SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX320 - Destination NAT not working

    Posted 11-06-2022 06:23
    Edited by Michael Pappas 11-15-2022 13:02
    EDIT:

    I never could get my previous SRX300 or my new SRX320 working despite abandoning J-Web and carefully creating a new configuration from scratch with only the most basic rules and following numerous tutorials.

    I got my old crusty Cisco 3800 up and going no problem and also set up a pfSense box with no problems. These two are gloriously useful and graceful in comparison to SRX.


    Hi everyone, I am moving this production config from an SRX300 (failed) to an SRX320.
    My Destination NAT setup is not working - I can't access the internal web servers.
    Since everything is so similar and worked before, I'm really not sure what's going on.
    juniper-srx320-config-2022-11-05 - Pastebin.com
    I can see that the translations are being hit, but no sessions are being created.
    show security nat destination rule 
    
    Destination NAT rule: r2
      Rule set                   : rs1
      Description                : PowerSchool 443
      Rule Id                    : 2
      Rule position              : 2
      From zone                  : untrust
        Destination addresses    : 555.555.555.52   - 555.555.555.52
        Destination port         : 443             - 443
      Action                     : dst-nat-pool-powerschool
      Translation hits           : 239
        Successful sessions      : 0
      Number of sessions         : 0

    root@GATEWAY> show route
    
    inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    0.0.0.0/0          *[Static/5] 00:22:12
                        >  via pp0.0
    333.333.333.47/32  *[Local/0] 00:22:12
                           Local via pp0.0
    172.22.0.0/16      *[Direct/0] 00:27:25
                        >  via ge-0/0/1.0
    555.555.555.14/32   *[Direct/0] 00:22:12
                        >  via pp0.0
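    One way to triage the symptom shown above automatically, as an added example that is not part of this thread: a small Python parser for the "show security nat destination rule" output that flags any rule with translation hits but zero successful sessions. Rule r2 is the output quoted in the post; rule r1 and its counters are constructed here for contrast.

```python
import re
from typing import Dict, List

# Constructed sample: rule r2 is the output quoted in the post (obfuscated address
# kept as posted); rule r1 is an assumed healthy rule added for contrast.
SAMPLE_OUTPUT = """\
Destination NAT rule: r2
  Rule set                   : rs1
  Description                : PowerSchool 443
  Rule Id                    : 2
  From zone                  : untrust
    Destination addresses    : 555.555.555.52   - 555.555.555.52
    Destination port         : 443             - 443
  Action                     : dst-nat-pool-powerschool
  Translation hits           : 239
    Successful sessions      : 0
  Number of sessions         : 0

Destination NAT rule: r1
  Description                : PowerSchool 80 (assumed)
    Destination port         : 80              - 80
  Translation hits           : 57
    Successful sessions      : 55
  Number of sessions         : 3
"""

def parse_dnat_rules(text: str) -> List[Dict[str, str]]:
    """Turn the CLI output into one {field: value} dict per rule."""
    rules = []
    for block in re.split(r"^Destination NAT rule:\s*", text, flags=re.M)[1:]:
        lines = block.strip().splitlines()
        rule = {"name": lines[0].strip()}
        for line in lines[1:]:
            key, sep, value = line.partition(":")
            if sep:
                rule[key.strip()] = value.strip()
        rules.append(rule)
    return rules

def stalled_rules(rules: List[Dict[str, str]]) -> List[str]:
    """Rules that are hit but never yield a session: the packet matched and was
    translated, so the drop happens later in first-path processing (route lookup
    toward the pool address or the security policy), which is why the session
    table stays empty even though the hit counter climbs."""
    return [r["name"] for r in rules
            if int(r.get("Translation hits", "0")) > 0
            and int(r.get("Successful sessions", "0")) == 0]

if __name__ == "__main__":
    for name in stalled_rules(parse_dnat_rules(SAMPLE_OUTPUT)):
        print(f"{name}: translation hits but zero sessions; check flow after NAT")
```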


  • 2.  RE: SRX320 - Destination NAT not working

    Posted 11-06-2022 06:39
    All of the elements appear to be configured
    • Nat rule and pool
    • proxy arp
    • security policy
    The only unusual thing I see is this parameter on the 443 nat rule that is not on the other ports for this address.  What is this for? I'm not familiar with the command.
    rule-session-count-alarm raise-threshold 4294967295 clear-threshold 1;
    Also during the test can you look at the active session table using the destination nat address
    show security flow session destination-address 172.22.1.27/32


    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: SRX320 - Destination NAT not working

    Posted 11-07-2022 05:56
    That rule-session-count-alarm is just an artifact from using J-Web. I've removed it.

    root@GATEWAY> show security flow session destination-prefix 172.22.1.27/32
    Total sessions: 0
    
    root@GATEWAY> show security flow session destination-prefix 172.22.1.0/24
    Session ID: 77309438102, Policy name: self-traffic-policy/1, Timeout: 6, Session State: Valid
      In: 172.22.1.38/62655 --> 172.22.1.1/161;udp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 122,
      Out: 172.22.1.1/161 --> 172.22.1.38/62655;udp, Conn Tag: 0x0, If: .local..0, Pkts: 1, Bytes: 140,
    
    Session ID: 55834603762, Policy name: self-traffic-policy/1, Timeout: 60, Session State: Valid
      In: 172.22.1.1/514 --> 172.22.1.17/514;udp, Conn Tag: 0x0, If: .local..0, Pkts: 2039, Bytes: 343961,
      Out: 172.22.1.17/514 --> 172.22.1.1/514;udp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 0, Bytes: 0,
    
    Session ID: 77309442367, Policy name: self-traffic-policy/1, Timeout: 1800, Session State: Valid
      In: 172.22.1.17/51469 --> 172.22.1.1/22;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 309, Bytes: 22036,
      Out: 172.22.1.1/22 --> 172.22.1.17/51469;tcp, Conn Tag: 0x0, If: .local..0, Pkts: 312, Bytes: 38401,
    
    Session ID: 77309447908, Policy name: self-traffic-policy/1, Timeout: 2, Session State: Valid
      In: 172.22.25.164/16748 --> 172.22.1.1/43915;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 46,
      Out: 172.22.1.1/43915 --> 172.22.25.164/16748;icmp, Conn Tag: 0x0, If: .local..0, Pkts: 1, Bytes: 46,
    Total sessions: 4
    
    root@GATEWAY>


    Is this warning relevant? I don't use fxp0.

    [edit]
    root@GATEWAY# show routing-options
    static {
        route 0.0.0.0/0 next-hop pp0.0;
    }
    
    [edit]
    root@GATEWAY# commit and-quit
    [edit security]
      'nat'
        warning: Configuring NAT rule with match address 0.0.0.0/0 and source-nat/destination-nat off
        adds default reject route, causing fxp0's IP not accessible from outside subnets.
    commit complete
    Exiting configuration mode
    
    root@GATEWAY>
    


    ------------------------------
    Cole Tarbet
    ------------------------------



  • 4.  RE: SRX320 - Destination NAT not working

    Posted 11-07-2022 10:24
    I don't see any nat off rules in your posted configuration.

    The fxp0 port is not configured, so I assume you are not using the dedicated mgmt port.  So it would be best to explicitly disable the port which might clear this error.

    set interfaces fxp0 disable

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------



  • 5.  RE: SRX320 - Destination NAT not working

    Posted 11-07-2022 11:59
    Hello,

    Seems like the session itself is not built.
    Can you apply the below trace and see what is dropping the packet?

    set security flow traceoptions file FLOWTRACE size 10m files 10

    set security flow traceoptions flag basic-datapath

    set security flow traceoptions packet-filter pf1 source-prefix x.x.x.x

    set security flow traceoptions packet-filter pf1 destination-prefix 555.555.555.52

    set security flow traceoptions packet-filter pf1 destination-port 443 

    commit and-quit

    > show log FLOWTRACE  | match drop 

    Regards,



    ------------------------------
    Brijil R
    ------------------------------