SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX-300 1-to-1 NAT not passing traffic

    Posted 12-02-2022 15:59
    I'm trying to route from a public IP to an internal web server, but it doesn't seem to be passing HTTP traffic. Here's what I have:
    set security nat static rule-set web1 from zone internet
    set security nat static rule-set web1 rule web1 match destination-address 1.2.3.4/32
    set security nat static rule-set web1 rule web1 then static-nat prefix 10.1.10.6/32
    set security nat proxy-arp interface ge-0/0/0.0 address 1.2.3.4/32
    set security policies from-zone internet to-zone trust policy web1 match source-address any
    set security policies from-zone internet to-zone trust policy web1 match destination-address web1
    set security policies from-zone internet to-zone trust policy web1 match application any
    set security policies from-zone internet to-zone trust policy web1 then permit
    set security address-book global address web1 10.1.10.6/32
    set security policies from-zone trust to-zone internet policy trust-internet match source-address web1
    set security policies from-zone trust to-zone internet policy trust-internet match destination-address any
    set security policies from-zone trust to-zone internet policy trust-internet match application any
    set security policies from-zone trust to-zone internet policy trust-internet then permit


    Where should I be looking?



  • 2.  RE: SRX-300 1-to-1 NAT not passing traffic
    Best Answer

    Posted 12-03-2022 04:03
    Hello,

    Can you try out the below option and get me the output?

    >show security match-policies from-zone <> to-zone <> source-ip <> destination-ip <> source-port 10.1.10.6 destination-port <> protocol 6
    >show security nat static rule all

    Also, did we test any other traffic and confirm it is working?
    To test and isolate, you can try setting policies to any any; with that we can confirm whether the issue is with policies or with NAT.

    Regards,

    ------------------------------
    Brijil R
    ------------------------------



  • 3.  RE: SRX-300 1-to-1 NAT not passing traffic

    Posted 12-03-2022 06:41
    Your configuration seems exactly like the sample.


    Could you try the connections both inbound and outbound and see what sessions exist using
    show security flow session source-prefix
    show security flow session destination-prefix

    These will confirm which policy is being used for the session and what NAT is occurring.  It seems likely some other policy and/or NAT rule is being applied due to order or scope of policy. Once this is identified we can see where to either move or change the interfering configuration.



    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------
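    As an added illustration of the checks the replies above describe (not code from this thread or from Juniper), here is a small offline consistency checker for set-format SRX static NAT configs: it confirms that proxy-ARP covers the public address and that the inbound policy's destination resolves to the translated internal address, since static NAT is applied before policy lookup. The sample config is constructed from the original post; the parser only understands the statement shapes used there.

```python
import ipaddress

# Constructed sample: the relevant set statements from the original post.
CONFIG = """
set security nat static rule-set web1 from zone internet
set security nat static rule-set web1 rule web1 match destination-address 1.2.3.4/32
set security nat static rule-set web1 rule web1 then static-nat prefix 10.1.10.6/32
set security nat proxy-arp interface ge-0/0/0.0 address 1.2.3.4/32
set security policies from-zone internet to-zone trust policy web1 match destination-address web1
set security address-book global address web1 10.1.10.6/32
"""

def parse(cfg):
    """Collect static-NAT rules, proxy-ARP prefixes, global address-book entries and policy destinations."""
    nat, proxy, book, pol = {}, set(), {}, []
    for line in cfg.strip().splitlines():
        w = line.split()
        if w[:4] == ["set", "security", "nat", "static"] and len(w) > 7 and w[6] == "rule":
            rule = nat.setdefault(w[7], {})
            if "destination-address" in w: rule["match"] = w[-1]
            if "static-nat" in w: rule["prefix"] = w[-1]
        elif w[:4] == ["set", "security", "nat", "proxy-arp"]:
            proxy.add(w[-1])
        elif w[:4] == ["set", "security", "address-book", "global"]:
            book[w[5]] = w[6]
        elif w[:3] == ["set", "security", "policies"] and "destination-address" in w:
            pol.append((w[4], w[6], w[8], w[-1]))  # from-zone, to-zone, policy name, destination name
    return nat, proxy, book, pol

def check(cfg):
    """Return a list of findings; an empty list means the NAT, proxy-ARP and policy pieces line up."""
    nat, proxy, book, pol = parse(cfg)
    findings = []
    for name, r in nat.items():
        match, prefix = r.get("match"), r.get("prefix")
        if not (match and prefix):
            findings.append(f"nat rule {name}: incomplete match/prefix"); continue
        public, internal = ipaddress.ip_network(match), ipaddress.ip_network(prefix)
        # Without proxy-ARP for the public address, upstream ARP requests get no reply.
        if not any(public.subnet_of(ipaddress.ip_network(p)) for p in proxy):
            findings.append(f"nat rule {name}: no proxy-arp covers {match}")
        # Static NAT runs before policy lookup, so the policy must match the internal address.
        if not any(d == "any" or (d in book and ipaddress.ip_network(book[d]) == internal)
                   for _, _, _, d in pol):
            findings.append(f"nat rule {name}: no policy destination resolves to {prefix}")
        for _, _, pname, d in pol:  # flag policies written against the pre-NAT public address
            if d in book and ipaddress.ip_network(book[d]) == public:
                findings.append(f"policy {pname}: destination is the pre-NAT address {match}")
    return findings
```

    Running check(CONFIG) on the posted config returns no findings, which matches the thread's conclusion that the config itself was fine and the fault lay elsewhere on the network.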



  • 4.  RE: SRX-300 1-to-1 NAT not passing traffic

    Posted 12-19-2022 22:47
    Thanks for the help troubleshooting, I found there was another router with a similar IP on the network causing troubles.