Routing

 View Only
last person joined: 2 days ago 

Ask questions and share experiences about ACX Series, CTP Series, MX Series, PTX Series, SSR Series, JRR Series, and all things routing, including portfolios and protocols.
  • 1.  NAT Problem

    Posted 01-05-2023 16:01
    I set up a  static NAT for my server 10.10.20.199 to XXX.182.158.199 and have a security policy to allow untrust port 80 to that server behind the  SRX345. But the server does not see the internet and the internet does not see the server. I am Used to the ISG-2000 so J-Web is new to me.

    set security nat source rule-set nsw_srcnat from zone trust
    set security nat source rule-set nsw_srcnat to zone untrust
    set security nat source rule-set nsw_srcnat rule nsw-src-interface match source-address 0.0.0.0/0
    set security nat source rule-set nsw_srcnat rule nsw-src-interface match destination-address 0.0.0.0/0
    set security nat source rule-set nsw_srcnat rule nsw-src-interface then source-nat interface
    set security nat destination pool Win-2019 address 10.10.20.199/32
    set security nat destination pool Win-2019 address port 80
    set security nat static rule-set Servers from zone untrust
    set security nat static rule-set Servers rule MIP match destination-address XXX.182.158.199/32
    set security nat static rule-set Servers rule MIP then static-nat prefix 10.10.20.199/32
    set security nat proxy-arp interface ge-0/0/0.0 address XXX.182.158.199/32
    set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
    set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
    set security policies from-zone trust to-zone trust policy trust-to-trust match application any
    set security policies from-zone trust to-zone trust policy trust-to-trust then permit
    set security policies from-zone trust to-zone untrust policy our-internet-policy match source-address any
    set security policies from-zone trust to-zone untrust policy our-internet-policy match destination-address any
    set security policies from-zone trust to-zone untrust policy our-internet-policy match application any
    set security policies from-zone trust to-zone untrust policy our-internet-policy then permit
    set security policies from-zone untrust to-zone trust policy Test-Trusted match source-address any
    set security policies from-zone untrust to-zone trust policy Test-Trusted match destination-address 10.10.20.199
    set security policies from-zone untrust to-zone trust policy Test-Trusted match application junos-http
    set security policies from-zone untrust to-zone trust policy Test-Trusted match application RDP
    set security policies from-zone untrust to-zone trust policy Test-Trusted match application junos-dns-udp
    set security policies from-zone untrust to-zone trust policy Test-Trusted match application junos-icmp-ping
    set security policies from-zone untrust to-zone trust policy Test-Trusted match application junos-ping
    set security policies from-zone untrust to-zone trust policy Test-Trusted match source-identity any
    set security policies from-zone untrust to-zone trust policy Test-Trusted match dynamic-application any
    set security policies from-zone untrust to-zone trust policy Test-Trusted then permit
    set security policies from-zone untrust to-zone trust policy our-deny-policy match source-address any
    set security policies from-zone untrust to-zone trust policy our-deny-policy match destination-address any
    set security policies from-zone untrust to-zone trust policy our-deny-policy match application any
    set security policies from-zone untrust to-zone trust policy our-deny-policy then deny
    set security policies pre-id-default-policy then log session-close
    set security zones security-zone trust host-inbound-traffic system-services all
    set security zones security-zone trust host-inbound-traffic system-services ssh
    set security zones security-zone trust host-inbound-traffic protocols all
    set security zones security-zone trust interfaces irb.0
    set security zones security-zone trust interfaces ge-0/0/7.0
    set security zones security-zone untrust screen untrust-screen
    set security zones security-zone untrust host-inbound-traffic system-services ping
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services tftp
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
    set protocols rstp interface all
    set routing-options static route 0.0.0.0/0 next-hop XXX.182.144.1


    ------------------------------
    JAY ECHOUAFNI
    ------------------------------


  • 2.  RE: NAT Problem

    Posted 01-05-2023 20:33
    I fixed the issue


    ------------------------------
    JAY ECHOUAFNI
    ------------------------------



  • 3.  RE: NAT Problem

    Posted 01-09-2023 09:37
    I started moving my sites to the new SRX from my older Juniper Netscreen and noticed that on one of my web sites visitors' IPs are showing up with my firewall trust interface  IP 10.10.20.254 which is a high security risk and also false all the information.
    So I thought I misconfigured the Security policy when I put the inside IP of the destination server rather than the outside Nated IP.  I reverse that in the Security Policy and after that all stopped working so. All 15 of my Nated servers where no longer visible to the internet. All my Static NATs stopped working, No longer visible from the internet.

    When I go to an inside server behind the SRX and lookup it's IP it shows me the corrected nated outside IP . I can go out but nothing can get back in port 80 and ping. When I check the Security policies they did not changes since they were working fine I even disabled them and created a new on from untrust to trust and selected my server as the destination and allowed all services to test.

    I rolled back my config to one From few hours before any of my changes but nothing all the Nats are there and their ARP proxy IPs are there but not traffic is going thru the SRX.

    I can ping out of the SRX Wan interface and I can get to login screen from the web. Wan interface ge-0/0/0.0 but nothing else.  I am at a loss. I even rebooted the SRX345 in vein.

    I have been down for 4 hours and do not know how to get this back up. Please help me.



    ------------------------------
    JAY ECHOUAFNI
    ------------------------------



  • 4.  RE: NAT Problem

    Posted 01-09-2023 09:38
    Why when I look at my web server logs I see the firewall Lan (Trust) IP instead of the users IP???
    2023-01-07 12:19:22 10.10.20.199 GET /Portals/0/Images/laptop_bgd.jpg - 80 - 10.10.20.254 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_15_7)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/108.0.0.0+Safari/537.36 http://XXX.182.158.199/ 200 0 0 148

    Static Nat XXX.182.158.199 --> 10.10.20.199 
    Proxy Arp Setup and Security Policy Allow Http

    ------------------------------
    JAY ECHOUAFNI
    ------------------------------