  • 1.  Website DNS ALG Issue

    Posted 02-21-2023 09:55
    Edited by Juniper Community Admin 09-01-2023 13:26


    Hi,

    We have a website (example.com) running inside our organisation, and a public-to-private static NAT configured in our vSRX (103.10.10.10 -> 10.100.100.10). All the outside internet users can access the website (example.com), which is translating to public IP 103.10.10.10.

    The issue now is for the internal users: when they try to access this internal website (example.com), it resolves to public IP 103.10.10.10, and it doesn't work.

    Please note that we don't have any DNS server internally; we are using Google DNS 8.8.8.8, and the vSRX is running 21.4R3.15.

    In this situation, I think DNS doctoring needs to be implemented, which can resolve the domain example.com to the internal IP (10.100.100.10) instead of the public IP for the internal users.


    Following is my configuration; could you help me fix this issue?

    Static NAT

    ***************

    set security address-book global address INTERNAL_SUBNET 10.100.100.0/24
    set security address-book global address h-10.100.100.10 10.100.100.10/32
    set security nat destination pool web1 address 10.100.100.10/32

    set security nat destination rule-set rs1 rule 10 match destination-address 103.10.10.10/32
    set security nat destination rule-set rs1 rule 10 then destination-nat pool web1

    Security rule

    *****************

    set security policies from-zone SL-PUBLIC to-zone SL-PRIVATE policy INTERNET-WEB1 match source-address any
    set security policies from-zone SL-PUBLIC to-zone SL-PRIVATE policy INTERNET-WEB1 match destination-address h-10.100.100.10
    set security policies from-zone SL-PUBLIC to-zone SL-PRIVATE policy INTERNET-WEB1 match application http
    set security policies from-zone SL-PUBLIC to-zone SL-PRIVATE policy INTERNET-WEB1 match application https
    set security policies from-zone SL-PUBLIC to-zone SL-PRIVATE policy INTERNET-WEB1 then permit
    set security policies from-zone SL-PUBLIC to-zone SL-PRIVATE policy INTERNET-WEB1 then log session-init
    set security policies from-zone SL-PUBLIC to-zone SL-PRIVATE policy INTERNET-WEB1 then log session-close


    set security policies from-zone SL-PRIVATE to-zone SL-PUBLIC policy Dnat-Internet match source-address INTERNAL_SUBNET
    set security policies from-zone SL-PRIVATE to-zone SL-PUBLIC policy Dnat-Internet match destination-address any
    set security policies from-zone SL-PRIVATE to-zone SL-PUBLIC policy Dnat-Internet match application junos-dns-udp
    set security policies from-zone SL-PRIVATE to-zone SL-PUBLIC policy Dnat-Internet then permit
    set security policies from-zone SL-PRIVATE to-zone SL-PUBLIC policy Dnat-Internet then log session-init
    set security policies from-zone SL-PRIVATE to-zone SL-PUBLIC policy Dnat-Internet then log session-close

    set security policies from-zone SL-PRIVATE to-zone SL-PUBLIC policy Dnat-Internet-2 match source-address INTERNAL_SUBNET
    set security policies from-zone SL-PRIVATE to-zone SL-PUBLIC policy Dnat-Internet-2 match destination-address any
    set security policies from-zone SL-PRIVATE to-zone SL-PUBLIC policy Dnat-Internet-2 match application any
    set security policies from-zone SL-PRIVATE to-zone SL-PUBLIC policy Dnat-Internet-2 then permit
    set security policies from-zone SL-PRIVATE to-zone SL-PUBLIC policy Dnat-Internet-2 then log session-init
    set security policies from-zone SL-PRIVATE to-zone SL-PUBLIC policy Dnat-Internet-2 then log session-close


    root@myfw-vsrx-vSRX> show security alg status 
    ALG Status:
      DNS      : Enabled
      FTP      : Enabled
      H323     : Enabled
      MGCP     : Enabled
      MSRPC    : Enabled
      PPTP     : Enabled
      RSH      : Disabled
      RTSP     : Enabled
      SCCP     : Enabled
      SIP      : Enabled
      SQL      : Disabled
      SUNRPC   : Enabled
      TALK     : Enabled
      TFTP     : Enabled
      IKE-ESP  : Disabled
      TWAMP    : Disabled

    Regards,

    Ali
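
What DNS doctoring does to a response on the wire, as an added illustration that is not part of the original post and is not Juniper's implementation: A records carrying the NAT public address are rewritten to the internal address before the reply reaches the internal client. The address mapping is the one from the post; the function names and the sample packet are constructed for this example.

```python
import socket
import struct

# Mapping taken from the post: public address -> internal server.
NAT_MAP = {"103.10.10.10": "10.100.100.10"}

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return off + 2
        if length == 0:             # root label ends the name
            return off + 1
        off += 1 + length

def doctor_response(msg, nat_map=NAT_MAP):
    """Rewrite IPv4 A-record addresses in a DNS response according to nat_map."""
    out = bytearray(msg)
    _id, _flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):             # question entry: name + type + class
        off = skip_name(msg, off) + 4
    rewritten = []
    for _ in range(an + ns + ar):   # answer, authority and additional records
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:   # IN A record
            addr = socket.inet_ntoa(msg[off:off + 4])
            if addr in nat_map:
                out[off:off + 4] = socket.inet_aton(nat_map[addr])
                rewritten.append((addr, nat_map[addr]))
        off += rdlen
    return bytes(out), rewritten

def build_sample_response():
    """Constructed DNS reply: example.com A 103.10.10.10 (not captured traffic)."""
    header = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
              + socket.inet_aton("103.10.10.10"))
    return header + question + answer

if __name__ == "__main__":
    doctored, changes = doctor_response(build_sample_response())
    print(changes, socket.inet_ntoa(doctored[-4:]))
```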