So, pinging from the SRX (10.30.10.1) to the remote subnet, 10.55.52.199.
No reply. But it works fine from remote to the SRX.
technology@FWLON> monitor traffic interface st0.0 no-resolve detail
Address resolution is OFF.
Listening on st0.0, capture size 1514 bytes
18:36:13.660993 Out IP (tos 0x0, ttl 64, id 12338, offset 0, flags [none], proto: ICMP (1), length: 84) 81.148.202.146 > 10.55.52.199: ICMP echo request, id 55410, seq 2459, length 64
18:36:14.663862 Out IP (tos 0x0, ttl 64, id 12374, offset 0, flags [none], proto: ICMP (1), length: 84) 81.148.202.146 > 10.55.52.199: ICMP echo request, id 55410, seq 2460, length 64
And empty security flow...
technology@FWLON> show security flow session source-prefix 10.30.10.1
node0:
--------------------------------------------------------------------------
Total sessions: 0
node1:
--------------------------------------------------------------------------
Total sessions: 0
technology@FWLON> show security flow session interface st0.0
node0:
--------------------------------------------------------------------------
Total sessions: 0
node1:
--------------------------------------------------------------------------
Total sessions: 0
But at the same time the hit number is >0!!!
technology@FWLON> show security nat source rule TO-VPN_2
node0:
--------------------------------------------------------------------------
source NAT rule: TO-VPN_2
Rule set : trust-to-untrust
Rule Id : 1
Rule position : 1
From zone : trust
To zone : untrust
Match
Source addresses : NEW-London-Subnet
Destination addresses : VLAN52
VLAN54
DMZ150
DMZ151
India-LAN
AWS-VPC-Subnet
Action : off
Persistent NAT type : N/A
Persistent NAT mapping type : address-port-mapping
Inactivity timeout : 0
Max session number : 0
Persistent NAT block session: disabled
Translation hits : 7145
Successful sessions : 7142
Number of sessions : 0
and finally:
technology@FWLON> show security nat source summary
node0:
--------------------------------------------------------------------------
error: Error receiving data.
Total pools: 4294967295
node1:
--------------------------------------------------------------------------
error: Error receiving data.
Total pools: 4294967295
I have attached flow traceoptions with options below, hope it helps.
set security flow traceoptions file flow-trace_src-10.30.10
set security flow traceoptions flag all
set security flow traceoptions packet-filter F1 protocol icmp
set security flow traceoptions packet-filter F1 source-prefix 10.30.10.0/24
set security flow traceoptions packet-filter F1 destination-prefix 10.55.52.0/24
------------------------------
ILYA KOROBOV
------------------------------
Original Message:
Sent: 12-06-2022 06:18
From: STEVE PULUKA
Subject: SRX320 cluster Source NAT off doesn't work
Could you look at the session table so we can see what rule and interfaces are seen by the SRX for the traffic?
show security flow session source-prefix (ip address of local device)
------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home
Original Message:
Sent: 12-05-2022 14:14
From: ILYA KOROBOV
Subject: SRX320 cluster Source NAT off doesn't work
Hi, Steve.
Thanks for your time.
st0.0 - 2 are indeed in untrust.
I had this set up as well. The result is still the same.
technology@FWLON> monitor traffic interface st0.0
Listening on st0.0, capture size 96 bytes
19:14:34.998798 Out IP truncated-ip - 16 bytes missing! 81.1xx.2xx.xxx > 10.55.52.199: ICMP echo request, id 30814, seq 27, length 64
And zero hits on the OFF rule as well.
Here is the config just in case. Or did I misunderstand you?
technology@FWLON> show configuration security nat source
inactive: rule-set LAN-to-VPN {
    from zone trust;
    to interface [ st0.0 st0.1 st0.2 ];
    rule From_LAN-ro-Remote-Subnets {
        match {
            source-address-name NEW-London-Subnet;
            destination-address-name [ VLAN52 VLAN54 DMZ150 DMZ151 India-LAN AWS-VPC-Subnet ];
        }
        then {
            source-nat {
                off;
            }
        }
    }
}
rule-set trust-to-untrust {
    from zone trust;
    to zone untrust;
    rule TO-VPN_2 {
        match {
            source-address-name NEW-London-Subnet;
            destination-address-name [ VLAN52 VLAN54 DMZ150 DMZ151 India-LAN AWS-VPC-Subnet ];
        }
        then {
            source-nat {
                off;
            }
        }
    }
    rule OUTSIDE-NAT {
        description "LAN to Internet";
        match {
            source-address-name NEW-London-Subnet;
        }
        then {
            source-nat {
                interface;
            }
        }
    }
}
rule-set RA-to-trust {
    description "Evaluate Energy Remote workers";
    from zone VPN;
    to zone trust;
    rule London-RA {
        match {
            source-address 172.30.30.0/27;
        }
        then {
            source-nat {
                interface;
            }
        }
    }
}
------------------------------
ILYA KOROBOV
Original Message:
Sent: 12-04-2022 20:14
From: STEVE PULUKA
Subject: SRX320 cluster Source NAT off doesn't work
If the st0 interfaces are part of the untrust zone, then add the no-NAT rule to the existing rule set and place it as the first of the two rules.
------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home
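Steve's suggestion above (same zone, so put the no-NAT rule first in the existing rule-set) rests on how Junos chooses a source NAT rule-set and then walks the rules inside it. The following is an added Python model of that selection, written for this edit and not code from the thread or from Juniper. It encodes the documented precedence (a rule-set matched on `to interface` is preferred over one matched on `to zone`; inside the chosen rule-set the first matching rule wins and there is no fall-through to another rule-set) and runs the flow from the thread (10.30.10.1 to 10.55.52.199 leaving via st0.0) against the configuration as first posted, against Steve's suggested ordering, and against the reversed ordering. The address book and rule names are copied from the configuration posted in the thread; the masked AWS prefix is left out rather than guessed, and the interface name `uplink` and the placement of the st0 units in zone untrust are assumptions.

```python
"""Model of Junos SRX source-NAT rule-set selection and in-set rule order.

Added example, not from the thread or from Juniper. Address book and
rule-sets are copied from the configuration posted in the thread; the
Internet-facing interface name "uplink" and the zone membership of the
st0 units (the thread says they are in untrust) are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field

# Address book as posted. AWS-VPC-Subnet is masked in the thread
# (172.1xx.xx.xx/20), so it is left out rather than guessed.
ADDRESS_BOOK = {
    "DMZ151": "10.56.151.0/24",
    "DMZ150": "10.56.150.0/24",
    "VLAN52": "10.55.52.0/24",
    "VLAN54": "10.55.54.0/24",
    "NEW-London-Subnet": "10.30.10.0/24",
    "India-LAN": "192.168.42.0/24",
}
REMOTE_SUBNETS = ["VLAN52", "VLAN54", "DMZ150", "DMZ151", "India-LAN"]

# Assumption: st0.0-2 are in zone untrust (as stated in the thread); "uplink"
# is a hypothetical name for the Internet-facing interface, also in untrust.
IFACE_ZONE = {"st0.0": "untrust", "st0.1": "untrust", "st0.2": "untrust",
              "uplink": "untrust"}


@dataclass
class Rule:
    name: str
    src: list           # address-book names
    dst: list           # address-book names; empty list means any
    action: str         # "off" or "interface"


@dataclass
class RuleSet:
    name: str
    from_zone: str
    to_zone: str = None
    to_interfaces: list = field(default_factory=list)
    rules: list = field(default_factory=list)

    def to_rank(self) -> int:
        # Junos prefers the most specific "to" context when several rule-sets
        # match a flow: interface (0) beats zone (1).
        return 0 if self.to_interfaces else 1


def _in_any(ip: str, names: list) -> bool:
    if not names:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(ADDRESS_BOOK[n]) for n in names)


def select_rule(rule_sets, src_ip, dst_ip, from_zone, egress_iface):
    """Return (rule-set, rule, action) for a flow, or None if nothing matches.

    Exactly one rule-set is chosen (the most specific one matching the
    from/to context); its rules are walked top to bottom and the first match
    wins. A miss inside the chosen set does not fall through to another set.
    """
    to_zone = IFACE_ZONE[egress_iface]
    candidates = [rs for rs in rule_sets if rs.from_zone == from_zone and
                  (egress_iface in rs.to_interfaces or rs.to_zone == to_zone)]
    if not candidates:
        return None
    chosen = min(candidates, key=lambda rs: rs.to_rank())
    for r in chosen.rules:
        if _in_any(src_ip, r.src) and _in_any(dst_ip, r.dst):
            return (chosen.name, r.name, r.action)
    return None


NO_NAT_TO_VPN = Rule("TO-VPN_2", ["NEW-London-Subnet"], REMOTE_SUBNETS, "off")
OUTSIDE_NAT = Rule("OUTSIDE-NAT", ["NEW-London-Subnet"], [], "interface")

# Config as first posted: a "to interface" rule-set plus the Internet rule-set.
ORIGINAL = [
    RuleSet("LAN-to-VPN", "trust", to_interfaces=["st0.0", "st0.1", "st0.2"],
            rules=[Rule("From_LAN-ro-Remote-Subnets", ["NEW-London-Subnet"],
                        REMOTE_SUBNETS, "off")]),
    RuleSet("trust-to-untrust", "trust", to_zone="untrust", rules=[OUTSIDE_NAT]),
]
# Steve's suggestion: no-NAT rule first inside the existing zone rule-set
# (LAN-to-VPN deactivated, so absent here).
SUGGESTED = [RuleSet("trust-to-untrust", "trust", to_zone="untrust",
                     rules=[NO_NAT_TO_VPN, OUTSIDE_NAT])]
# Same two rules, wrong order: the catch-all interface rule shadows the no-NAT rule.
REVERSED = [RuleSet("trust-to-untrust", "trust", to_zone="untrust",
                    rules=[OUTSIDE_NAT, NO_NAT_TO_VPN])]

if __name__ == "__main__":
    flow = ("10.30.10.1", "10.55.52.199", "trust", "st0.0")
    for label, cfg in (("original", ORIGINAL), ("suggested", SUGGESTED),
                       ("reversed", REVERSED)):
        print(f"{label:9s} VPN flow -> {select_rule(cfg, *flow)}")
    print("suggested Internet  ->",
          select_rule(SUGGESTED, "10.30.10.1", "8.8.8.8", "trust", "uplink"))
```

The reversed case is the one to watch in practice: a catch-all `source-nat interface` rule placed above the `off` rule matches first, so the `off` rule never records a hit even though it is present and active. The model only encodes the documented precedence; checking what the box actually does is what the `show security flow session` and traceoptions output in this thread are for.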
Original Message:
Sent: 12-04-2022 05:28
From: ILYA KOROBOV
Subject: SRX320 cluster Source NAT off doesn't work
My brain is already broken. Everything seems to be configured correctly but...
I have a cluster of SRX320 with the latest 22.3R1.11 and a site-to-site VPN configured.
Internet from the LAN works.
I cannot reach devices on remote subnets, but devices in the local subnet can be reached without issues FROM remote subnets.
Policies and zone configuration are not an issue, as traffic leaves the SRX.
> show security policies nat source rule all
Shows no hits on the NAT rule with translation "off"; only "interface" source NAT works.
With monitor traffic interface st0.0 I see packets leaving NATed:
> monitor traffic interface st0.0 no-resolve
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is OFF.
Listening on st0.0, capture size 96 bytes
09:56:11.291988 Out IP 81.1xx.2xx.1xx.57644 > 10.55.52.200.53: S 2766986770:2766986770(0) win 65535 <mss 9152,nop,wscale 1,nop,nop,timestamp 265672902 0,sackOK,eol>
^C
Configuration:
> show configuration security nat source
rule-set LAN-to-VPN {
    from zone trust;
    to interface [ st0.0 st0.1 st0.2 ];
    rule From_LAN-ro-Remote-Subnets {
        match {
            source-address-name NEW-London-Subnet;
            destination-address-name [ VLAN52 VLAN54 DMZ150 DMZ151 India-LAN AWS-VPC-Subnet ];
        }
        then {
            source-nat {
                off;
            }
        }
    }
}
rule-set trust-to-untrust {
    from zone trust;
    to zone untrust;
    rule OUTSIDE-NAT {
        description "LAN to Internet";
        match {
            source-address-name NEW-London-Subnet;
        }
        then {
            source-nat {
                interface;
            }
        }
    }
}
> show configuration security address-book
global {
    address DMZ151 10.56.151.0/24;
    address DMZ150 10.56.150.0/24;
    address VLAN52 10.55.52.0/24;
    address VLAN54 10.55.54.0/24;
    address NEW-London-Subnet 10.30.10.0/24;
    address India-LAN 192.168.42.0/24;
    address AWS-VPC-Subnet 172.1xx.xx.xx/20;
}
> show configuration routing-options
static {
    route 0.0.0.0/0 next-hop 81.xxx.xxx.xxx;
    route 10.56.151.0/24 next-hop st0.0;
    route 10.56.150.0/24 next-hop st0.0;
    route 10.55.52.0/24 next-hop st0.0;
    route 10.55.54.0/24 next-hop st0.0;
    route 192.168.42.0/24 next-hop st0.1;
    route 172.1xx.xx.xx/20 next-hop st0.2;
}
> show configuration interfaces st0
unit 0 {
    description VPN-to-Office;
    family inet;
}
unit 1 {
    description VPN-to-India;
    family inet;
}
unit 2 {
    description AWS-VPC;
    family inet;
}
------------------------------
ILYA KOROBOV
------------------------------