Junos OS


Ask questions and share experiences about Junos OS.
  • 1.  Destination NAT

    Posted 06-17-2011 20:09

    I've been trying to pinhole several ports through our SRX firewall to our internal network. I've found several examples online and PDFs but can't quite get the connection to work.

    The configuration changes I'm trying to make are below. According to the logs the SRX is registering the translation request and passing it through to the correct Destination NAT rule, then on to the correct DNAT pool, but the actual policy never picks it up. A "show security flow session destination-port 85" shows no sessions. Interface ge-0/0/0.0 has been assigned the IP address 1.1.1.1 and this is the only IP address we have been allocated.

    set security nat destination pool dnat-voip address 172.16.1.236/32 port 5060
    set security nat destination pool dnat-sc1 address 172.16.1.235/32 port 18004
    set security nat destination pool dnat-sc2 address 172.16.1.235/32 port 9000
    set security nat destination pool dnat-sc3 address 172.16.1.235/32 port 85
    set security nat destination rule-set dst-nat from interface ge-0/0/0.0
    set security nat destination rule-set dst-nat rule rule2 match destination-address 1.1.1.1/32
    set security nat destination rule-set dst-nat rule rule2 match destination-port 5060
    set security nat destination rule-set dst-nat rule rule2 then destination-nat pool dnat-voip
    set security nat destination rule-set dst-nat rule rule3 match destination-address 1.1.1.1/32
    set security nat destination rule-set dst-nat rule rule3 match destination-port 18004
    set security nat destination rule-set dst-nat rule rule3 then destination-nat pool dnat-sc1
    set security nat destination rule-set dst-nat rule rule4 match destination-address 1.1.1.1/32
    set security nat destination rule-set dst-nat rule rule4 match destination-port 9000
    set security nat destination rule-set dst-nat rule rule4 then destination-nat pool dnat-sc2
    set security nat destination rule-set dst-nat rule rule5 match destination-address 1.1.1.1/32
    set security nat destination rule-set dst-nat rule rule5 match destination-port 85
    set security nat destination rule-set dst-nat rule rule5 then destination-nat pool dnat-sc3
    set security zones security-zone trust address-book address voipserver 172.16.1.236
    set security zones security-zone trust address-book address videoserver 172.16.1.235
    set security zones security-zone trust address-book address-set servergroup address voipserver
    set security zones security-zone trust address-book address-set servergroup address videoserver
    set security policies from-zone untrust to-zone trust policy static-nat match source-address any destination-address servergroup application SIP
    set security policies from-zone untrust to-zone trust policy static-nat match source-address any destination-address servergroup application SC1
    set security policies from-zone untrust to-zone trust policy static-nat match source-address any destination-address servergroup application SC2
    set security policies from-zone untrust to-zone trust policy static-nat match source-address any destination-address servergroup application SC3
    set security policies from-zone untrust to-zone trust policy static-nat then permit


    Any help is very much appreciated.

    Regards



  • 2.  RE: Destination NAT

    Posted 06-18-2011 01:31

    Hi


    I would suggest that something is wrong with matching on application. Can you add another policy with same source and destination, and application "any"? Thus it will be possible to check if my guess is correct.



  • 3.  RE: Destination NAT

    Posted 06-18-2011 01:57

    Thanks for your reply. I originally thought the same thing; I've tried opening up any application, and also any address, but still have the same issue. I've also moved the policy preference ahead of all other policies, with the same result.



  • 4.  RE: Destination NAT
    Best Answer

    Posted 06-18-2011 02:02


  • 5.  RE: Destination NAT

    Posted 06-18-2011 04:10

    I'm certainly no expert on reviewing traffic logs in Junos, but the below appears to indicate it's not finding a suitable policy to pass the traffic through, even though I've tried an any-to-any on port any.


    Jun 18 23:00:54 23:00:54.538980:CID-0:RT:  policy search from zone untrust-> zone trust
    Jun 18 23:00:54 23:00:54.538980:CID-0:RT:  app 0, timeout 1800s, curr ageout 20s
    Jun 18 23:00:54 23:00:54.538980:CID-0:RT:flow_first_policy_search: VPN firstpath permit check failed
    Jun 18 23:00:54 23:00:54.538980:CID-0:RT:  flow find session returns error.
    Jun 18 23:00:54 23:00:54.538980:CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)



  • 6.  RE: Destination NAT

    Posted 06-18-2011 04:30

    Tuned the policy and moved it above all the VPN policies, and it appears to be working now. Thanks for all your assistance.
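The thread's root cause was policy ordering: the security policy must match the post-NAT (pool) address, and a policy-based VPN policy listed ahead of the NAT policy was being hit first. The following is an added example, not code from the thread or from Juniper: a small Python audit over set-style config that resolves each destination-NAT rule to its translated address and reports the first untrust-to-trust policy that matches it. The config is constructed from the port-85 rule in the original post plus an assumed "permit tunnel" VPN policy named vpn-site-a; policy names, the sample zones and the VPN policy are assumptions.

```python
# Constructed sample, not the thread's full config: the port-85 DNAT from the post plus an assumed
# policy-based VPN policy defined ahead of the NAT policy (the shadowing the last reply fixed).
CONFIG = """\
set security nat destination pool dnat-sc3 address 172.16.1.235/32 port 85
set security nat destination rule-set dst-nat rule rule5 then destination-nat pool dnat-sc3
set security zones security-zone trust address-book address videoserver 172.16.1.235
set security zones security-zone trust address-book address-set servergroup address videoserver
set security policies from-zone untrust to-zone trust policy vpn-site-a match source-address any destination-address any application any
set security policies from-zone untrust to-zone trust policy vpn-site-a then permit tunnel ipsec-vpn site-a
set security policies from-zone untrust to-zone trust policy static-nat match source-address any destination-address servergroup application SC3
set security policies from-zone untrust to-zone trust policy static-nat then permit
"""

def parse(config):
    # policies are kept in definition order, which is the order the SRX evaluates them in
    pools, rules, book, sets, policies = {}, {}, {}, {}, {}
    for t in (line.split() for line in config.splitlines() if line.strip()):
        if t[:5] == ["set", "security", "nat", "destination", "pool"]:
            pools[t[5]] = t[7].split("/")[0]            # pool name -> translated IP
        elif t[:5] == ["set", "security", "nat", "destination", "rule-set"] and t[8:9] == ["then"]:
            rules[t[7]] = t[11]                         # rule name -> pool name
        elif t[:3] == ["set", "security", "zones"] and t[5:6] == ["address-book"]:
            if t[6] == "address":
                book[t[7]] = t[8].split("/")[0]         # address name -> IP
            else:                                       # address-set <set> address <member>
                sets.setdefault(t[7], []).append(t[9])
        elif t[:3] == ["set", "security", "policies"]:
            p = policies.setdefault(t[8], {"from": t[4], "to": t[6], "dst": set(), "tunnel": False})
            if "destination-address" in t:
                p["dst"].add(t[t.index("destination-address") + 1])
            if t[9:10] == ["then"]:
                p["tunnel"] = "tunnel" in t             # "permit tunnel ipsec-vpn ..." = VPN policy
    return pools, rules, book, sets, policies

def covers(name, ip, book, sets):
    # an address-book name covers ip if it is "any", that address, or a set containing it
    return name == "any" or ip in {book.get(m) for m in sets.get(name, [name])}

def audit(config):
    # for each DNAT rule, report the first untrust->trust policy matching the post-NAT address
    pools, rules, book, sets, policies = parse(config)
    findings = {}
    for rule, pool in sorted(rules.items()):
        ip = pools[pool]
        hit = next((n for n, p in policies.items() if (p["from"], p["to"]) == ("untrust", "trust")
                    and any(covers(d, ip, book, sets) for d in p["dst"])), None)
        findings[rule] = ("no policy permits post-NAT destination " + ip if hit is None else
                          "shadowed by VPN policy " + hit if policies[hit]["tunnel"] else
                          "permitted by policy " + hit)
    return findings
```

Running audit(CONFIG) reports rule5 as shadowed by vpn-site-a; reordering the two policies (on the box, "insert ... before" rather than re-entering them) makes the same audit report it as permitted by static-nat.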