SRX

 View Only
last person joined: 23 hours ago 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  DNAT for port forwarding multiple devices

    Posted 20 days ago

    Good Afternoon!!

    In our organization, we currently use port forwarding to provide external access to printers at our geographically spread out sites.  No S2S VPN's in use.

    This is fine when it's just one device, but I'm having some issues in setting up access to more than one device.

    I've used the Juniper KB as my base.  Destination NAT

    However, I did find that setting up as they demonstrate did not with with proxy arp.  Their statement essentially has you use your WAN IP on the interface.  When i've tried configuring this as demonstrated below, it errors out stating that you can't use this IP since it's already configured on the interface.

    set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.200/32

    As a  result, I use the local IP of the device i'm trying to access - set security nat proxy-arp interface ge-0/0/1.0 address 172.18.160.85/32

    That all being said,  when trying to setup two devices, I'm not sure what to do with the proxy-arp statement.  I've tried including two proxy-arp statements with the same interface, but it doesn't work and only allows access into one device.  Has anyone setup a similar design to this who has it working?



    ------------------------------
    NICHOLAS MARSZALKOWSKI
    ------------------------------


  • 2.  RE: DNAT for port forwarding multiple devices

    Posted 20 days ago

    Proxy arp is only needed when you are using an ip address that is NOT configured on the physical interface but is in the same subnet.

    For ip addresses configured on the interface the arp reply when that ip is used is part of the standard practice.

    Once proxy arp is configured for a particular additional address the single instance is all that is needed even if more that one port rule is configured against that address.



    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: DNAT for port forwarding multiple devices

    Posted 13 days ago
    Edited by NICHOLAS MARSZALKOWSKI 13 days ago

    "Once proxy arp is configured for a particular additional address the single instance is all that is needed even if more that one port rule is configured against that address" This issue I'm running into is that I have more than one internal address. 

    Here's what I have running.  One proxy-arp entry, but two internal devices that I'm trying to  connect to.   I tried with two entries, but didn't see any behavioral differences.   WAN IP changed for obvious reasons.   With the configuration below, I can get to my printer at 12.12.12.12:4443 but trying to get to my switch at 12.12.12.12:11443 just times out, which is the opposite of what I would have expected.

    set security nat destination pool dst-nat-pool-1 address 172.18.160.85/32
    set security nat destination pool dst-nat-pool-1 address port 443

    set security nat destination pool switch address 172.18.162.140/32
    set security nat destination pool switch address port 443

    set security nat destination rule-set rs1 from zone WAN2-Static
    set security nat destination rule-set rs1 rule r1 match destination-address 12.12.12.12
    set security nat destination rule-set rs1 rule r1 match destination-port 4443
    set security nat destination rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-1
    set security nat destination rule-set rs1 rule r2 match destination-address  12.12.12.12
    set security nat destination rule-set rs1 rule r2 match destination-port 11443
    set security nat destination rule-set rs1 rule r2 then destination-nat pool switch
    set security nat proxy-arp interface ge-0/0/1.0 address 172.18.162.140/32

    set security address-book global address Printer1 172.18.160.85/32
    set security address-book global address switch 172.18.162.140/32
    set security policies from-zone WAN2-Static to-zone LAN policy server-access match source-address any
    set security policies from-zone WAN2-Static to-zone LAN policy server-access match destination-address Printer1
    set security policies from-zone WAN2-Static to-zone LAN policy server-access match destination-address switch
    set security policies from-zone WAN2-Static to-zone LAN policy server-access match application any
    set security policies from-zone WAN2-Static to-zone LAN policy server-access then permit



    ------------------------------
    NICHOLAS MARSZALKOWSKI
    ------------------------------



  • 4.  RE: DNAT for port forwarding multiple devices

    Posted 13 days ago

    If I follow your example correctly you have the proxy arp configured on the wrong side of the nat.

    The proxy arp is used with the public address on the inbound interface where the public ip would be configured not on the nat changed private address.



    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------



  • 5.  RE: DNAT for port forwarding multiple devices

    Posted 10 days ago

    Thank you for your help.  I know that using the public address is what Juniper suggests in their KB. 

    However, I started using the inside IP because when i use the public IP, I get this error.

    [edit security nat proxy-arp interface ge-0/0/1.0] Proxy ARP IP address range [12.12.12.12 12.12.12.12] overlaps with interface IP address range [12.12.12.12 12.12.12.12] defined on interface 'ge-0/0/1.0'

    Penny for your thoughts?



    ------------------------------
    NICHOLAS MARSZALKOWSKI
    ------------------------------



  • 6.  RE: DNAT for port forwarding multiple devices

    Posted 10 days ago

    Proxy arp is not needed for the ip address assigned to the interface itself.  That will arp as part of the normal configuration.

    Proxy arp is for ip addresses within the same subnet of the interface but not actually configured on the interface.  Meaning the ip on the interface will arp as a proxy for the empty not configured ip address.



    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------



  • 7.  RE: DNAT for port forwarding multiple devices

    Posted 9 days ago

    We only own the 1 public IP in most situations.  If I proxy arp for another interface in the same subnet as our WAN interface IP, it would not be something we own.

    What would you recommend as a configuration change to allow access to more than one inside device?



    ------------------------------
    NICHOLAS MARSZALKOWSKI
    ------------------------------



  • 8.  RE: DNAT for port forwarding multiple devices

    Posted 9 days ago

    In the application where you configure printer addresses to print to, can you specify a port number, or just an IP address?

    If you can specify port numbers, then you can have different NAT rules matching the same public IP, but different port numbers and direct traffic to different printers based on the port number.

    If you cannot specify port numbers, then you're stuck to one printer per public IP address. The only workaround I can think of is if the application that uses the printers is also behind a VPN-capable device (or at least tunnel-capable device). If it is, then you can set up a VPN or GRE tunnel between the two devices, and then you'll be able to use private IP addresses.



    ------------------------------
    Nikolay Semov
    ------------------------------



  • 9.  RE: DNAT for port forwarding multiple devices

    Posted 8 days ago

    Hi Nikolay.  We're not using an application.  Just the web GUI of the printer over HTTPS.

    If i'm understanding you correctly, we can't DNAT to multiple devices behind the firewall unless we own multiple public IP addresses. 

    Is that accurate?



    ------------------------------
    NICHOLAS MARSZALKOWSKI
    ------------------------------



  • 10.  RE: DNAT for port forwarding multiple devices

    Posted 8 days ago

    Ok, you know what, yes, okay, I'm sorry I didn't pay enough attention and I missed it, but your configuration from 4 days ago is right, except as Steve said you really don't need the proxy-arp at all if 12.12.12.12 is the address of the outside interface already.

    At this point it's hard to tell why you can't access the web interface on the switch. Hopefully it's just disabled (good, web interfaces are mostly trouble these days).  Use the monitor security flow commands to perform a trace to make sure you get the traffic externally and the addresses get translated as expected and the correct policy matches.



    ------------------------------
    Nikolay Semov
    ------------------------------