I tried destination NAT in vain (which requires you to map a NAT to an IP and a port number), which will not work for me, as I have over 20 servers behind the SRX and I control access to the different ports via security policies.
I still see the web traffic in the web logs as if it were coming from the LAN port of the firewall, 10.10.20.254. See the logs below:
2023-01-11 12:57:17 10.10.20.199 GET /DesktopModules/LiveSlider/Themes/v5/skin.png - 80 - 10.10.20.254 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_15_7)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/108.0.0.0+Safari/537.36 http://XXX.182.158.199/DesktopModules/LiveSlider/Themes/v5/skin.css 200 0 0 144
2023-01-11 12:57:17 10.10.20.199 GET /Portals/0/slide-bg.png - 80 - 10.10.20.254 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_15_7)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/108.0.0.0+Safari/537.36 http://XXX.182.158.199/ 200 0 0 299
2023-01-11 12:57:22 10.10.20.199 GET /Portals/0/favicon_20150724100627.ico - 80 - 10.10.20.254 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_15_7)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/108.0.0.0+Safari/537.36 http://XXX.182.158.199/ 200 0 0 153
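Added example, not part of the thread or of anyone's SRX configuration: a small Python check that parses IIS W3C log lines like the ones above and reports whether the client-address column (c-ip) is really the firewall's LAN address rather than the visitor's, and what a fail2ban-style ban rule would conclude from such a log. The server address 10.10.20.199 and the firewall LAN address 10.10.20.254 are the ones from the post; the #Fields header (the IIS default, which the post did not show), the sample lines, and the RFC 5737 documentation addresses used in place of the masked public prefix are all constructed for this example.

```python
"""Check IIS W3C logs for a firewall inside address masquerading as the client.

Addresses from the post: web server 10.10.20.199, SRX LAN interface 10.10.20.254.
Everything else below is constructed for this example.
"""
from collections import Counter
from typing import Dict, Iterable, List, Tuple

WEB_SERVER_IP = "10.10.20.199"
FIREWALL_LAN_IP = "10.10.20.254"

# Constructed sample. The #Fields line is the IIS default field set; the request
# lines are modelled on the ones in the thread, with 203.0.113.10 (RFC 5737)
# standing in for the poster's masked public address and 10.10.20.50 as a
# LAN client that reaches the server without passing through the firewall.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2023-01-11 12:57:17 10.10.20.199 GET /Portals/0/slide-bg.png - 80 - 10.10.20.254 Mozilla/5.0+(Macintosh)+Chrome/108.0.0.0 http://203.0.113.10/ 200 0 0 299
2023-01-11 12:57:22 10.10.20.199 GET /Portals/0/favicon.ico - 80 - 10.10.20.254 Mozilla/5.0+(Macintosh)+Chrome/108.0.0.0 http://203.0.113.10/ 200 0 0 153
2023-01-11 12:58:01 10.10.20.199 POST /wp-login.php - 80 - 10.10.20.254 Mozilla/5.0+(X11)+Firefox/108.0 - 200 0 0 310
2023-01-11 12:58:03 10.10.20.199 POST /wp-login.php - 80 - 10.10.20.254 Mozilla/5.0+(X11)+Firefox/108.0 - 200 0 0 305
2023-01-11 12:58:05 10.10.20.199 POST /wp-login.php - 80 - 10.10.20.254 Mozilla/5.0+(X11)+Firefox/108.0 - 200 0 0 298
2023-01-11 13:02:44 10.10.20.199 GET /index.html - 80 - 10.10.20.50 Mozilla/5.0+(Windows)+Edge/108.0 - 200 0 0 120
"""


def parse_iis_w3c(text: str) -> List[Dict[str, str]]:
    """Parse IIS W3C extended log text into one dict per request.

    IIS writes spaces inside field values as '+', so splitting on whitespace is
    safe. The '#Fields:' directive names the columns for the lines that follow.
    """
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):  # other directives: #Software, #Version, #Date
            continue
        values = line.split()
        if not fields or len(values) != len(fields):
            raise ValueError(f"field count mismatch for line: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def client_ip_histogram(records: Iterable[Dict[str, str]]) -> Counter:
    """How many requests each c-ip value accounts for."""
    return Counter(r["c-ip"] for r in records)


def source_nat_suspected(records: List[Dict[str, str]],
                         inside_addrs: Iterable[str] = (FIREWALL_LAN_IP,),
                         threshold: float = 0.5) -> Tuple[bool, float]:
    """Heuristic: if most requests carry the firewall's own inside address as the
    client, something in the path is source-translating inbound traffic. A plain
    1:1 static NAT rewrites only the destination, so it would not cause this."""
    hist = client_ip_histogram(records)
    total = sum(hist.values())
    hidden = sum(hist[a] for a in inside_addrs)
    fraction = hidden / total if total else 0.0
    return fraction >= threshold, fraction


def login_attempts_by_client(records: Iterable[Dict[str, str]],
                             path: str = "/wp-login.php",
                             method: str = "POST") -> Counter:
    """Login POSTs per client address, the input a brute-force ban rule keys on."""
    return Counter(r["c-ip"] for r in records
                   if r["cs-uri-stem"] == path and r["cs-method"] == method)


def ban_candidates(records: Iterable[Dict[str, str]], threshold: int = 2,
                   inside_addrs: Iterable[str] = (FIREWALL_LAN_IP,)) -> Dict[str, str]:
    """Emulate a fail2ban-style rule (>= threshold login POSTs => ban the address).

    A candidate that is the firewall's inside address must not be banned: every
    external visitor appears under it, so the ban would block all of them and
    never reach the attacker.
    """
    inside = set(inside_addrs)
    verdicts: Dict[str, str] = {}
    for ip, count in login_attempts_by_client(records).items():
        if count < threshold:
            continue
        verdicts[ip] = "do-not-ban: firewall inside address" if ip in inside else "ban"
    return verdicts


if __name__ == "__main__":
    recs = parse_iis_w3c(SAMPLE_LOG)
    suspected, frac = source_nat_suspected(recs)
    print(f"{len(recs)} requests, {frac:.0%} from {FIREWALL_LAN_IP}; "
          f"source NAT in path: {suspected}")
    for ip, verdict in ban_candidates(recs).items():
        print(f"{ip}: {verdict}")
```

Run it as a script to print the report for the constructed sample; to check a production server, read a real u_ex*.log file and pass its text to parse_iis_w3c. The heuristic deliberately takes a fraction rather than a single hit, because an internal host that legitimately sits behind the same inside address would otherwise trigger it.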
Original Message:
Sent: 1/11/2023 2:58:00 AM
From: ARENTAS BUTKUS
Subject: RE: 1 to 1 Net is not passing the internet users IP (I see the Lan IP Instead)
Hackers coming from the trusted network?
Maybe you should put the services in a separate zone, where you gradually segregate your zones.
I'm not an expert, but I would do destination NAT and only allow the ports required for the services.
Destination NAT (Juniper documentation): Destination NAT changes the destination address of packets passing through the router. It also offers the option to perform port translation in the TCP/UDP headers. Destination NAT is mainly used to redirect incoming packets with an external address or port destination to an internal IP address or port inside the network.
(I had to delete my code example, so as not to show a bad example.)
Original Message:
Sent: 01-10-2023 16:23
From: JAY ECHOUAFNI
Subject: 1 to 1 Net is not passing the internet users IP (I see the Lan IP Instead)
I am setting up my SRX345. I set up a bunch of web servers with static NAT, as I have a full range of public IPs. So for every server I set up destination XXX.182.158.199 to a prefix of 10.10.20.254. I also set up proxy ARP and set a security rule to allow HTTP.
But when I look at the web logs of the server for the internet traffic, I see only my LAN IP 10.10.20.254 as the source IP for all the web users hitting my servers. This also violates our security, because all the hackers trying to log in to WordPress now come from my trusted network and are not being banned.
I have been asking about this for days but no one is responding.
Here is the part in my config
security {
    nat {
        static {
            /* The rule-set name and its from-zone were not in the posted excerpt;
               STATIC-NAT and untrust are placeholders. Static NAT is a 1:1,
               bidirectional mapping: on inbound packets it rewrites only the
               destination address and leaves the client source address alone. */
            rule-set STATIC-NAT {
                from zone untrust;
                rule Win-server199-Nat {
                    match {
                        destination-address XXX.182.158.199/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                10.10.20.199/32;
                            }
                        }
                    }
                }
            }
        }
        /* Answer ARP on the outside interface for the public address. The post
           had XXX.182.158.1999/32 here, which is not a valid address; .199 matches
           the static NAT rule above. */
        proxy-arp {
            interface ge-0/0/0.0 {
                address {
                    XXX.182.158.199/32;
                }
            }
        }
    }
}
---------------------------
JAY ECHOUAFNI
------------------------------