Can not ping external Nated IP from behind the SRX from the server itself in the trust zone

  • 1.  Can not ping external Nated IP from behind the SRX from the server itself in the trust zone

    Posted 08-23-2023 14:12

    FYI it was working before, not sure what I did to break it. It is simple: I can not ping from the outside (the internet) any of my Public IPs that is NATed. I can also ping the public interface IP, but nothing that everyone outside is able to ping and view HTTP on from behind the SRX, not from the server inside in the trust zone. Is there a reverse or loopback command I am missing, please?



    ------------------------------
    JAY ECHOUAFNI
    ------------------------------


  • 2.  RE: Can not ping external Nated IP from behind the SRX from the server itself in the trust zone

    Posted 08-24-2023 10:56

    If I understand your layout correctly, you have successfully set up NAT and policy from internet sources to your public IP address, NATed to an internal server. But access to the same public IP address of those servers from internal addresses does not work.

    For the internal traffic to work you need two policies: NAT and security.

    For the NAT policy you likely can simply add the internal zone or zones as the source zone to the working NAT policy from the internet zone to the servers.

    For the security policy you need to confirm there is an existing security policy, or create a new one, from the source zone of the clients to the destination zone of the internal (after-NAT) address of the servers, covering ICMP, HTTP and any other desired protocols.



    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: Can not ping external Nated IP from behind the SRX from the server itself in the trust zone

    Posted 08-24-2023 16:41

    Yes, my regular NATs from the internet to my internal servers are working; it's just my servers to themselves on their external IPs that is not working. I have both the NAT policy and the security policy in place (I think) but it is not working. I read something on the Juniper KB about hairpin, not sure I did it right. My internal IPs are 10.10.20.0/24 and external 164.182.158.9/24.

    Can you tell me what to fix here, please?

        rule-set hairpin {
            from zone [ trust untrust ];
            rule hairpin-destination {
                match {
                    destination-address 164.182.158.0/24;
                }
                then {
                    destination-nat {
                        pool {
                            server;
                        }
                    }
                }
            }
        }
    }

        rule-set hairpin {
            from zone untrust;
            to zone trust;
            rule hairpin-source {
                match {
                    source-address [ 164.182.158.0/24 ];
                }
                then {
                    source-nat {
                        interface;
                    }
                }
            }
        }
    }



    ------------------------------
    JAY ECHOUAFNI
    ------------------------------



  • 4.  RE: Can not ping external Nated IP from behind the SRX from the server itself in the trust zone

    Posted 08-28-2023 07:02

    The NAT policy looks good.

    The security policy is not correct. The internal traffic will be from Trust to Trust zones.

    Source address is the scope of the devices trying to access the server, NOT the server NAT address.

    Destination address will be the NAT pool address of the target server.



    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------
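As an added example (not configuration posted by either participant), the `set`-form equivalent of the hairpin NAT rule-sets together with the trust-to-trust security policy described in the last reply. The addresses 10.10.20.0/24 and 164.182.158.9 come from the thread; the server's real address 10.10.20.10, the address-book names, and the policy name are assumptions. It goes beyond the thread in one point: the source NAT rule-set also covers trust to trust, which hairpin setups generally need so that the server's reply returns through the SRX instead of going directly to the client on the same LAN.

```junos
## Added example, not from the thread. Assumed: real server 10.10.20.10,
## public address 164.182.158.9 (from the thread), global address book.

## Address-book entries used by the security policy
set security address-book global address internal-clients 10.10.20.0/24
set security address-book global address web-server-real 10.10.20.10/32
set security address-book global address web-server-public 164.182.158.9/32

## Destination NAT: public address -> real server, matched for traffic
## arriving from the internet AND from the trust zone (the hairpin case)
set security nat destination pool server address 10.10.20.10/32
set security nat destination rule-set hairpin from zone [ trust untrust ]
set security nat destination rule-set hairpin rule hairpin-destination match destination-address 164.182.158.9/32
set security nat destination rule-set hairpin rule hairpin-destination then destination-nat pool server

## Source NAT for the trust-to-trust hairpin: the server sees the SRX as the
## client's source, so its reply comes back through the firewall (assumption
## beyond the thread; without it the reply can bypass the SRX and the
## session never completes)
set security nat source rule-set hairpin-internal from zone trust
set security nat source rule-set hairpin-internal to zone trust
set security nat source rule-set hairpin-internal rule hairpin-source match source-address 10.10.20.0/24
set security nat source rule-set hairpin-internal rule hairpin-source match destination-address 10.10.20.10/32
set security nat source rule-set hairpin-internal rule hairpin-source then source-nat interface

## Security policy: evaluated AFTER destination NAT, so it is trust-to-trust,
## source = the clients, destination = the server's real (pool) address,
## NOT the public address
set security policies from-zone trust to-zone trust policy hairpin-to-server match source-address internal-clients
set security policies from-zone trust to-zone trust policy hairpin-to-server match destination-address web-server-real
set security policies from-zone trust to-zone trust policy hairpin-to-server match application [ junos-ping junos-http junos-https ]
set security policies from-zone trust to-zone trust policy hairpin-to-server then permit
set security policies from-zone trust to-zone trust policy hairpin-to-server then log session-init
```

After committing, `show security nat destination rule all` shows whether the hairpin rule's hit counter increments when a trust-zone host pings 164.182.158.9, and `show security flow session destination-prefix 10.10.20.10` confirms the translated session exists with the trust-to-trust policy applied.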