SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  NAT on multiwan not working

    Posted 02-28-2024 04:52

    Good day,

    I have an SRX240 with 2 ISPs.

    The primary uses PPPoE (pp0.0) and works as expected.

    The secondary uses Ethernet with VLAN tagging.

    I switched some of the IPsec tunnels to this new connection, and they work fine.

    I also want to use destination NAT, but this isn't working.

    ge-0/0/15 {
        vlan-tagging;
        unit 9 {
            vlan-id 9;
            family inet {
                address 1.2.3.4/28;
            }
        }
    }

    The Routing instance

    fiber {
        instance-type virtual-router;
        interface ge-0/0/15.9;
        routing-options {
            interface-routes {
                rib-group inet inet-group;
            }
            static {
                route 0.0.0.0/0 next-hop 1.2.3.5;
            }
        }
    }
    

    Routing options

    interface-routes {
        rib-group inet inet-group;
    }
    static {
        route 0.0.0.0/0 next-hop pp0.0;
    }
    rib-groups {
        inet-group {
            import-rib [ inet.0 fiber.inet.0 ];
        }
    }

    Destination NAT

    rule-set untrust {
        from zone untrust;
        rule myserver {
            match {
                destination-address 0.0.0.0/0;
                destination-port 443;
            }
            then {
                destination-nat {
                    pool {
                        myserver;
                    }
                }
            }
        }
    }
    rule-set untrust-fiber {
        from zone untrust-fiber;
        rule myserver-fiber {
            match {
                destination-address 0.0.0.0/0;
                destination-port 443;
            }
            then {
                destination-nat {
                    pool {
                        myserver;
                    }
                }
            }
        }
    }

    The security policies are identical for untrust and untrust-fiber

    If I connect to the public IP of pp0.0, the web page shows.

    If I connect to the public IP of ge-0/0/15.9, there is no response.

    I know the connection is working, since the IPsec is working fine.

    What am I missing?



  • 2.  RE: NAT on multiwan not working

    Posted 02-28-2024 14:02

    Is there also an inbound security policy for the new untrust-fiber zone to permit the traffic matching the original untrust zone policy?



    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: NAT on multiwan not working

    Posted 02-28-2024 15:47

    Good day SPuluka, 

    Thanks (again 😏) for your reply. 

    Yes, it is an exact copy of the "untrust" policy, and a very simple one.

    Just to be sure, I checked it; output is below.

    show security policies from-zone untrust-fiber
    From zone: untrust-fiber, To zone: trust
      Policy: myserver, State: enabled, Index: 9, Scope Policy: 0, Sequence number: 1
        Source addresses: any
        Destination addresses: myserver
        Applications: junos-https
        Action: permit

    Kind regards, 

    Mark




  • 4.  RE: NAT on multiwan not working

    Posted 02-29-2024 09:40

    Can you check the connection status during a test? This will show the security policy and NAT hit and packet counts.

    show security flow session destination-port 443

    I'm wondering if the return path is not working because of the virtual router.  The response packet would go out the main ISP instead of back to the VR.

    You might need to add source NAT to the VR interface so the response from the server goes back to the VR instead of out the main ISP.



    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------



  • 5.  RE: NAT on multiwan not working

    Posted 02-29-2024 10:15

    When I do:

    show security flow session destination-port 443 source-prefix [client-pub-ip]/32

    I can see results for the pp0.0 IP.

    After waiting some time, the list is empty again.

    When trying to use the fiber IP, there is no result.

    My NAT looks like this.

    [edit security nat source]
    mark@xxxx-srx240# show 
    rule-set trust-to-untrust {
        from zone [ dmz guest iot trust ];
        to zone untrust;
        rule source-nat-rule {
            match {
                source-address 172.16.0.0/12;
                destination-address 0.0.0.0/0;
            }
            then {
                source-nat {
                    interface;
                }
            }
        }
    }
    rule-set trust-to-untrust-fiber {
        from zone [ dmz guest iot trust ];
        to zone untrust-fiber;
        rule source-nat-rule-fiber {
            match {
                source-address 172.16.0.0/12;
                destination-address 0.0.0.0/0;
            }
            then {
                source-nat {
                    interface;
                }
            }
        }
    }
    



  • 6.  RE: NAT on multiwan not working

    Posted 02-29-2024 18:39

    @Koos147 Check the fiber routing table to make sure it has the correct route to your server. Out of curiosity, what Junos version are you running? Does show monitor security flow give you any output?

    @spuluka Reverse route should be looked up in the routing table of the incoming interface, and the response from the server should match an existing session (unless the firewall is in packet mode for some reason), so I'm thinking source NAT shouldn't really be necessary.



    ------------------------------
    Nikolay Semov
    ------------------------------



  • 7.  RE: NAT on multiwan not working

    Posted 03-01-2024 06:54

    Hi Nikolay,

    Just noticed that the IPsec tunnel was outbound.

    Temporarily enabled SSH on the interface and was able to log in remotely.

    show security flow session source-prefix [remoteip]/32 destination-port 22
    Session ID: 980, Policy name: self-traffic-policy/1, Timeout: 18, Valid
      In: [remoteip]/26871 --> [local-fiber-ip]/22;tcp, If: ge-0/0/15..9, Pkts: 2, Bytes: 104
      Out: [local-fiber-ip]/22 --> [remoteip]/26871;tcp, If: .local..4, Pkts: 0, Bytes: 0
    Total sessions: 1
    

    The 0 bytes were due to (the only) firewall filter, which allows SSH from a prefix list. After adding my IP, the SSH actually worked ;)

    When checking port 443 there is no result.
    "Does show monitor security flow give you any output?"

    Depends on what you call output.

     show monitor security flow
    Monitor security flow session status: Inactive
    Monitor security flow trace file: None
    Monitor security flow filters: 0
    

    "unless the firewall is in packet mode for some reason"

    No

     show security flow status
      Flow forwarding mode:
        Inet forwarding mode: flow based
        Inet6 forwarding mode: drop
        MPLS forwarding mode: drop
        ISO forwarding mode: drop
      Flow trace status
        Flow tracing status: off
      Flow session distribution
        Distribution mode: RR-based
      Flow ipsec performance acceleration: off
      Flow packet ordering
        Ordering mode: Hardware
    



  • 8.  RE: NAT on multiwan not working

    Posted 03-01-2024 20:45

    @Koos147 You can set up a flow monitor to see exactly how the connection to your server gets eaten. It would be something like this:

    monitor security flow filter filter-name-here source-prefix EXT_PUBLIC_IP_FROM_WHERE_YOU_TEST/32 destination-port 443
    monitor security flow file flow-trace
    monitor security flow start
    --- at this point do one test using the non-working address and, if you like,
    --- one using the working address for comparison, though watch out for noise in the log

    monitor security flow stop
    show log flow-trace

    This should show you exactly what's happening with the traffic and where it gets lost. Reference: https://www.juniper.net/documentation/us/en/software/junos/flow-packet-processing/topics/topic-map/security-flow-session-and-error-handling.html

    @spuluka I use a multi-VR configuration and that's not how routing behaves. On the first packet (from untrust-fiber to trust) the reverse route is looked up in the route table of the incoming interface (fiber). Then the session gets installed with the computed interfaces and routes. The response traffic (trust to untrust-fiber) matches the installed session and traffic gets sent out according to the interfaces and routes stored in the session without further route lookups. At least this is the behavior I get out of the box with multiple virtual-router routing instances, without source NAT (only destination NAT).

    I do, however, use instance-import and instance-export rather than RIB groups to make sure the fiber routing instance has a route to the internal server address.  The rib-group syntax always trips me up so I can't evaluate it by just reading the configuration provided in this thread.

    From what I can see, in this case I strongly suspect the fiber routing instance is missing a route to the server address.



    ------------------------------
    Nikolay Semov
    ------------------------------
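Editor's note on the route-leak half of the diagnosis above (posts 6 and 8): the block below is an added Junos example, not configuration from this thread or from either poster. It shows how to leak interface routes in both directions so that fiber.inet.0 carries the trust subnet where the server sits and inet.0 knows the fiber transit subnet. The interface and address values from the thread are kept (ge-0/0/15.9 with VLAN 9, 1.2.3.4/28, next hop 1.2.3.5, pp0.0); the server LAN 172.16.10.0/24 on ge-0/0/0.0 is an assumption. Junos documentation for rib-groups requires the first table under import-rib to be the primary table of the instance the group is applied in, so this example uses one rib-group per instance instead of re-using inet-group from inside the fiber instance as the original post does. It is written in set-command form so it can be pasted with load set terminal.

```junos
## Added example, not from the thread.  Leak connected (interface) routes
## between the master instance and the "fiber" virtual-router so that
## fiber.inet.0 has a route back to the server LAN and inet.0 knows the
## fiber transit subnet.  Only interface routes are leaked; each instance
## keeps its own default route, so outbound traffic is unaffected.
## Assumed: server LAN 172.16.10.0/24 on ge-0/0/0.0 in the master instance.

## rib-groups are defined once, globally; the first import-rib entry is the
## primary table of the instance the group is applied in
set routing-options rib-groups inet-group import-rib [ inet.0 fiber.inet.0 ]
set routing-options rib-groups fiber-group import-rib [ fiber.inet.0 inet.0 ]

## master instance: trust LAN and pp0.0 interface routes go to inet.0 and
## are copied into fiber.inet.0
set interfaces ge-0/0/0 unit 0 family inet address 172.16.10.1/24
set routing-options interface-routes rib-group inet inet-group
set routing-options static route 0.0.0.0/0 next-hop pp0.0

## fiber instance: its transit /28 goes to fiber.inet.0 and is copied into inet.0
set interfaces ge-0/0/15 vlan-tagging
set interfaces ge-0/0/15 unit 9 vlan-id 9
set interfaces ge-0/0/15 unit 9 family inet address 1.2.3.4/28
set routing-instances fiber instance-type virtual-router
set routing-instances fiber interface ge-0/0/15.9
set routing-instances fiber routing-options interface-routes rib-group inet fiber-group
set routing-instances fiber routing-options static route 0.0.0.0/0 next-hop 1.2.3.5

## checks after commit: the server LAN must appear in fiber.inet.0, and the
## fiber default route must NOT have leaked into inet.0
## > show route table fiber.inet.0 172.16.10.10
## > show route table inet.0 0.0.0.0/0 exact
```

If the first check returns nothing, the reverse route lookup for a connection arriving on ge-0/0/15.9 fails and the session is never built, which matches the empty show security flow session output reported earlier in the thread.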



  • 9.  RE: NAT on multiwan not working

    Posted 03-01-2024 15:18

    The IP address in show security flow will need to be the after-NAT inside address to show the sessions.

    The local routing is by the route table in each virtual router. There is no routing override from security policies.

    So the server responding to the external request from ISP 2 will respond via ISP 1 in the default route table, due to the default route and public address.

    If you want to allow this non-symmetrical response, you could just put the new interface in the VR into the same untrust zone as your original setup. Then all the original policies will apply, and since they have the same zone, the response out ISP 1 would match the session too.

    The other alternative I mentioned should also work with the route leaking you seem to have in place. For the new zone and ISP, add a source NAT to interface address policy in addition to the destination NAT. Then the return packet from the server will route back to the VR and out the new ISP, matching the session.



    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------
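The source-NAT variant suggested in the post above, as an added Junos example (not configuration from the thread): connections that arrive on the fiber address are destination-NATed to the server and, within the same session, source-NATed to the SRX's own trust-side address, so the server's replies are addressed to the SRX itself and return into the existing session regardless of which routing table the server's route falls in. Zone names, the pool name myserver and the 1.2.3.4 address are taken from the thread; the server address 172.16.10.10 and the existence of an address-book entry named myserver for it are assumptions. One caveat to weigh before choosing this over the route-leak fix: the server then logs the SRX trust address instead of the real client address, which removes per-client rate limiting, geo-blocking and forensic attribution on the server side.

```junos
## Added example, not from the thread.  Destination NAT on the fiber zone
## plus a source NAT rule for the same direction.  Assumed server address
## 172.16.10.10; the trust interface address is picked up automatically by
## "source-nat interface".  The address-book entry "myserver" used by the
## policy is assumed to exist, as in the thread.

## destination NAT: match the SRX's own fiber address rather than 0.0.0.0/0,
## so only traffic aimed at 1.2.3.4:443 is translated
set security nat destination pool myserver address 172.16.10.10/32 port 443
set security nat destination rule-set untrust-fiber from zone untrust-fiber
set security nat destination rule-set untrust-fiber rule myserver-fiber match destination-address 1.2.3.4/32
set security nat destination rule-set untrust-fiber rule myserver-fiber match destination-port 443
set security nat destination rule-set untrust-fiber rule myserver-fiber then destination-nat pool myserver

## source NAT is evaluated after destination NAT and after the route lookup,
## so the match is on the translated (inside) destination and the to-zone
## is the server's zone (trust)
set security nat source rule-set untrust-fiber-to-trust from zone untrust-fiber
set security nat source rule-set untrust-fiber-to-trust to zone trust
set security nat source rule-set untrust-fiber-to-trust rule hide-inbound match source-address 0.0.0.0/0
set security nat source rule-set untrust-fiber-to-trust rule hide-inbound match destination-address 172.16.10.10/32
set security nat source rule-set untrust-fiber-to-trust rule hide-inbound then source-nat interface

## the security policy still matches the post-NAT destination (as shown in
## post 3 of the thread)
set security policies from-zone untrust-fiber to-zone trust policy myserver match source-address any
set security policies from-zone untrust-fiber to-zone trust policy myserver match destination-address myserver
set security policies from-zone untrust-fiber to-zone trust policy myserver match application junos-https
set security policies from-zone untrust-fiber to-zone trust policy myserver then permit

## check: the session's Out wing should now show the server replying to the
## SRX trust address, and Pkts on that wing should be non-zero
## > show security flow session destination-port 443
```

Because both NAT types are applied to the same first packet, the session that is installed already holds the translated addresses for both wings, so no second route lookup is needed for the server's replies.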



  • 10.  RE: NAT on multiwan not working

    Posted 03-04-2024 09:11

    Guys

    Thanks for all the support.

    During the test from Nikolay the site was working.

    Part of the problem was outside of the context.

    The location is a test site, and the production device is an SRX320 with a routed subnet assigned to a VLAN.

    Here there was only a policy to allow outbound traffic. After adding one for inbound, the SSH was working, but still no server.

    Did some more testing; it wasn't working.

    After a weekend's rest, the connection was working.

    So no idea why it didn't work at first. (show | compare rollback shows only changes to the IP list for SSH and ping in the system services.)

    But anyway, I want to thank you, I learned a lot in troubleshooting.