Junos OS


Ask questions and share experiences about Junos OS.
  • 1.  NAT on SRX210

    Posted 01-03-2011 09:42

    When I use

    run ping 202.175.3.3 interface ge-0/0/1

    it doesn't work; however, if I use the command below, it works well:

    run ping 202.175.3.3 interface ge-0/0/0

    I think the problem is about NAT.

     

    admin# run show security nat interface-nat-ports
    Pool   Total  Single ports  Single ports  Twin ports  Twin ports
    index  ports     allocated     available   allocated   available
        0  64510             0         63486           0        1024
        1  64510             0         63486           0        1024
        2  64510             0         63486           0        1024
        3  64510             0         63486           0        1024
        4  64510             0         63486           0        1024
        5  64510             0         63486           0        1024
        6  64510             0         63486           0        1024
        7  64510             0         63486           0        1024

     

    Could someone please help me fix this?

     

    The attachment is my configuration txt file.



  • 2.  RE: NAT on SRX210
    Best Answer

    Posted 01-03-2011 10:04

    Hi,

     

    The problem is indeed NAT related. The problem is that you define your NAT rule as from zone trust to zone untrust. If you generate self traffic on the SRX, the source zone is always a built-in (and invisible) zone, junos-self. Therefore your NAT rule does not match this traffic and you send packets with RFC1918 addresses out to the Internet. No surprise that the return packets never arrive (or your ISP discards them when they reach its PE router).

     

    The same problem means that you can't create traffic on the firewall itself towards a policy-based VPN tunnel, as the policy with action tunnel is also defined on a source zone and self-sourced traffic never has such a zone as source.

     

    Unfortunately, the junos-self zone can't be included in a policy or NAT rule configuration.

     

    Regards,

    Dominik
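
The zone-pair mismatch described in this answer, modelled as an added Python check (editor's example, not Junos code or anything posted in the thread): it parses a constructed source-NAT rule-set in `set` syntax and reports whether a packet from a given source zone would leave with an untranslated RFC1918 source. The zone names, the private address assumed on ge-0/0/1 and the public address assumed on ge-0/0/0 are constructed assumptions, not taken from the attached configuration.

```python
import ipaddress
from dataclasses import dataclass
# Built-in zone for traffic the SRX generates itself; it cannot be named in a NAT rule-set.
SELF_ZONE = "junos-self"
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass(frozen=True)
class SourceNatRuleSet:
    name: str
    from_zone: str
    to_zone: str

def parse_rule_sets(config_lines):
    """Collect the from-zone / to-zone pair of each
    'set security nat source rule-set <name> ...' line; other lines are ignored."""
    sets = {}
    for line in config_lines:
        parts = line.split()
        if parts[:5] != ["set", "security", "nat", "source", "rule-set"]:
            continue
        entry = sets.setdefault(parts[5], {"from": None, "to": None})
        if parts[6:8] == ["from", "zone"]:
            entry["from"] = parts[8]
        elif parts[6:8] == ["to", "zone"]:
            entry["to"] = parts[8]
    return [SourceNatRuleSet(n, e["from"], e["to"]) for n, e in sets.items()]

def egress_source(rule_sets, src_zone, dst_zone, src_ip, egress_ip):
    """Address the packet leaves with: the egress interface address when a
    rule-set matches the zone pair (interface NAT), otherwise the original."""
    for rs in rule_sets:
        if rs.from_zone == src_zone and rs.to_zone == dst_zone:
            return egress_ip
    return src_ip

def leaks_private_address(rule_sets, src_zone, dst_zone, src_ip, egress_ip):
    """True if the packet would reach the Internet with an RFC1918 source."""
    out = ipaddress.ip_address(egress_source(rule_sets, src_zone, dst_zone, src_ip, egress_ip))
    return any(out in net for net in RFC1918)

# Constructed rule-set in the shape the thread describes: trust -> untrust only.
CONSTRUCTED_CONFIG = [
    "set security nat source rule-set trust-to-untrust from zone trust",
    "set security nat source rule-set trust-to-untrust to zone untrust",
    "set security nat source rule-set trust-to-untrust rule nat-all then source-nat interface",
]
RULE_SETS = parse_rule_sets(CONSTRUCTED_CONFIG)
# Assumed addresses: 192.168.1.1 on ge-0/0/1 (inside), 198.51.100.1 on ge-0/0/0 (outside).
HOST_LEAKS = leaks_private_address(RULE_SETS, "trust", "untrust", "192.168.1.10", "198.51.100.1")
SELF_LEAKS = leaks_private_address(RULE_SETS, SELF_ZONE, "untrust", "192.168.1.1", "198.51.100.1")
```

A host behind the SRX (zone trust) is translated, while the SRX's own ping sourced from the inside interface carries zone junos-self, misses the rule-set and leaves untranslated, which is exactly why the reply traffic never comes back.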



  • 3.  RE: NAT on SRX210

    Posted 01-03-2011 10:12

    Thank you for your reply.

    In addition,

    is anything wrong with my configuration?

    especially for VPN and NAT

    since if I want to test it with a PC connected to that SRX,

    I need to go to my customer's server room, so I want to ensure everything works before performing the on-site test

    or is there another method I can use to test the VPN and NAT remotely?

     

    Here is the result about VPN; does it mean everything goes right in the VPN part?

    admin# run show security ipsec security-associations
      Total active tunnels: 3
      ID    Gateway          Port  Algorithm       SPI      Life:sec/kb  Mon vsys
      <2    202.175.119.124  500   ESP:3des/md5    d5f7db2  624/  unlim   -   0
      >2    202.175.119.124  500   ESP:3des/md5    a3f6833e 624/  unlim   -   0
      <3    202.175.119.124  500   ESP:3des/md5    c13a5694 705/  unlim   -   0
      >3    202.175.119.124  500   ESP:3des/md5    a3f6833f 705/  unlim   -   0
      <4    202.175.119.124  500   ESP:3des/md5    79c0ce8  764/  unlim   -   0
      >4    202.175.119.124  500   ESP:3des/md5    a3f68340 764/  unlim   -   0



  • 4.  RE: NAT on SRX210

    Posted 01-03-2011 10:18

    Hi,

     

    Your config looks reasonable to me at first view. I personally prefer route-based VPN instead of policy-based because I like that there is only one place that points to the next hop of a packet - the routing table, where the policies should imho only be an overlay that permits or discards specific packets. But of course policy-based VPN works and is fully supported, so there is nothing really bad with them.

     

    So you could delete the st0 interface as it is not used.

     

    Regards,

    Dominik



  • 5.  RE: NAT on SRX210

    Posted 01-03-2011 20:12

    Thank you for your help.

    It is a great help to me.

    Excuse me, may I ask one more question?

    Is it necessary to configure pair-policy for policy-based VPN?



  • 6.  RE: NAT on SRX210

    Posted 01-04-2011 02:30

    You are welcome! Yes, you should use the pair policy statement to link the return traffic to the same SA pair.