SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Static/bidirectional NAT is being overridden by egress NAT?

    This message was posted by a user wishing to remain anonymous
    Posted 11-29-2023 15:46

    I'm stuck on understanding why a set of static NAT entries appear to be taking effect for inbound traffic, but for outbound the traffic is instead being NATted using the egress interface. What's very odd about this is it's working in one routing instance but not in the other.

    Story is this: I'm in the process of swinging from one ISP to another. I have the 2nd (new) ISP egress interface on an additional routing instance, and I'm using filters to send traffic out through that instance as I swing the internal hosts/subnets.

    Once we've gracefully swung services over, I'll return to a single routing instance, but for now this has to get me through the cutover.

    Below is a very simplified configuration set showing the relevant entries.

    In this configuration, default routing instance is ISP1. Two internal hosts are modeled, each with their corresponding static nat and proxy-arp entries.

    I'm using a filter on ingress traffic on the TRUST interface to determine whether to send that traffic out through ISP1 or ISP2 based on source IP.

    Without the filter in place, both the web host on 192.168.1.10 and the FTP host on 192.168.1.11 are static mapped bidirectionally to their external IP (respectively, 1.1.1.10 and 1.1.1.11) on ISP1. Using a public service such as "whatismyip.com" confirms each host is being NATted with their static entry, and not the egress interface of 1.1.1.9.

    When the filter is in place it should send traffic from web host 192.168.1.10 out through the 2nd routing instance and ISP2. It should get a static public NAT address of 2.2.2.10. 

    INSTEAD, this host is being seen as the egress NAT of 2.2.2.9?

    set security nat source rule-set internal-to-ISP1 from zone Trust
    set security nat source rule-set internal-to-ISP1 to zone ISP1
    set security nat source rule-set internal-to-ISP1 rule internal-to-ISP1 match source-address 0.0.0.0/0
    set security nat source rule-set internal-to-ISP1 rule internal-to-ISP1 match destination-address 0.0.0.0/0
    set security nat source rule-set internal-to-ISP1 rule internal-to-ISP1 then source-nat interface
    set security nat source rule-set internal-to-ISP2 from zone Trust
    set security nat source rule-set internal-to-ISP2 to zone ISP2
    set security nat source rule-set internal-to-ISP2 rule internal-to-ISP2 match source-address 0.0.0.0/0
    set security nat source rule-set internal-to-ISP2 rule internal-to-ISP2 match destination-address 0.0.0.0/0
    set security nat source rule-set internal-to-ISP2 rule internal-to-ISP2 then source-nat interface
    set security nat static rule-set ISP1-NAT from zone ISP1
    set security nat static rule-set ISP1-NAT rule WEB match destination-address 1.1.1.10/32
    set security nat static rule-set ISP1-NAT rule WEB then static-nat prefix 192.168.1.10/32
    set security nat static rule-set ISP1-NAT rule FTP match destination-address 1.1.1.11/32
    set security nat static rule-set ISP1-NAT rule FTP then static-nat prefix 192.168.1.11/32
    set security nat static rule-set ISP2-NAT from zone ISP2
    set security nat static rule-set ISP2-NAT rule WEB match destination-address 2.2.2.10/32
    set security nat static rule-set ISP2-NAT rule WEB then static-nat prefix 192.168.1.10/32
    set security nat static rule-set ISP2-NAT rule FTP match destination-address 2.2.2.11/32
    set security nat static rule-set ISP2-NAT rule FTP then static-nat prefix 192.168.1.11/32
    set security nat proxy-arp interface reth1.0 address 1.1.1.10/32
    set security nat proxy-arp interface reth1.0 address 1.1.1.11/32
    set security nat proxy-arp interface reth3.0 address 2.2.2.10/32
    set security nat proxy-arp interface reth3.0 address 2.2.2.11/32
    set security policies from-zone Trust to-zone ISP1 policy Outbound_https_to_ISP1 match application junos-https
    set security policies from-zone Trust to-zone ISP1 policy Outbound_https_to_ISP1 then permit
    set security policies from-zone Trust to-zone ISP2 policy Outbound_https_to_ISP2 match application junos-https
    set security policies from-zone Trust to-zone ISP2 policy Outbound_https_to_ISP2 then permit
    set security policies from-zone ISP1 to-zone Trust policy WEB_from_ISP1 match source-address any
    set security policies from-zone ISP1 to-zone Trust policy WEB_from_ISP1 match destination-address host_192_168_1_10
    set security policies from-zone ISP1 to-zone Trust policy WEB_from_ISP1 match application junos-https
    set security policies from-zone ISP1 to-zone Trust policy WEB_from_ISP1 match application junos-ping
    set security policies from-zone ISP1 to-zone Trust policy WEB_from_ISP1 then permit
    set security policies from-zone ISP1 to-zone Trust policy FTP_from_ISP1 match source-address any
    set security policies from-zone ISP1 to-zone Trust policy FTP_from_ISP1 match destination-address host_192_168_1_11
    set security policies from-zone ISP1 to-zone Trust policy FTP_from_ISP1 match application junos-ftp
    set security policies from-zone ISP1 to-zone Trust policy FTP_from_ISP1 match application junos-ping
    set security policies from-zone ISP1 to-zone Trust policy FTP_from_ISP1 then permit
    set security policies from-zone ISP2 to-zone Trust policy WEB_from_ISP2 match source-address any
    set security policies from-zone ISP2 to-zone Trust policy WEB_from_ISP2 match destination-address host_192_168_1_10
    set security policies from-zone ISP2 to-zone Trust policy WEB_from_ISP2 match application junos-https
    set security policies from-zone ISP2 to-zone Trust policy WEB_from_ISP2 match application junos-ping
    set security policies from-zone ISP2 to-zone Trust policy WEB_from_ISP2 then permit
    set security policies from-zone ISP2 to-zone Trust policy FTP_from_ISP2 match source-address any
    set security policies from-zone ISP2 to-zone Trust policy FTP_from_ISP2 match destination-address host_192_168_1_11
    set security policies from-zone ISP2 to-zone Trust policy FTP_from_ISP2 match application junos-ftp
    set security policies from-zone ISP2 to-zone Trust policy FTP_from_ISP2 match application junos-ping
    set security policies from-zone ISP2 to-zone Trust policy FTP_from_ISP2 then permit
    set security zones security-zone Trust interfaces reth0.0
    set security zones security-zone ISP1 interfaces reth1.0
    set security zones security-zone ISP2 interfaces reth3.0
    set interfaces reth0 unit 0 description "internal LAN Trust"
    set interfaces reth0 unit 0 family inet filter input ISP2-filter
    set interfaces reth0 unit 0 family inet address 192.168.1.1/24
    set interfaces reth1 unit 0 description "ISP1"
    set interfaces reth1 unit 0 family inet address 1.1.1.9/27
    set interfaces reth3 unit 0 description "ISP2"
    set interfaces reth3 unit 0 family inet address 2.2.2.9/27
    set firewall family inet filter ISP2-filter term 0 from source-address 192.168.1.10/32
    set firewall family inet filter ISP2-filter term 0 then routing-instance ISP2-router
    set firewall family inet filter ISP2-filter term 1 then accept
    set routing-instances ISP2-router interface reth3.0
    set routing-instances ISP2-router instance-type virtual-router
    set routing-instances ISP2-router routing-options static route 0.0.0.0/0 next-hop 2.2.2.1
    set routing-options interface-routes rib-group inet ISP2-router-ribgroup
    set routing-options static route 0.0.0.0/0 next-hop 1.1.1.1
    set routing-options rib-groups ISP2-router-ribgroup import-rib inet.0
    set routing-options rib-groups ISP2-router-ribgroup import-rib ISP2-router.inet.0
    set routing-options auto-export disable



  • 2.  RE: Static/bidirectional NAT is being overridden by egress NAT?

    Posted 11-29-2023 19:17

    From your description the reverse static NAT is not being correctly seen before the source NAT general rule. This would be a bug if happening.

    SRX NAT flow

    A possible workaround would be to add a statement to the source NAT rule before the NAT-all-to-interface rule that would exclude NAT for the specific IP addresses used in static NAT.

    set security nat source rule-set SR_SET_2 rule rule4 match source-address 10.150.45.0/24
    set security nat source rule-set SR_SET_2 rule rule4 then source-nat off

    set security nat source rule-set internal-to-ISP1 from zone Trust
    set security nat source rule-set internal-to-ISP1 to zone ISP1

    set security nat source rule-set internal-to-ISP1 rule static-hosts-no-nat match source-address 192.168.1.10/32
    set security nat source rule-set internal-to-ISP1 rule static-hosts-no-nat match source-address 192.168.1.11/32
    set security nat source rule-set internal-to-ISP1 rule static-hosts-no-nat then source-nat off

    set security nat source rule-set internal-to-ISP1 rule internal-to-ISP1 match source-address 0.0.0.0/0
    set security nat source rule-set internal-to-ISP1 rule internal-to-ISP1 match destination-address 0.0.0.0/0
    set security nat source rule-set internal-to-ISP1 rule internal-to-ISP1 then source-nat interface

    set security nat source rule-set internal-to-ISP2 from zone Trust
    set security nat source rule-set internal-to-ISP2 to zone ISP2

    set security nat source rule-set internal-to-ISP2 rule static-hosts-no-nat match source-address 192.168.1.10/32
    set security nat source rule-set internal-to-ISP2 rule static-hosts-no-nat match source-address 192.168.1.11/32
    set security nat source rule-set internal-to-ISP2 rule static-hosts-no-nat then source-nat off

    set security nat source rule-set internal-to-ISP2 rule internal-to-ISP2 match source-address 0.0.0.0/0
    set security nat source rule-set internal-to-ISP2 rule internal-to-ISP2 match destination-address 0.0.0.0/0
    set security nat source rule-set internal-to-ISP2 rule internal-to-ISP2 then source-nat interface

    Another possible workaround is to reverse the direction the static NAT rule is created from the internal zone to the ISP zone. I notice that the example is shown this way rather than from the internet zone to the internal zone. Perhaps that is why the bug is kicking in.

    Documentation example.

    https://www.juniper.net/documentation/us/en/software/junos/nat/topics/topic-map/security-nat-configuration-overview.html



    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: Static/bidirectional NAT is being overridden by egress NAT?

    Posted 11-29-2023 21:47

    Using source-nat off for these explicit hosts isn't something I thought about. That's a good idea.

    That's a really good article too! Thank you. I'll need to spend some time reading and digesting it. This is exactly the kind of example I was looking for before I started down this road and didn't find.

    Thank you!



    ------------------------------
    BRYAN JONES
    ------------------------------



  • 4.  RE: Static/bidirectional NAT is being overridden by egress NAT?

    Posted 12-01-2023 10:31

    Steve,

    Using "source-nat off" for those hosts did not work. However, I used an approach identified by the article you provided that is working. It's a bit of a kludge, but I'm creating a single-IP NAT source pool and assigning it to each host with an additional rule in the NAT source rule-set, above the source-nat interface line. Example:

    set security nat source pool ISP2_pool_for_WEB address 2.2.2.10/32
    set security nat source pool ISP2_pool_for_FTP address 2.2.2.11/32

    set security nat source rule-set internal-to-ISP2 from zone Trust
    set security nat source rule-set internal-to-ISP2 to zone ISP2
    set security nat source rule-set internal-to-ISP2 rule static_nat_for_web match source-address 192.168.1.10/32
    set security nat source rule-set internal-to-ISP2 rule static_nat_for_web match destination-address 0.0.0.0/0
    set security nat source rule-set internal-to-ISP2 rule static_nat_for_web then source-nat pool ISP2_pool_for_WEB
    set security nat source rule-set internal-to-ISP2 rule static_nat_for_ftp match source-address 192.168.1.11/32
    set security nat source rule-set internal-to-ISP2 rule static_nat_for_ftp match destination-address 0.0.0.0/0
    set security nat source rule-set internal-to-ISP2 rule static_nat_for_ftp then source-nat pool ISP2_pool_for_FTP
    set security nat source rule-set internal-to-ISP2 rule internal-to-ISP2 match source-address 0.0.0.0/0
    set security nat source rule-set internal-to-ISP2 rule internal-to-ISP2 match destination-address 0.0.0.0/0
    set security nat source rule-set internal-to-ISP2 rule internal-to-ISP2 then source-nat interface

    I've only got 8 or 9 of these, so not a huge effort. I'll be able to clean this up after the cutover and we drop the first ISP and I no longer need the 2nd routing instance.

    Thank you for the advice and hint!

    -- Bryan



    ------------------------------
    BRYAN JONES
    ------------------------------
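Added illustration, not code from this thread or from Juniper: a small Python model of first-match source NAT rule-set evaluation, fed the "set security nat source" lines quoted in the first post (interface-only rule, giving the 2.2.2.9 symptom) and in the last post (per-host pool rule placed ahead of the interface rule, giving 2.2.2.10). The model's handling of a repeated rule name (match lists merge, the last "then" wins) is its own assumption about Junos set semantics, and the destination 203.0.113.5 is a constructed sample.

```python
import ipaddress

def parse_source_nat(text):
    """Parse Junos 'set security nat source ...' lines. Rules keep configuration order;
    a repeated rule name merges into one rule ('then' modelled last-wins; an assumption)."""
    pools, rule_sets = {}, {}
    for t in (line.split() for line in text.strip().splitlines()):
        if t[:5] == ["set", "security", "nat", "source", "pool"]:    # pool NAME address PREFIX
            pools[t[5]] = t[7]
        elif t[:5] == ["set", "security", "nat", "source", "rule-set"]:
            rs = rule_sets.setdefault(t[5], {"from": None, "to": None, "rules": {}})
            if t[6] in ("from", "to"):                   # from zone Z / to zone Z
                rs[t[6]] = t[8]
            elif t[6] == "rule":
                r = rs["rules"].setdefault(t[7], {"src": [], "dst": [], "then": None})
                if t[8] == "match":                      # match source-address|destination-address PREFIX
                    r["src" if t[9] == "source-address" else "dst"].append(ipaddress.ip_network(t[10]))
                else:                                    # then source-nat interface|off|pool NAME
                    r["then"] = ("pool", t[11]) if t[10] == "pool" else (t[10], None)
    return pools, rule_sets

def translated_source(pools, rule_sets, from_zone, to_zone, src, dst, egress_ip):
    """First-match source NAT lookup for one zone pair: the source address the
    packet leaves with (unchanged if nothing matches or source-nat is off)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rs in rule_sets.values():
        if (rs["from"], rs["to"]) != (from_zone, to_zone):
            continue
        for r in rs["rules"].values():
            if any(s in n for n in r["src"]) and (not r["dst"] or any(d in n for n in r["dst"])):
                kind, name = r["then"]
                return {"interface": egress_ip, "off": src}.get(kind) or pools[name].split("/")[0]
    return src
# Constructed samples from the thread: the original ISP2 rule-set, then the per-host pool rule ahead of it.
ORIGINAL = """
set security nat source rule-set internal-to-ISP2 from zone Trust
set security nat source rule-set internal-to-ISP2 to zone ISP2
set security nat source rule-set internal-to-ISP2 rule internal-to-ISP2 match source-address 0.0.0.0/0
set security nat source rule-set internal-to-ISP2 rule internal-to-ISP2 match destination-address 0.0.0.0/0
set security nat source rule-set internal-to-ISP2 rule internal-to-ISP2 then source-nat interface
"""
PER_HOST_POOL = """
set security nat source pool ISP2_pool_for_WEB address 2.2.2.10/32
set security nat source rule-set internal-to-ISP2 rule static_nat_for_web match source-address 192.168.1.10/32
set security nat source rule-set internal-to-ISP2 rule static_nat_for_web match destination-address 0.0.0.0/0
set security nat source rule-set internal-to-ISP2 rule static_nat_for_web then source-nat pool ISP2_pool_for_WEB
""" + ORIGINAL
def web_host_egress(config):  # what an internet host sees when 192.168.1.10 goes out via ISP2
    return translated_source(*parse_source_nat(config), "Trust", "ISP2",
                             "192.168.1.10", "203.0.113.5", "2.2.2.9")
```

Running `web_host_egress` on the two samples reproduces the symptom (2.2.2.9) and the fix (2.2.2.10); other Trust hosts still fall through to the interface rule.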