Security

 View Only
last person joined: 6 days ago 

Ask questions and share experiences with Juniper Connected Security. Discuss Advanced Threat Protection, SecIntel, Secure Analytics, Secure Connect, Security Director, and all things related to Juniper security technologies.
  • 1.  SRX320 cluster Source NAT off doesn't work

    Posted 12-04-2022 20:05
    Have my brain broken already. Everything seems to be configured correctly but...
    Have cluster of SRV320 with latest 22.3R1.11 and site2site VPN configured.
    Internet from LAN works.
    Cannot reach devices on remote subnets but can reach devices in local subnet wo issues FROM remote subnets.
    Policies and zone configuration not an issue as traffic leaves SRX.
    > show security policies nat source rule all 
    Shoes no hits on the NAT policy with translation "off", only "interface" source NAT works.

    With monitor traffic interface st0.0 see packets leaving NATed
    > monitor traffic interface st0.0 no-resolve
    verbose output suppressed, use <detail> or <extensive> for full protocol decode
    Address resolution is OFF.
    Listening on st0.0, capture size 96 bytes

    09:56:11.291988 Out IP 81.1xx.2xx.1xx.57644 > 10.55.52.200.53: S 2766986770:2766986770(0) win 65535 <mss 9152,nop,wscale 1,nop,nop,timestamp 265672902 0,sackOK,eol>
    ^C

    Configuration:
    > show configuration security nat source
    rule-set LAN-to-VPN {

    from zone trust;
    to interface [ st0.0 st0.1 st0.2 ];
    rule From_LAN-ro-Remote-Subnets {
    match {
    source-address-name NEW-London-Subnet;
    destination-address-name [ VLAN52 VLAN54 DMZ150 DMZ151 India-LAN AWS-VPC-Subnet ];
    }
    then {
    source-nat {
    off;
    }
    }
    }
    }
    rule-set trust-to-untrust {
    from zone trust;
    to zone untrust;
    rule OUTSIDE-NAT {
    description "LAN to Internet";
    match {
    source-address-name NEW-London-Subnet;
    }
    then {
    source-nat {
    interface;
    }
    }
    }
    }

    > show configuration security address-book
    global {
    address DMZ151 10.56.151.0/24;
    address DMZ150 10.56.150.0/24;
    address VLAN52 10.55.52.0/24;
    address VLAN54 10.55.54.0/24;
    address NEW-London-Subnet 10.30.10.0/24;
    address India-LAN 192.168.42.0/24;
    address AWS-VPC-Subnet 172.1xx.xx.xx/20;

    > show configuration routing-options

    static {
    route 0.0.0.0/0 next-hop 81.xxx.xxx.xxx;
    route 10.56.151.0/24 next-hop st0.0;
    route 10.56.150.0/24 next-hop st0.0;
    route 10.55.52.0/24 next-hop st0.0;
    route 10.55.54.0/24 next-hop st0.0;
    route 192.168.42.0/24 next-hop st0.1;
    route 172.1xx.xx.xx/20 next-hop st0.2;

    > show configuration interfaces st0

    unit 0 {
    description VPN-to-Office;
    family inet;
    }
    unit 1 {
    description VPN-to-India;
    family inet;
    }
    unit 2 {
    description AWS-VPC;
    family inet;

    ------------------------------
    ILYA KOROBOV
    ------------------------------


  • 2.  RE: SRX320 cluster Source NAT off doesn't work

    Posted 12-04-2022 20:15
    If the st0 interfaces are part of the untrust zone, then add the no nat rule to the existing rule set and place it as the first of the two rules.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: SRX320 cluster Source NAT off doesn't work

    Posted 12-06-2022 06:15
    Hi, Steve.
    Thanks for your time.
    st0.0 - 2 are exactly in the untrust. 
    II had this set up as well. The result is still the same.
    technology@FWLON> monitor traffic interface st0.0
    Listening on st0.0, capture size 96 bytes
    
    19:14:34.998798 Out IP truncated-ip - 16 bytes missing! 81.1xx.2xx.xxx > 10.55.52.199: ICMP echo request, id 30814, seq 27, length 64
    ​

    And zero hits of OFF rule as well.
    Here is the config just in case. Or I misunderstood you?

    technology@FWLON> show configuration security nat source
    inactive: rule-set LAN-to-VPN {
        from zone trust;
        to interface [ st0.0 st0.1 st0.2 ];
        rule From_LAN-ro-Remote-Subnets {
            match {
                source-address-name NEW-London-Subnet;
                destination-address-name [ VLAN52 VLAN54 DMZ150 DMZ151 India-LAN AWS-VPC-Subnet ];
            }
            then {
                source-nat {
                    off;
                }
            }
        }
    }
    rule-set trust-to-untrust {
        from zone trust;
        to zone untrust;
        rule TO-VPN_2 {
            match {
                source-address-name NEW-London-Subnet;
                destination-address-name [ VLAN52 VLAN54 DMZ150 DMZ151 India-LAN AWS-VPC-Subnet ];
            }
            then {
                source-nat {
                    off;
                }
            }
        }
        rule OUTSIDE-NAT {
            description "LAN to Internet";
            match {
                source-address-name NEW-London-Subnet;
            }
            then {
                source-nat {
                    interface;
                }
            }
        }
    }
    rule-set RA-to-trust {
        description "Evaluate Energy Remote workers";
        from zone VPN;
        to zone trust;
        rule London-RA {
            match {
                source-address 172.30.30.0/27;
            }
            then {
                source-nat {
                    interface;
                }
            }
        }
    }​


    ------------------------------
    ILYA KOROBOV
    ------------------------------



  • 4.  RE: SRX320 cluster Source NAT off doesn't work

    Posted 12-06-2022 06:18
    Could you look at the session table so we can see what rule and interfaces are seen by the SRX for the traffic.

    show security flow session source-prefix (ip address of local device)

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------



  • 5.  RE: SRX320 cluster Source NAT off doesn't work

    Posted 12-06-2022 15:58
      |   view attached
    So pinging from SRX (10.30.10.1) to remote subnet 10.55.52.199.
    No reply. But work fine from remote to SRX.

    technology@FWLON> monitor traffic interface st0.0 no-resolve detail
    Address resolution is OFF.
    Listening on st0.0, capture size 1514 bytes

    18:36:13.660993 Out IP (tos 0x0, ttl 64, id 12338, offset 0, flags [none], proto: ICMP (1), length: 84) 81.148.202.146 > 10.55.52.199: ICMP echo request, id 55410, seq 2459, length 64
    18:36:14.663862 Out IP (tos 0x0, ttl 64, id 12374, offset 0, flags [none], proto: ICMP (1), length: 84) 81.148.202.146 > 10.55.52.199: ICMP echo request, id 55410, seq 2460, length 64

    And empty security flow...

    technology@FWLON> show security flow session source-prefix 10.30.10.1
    node0:
    --------------------------------------------------------------------------
    Total sessions: 0

    node1:
    --------------------------------------------------------------------------
    Total sessions: 0

    technology@FWLON> show security flow session interface st0.0
    node0:
    --------------------------------------------------------------------------
    Total sessions: 0

    node1:
    --------------------------------------------------------------------------
    Total sessions: 0

    But at the same time hit number >0!!!
    technology@FWLON> show security nat source rule TO-VPN_2
    node0:
    --------------------------------------------------------------------------
    source NAT rule: TO-VPN_2
    Rule set : trust-to-untrust
    Rule Id : 1
    Rule position : 1
    From zone : trust
    To zone : untrust
    Match
    Source addresses : NEW-London-Subnet
    Destination addresses : VLAN52
    VLAN54
    DMZ150
    DMZ151
    India-LAN
    AWS-VPC-Subnet
    Action : off
    Persistent NAT type : N/A
    Persistent NAT mapping type : address-port-mapping
    Inactivity timeout : 0
    Max session number : 0
    Persistent NAT block session: disabled
    Translation hits : 7145
    Successful sessions : 7142
    Number of sessions : 0

    and finally:

    technology@FWLON> show security nat source summary
    node0:
    --------------------------------------------------------------------------
    error: Error receiving data.
    Total pools: 4294967295

    node1:
    --------------------------------------------------------------------------
    error: Error receiving data.
    Total pools: 4294967295

    I have attached flow traceoptions with options below, hope it helps.
    set security flow traceoptions file flow-trace_src-10.30.10
    set security flow traceoptions flag all
    set security flow traceoptions packet-filter F1 protocol icmp
    set security flow traceoptions packet-filter F1 source-prefix 10.30.10.0/24
    set security flow traceoptions packet-filter F1 destination-prefix 10.55.52.0/24








    ------------------------------
    ILYA KOROBOV
    ------------------------------

    Attachment(s)

    txt
    security-flow.txt   46 KB 1 version


  • 6.  RE: SRX320 cluster Source NAT off doesn't work

    Posted 12-07-2022 05:54
    Traffic from the SRX is called "self traffic" in the Junos-host zone and does NOT get controlled by outside zone policy and nat.

    So the tests need to be run from a device in the controlled subnet NOT from the SRX gateway ip address.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------



  • 7.  RE: SRX320 cluster Source NAT off doesn't work

    Posted 12-07-2022 12:30
    Makes perfect sense and no questions about NAT off...
    I've ran tests from inside and everything is good.

    Thank you for your time and patience!

    ------------------------------
    ILYA KOROBOV
    ------------------------------