Junos

dgoymer (Visitor, Posts: 8, Registered: 12-20-2009)

Accepted Solution

Destination NAT

I've been trying to pinhole several ports through our SRX firewall to our internal network. I've found several examples online and PDFs but can't quite get the connection to work.

The configuration changes I'm trying to make are below. According to the logs the SRX is registering the translation request and passing it through to the correct destination NAT rule, then on to the correct DNAT pool, but the actual policy never picks it up. A "show security flow session destination-port 85" shows no sessions. Interface ge-0/0/0.0 has been assigned the IP address 1.1.1.1, and this is the only IP address we have been allocated.

set security nat destination pool dnat-voip address 172.16.1.236/32 port 5060
set security nat destination pool dnat-sc1 address 172.16.1.235/32 port 18004
set security nat destination pool dnat-sc2 address 172.16.1.235/32 port 9000
set security nat destination pool dnat-sc3 address 172.16.1.235/32 port 85
set security nat destination rule-set dst-nat from interface ge-0/0/0.0
set security nat destination rule-set dst-nat rule rule2 match destination-address 1.1.1.1/32
set security nat destination rule-set dst-nat rule rule2 match destination-port 5060
set security nat destination rule-set dst-nat rule rule2 then destination-nat pool dnat-voip
set security nat destination rule-set dst-nat rule rule3 match destination-address 1.1.1.1/32
set security nat destination rule-set dst-nat rule rule3 match destination-port 18004
set security nat destination rule-set dst-nat rule rule3 then destination-nat pool dnat-sc1
set security nat destination rule-set dst-nat rule rule4 match destination-address 1.1.1.1/32
set security nat destination rule-set dst-nat rule rule4 match destination-port 9000
set security nat destination rule-set dst-nat rule rule4 then destination-nat pool dnat-sc2
set security nat destination rule-set dst-nat rule rule5 match destination-address 1.1.1.1/32
set security nat destination rule-set dst-nat rule rule5 match destination-port 85
set security nat destination rule-set dst-nat rule rule5 then destination-nat pool dnat-sc3
set security zones security-zone trust address-book address voipserver 172.16.1.236
set security zones security-zone trust address-book address videoserver 172.16.1.235
set security zones security-zone trust address-book address-set servergroup address voipserver
set security zones security-zone trust address-book address-set servergroup address videoserver
set security policies from-zone untrust to-zone trust policy static-nat match source-address any destination-address servergroup application SIP
set security policies from-zone untrust to-zone trust policy static-nat match source-address any destination-address servergroup application SC1
set security policies from-zone untrust to-zone trust policy static-nat match source-address any destination-address servergroup application SC2
set security policies from-zone untrust to-zone trust policy static-nat match source-address any destination-address servergroup application SC3
set security policies from-zone untrust to-zone trust policy static-nat then permit

Any help is very much appreciated.

Regards

pk (Distinguished Expert, Posts: 800, Registered: 10-09-2008)

Re: Destination NAT

Hi

I would suggest that something is wrong with matching on application. Can you add another policy with the same source and destination, and application "any"? Thus it will be possible to check if my guess is correct.

Best Regards,
Petr (PK)

Juniper Ambassador, Juniper Networks Certified Instructor,
JNCIE-SEC #98, JNCIE-ENT #393, JNCIE-SP #2253
[Juniper Authorized Education & Support in Russia]
dgoymer

Re: Destination NAT

Thanks for your reply. I originally thought the same thing, I've tried opening up any application, and also any address, but still have the same issue. I've also moved the policy preference ahead of all other policies with the same result.

pk

Re: Destination NAT

May be a good time to do some flow debugging:

http://forums.juniper.net/t5/Day-One-Tips-Contest/Tips-for-debugging-on-the-SRX/td-p/61550

Best Regards,
Petr (PK)

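Flow debugging on the SRX, as an added example that is not part of pk's reply or of the linked tips page. It traces only the flow from the original post: TCP to 1.1.1.1 port 85 on the way in (the packet filter sees the pre-NAT destination) and the reverse direction from the real server 172.16.1.235 port 85. The file and filter names are arbitrary, TCP is assumed for the port-85 service, and the "#" lines are annotations, not configuration.

```junos
# Write the trace to a dedicated, size-capped file so it cannot fill /var
set security flow traceoptions file flow-debug size 1m files 3
# basic-datapath prints the first-path decisions: NAT rule hit, policy search, session create
set security flow traceoptions flag basic-datapath
# Packet filters match the packet as it arrives, i.e. before destination NAT,
# so the inbound filter uses the public address 1.1.1.1 (assumed TCP)
set security flow traceoptions packet-filter in-85 protocol tcp
set security flow traceoptions packet-filter in-85 destination-prefix 1.1.1.1/32
set security flow traceoptions packet-filter in-85 destination-port 85
# The return direction carries the real server address as its source
set security flow traceoptions packet-filter out-85 protocol tcp
set security flow traceoptions packet-filter out-85 source-prefix 172.16.1.235/32
set security flow traceoptions packet-filter out-85 source-port 85
commit

# Start a connection from outside, then read only the decision lines
run clear log flow-debug
run show log flow-debug | match "dst_nat|policy search|permit|deny|session"

# Tracing costs data-plane CPU; switch it off once the capture is done
deactivate security flow traceoptions
commit
```

Without the packet filters the trace records every flow through the box, which on a busy SRX buries the one connection of interest and can itself cause packet loss; keep both filters and deactivate the traceoptions as soon as the capture is complete.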
dgoymer

Re: Destination NAT

I'm certainly no expert on reviewing traffic logs in Junos, but the below appears to indicate it's not finding a suitable policy to pass the traffic through, even though I've tried an any-to-any policy on port any.

Jun 18 23:00:54 23:00:54.538980:CID-0:RT:  policy search from zone untrust-> zone trust
Jun 18 23:00:54 23:00:54.538980:CID-0:RT:  app 0, timeout 1800s, curr ageout 20s
Jun 18 23:00:54 23:00:54.538980:CID-0:RT:flow_first_policy_search: VPN firstpath permit check failed
Jun 18 23:00:54 23:00:54.538980:CID-0:RT:  flow find session returns error.
Jun 18 23:00:54 23:00:54.538980:CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)

dgoymer

Re: Destination NAT

Tuned the policy and moved it above all the VPN policies, and it now appears to be working. Thanks for all your assistance.
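The fix described in this last post, written out as an added example rather than the poster's own configuration. It assumes the four custom applications referenced by the policy are on the ports used in the DNAT pools (the thread never shows their definitions, and SIP is assumed to be UDP), and it uses "vpn-to-branch" as a placeholder name for the first VPN policy that was claiming the traffic; the "#" lines are annotations, not configuration.

```junos
# Assumed definitions for the custom applications referenced by the policy
set applications application SIP protocol udp destination-port 5060
set applications application SC1 protocol tcp destination-port 18004
set applications application SC2 protocol tcp destination-port 9000
set applications application SC3 protocol tcp destination-port 85

# Destination NAT runs before the policy lookup, so the policy must match the
# translated (real) server addresses, which the servergroup address-set already does.
# Policies within a zone pair are evaluated top down and the first match wins:
# a policy-based VPN policy with a broad match placed above this one takes the
# flow first, which is the "VPN firstpath permit check failed" seen in the trace.
# "vpn-to-branch" is a placeholder for the poster's first VPN policy.
insert security policies from-zone untrust to-zone trust policy static-nat before policy vpn-to-branch

# Log session setup so a hit on this policy is visible without flow tracing
set security policies from-zone untrust to-zone trust policy static-nat then log session-init
commit

# Verification: NAT rule and pool hit counters, resulting policy order, live session
run show security nat destination rule all
run show security nat destination pool all
run show security policies from-zone untrust to-zone trust
run show security flow session destination-port 85
```

Two caveats a practitioner would want here. First, the placement fix only works because the VPN policies match more broadly than they need to; narrowing those policies to the actual tunnel endpoints removes the ordering dependency altogether. Second, a custom UDP/5060 application does not invoke the SRX SIP ALG; the predefined junos-sip application does, and the ALG is what rewrites the private addresses inside SDP so that the media streams work through NAT.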
