'address 164.182.158.1/32'

    1) Proxy ARP IP address range [164.182.158.1 164.182.158.254] overlaps with interface IP address range [164.182.158.254 164.182.158.254] defined on interface 'ge-0/0/0.0'
    2) configuration check-out failed




  • 16.  RE: Can not ping external Nated IP from behind the SRX from the server itself in the trust zone

    Posted 09-25-2023 10:06

    My apologies, Jay,

    I should have asked the following questions...

    1. Does your provider route this public subnet to your router IP or are you directly connected to the subnet? This last post just answered that for me. 
    2. What kind of NAT are you performing...
      1. 1:1 seq mapping... All of the IPs in this subnet to IPs within your private subnet? i.e. 164.182.158.2 --> 10.10.20.2... .3 --> .3 & .4 --> .4 etc
      2. Specific... Public IP to Specific Private IP (not sequential or ordered)
      3. Simple... Just one server to a public IP, 

    You won't need Proxy-arp for addresses you have configured on interfaces and you will not want to ARP the gateway IP... this would be bad! lol



    ------------------------------
    GAVIN WHITE
    ------------------------------