Check if your next hop is working. If not, contact the ISP.
Also, take a traceroute from the SRX to any public DNS server, such as 8.8.8.8, and provide the output so that it is easier for the ISP to triage the issue.
Original Message:
Sent: 03-09-2023 22:22
From: Shawn Su
Subject: [SRX1500] NAT configuration with 6 IP address on one interface
Hi Brijil,
- I can't reach the internet from the SRX itself.
- Here is the configuration. After commit, it can't access the internet.
[edit security nat]
user@fw# show
source {
    pool src-nat-pool-1 {
        address {
            123.123.123.21/32;
        }
    }
    rule-set ALLOW_INTERNET {
        from zone PRIVATE;
        to zone PUBLIC;
        rule ALLOW_INTERNET_IP {
            match {
                source-address 172.3.3.0/24;
                destination-address 0.0.0.0/0;
            }
            then {
                source-nat {
                    pool {
                        src-nat-pool-1;
                    }
                }
            }
        }
    }
}
proxy-arp {
    interface ge-0/0/0.0 {
        address {
            123.123.123.21/32;
        }
    }
}
- I can't use monitor security packet-drop source-prefix
user@fw> monitor security pa
                           ^
syntax error, expecting <command>.
------------------------------
Shawn Su
Original Message:
Sent: 03-09-2023 13:22
From: Brijil
Subject: [SRX1500] NAT configuration with 6 IP address on one interface
Hello,
A few things here:
1. Are you able to reach the internet from the SRX itself?
2. The config for NAT is fine, except that the device would use 123.123.123.20 for internet as well, because you are using source-nat interface.
Action plan:
Set up a source NAT pool with 123.123.123.21 and configure proxy ARP on ge-0/0/0.0
Check if the session is getting built; if not, run the below command (this will show you why the packet is dropped):
monitor security packet-drop source-prefix <ip address of test machine>
Regards,
------------------------------
Brijil R
Original Message:
Sent: 03-09-2023 11:30
From: Shawn Su
Subject: [SRX1500] NAT configuration with 6 IP address on one interface
Hi,
Below is the architecture.
I have a cable with 6 Public IP addresses from 123.123.123.20 to 123.123.123.25.
Private IP address is 172.3.3.0/24.
IP 123.123.123.20 is used for VPN.
Now I want to set up NAT and use 123.123.123.21 to access the internet.
But I am not able to access the internet; what settings are missing?
Configuration is as follows.
set interfaces ge-0/0/0 description Public IP
set interfaces ge-0/0/0 unit 0 family inet address 123.123.123.20/24
//VPN(part of)
set security zones security-zone PUBLIC interfaces st0.0 host-inbound-traffic protocols ospf
set security zones security-zone PUBLIC interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set interfaces st0 unit 0 description "VPN"
set interfaces st0 unit 0 family inet address 172.4.4.4/31
//FW connect to SW(part of)
set security zones security-zone INTERNAL host-inbound-traffic system-services all
set security zones security-zone INTERNAL interfaces ae0.10 host-inbound-traffic system-services dhcp
//NAT config
set security nat source rule-set ALLOW_INTERNET from zone INTERNAL
set security nat source rule-set ALLOW_INTERNET to zone PUBLIC
set security nat source rule-set ALLOW_INTERNET rule ALLOW_INTERNET_IP match source-address 172.3.3.0/24
set security nat source rule-set ALLOW_INTERNET rule ALLOW_INTERNET_IP match destination-address 0.0.0.0/0
set security nat source rule-set ALLOW_INTERNET rule ALLOW_INTERNET_IP then source-nat interface
//Policies
set security policies from-zone INTERNAL to-zone PUBLIC policy ALLOW_TO_INTERNET match source-address 172.3.3.0/24
set security policies from-zone INTERNAL to-zone PUBLIC policy ALLOW_TO_INTERNET match destination-address any
set security policies from-zone INTERNAL to-zone PUBLIC policy ALLOW_TO_INTERNET match application any
set security policies from-zone INTERNAL to-zone PUBLIC policy ALLOW_TO_INTERNET then permit
set routing-options static route 0.0.0.0/0 next-hop 123.123.123.21
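As an added example (not from the thread or from Juniper), the checks Brijil walks through above can be scripted against a set-style config before commit: does every NAT rule-set zone exist, does every pool address have a proxy-arp entry, and is the default route's next hop a reachable neighbour rather than one of the box's own NAT addresses. The sample config is constructed from the lines in this thread, with the later pool/proxy-arp change transcribed into set form by me; the zone PRIVATE is flagged only because it is not declared in the sample.

```python
import ipaddress
import re

# Constructed sample: the set-style lines from the thread plus the later pool/proxy-arp
# change transcribed into set form (my transcription, an assumption).
SAMPLE_CONFIG = """
set interfaces ge-0/0/0 unit 0 family inet address 123.123.123.20/24
set security zones security-zone PUBLIC interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone INTERNAL interfaces ae0.10 host-inbound-traffic system-services dhcp
set security nat source pool src-nat-pool-1 address 123.123.123.21/32
set security nat source rule-set ALLOW_INTERNET from zone PRIVATE
set security nat source rule-set ALLOW_INTERNET to zone PUBLIC
set security nat proxy-arp interface ge-0/0/0.0 address 123.123.123.21/32
set routing-options static route 0.0.0.0/0 next-hop 123.123.123.21
"""

PATTERNS = {  # one regex per fact pulled out of a "set ..." line
    "zone": r"set security zones security-zone (\S+)",
    "iface": r"set interfaces \S+ unit \d+ family inet address (\S+)",
    "pool": r"set security nat source pool \S+ address (\S+)",
    "parp": r"set security nat proxy-arp interface \S+ address (\S+)",
    "rszone": r"set security nat source rule-set \S+ (?:from|to) zone (\S+)",
    "nexthop": r"set routing-options static route 0\.0\.0\.0/0 next-hop (\S+)",
}

def lint_nat_config(text):
    """Return human-readable findings for a set-style SRX source NAT config."""
    facts = {k: [] for k in PATTERNS}
    for line in text.splitlines():
        for key, pat in PATTERNS.items():
            if m := re.match(pat, line.strip()):
                facts[key].append(m.group(1))
    zones = set(facts["zone"])
    ifaces = [ipaddress.ip_interface(a) for a in facts["iface"]]
    pools = {ipaddress.ip_interface(a).ip for a in facts["pool"]}
    parp = {ipaddress.ip_interface(a).ip for a in facts["parp"]}
    findings = []
    for z in facts["rszone"]:
        if z not in zones:
            findings.append(f"rule-set references zone {z!r} that is not defined")
    for p in pools - parp:  # pool address nobody will answer ARP for
        findings.append(f"pool address {p} has no proxy-arp entry on any interface")
    for nh in map(ipaddress.ip_address, facts["nexthop"]):
        if nh in pools:
            findings.append(f"default route next-hop {nh} is also a source NAT pool address")
        if not any(nh in i.network for i in ifaces):
            findings.append(f"default route next-hop {nh} is not on a connected subnet")
    return findings
```

Run `lint_nat_config(SAMPLE_CONFIG)` on the sample and it reports the undefined zone and the next hop that collides with the pool address, which is the "check your next hop" point from the top of the thread.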