SRX

  • 1.  [SRX1500] NAT configuration with 6 IP addresses on one interface

    Posted 03-09-2023 11:50

    Hi,

    Below is the architecture.

    I have a cable with 6 public IP addresses from 123.123.123.20 to 123.123.123.25.

    Private IP address is 172.3.3.0/24.

    IP 123.123.123.20 is used for VPN.

    Now I want to set up NAT and use 123.123.123.21 to access the internet.

    But I am not able to access the internet; what settings are missing?

    Configuration is as follows.

    set interfaces ge-0/0/0 description Public IP
    set interfaces ge-0/0/0 unit 0 family inet address 123.123.123.20/24

    //VPN(part of)
    set security zones security-zone PUBLIC interfaces st0.0 host-inbound-traffic protocols ospf
    set security zones security-zone PUBLIC interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
    set interfaces st0 unit 0 description "VPN"
    set interfaces st0 unit 0 family inet address 172.4.4.4/31

    //FW connect to SW(part of)
    set security zones security-zone INTERNAL host-inbound-traffic system-services all
    set security zones security-zone INTERNAL interfaces ae0.10 host-inbound-traffic system-services dhcp

    //NAT config
    set security nat source rule-set ALLOW_INTERNET from zone INTERNAL
    set security nat source rule-set ALLOW_INTERNET to zone PUBLIC
    set security nat source rule-set ALLOW_INTERNET rule ALLOW_INTERNET_IP match source-address 172.3.3.0/24
    set security nat source rule-set ALLOW_INTERNET rule ALLOW_INTERNET_IP match destination-address 0.0.0.0/0
    set security nat source rule-set ALLOW_INTERNET rule ALLOW_INTERNET_IP then source-nat interface

    //Policies
    set security policies from-zone INTERNAL to-zone PUBLIC policy ALLOW_TO_INTERNET match source-address 172.3.3.0/24
    set security policies from-zone INTERNAL to-zone PUBLIC policy ALLOW_TO_INTERNET match destination-address any
    set security policies from-zone INTERNAL to-zone PUBLIC policy ALLOW_TO_INTERNET match application any
    set security policies from-zone INTERNAL to-zone PUBLIC policy ALLOW_TO_INTERNET then permit

    set routing-options static route 0.0.0.0/0 next-hop 123.123.123.21



  • 2.  RE: [SRX1500] NAT configuration with 6 IP addresses on one interface

     
    Posted 03-09-2023 13:23

    Hello,

    A few things here:

    1. Are you able to reach the internet from the SRX itself?
    2. The config for NAT is fine, except for the fact that the device would use 123.123.123.20 for internet as well, because you are using source-nat interface.

    Action plan:

    Set up a source NAT pool with 123.123.123.21 and configure proxy ARP on ge-0/0/0.0.

    Check if the session is getting built; if not, run the below command (this will show you why the packet is dropped):

    monitor security packet-drop source-prefix <ip address of test machine>

    Regards,



    ------------------------------
    Brijil R
    ------------------------------



  • 3.  RE: [SRX1500] NAT configuration with 6 IP addresses on one interface

    Posted 03-10-2023 05:07

    Hi Brijil,

    1. I can't reach the internet from the SRX itself.
    2. Here is the configuration. After commit, it can't access the internet.
    [edit security nat]
    user@fw# show
    source {
        pool src-nat-pool-1 {
            address {
                123.123.123.21/32;
            }
        }
        rule-set ALLOW_INTERNET {
            from zone PRIVATE
            to zone PUBLIC
            rule ALLOW_INTERNET_IP {
                match {
                    source-address 172.3.3.0/24;
                    destination-address 0.0.0.0/0;
                }
                then {
                    source-nat {
                        pool {
                            src-nat-pool-1;
                        }
                    }
                }
            }
        }
    }
    proxy-arp {
        interface ge-0/0/0.0 {
            address {
                123.123.123.21/32;
            }
        }
    }

    3. I can't use monitor security packet-drop source-prefix:

    user@fw> monitor security pa
                                                   ^
    syntax error, expecting <command>.


    ------------------------------
    Shawn Su
    ------------------------------



  • 4.  RE: [SRX1500] NAT configuration with 6 IP addresses on one interface

     
    Posted 03-10-2023 06:39

    Hello Shawn,

    If that's the case, then it should be some routing issue from your ISP.

    Check if your next hop is working. If not, contact the ISP.

    Also, take a traceroute from the SRX to any public DNS like 8.8.8.8 and provide the output, so that it would be easy for the ISP to triage the issue.

    Regards



    ------------------------------
    Brijil R
    ------------------------------



  • 5.  RE: [SRX1500] NAT configuration with 6 IP addresses on one interface

    Posted 03-12-2023 15:00

    From the sample configuration it looks like your default route is pointed to one of your own 6 IP addresses instead of the ISP upstream gateway address:

    set routing-options static route 0.0.0.0/0 next-hop 123.123.123.21

    This should be the following, assuming a /24 as an example with the ISP using the first address as their gateway device:

    set routing-options static route 0.0.0.0/0 next-hop 123.123.123.1

    I also notice that you are using NAT interface, which would give your traffic a NAT address of the 123.123.123.20 IP you assign to the interface and not your noted second address. For that you would need to create a pool address for 123.123.123.21/32, assign that as the NAT source, and also add the proxy ARP to the interface configuration.



    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------
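    The two corrections given in Brijil's and Steve's replies (a NAT pool for 123.123.123.21 with proxy ARP on ge-0/0/0.0, and a default route pointing at the ISP gateway rather than at one of the customer's own addresses) can be checked mechanically before a commit. The Python script below is an added example, not code from this thread or from Juniper: it parses set-format Junos configuration with a few regular expressions and reports the three misconfigurations discussed above (next hop inside the customer's own block, source-nat interface where a different public address was intended, and a pool address in the interface subnet with no proxy-arp entry). The configuration strings are constructed reproductions of the lines from the original post; the assigned block 123.123.123.20 to .25 comes from the post, and 123.123.123.1 as the ISP gateway is the same assumption Steve made.

```python
import ipaddress
import re

# Constructed reproduction of the relevant lines from the original post.
ORIGINAL_CONFIG = """
set interfaces ge-0/0/0 unit 0 family inet address 123.123.123.20/24
set security nat source rule-set ALLOW_INTERNET rule ALLOW_INTERNET_IP match source-address 172.3.3.0/24
set security nat source rule-set ALLOW_INTERNET rule ALLOW_INTERNET_IP then source-nat interface
set routing-options static route 0.0.0.0/0 next-hop 123.123.123.21
"""

# The same lines with the thread's fixes applied. 123.123.123.1 as the ISP
# gateway is an assumption, as it was in the thread.
FIXED_CONFIG = """
set interfaces ge-0/0/0 unit 0 family inet address 123.123.123.20/24
set security nat source pool src-nat-pool-1 address 123.123.123.21/32
set security nat source rule-set ALLOW_INTERNET rule ALLOW_INTERNET_IP match source-address 172.3.3.0/24
set security nat source rule-set ALLOW_INTERNET rule ALLOW_INTERNET_IP then source-nat pool src-nat-pool-1
set security nat proxy-arp interface ge-0/0/0.0 address 123.123.123.21/32
set routing-options static route 0.0.0.0/0 next-hop 123.123.123.1
"""

IFACE_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family inet address (\S+)$")
POOL_RE = re.compile(r"^set security nat source pool (\S+) address (\S+)$")
RULE_RE = re.compile(r"^set security nat source rule-set \S+ rule (\S+) then source-nat (interface|pool \S+)$")
PROXY_RE = re.compile(r"^set security nat proxy-arp interface (\S+) address (\S+)$")
ROUTE_RE = re.compile(r"^set routing-options static route 0\.0\.0\.0/0 next-hop (\S+)$")


def address_range(first, last):
    """All addresses from first to last inclusive (the block the ISP assigned)."""
    lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    return {ipaddress.ip_address(i) for i in range(lo, hi + 1)}


# The six public addresses from the original post.
ASSIGNED = address_range("123.123.123.20", "123.123.123.25")


def parse(config):
    """Pull the facts the checks need out of set-format configuration."""
    facts = {"interfaces": {}, "pools": {}, "rules": {}, "proxy_arp": {}, "next_hops": []}
    for raw in config.splitlines():
        line = raw.strip()
        if m := IFACE_RE.match(line):
            facts["interfaces"][f"{m[1]}.{m[2]}"] = ipaddress.ip_interface(m[3])
        elif m := POOL_RE.match(line):
            facts["pools"].setdefault(m[1], []).append(ipaddress.ip_network(m[2], strict=False))
        elif m := RULE_RE.match(line):
            facts["rules"][m[1]] = m[2]  # "interface" or "pool <name>"
        elif m := PROXY_RE.match(line):
            facts["proxy_arp"].setdefault(m[1], []).append(ipaddress.ip_network(m[2], strict=False))
        elif m := ROUTE_RE.match(line):
            facts["next_hops"].append(ipaddress.ip_address(m[1]))
    return facts


def check_default_route(facts, assigned):
    findings = []
    for nh in facts["next_hops"]:
        if nh in assigned or any(nh == ifc.ip for ifc in facts["interfaces"].values()):
            findings.append(f"default route next-hop {nh} is one of your own assigned public "
                            f"addresses, not the ISP gateway")
        elif not any(nh in ifc.network for ifc in facts["interfaces"].values()):
            findings.append(f"default route next-hop {nh} is not on any directly connected subnet")
    return findings


def check_source_nat(facts):
    findings = []
    # Internet egress is whichever interface subnet holds a default next-hop.
    egress = {name: ifc for name, ifc in facts["interfaces"].items()
              if any(nh in ifc.network for nh in facts["next_hops"])}
    for rule, action in facts["rules"].items():
        if action == "interface":
            ips = ", ".join(str(ifc.ip) for ifc in egress.values()) or "the egress interface"
            findings.append(f"rule {rule} uses 'source-nat interface', so internet traffic is "
                            f"translated to {ips}, not to a separately chosen public address")
            continue
        pool = action.split()[1]
        if pool not in facts["pools"]:
            findings.append(f"rule {rule} references undefined pool {pool}")
            continue
        for net in facts["pools"][pool]:
            for name, ifc in facts["interfaces"].items():
                # A pool address inside an interface subnet only works if the
                # SRX answers ARP for it on that interface (proxy-arp).
                if net.subnet_of(ifc.network) and not any(
                        net.subnet_of(p) for p in facts["proxy_arp"].get(name, [])):
                    findings.append(f"pool {pool} address {net} is in the subnet of {name} but "
                                    f"has no proxy-arp entry, so the ISP gateway cannot ARP for it")
    return findings


def check(config, assigned=ASSIGNED):
    facts = parse(config)
    return check_default_route(facts, assigned) + check_source_nat(facts)


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{label}: {check(cfg) or ['no findings']}")
```

    Run against the original configuration, check() reports both problems; against the corrected configuration it reports none. Dropping only the proxy-arp line from the corrected configuration reproduces the silent failure mode behind a pool that "just doesn't work": outbound packets leave with source 123.123.123.21, but nothing on the wire answers the ISP gateway's ARP request for that address, so the return traffic never reaches the SRX and no session completes.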



  • 6.  RE: [SRX1500] NAT configuration with 6 IP addresses on one interface

    Posted 04-07-2023 07:41

    Hi Brijil and spuluka,

    Thanks both of you.
    Besides configuring the "nat pool", it also needs a static route to the gateway, "set routing-options static route 0.0.0.0/0 next-hop 123.123.123.1".
    And the reason for not being able to connect to the Internet was the firewall rules.



    ------------------------------
    Shawn Su
    ------------------------------