SRX

Hi,

Below is the architecture.

I have a cable with 6 Public IP addresses from 123.123.123.20 to 123.123.123.25.

Private IP address is 172.3.3.0/24.

IP 123.123.123.20 is used for VPN.

Now I want to set up NAT and use 123.123.123.21 to access the internet.

But not able to access the internet, what settings are missing?

Configuration is as follows.

set interfaces ge-0/0/0 description Public IP
set interfaces ge-0/0/0 unit 0 family inet address 123.123.123.20/24

//VPN(part of)
set security zones security-zone PUBLIC interfaces st0.0 host-inbound-traffic protocols ospf
set security zones security-zone PUBLIC interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set interfaces st0 unit 0 description "VPN"
set interfaces st0 unit 0 family inet address 172.4.4.4/31

//FW connect to SW(part of)
set security zones security-zone INTERNAL host-inbound-traffic system-services all
set security zones security-zone INTERNAL interfaces ae0.10 host-inbound-traffic system-services dhcp

//NAT config
set security nat source rule-set ALLOW_INTERNET from zone INTERNAL
set security nat source rule-set ALLOW_INTERNET to zone PUBLIC
set security nat source rule-set ALLOW_INTERNET rule ALLOW_INTERNET_IP match source-address 172.3.3.0/24
set security nat source rule-set ALLOW_INTERNET rule ALLOW_INTERNET_IP match destination-address 0.0.0.0/0
set security nat source rule-set ALLOW_INTERNET rule ALLOW_INTERNET_IP then source-nat interface

//Policies
set security policies from-zone INTERNAL to-zone PUBLIC policy ALLOW_TO_INTERNET match source-address 172.3.3.0/24
set security policies from-zone INTERNAL to-zone PUBLIC policy ALLOW_TO_INTERNET match destination-address any
set security policies from-zone INTERNAL to-zone PUBLIC policy ALLOW_TO_INTERNET match application any
set security policies from-zone INTERNAL to-zone PUBLIC policy ALLOW_TO_INTERNET then permit

set routing-options static route 0.0.0.0/0 next-hop 123.123.123.21

Hello,

Few things here:

1. Are you able to reach internet from the SRX itself ?
2. The config for NAT is fine except the fact that the device would use 123.123.123.20 for internet as well because, you are using source-nat interface. 

Action plan:

Setup sourcenat pool with 123.123.123.21 and configure proxy arp on ge-0/0/0.0

Check if session is getting build, if not run the below command: ( this will show you why packet is dropped) 

monitor security packet-drop source-prefix <ip address of test machine>

Regards,

Hi,

Below is the architecture.

I have a cable with 6 Public IP addresses from 123.123.123.20 to 123.123.123.25.

Private IP address is 172.3.3.0/24.

IP 123.123.123.20 is used for VPN.

Now I want to set up NAT and use 123.123.123.21 to access the internet.

But not able to access the internet, what settings are missing?

Configuration is as follows.

set interfaces ge-0/0/0 description Public IP
set interfaces ge-0/0/0 unit 0 family inet address 123.123.123.20/24

//VPN(part of)
set security zones security-zone PUBLIC interfaces st0.0 host-inbound-traffic protocols ospf
set security zones security-zone PUBLIC interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set interfaces st0 unit 0 description "VPN"
set interfaces st0 unit 0 family inet address 172.4.4.4/31

//FW connect to SW(part of)
set security zones security-zone INTERNAL host-inbound-traffic system-services all
set security zones security-zone INTERNAL interfaces ae0.10 host-inbound-traffic system-services dhcp

//NAT config
set security nat source rule-set ALLOW_INTERNET from zone INTERNAL
set security nat source rule-set ALLOW_INTERNET to zone PUBLIC
set security nat source rule-set ALLOW_INTERNET rule ALLOW_INTERNET_IP match source-address 172.3.3.0/24
set security nat source rule-set ALLOW_INTERNET rule ALLOW_INTERNET_IP match destination-address 0.0.0.0/0
set security nat source rule-set ALLOW_INTERNET rule ALLOW_INTERNET_IP then source-nat interface

//Policies
set security policies from-zone INTERNAL to-zone PUBLIC policy ALLOW_TO_INTERNET match source-address 172.3.3.0/24
set security policies from-zone INTERNAL to-zone PUBLIC policy ALLOW_TO_INTERNET match destination-address any
set security policies from-zone INTERNAL to-zone PUBLIC policy ALLOW_TO_INTERNET match application any
set security policies from-zone INTERNAL to-zone PUBLIC policy ALLOW_TO_INTERNET then permit

set routing-options static route 0.0.0.0/0 next-hop 123.123.123.21

Hi Brijil,

1. I can't reach internet from the SRX itself.
2. Here is the configuration. After commit, it can't access to internet.

[edit security nat]user@fw# showsource {    pool src-nat-pool-1 {        address {            123.123.123.21/32;        }    }    rule-set ALLOW_INTERNET {        from zone PRIVATE        to zone PUBLIC        rule ALLOW_INTERNET_IP {            match {                source-address 172.3.3.0/24;                destination-address 0.0.0.0/0;            }            then {                source-nat {                    pool {                        src-nat-pool-1;                    }                }            }        }    }}proxy-arp {    interface ge-0/0/0.0 {        address {            123.123.123.21/32;        }    }}

3. I can't use monitor security packet-drop source-prefix

user@fw> monitor security pa                                               ^syntax error, expecting <command>.

Hello,

Few things here:

1. Are you able to reach internet from the SRX itself ?
2. The config for NAT is fine except the fact that the device would use 123.123.123.20 for internet as well because, you are using source-nat interface. 

Action plan:

Setup sourcenat pool with 123.123.123.21 and configure proxy arp on ge-0/0/0.0

Check if session is getting build, if not run the below command: ( this will show you why packet is dropped) 

monitor security packet-drop source-prefix <ip address of test machine>

Regards,

Hi,

Below is the architecture.

I have a cable with 6 Public IP addresses from 123.123.123.20 to 123.123.123.25.

Private IP address is 172.3.3.0/24.

IP 123.123.123.20 is used for VPN.

Now I want to set up NAT and use 123.123.123.21 to access the internet.

But not able to access the internet, what settings are missing?

Configuration is as follows.

set interfaces ge-0/0/0 description Public IP
set interfaces ge-0/0/0 unit 0 family inet address 123.123.123.20/24

//VPN(part of)
set security zones security-zone PUBLIC interfaces st0.0 host-inbound-traffic protocols ospf
set security zones security-zone PUBLIC interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set interfaces st0 unit 0 description "VPN"
set interfaces st0 unit 0 family inet address 172.4.4.4/31

//FW connect to SW(part of)
set security zones security-zone INTERNAL host-inbound-traffic system-services all
set security zones security-zone INTERNAL interfaces ae0.10 host-inbound-traffic system-services dhcp

//NAT config
set security nat source rule-set ALLOW_INTERNET from zone INTERNAL
set security nat source rule-set ALLOW_INTERNET to zone PUBLIC
set security nat source rule-set ALLOW_INTERNET rule ALLOW_INTERNET_IP match source-address 172.3.3.0/24
set security nat source rule-set ALLOW_INTERNET rule ALLOW_INTERNET_IP match destination-address 0.0.0.0/0
set security nat source rule-set ALLOW_INTERNET rule ALLOW_INTERNET_IP then source-nat interface

//Policies
set security policies from-zone INTERNAL to-zone PUBLIC policy ALLOW_TO_INTERNET match source-address 172.3.3.0/24
set security policies from-zone INTERNAL to-zone PUBLIC policy ALLOW_TO_INTERNET match destination-address any
set security policies from-zone INTERNAL to-zone PUBLIC policy ALLOW_TO_INTERNET match application any
set security policies from-zone INTERNAL to-zone PUBLIC policy ALLOW_TO_INTERNET then permit

set routing-options static route 0.0.0.0/0 next-hop 123.123.123.21

Hi,

Below is the architecture.

I have a cable with 6 Public IP addresses from 123.123.123.20 to 123.123.123.25.

Private IP address is 172.3.3.0/24.

IP 123.123.123.20 is used for VPN.

Now I want to set up NAT and use 123.123.123.21 to access the internet.

But not able to access the internet, what settings are missing?

Configuration is as follows.

set interfaces ge-0/0/0 description Public IP
set interfaces ge-0/0/0 unit 0 family inet address 123.123.123.20/24

//VPN(part of)
set security zones security-zone PUBLIC interfaces st0.0 host-inbound-traffic protocols ospf
set security zones security-zone PUBLIC interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set interfaces st0 unit 0 description "VPN"
set interfaces st0 unit 0 family inet address 172.4.4.4/31

//FW connect to SW(part of)
set security zones security-zone INTERNAL host-inbound-traffic system-services all
set security zones security-zone INTERNAL interfaces ae0.10 host-inbound-traffic system-services dhcp

//NAT config
set security nat source rule-set ALLOW_INTERNET from zone INTERNAL
set security nat source rule-set ALLOW_INTERNET to zone PUBLIC
set security nat source rule-set ALLOW_INTERNET rule ALLOW_INTERNET_IP match source-address 172.3.3.0/24
set security nat source rule-set ALLOW_INTERNET rule ALLOW_INTERNET_IP match destination-address 0.0.0.0/0
set security nat source rule-set ALLOW_INTERNET rule ALLOW_INTERNET_IP then source-nat interface

//Policies
set security policies from-zone INTERNAL to-zone PUBLIC policy ALLOW_TO_INTERNET match source-address 172.3.3.0/24
set security policies from-zone INTERNAL to-zone PUBLIC policy ALLOW_TO_INTERNET match destination-address any
set security policies from-zone INTERNAL to-zone PUBLIC policy ALLOW_TO_INTERNET match application any
set security policies from-zone INTERNAL to-zone PUBLIC policy ALLOW_TO_INTERNET then permit

set routing-options static route 0.0.0.0/0 next-hop 123.123.123.21