Junos OS

This message was posted by a user wishing to remain anonymous

I'm stuck on understanding why a set of static NAT entries appear to be taking effect for inbound traffic, but for outbound the traffic is instead being NATted using the egress interface. What's very odd about this is it's working in one routing instance but not in the other.

Story is this: I'm in the process of swinging from one ISP to another. I have the 2nd (new) ISP egress interface on an additional routing instance, and I'm using filters to send traffic out through that instance as I swing the internal hosts/subnets.

Once we've gracefully swung services over, I'll return to a single routing instance, but for now this has to get me through the cutover.

Below is a very simplified configuration set showing the relevant entries.

In this configuration, default routing instance is ISP1. Two internal hosts are modeled, each with their corresponding static nat and proxy-arp entries.

I'm using a filter on ingress traffic on the TRUST interface to determine whether to send that traffic out through ISP1 or ISP2 based on source IP.

Without the filter in place, both the web host on 192.168.1.10 and the FTP host on 192.168.1.11 are static mapped bidirectionally to their external IP (respectively, 1.1.1.10 and 1.1.1.11) on ISP1. Using a public service such as "whatismyip.com" confirms each host is being NATted with their static entry, and not the egress interface of 1.1.1.9.

When the filter is in place it should send traffic from web host 192.168.1.10 out through the 2nd routing instance and ISP2. It should get a static public NAT address of 2.2.2.10. 

INSTEAD, this host is being seen as the egress NAT of 2.2.2.9?

set security nat source rule-set internal-to-ISP1 from zone Trust
set security nat source rule-set internal-to-ISP1 to zone ISP1
set security nat source rule-set internal-to-ISP1 rule internal-to-ISP1 match source-address 0.0.0.0/0
set security nat source rule-set internal-to-ISP1 rule internal-to-ISP1 match destination-address 0.0.0.0/0
set security nat source rule-set internal-to-ISP1 rule internal-to-ISP1 then source-nat interface
set security nat source rule-set internal-to-ISP2 from zone Trust
set security nat source rule-set internal-to-ISP2 to zone ISP2
set security nat source rule-set internal-to-ISP2 rule internal-to-ISP2 match source-address 0.0.0.0/0
set security nat source rule-set internal-to-ISP2 rule internal-to-ISP2 match destination-address 0.0.0.0/0
set security nat source rule-set internal-to-ISP2 rule internal-to-ISP2 then source-nat interface
set security nat static rule-set ISP1-NAT from zone ISP1
set security nat static rule-set ISP1-NAT rule WEB match destination-address 1.1.1.10/32
set security nat static rule-set ISP1-NAT rule WEB then static-nat prefix 192.168.1.10/32
set security nat static rule-set ISP1-NAT rule FTP match destination-address 1.1.1.11/32
set security nat static rule-set ISP1-NAT rule FTP then static-nat prefix 192.168.1.11/32
set security nat static rule-set ISP2-NAT from zone ISP2
set security nat static rule-set ISP2-NAT rule WEB match destination-address 2.2.2.10/32
set security nat static rule-set ISP2-NAT rule WEB then static-nat prefix 192.168.1.10/32
set security nat static rule-set ISP2-NAT rule FTP match destination-address 2.2.2.11/32
set security nat static rule-set ISP2-NAT rule FTP then static-nat prefix 192.168.1.11/32
set security nat proxy-arp interface reth1.0 address 1.1.1.10/32
set security nat proxy-arp interface reth1.0 address 1.1.1.11/32
set security nat proxy-arp interface reth3.0 address 2.2.2.10/32
set security nat proxy-arp interface reth3.0 address 2.2.2.11/32
set security policies from-zone Trust to-zone ISP1 policy Outbound_https_to_ISP1 match application junos-https
set security policies from-zone Trust to-zone ISP1 policy Outbound_https_to_ISP1 then permit
set security policies from-zone Trust to-zone ISP2 policy Outbound_https_to_ISP2 match application junos-https
set security policies from-zone Trust to-zone ISP2 policy Outbound_https_to_ISP2 then permit
set security policies from-zone ISP1 to-zone Trust policy WEB_from_ISP1 match source-address any
set security policies from-zone ISP1 to-zone Trust policy WEB_from_ISP1 match destination-address host_192_168_1_10
set security policies from-zone ISP1 to-zone Trust policy WEB_from_ISP1 match application junos-https
set security policies from-zone ISP1 to-zone Trust policy WEB_from_ISP1 match application junos-ping
set security policies from-zone ISP1 to-zone Trust policy WEB_from_ISP1 then permit
set security policies from-zone ISP1 to-zone Trust policy FTP_from_ISP1 match source-address any
set security policies from-zone ISP1 to-zone Trust policy FTP_from_ISP1 match destination-address host_192_168_1_11
set security policies from-zone ISP1 to-zone Trust policy FTP_from_ISP1 match application junos-ftp
set security policies from-zone ISP1 to-zone Trust policy FTP_from_ISP1 match application junos-ping
set security policies from-zone ISP1 to-zone Trust policy FTP_from_ISP1 then permit
set security policies from-zone ISP2 to-zone Trust policy WEB_from_ISP2 match source-address any
set security policies from-zone ISP2 to-zone Trust policy WEB_from_ISP2 match destination-address host_192_168_1_10
set security policies from-zone ISP2 to-zone Trust policy WEB_from_ISP2 match application junos-https
set security policies from-zone ISP2 to-zone Trust policy WEB_from_ISP2 match application junos-ping
set security policies from-zone ISP2 to-zone Trust policy WEB_from_ISP2 then permit
set security policies from-zone ISP2 to-zone Trust policy FTP_from_ISP2 match source-address any
set security policies from-zone ISP2 to-zone Trust policy FTP_from_ISP2 match destination-address host_192_168_1_11
set security policies from-zone ISP2 to-zone Trust policy FTP_from_ISP2 match application junos-ftp
set security policies from-zone ISP2 to-zone Trust policy FTP_from_ISP2 match application junos-ping
set security policies from-zone ISP2 to-zone Trust policy FTP_from_ISP2 then permit
set security zones security-zone Trust interfaces reth0.0
set security zones security-zone ISP1 interfaces reth1.0 
set security zones security-zone ISP2 interfaces reth3.0 
set interfaces reth0 unit 0 description "internal LAN Trust"
set interfaces reth0 unit 0 family inet filter input ISP2-filter
set interfaces reth0 unit 0 family inet address 192.168.1.1/24
set interfaces reth1 unit 0 description "ISP1"
set interfaces reth1 unit 0 family inet address 1.1.1.9/27
set interfaces reth3 unit 0 description "ISP2"
set interfaces reth3 unit 0 family inet address 2.2.2.9/27
set firewall family inet filter ISP2-filter term 0 from source-address 192.168.1.10/32
set firewall family inet filter ISP2-filter term 0 then routing-instance ISP2-router
set firewall family inet filter ISP2-filter term 1 then accept
set routing-instances ISP2-router interface reth3.0
set routing-instances ISP2-router instance-type virtual-router
set routing-instances ISP2-router routing-options static route 0.0.0.0/0 next-hop 2.2.2.1
set routing-options interface-routes rib-group inet ISP2-router-ribgroup
set routing-options static route 0.0.0.0/0 next-hop 1.1.1.1
set routing-options rib-groups ISP2-router-ribgroup import-rib inet.0
set routing-options rib-groups ISP2-router-ribgroup import-rib ISP2-router.inet.0
set routing-options auto-export disable

From you description the reverse static nat is not being correctly seen before the source nat general rule.  This would be a bug if happening.

A possible work around would be to add a statement to the source nat rule before the nat all to interface that would exclude nat for the specific ip addresses used in static nat.

set security nat source rule-set SR_SET_2 rule rule4 match source-address 10.150.45.0/24
set security nat source rule-set SR_SET_2 rule rule4 then source-nat off

set security nat source rule-set internal-to-ISP1 from zone Trust
set security nat source rule-set internal-to-ISP1 to zone ISP1

set security nat source rule-set internal-to-ISP1 rule internal-to-ISP1 match source-address 192.168.1.10/32
set security nat source rule-set internal-to-ISP1 rule internal-to-ISP1 match source-address 192.168.1.11/32
set security nat source rule-set internal-to-ISP1 rule internal-to-ISP1 then source-nat off

set security nat source rule-set internal-to-ISP1 rule internal-to-ISP1 match source-address 0.0.0.0/0
set security nat source rule-set internal-to-ISP1 rule internal-to-ISP1 match destination-address 0.0.0.0/0
set security nat source rule-set internal-to-ISP1 rule internal-to-ISP1 then source-nat interface

set security nat source rule-set internal-to-ISP2 from zone Trust
set security nat source rule-set internal-to-ISP2 to zone ISP2

set security nat source rule-set internal-to-ISP2 rule internal-to-ISP2 match source-address 192.168.1.10/32
set security nat source rule-set internal-to-ISP2 rule internal-to-ISP2 match source-address 192.168.1.11/32
set security nat source rule-set internal-to-ISP2 rule internal-to-ISP2 then source-nat off

set security nat source rule-set internal-to-ISP2 rule internal-to-ISP2 match source-address 0.0.0.0/0
set security nat source rule-set internal-to-ISP2 rule internal-to-ISP2 match destination-address 0.0.0.0/0
set security nat source rule-set internal-to-ISP2 rule internal-to-ISP2 then source-nat interface

Another possible work around is to reverse the direction the static nat rule is created from the internal zone to the isp zone.  I notice that the example is show this way rather than from internet zone to internal zone.  Perhaps that is why the bug is kicking in.

Documentation example.

https://www.juniper.net/documentation/us/en/software/junos/nat/topics/topic-map/security-nat-configuration-overview.html

------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home
------------------------------

Original Message:
Sent: 11-29-2023 15:45
From: Anonymous
Subject: Static/bidirectional NAT is being overridden by egress NAT?

This message was posted by a user wishing to remain anonymous

I'm stuck on understanding why a set of static NAT entries appear to be taking effect for inbound traffic, but for outbound the traffic is instead being NATted using the egress interface. What's very odd about this is it's working in one routing instance but not in the other.

Story is this: I'm in the process of swinging from one ISP to another. I have the 2nd (new) ISP egress interface on an additional routing instance, and I'm using filters to send traffic out through that instance as I swing the internal hosts/subnets.

Once we've gracefully swung services over, I'll return to a single routing instance, but for now this has to get me through the cutover.

Below is a very simplified configuration set showing the relevant entries.

In this configuration, default routing instance is ISP1. Two internal hosts are modeled, each with their corresponding static nat and proxy-arp entries.

I'm using a filter on ingress traffic on the TRUST interface to determine whether to send that traffic out through ISP1 or ISP2 based on source IP.

Without the filter in place, both the web host on 192.168.1.10 and the FTP host on 192.168.1.11 are static mapped bidirectionally to their external IP (respectively, 1.1.1.10 and 1.1.1.11) on ISP1. Using a public service such as "whatismyip.com" confirms each host is being NATted with their static entry, and not the egress interface of 1.1.1.9.

When the filter is in place it should send traffic from web host 192.168.1.10 out through the 2nd routing instance and ISP2. It should get a static public NAT address of 2.2.2.10. 

INSTEAD, this host is being seen as the egress NAT of 2.2.2.9?

set security nat source rule-set internal-to-ISP1 from zone Trust
set security nat source rule-set internal-to-ISP1 to zone ISP1
set security nat source rule-set internal-to-ISP1 rule internal-to-ISP1 match source-address 0.0.0.0/0
set security nat source rule-set internal-to-ISP1 rule internal-to-ISP1 match destination-address 0.0.0.0/0
set security nat source rule-set internal-to-ISP1 rule internal-to-ISP1 then source-nat interface
set security nat source rule-set internal-to-ISP2 from zone Trust
set security nat source rule-set internal-to-ISP2 to zone ISP2
set security nat source rule-set internal-to-ISP2 rule internal-to-ISP2 match source-address 0.0.0.0/0
set security nat source rule-set internal-to-ISP2 rule internal-to-ISP2 match destination-address 0.0.0.0/0
set security nat source rule-set internal-to-ISP2 rule internal-to-ISP2 then source-nat interface
set security nat static rule-set ISP1-NAT from zone ISP1
set security nat static rule-set ISP1-NAT rule WEB match destination-address 1.1.1.10/32
set security nat static rule-set ISP1-NAT rule WEB then static-nat prefix 192.168.1.10/32
set security nat static rule-set ISP1-NAT rule FTP match destination-address 1.1.1.11/32
set security nat static rule-set ISP1-NAT rule FTP then static-nat prefix 192.168.1.11/32
set security nat static rule-set ISP2-NAT from zone ISP2
set security nat static rule-set ISP2-NAT rule WEB match destination-address 2.2.2.10/32
set security nat static rule-set ISP2-NAT rule WEB then static-nat prefix 192.168.1.10/32
set security nat static rule-set ISP2-NAT rule FTP match destination-address 2.2.2.11/32
set security nat static rule-set ISP2-NAT rule FTP then static-nat prefix 192.168.1.11/32
set security nat proxy-arp interface reth1.0 address 1.1.1.10/32
set security nat proxy-arp interface reth1.0 address 1.1.1.11/32
set security nat proxy-arp interface reth3.0 address 2.2.2.10/32
set security nat proxy-arp interface reth3.0 address 2.2.2.11/32
set security policies from-zone Trust to-zone ISP1 policy Outbound_https_to_ISP1 match application junos-https
set security policies from-zone Trust to-zone ISP1 policy Outbound_https_to_ISP1 then permit
set security policies from-zone Trust to-zone ISP2 policy Outbound_https_to_ISP2 match application junos-https
set security policies from-zone Trust to-zone ISP2 policy Outbound_https_to_ISP2 then permit
set security policies from-zone ISP1 to-zone Trust policy WEB_from_ISP1 match source-address any
set security policies from-zone ISP1 to-zone Trust policy WEB_from_ISP1 match destination-address host_192_168_1_10
set security policies from-zone ISP1 to-zone Trust policy WEB_from_ISP1 match application junos-https
set security policies from-zone ISP1 to-zone Trust policy WEB_from_ISP1 match application junos-ping
set security policies from-zone ISP1 to-zone Trust policy WEB_from_ISP1 then permit
set security policies from-zone ISP1 to-zone Trust policy FTP_from_ISP1 match source-address any
set security policies from-zone ISP1 to-zone Trust policy FTP_from_ISP1 match destination-address host_192_168_1_11
set security policies from-zone ISP1 to-zone Trust policy FTP_from_ISP1 match application junos-ftp
set security policies from-zone ISP1 to-zone Trust policy FTP_from_ISP1 match application junos-ping
set security policies from-zone ISP1 to-zone Trust policy FTP_from_ISP1 then permit
set security policies from-zone ISP2 to-zone Trust policy WEB_from_ISP2 match source-address any
set security policies from-zone ISP2 to-zone Trust policy WEB_from_ISP2 match destination-address host_192_168_1_10
set security policies from-zone ISP2 to-zone Trust policy WEB_from_ISP2 match application junos-https
set security policies from-zone ISP2 to-zone Trust policy WEB_from_ISP2 match application junos-ping
set security policies from-zone ISP2 to-zone Trust policy WEB_from_ISP2 then permit
set security policies from-zone ISP2 to-zone Trust policy FTP_from_ISP2 match source-address any
set security policies from-zone ISP2 to-zone Trust policy FTP_from_ISP2 match destination-address host_192_168_1_11
set security policies from-zone ISP2 to-zone Trust policy FTP_from_ISP2 match application junos-ftp
set security policies from-zone ISP2 to-zone Trust policy FTP_from_ISP2 match application junos-ping
set security policies from-zone ISP2 to-zone Trust policy FTP_from_ISP2 then permit
set security zones security-zone Trust interfaces reth0.0
set security zones security-zone ISP1 interfaces reth1.0 
set security zones security-zone ISP2 interfaces reth3.0 
set interfaces reth0 unit 0 description "internal LAN Trust"
set interfaces reth0 unit 0 family inet filter input ISP2-filter
set interfaces reth0 unit 0 family inet address 192.168.1.1/24
set interfaces reth1 unit 0 description "ISP1"
set interfaces reth1 unit 0 family inet address 1.1.1.9/27
set interfaces reth3 unit 0 description "ISP2"
set interfaces reth3 unit 0 family inet address 2.2.2.9/27
set firewall family inet filter ISP2-filter term 0 from source-address 192.168.1.10/32
set firewall family inet filter ISP2-filter term 0 then routing-instance ISP2-router
set firewall family inet filter ISP2-filter term 1 then accept
set routing-instances ISP2-router interface reth3.0
set routing-instances ISP2-router instance-type virtual-router
set routing-instances ISP2-router routing-options static route 0.0.0.0/0 next-hop 2.2.2.1
set routing-options interface-routes rib-group inet ISP2-router-ribgroup
set routing-options static route 0.0.0.0/0 next-hop 1.1.1.1
set routing-options rib-groups ISP2-router-ribgroup import-rib inet.0
set routing-options rib-groups ISP2-router-ribgroup import-rib ISP2-router.inet.0
set routing-options auto-export disable