SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX NAT Address-Set Expansion

    Posted 02-14-2023 15:41

    Is there a way to expand the address-sets in a NAT policy to show all of the actual IPs in the NAT?

    For example I want to check to see if 192.168.1.1 is being natted somewhere.

    Sometimes I get lucky as there might be a direct one-to-one nat and a simple show configuration | display set | match 192.168.1.1 | match "set security nat"

    However - more often than not 192.168.1.1 is a member of an address set (or multiple address-sets) and that address-set is used in the nat rule-set

    So 192.168.1.1 is a member of CUSTOMER_NATS

    And the nat might be:  set security nat source ... match source-address-name CUSTOMER_NATS

    Is there a way to show the nat rule so that the address-set is expanded out to show all the actual IP values in "CUSTOMER_NATS"?



    ------------------------------
    RANDY PARLIER
    ------------------------------



  • 2.  RE: SRX NAT Address-Set Expansion

    Posted 02-14-2023 15:44
    Edited by spuluka 02-14-2023 15:45

    Sounds like what you are looking for is the operational command:

    show security match-policies 

    This can then be restricted to source, destination or ports and look at the deployed policies to see where that selected option would be active.  This works against the deployed policy itself and not the raw configuration elements.

    https://www.juniper.net/documentation/us/en/software/junos/security-policies/topics/ref/command/show-security-match-policies.html

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: SRX NAT Address-Set Expansion

    Posted 02-14-2023 18:08

    Thank you for the reply.  I think what I'm trying to do is a little simpler than that.  I'm just trying to find out if an IP is being natted, and if it is being natted, what it is natted to.  I may not know what the source and/or dest IP is going to be -- doing reconnaissance to collect that information...

    Here's what I'm doing today:

    show configuration | display set | match 192.168.1.1 | match "set security nat" ==> no results

    Take out the match "set security nat" and run it again:

    show configuration | display set | match 192.168.1.1

    Results of this command: (modified)
    set security address-book global address 192.168.1.1-32 192.168.1.1/32
    set security address-book global address-set CLIENT-SERVERS address 192.168.1.1-32
    set security address-book global address-set APP-SERVERS address 192.168.1.1-32
    set security address-book global address-set MORE-SERVERS address 192.168.1.1-32
    set security address-book global address-set OTHER-SVRS address 192.168.1.1-32
    set security address-book global address-set PROD-SERVERS address 192.168.1.1-32
    set security address-book global address-set VIP-SRVRS address 192.168.1.1-32
    set security address-book global address-set SERVERS-UAT address 192.168.1.1-32
    set security address-book global address-set SERVERS-CLIENT address 192.168.1.1-32
    set security address-book global address-set INTERNAL-SRVS address 192.168.1.1-32
    set security address-book global address-set ADD-SERVERS address 192.168.1.1-32
    set security address-book global address-set CLIENT2-SRVRS address 192.168.1.1-32

    So this IP is in eleven different address-sets.  Given that, I now manually run through each address-set looking for a nat:

    show configuration | display set | match CLIENT-SERVERS | match "set security nat"

    show configuration | display set | match APP-SERVERS | match "set security nat"

    show configuration | display set | match MORE-SERVERS | match "set security nat"

    show configuration | display set | match .... etc. etc.

    Until somewhere along the way I might find something like this:

       set security nat source rule-set BIG_NATS rule V-10-10-10-1 match source-address-name INTERNAL-SRVS

    Which tells me 192.168.1.1  will get source natted to 10.10.10.1  --> and that's basically the information I need.

    Obviously this can become very time-consuming.  I was hoping there was a CLI command that essentially shows the expanded address-set so I can get the NAT assignment.  So if there were two IPs in INTERNAL-SRVS: 192.168.1.1 and 192.168.1.2;  I'd like to have a command line output that expands the INTERNAL-SRVS from:

       set security nat source rule-set BIG_NATS rule V-10-10-10-1 match source-address-name INTERNAL-SRVS

    to

       set security nat source rule-set BIG_NATS rule V-10-10-10-1 match source 192.168.1.1

       set security nat source rule-set BIG_NATS rule V-10-10-10-1 match source 192.168.1.2

    or anything similar to that where the IPs in the INTERNAL-SRVS address-set are extrapolated out.

    At any rate just thought I'd ask in case there was some way to do it with the existing tools/commands already built in to the SRX.  Might end up having to script something up.

    <sorry for the long-winded response>



    ------------------------------
    RANDY PARLIER
    ------------------------------
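
The lookup described in post 3 can be scripted offline against saved `show configuration | display set` output, including address-sets nested inside other address-sets. This is an added example, not code from the thread or from Juniper: the function names, the sample configuration and the pool name `POOL-1` are constructed, and only prefix-style address-book entries are handled.

```python
import ipaddress
import re

# Constructed `show configuration | display set` excerpt, not from a real device.
SAMPLE = """\
set security address-book global address 192.168.1.1-32 192.168.1.1/32
set security address-book global address-set INTERNAL-SRVS address 192.168.1.1-32
set security address-book global address-set ALL-SRVS address-set INTERNAL-SRVS
set security nat source rule-set BIG_NATS rule V-10-10-10-1 match source-address-name ALL-SRVS
set security nat source rule-set BIG_NATS rule V-10-10-10-1 then source-nat pool POOL-1
"""
ADDR = re.compile(r"set security address-book \S+ address (\S+) (\S+/\d+)$")
MEMBER = re.compile(r"set security address-book \S+ address-set (\S+) address(?:-set)? (\S+)$")
RULE = re.compile(r"set security nat (\S+) rule-set (\S+) rule (\S+) (match|then) (.+)$")

def parse(config):
    addrs, sets, rules = {}, {}, {}
    for line in map(str.strip, config.splitlines()):
        if m := ADDR.match(line):
            addrs[m[1]] = ipaddress.ip_network(m[2], strict=False)
        elif m := MEMBER.match(line):
            sets.setdefault(m[1], []).append(m[2])
        elif m := RULE.match(line):
            rule = rules.setdefault((m[1], m[2], m[3]), {"match": [], "then": []})
            rule[m[4]].append(m[5])
    return addrs, sets, rules

def expand(name, addrs, sets, seen):
    # Resolve an address or (nested) address-set name; `seen` stops reference loops.
    if name in seen:
        return set()
    seen.add(name)
    nets = {addrs[name]} if name in addrs else set()
    for member in sets.get(name, ()):
        nets |= expand(member, addrs, sets, seen)
    return nets

def nat_rules_for(ip, config):
    # Yield (nat type, rule-set, rule, match clause, then actions) for rules matching ip.
    ip, (addrs, sets, rules) = ipaddress.ip_address(ip), parse(config)
    for (kind, rs, rule), body in rules.items():
        for clause in body["match"]:
            field, _, value = clause.partition(" ")
            nets = set()
            if field.endswith("-address-name"):
                nets = expand(value, addrs, sets, set())
            elif field.endswith("-address"):
                nets = {ipaddress.ip_network(value, strict=False)}
            if any(ip in n for n in nets):
                yield kind, rs, rule, clause, body["then"]
```

`list(nat_rules_for("192.168.1.1", SAMPLE))` returns the `V-10-10-10-1` rule with its `then` action. Only `match` clauses are inspected, so an address that appears solely in a pool or in a `then` line is not reported.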