SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Allow services on static NATed IP?

    Posted 01-14-2017 10:55

    Happy Saturday! Junos question for you. My public interface in Untrust zone is vlan.2 with IP (using examples here) 1.1.1.71. I use static NAT for 1.1.1.73 to 10.0.3.13/32.

    I allow pings to untrust but since the 73 IP is static NATed and not the IP of the public interface, I can't ping it. Also can't RDP to 10.0.3.13 despite allowing RDP in untrust policy - again because the 73 public IP is not in a zone.

    I can add interfaces to zones but not IPs.

    So how do I allow services like ping and RDP to a static NATed address?

    This is what I am researching today. Any ideas are welcome!

    P.S. I am using proxy ARP too.



  • 2.  RE: Allow services on static NATed IP?

    Posted 01-14-2017 11:50

    Hi wq,

    To allow RDP, ping etc. you just need to create a security policy from untrust to trust with the internal IP as the destination-address in the policy. If you look at the order of packet handling in the Junos flow module below, you can see that static and destination NAT are handled before policies, so the only place you need to define the public IP is in NAT (and proxy-arp...).

    Hope this helps.


  • 3.  RE: Allow services on static NATed IP?

    Posted 01-14-2017 17:59

    LATEST UPDATE: Got it working! See the code below for the change I had to make. I had to delete the static NAT that did not include ports and create a static NAT rule for each port. Alternatively, I could have left the existing static NAT and simply placed the endor_33389 rule above it.

    will@srx# top show | compare
    [edit security nat static]
    !      inactive: rule-set yeti_server { ... }
    [edit security nat static rule-set endor_server]
    +      rule endor_33389 {
    +          match {
    +              destination-address 1.1.1.73/32;
    +              destination-port 33389;
    +          }
    +          then {
    +              static-nat {
    +                  prefix {
    +                      10.0.3.13/32;
    +                      mapped-port 3389;
    +                  }
    +              }
    +          }
    +      }
    +      rule endor_7777 {
    +          match {
    +              destination-address 1.1.1.73/32;
    +              destination-port 7777;
    +          }
    +          then {
    +              static-nat {
    +                  prefix {
    +                      10.0.3.13/32;
    +                      mapped-port 7777;
    +                  }
    +              }
    +          }
    +      }
    -      rule endor_static {
    -          match {
    -              destination-address 1.1.1.73/32;
    -          }
    -          then {
    -              static-nat {
    -                  prefix {
    -                      10.0.3.13/32;
    -                  }
    -              }
    -          }
    -      }
    
    [edit security nat static]
    will@srx# top commit
    commit complete

    Thanks for the help, jonashauge. However, it is still not working. I have a security policy, and I have the necessary NAT.

    I'm comparing two machines. RDP works for 10.0.3.11:3389 (1.1.1.71:33389) but RDP does NOT work for 10.0.3.13:3389 (1.1.1.73:33389).

    What's weird is that 10.0.3.13:7777 (1.1.1.73:7777) works just fine from outside. Because of that, and because 33389 to 3389 gets translated correctly for the 1.1.1.71 IP, the problem has something to do with the way the static NAT is translating 33389 to 3389, or vice versa.

    UPDATE: Apparently RDPing to 1.1.1.73:3389 (the default RDP port) DOES work from untrust to trust. However, I want to be translating that port. Why doesn't 1.1.1.73:33389 work?!

    See config below:

    First there is the definition of my public IP and the proxy-arp for the two consecutive IP numbers (71, and then 72-73), then zone membership:

    will@srx# show interfaces vlan.2
    family inet {
        address 1.1.1.71/24;
    }
    
    will@srx# show security nat proxy-arp
    interface vlan.2 {
        address {
            1.1.1.72/32 to 1.1.1.73/32;
        }
    }
    
    will@srx# show security zones security-zone untrust
    screen untrust-screen;
    host-inbound-traffic {
        system-services {
            ping;
            ssh;
            ftp;
        }
    }
    interfaces {
        vlan.2;
    }

    Address book entries for the two trust zone RDP destinations:

    will@srx# show security address-book trust
    address Terminus 10.0.3.11/32;
    address Endor 10.0.3.13/32;
    attach {
        zone trust;
    }

    Then my NAT:

    will@srx# show security nat destination
    pool dnat-10_0_3_11p3389 {
        address 10.0.3.11/32 port 3389;
    }
    pool dnat-10_0_3_13p3389 {
        address 10.0.3.13/32 port 3389;
    }
    rule-set port-forwarding {
        from zone untrust;
        rule terminus_3389 {
            match {
                destination-address 1.1.1.71/32;
                destination-port {
                    33389;
                }
            }
            then {
                destination-nat {
                    pool {
                        dnat-10_0_3_11p3389;
                    }
                }
            }
        }
        rule endor_3389 {
            match {
                destination-address 1.1.1.73/32;
                destination-port {
                    33389;
                }
            }
            then {
                destination-nat {
                    pool {
                        dnat-10_0_3_13p3389;
                    }
                }
            }
        }
    }

    will@srx# show security nat static
    rule-set endor_server {
        from interface vlan.2;
        rule endor_static {
            match {
                destination-address 1.1.1.73/32;
            }
            then {
                static-nat {
                    prefix {
                        10.0.3.13/32;
                    }
                }
            }
        }
    }

    Finally, my policy:

    will@srx# show security policies from-zone untrust to-zone trust
    policy terminus-server {
        match {
            source-address any;
            destination-address Terminus;
            application [ TCP_7777 TCP_21025 TCP_3389 ];
        }
        then {
            permit;
            log {
                session-init;
                session-close;
            }
        }
    }
    policy endor-server {
        match {
            source-address any;
            destination-address Endor;
            application [ TCP_7777 TCP_3389 ];
        }
        then {
            permit;
            log {
                session-init;
                session-close;
            }
        }
    }

    See below for my traceoptions. I've replaced my source IP with 23.24.25.26. Traceoptions shows it's permitted by policy, but RDP fails.

    will@srx# show security flow traceoptions
    file mytrace;
    flag basic-datapath;
    packet-filter untrust-to-trust {
        source-prefix 23.24.25.26/32;
        destination-prefix 1.1.1.73/32;
    }
    packet-filter trust-to-untrust {
        source-prefix 23.24.25.26/32;
        destination-prefix 23.24.25.26/32;
    }

    Jan 15 01:38:22 01:38:22.747896:CID-0:RT:<23.24.25.26/30868->1.1.1.73/33389;6> matched filter untrust-to-trust:
    
    Jan 15 01:38:23 01:38:22.747896:CID-0:RT:packet [48] ipid = 18300, @0x43e7c224
    
    Jan 15 01:38:23 01:38:22.747896:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 15, common flag 0x0, mbuf 0x43e7c000, rtbl_idx = 0
    
    Jan 15 01:38:23 01:38:22.747896:CID-0:RT: flow process pak fast ifl 71 in_ifp vlan.2
    
    Jan 15 01:38:23 01:38:22.747896:CID-0:RT:  vlan.2:23.24.25.26/30868->1.1.1.73/33389, tcp, flag 2 syn
    
    Jan 15 01:38:23 01:38:22.747896:CID-0:RT: find flow: table 0x54e0ea80, hash 5598(0xffff), sa 23.24.25.26, da 1.1.1.73, sp 30868, dp 33389, proto 6, tok 7
    
    Jan 15 01:38:23 01:38:22.747896:CID-0:RT:Found: session id 0xe8ad. sess tok 7
    
    Jan 15 01:38:23 01:38:22.747896:CID-0:RT:  flow got session.
    
    Jan 15 01:38:23 01:38:22.747896:CID-0:RT:  flow session id 59565
    
    Jan 15 01:38:23 01:38:22.747896:CID-0:RT: vector bits 0x1002 vector 0x4abb6a40
    
    Jan 15 01:38:23 01:38:22.747896:CID-0:RT: tcp 3way refresh, is_half_open:0, tcp_proxy enabled:0, is_fwauth:0
    
    Jan 15 01:38:23 01:38:22.747896:CID-0:RT:flow_xlate_pak
    
    Jan 15 01:38:23 01:38:22.747896:CID-0:RT:  post addr xlation: 23.24.25.26->10.0.3.13.
    
    Jan 15 01:38:23 01:38:22.747896:CID-0:RT:  post addr xlation: 23.24.25.26->10.0.3.13.
    
    Jan 15 01:38:23 01:38:22.747896:CID-0:RT:skip pre-frag: is_tunnel_if- 0, is_if_mtu_configured- 0
    
    Jan 15 01:38:23 01:38:22.747896:CID-0:RT:mbuf 0x43e7c000, exit nh 0x160010
    
    Jan 15 01:38:23 01:38:22.747896:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
    
    Jan 15 01:38:23 01:38:23.195079:CID-0:RT:jsf sess close notify
    
    Jan 15 01:38:23 01:38:23.195079:CID-0:RT:flow_ipv4_del_flow: sess 59565, in hash 32
    
    Jan 15 01:38:23 01:38:23.195079:CID-0:RT:flow_ipv4_del_flow: sess 59565, in hash 32
    
    Jan 15 01:39:42 01:39:42.813842:CID-0:RT:<23.24.25.26/30877->1.1.1.73/33389;6> matched filter untrust-to-trust:
    
    Jan 15 01:39:42 01:39:42.813842:CID-0:RT:packet [52] ipid = 18306, @0x43e9a6a4
    
    Jan 15 01:39:42 01:39:42.813842:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 15, common flag 0x0, mbuf 0x43e9a480, rtbl_idx = 0
    
    Jan 15 01:39:42 01:39:42.813842:CID-0:RT: flow process pak fast ifl 71 in_ifp vlan.2
    
    Jan 15 01:39:42 01:39:42.813842:CID-0:RT:  vlan.2:23.24.25.26/30877->1.1.1.73/33389, tcp, flag 2 syn
    
    Jan 15 01:39:42 01:39:42.813842:CID-0:RT: find flow: table 0x54e0ea80, hash 15406(0xffff), sa 23.24.25.26, da 1.1.1.73, sp 30877, dp 33389, proto 6, tok 7
    
    Jan 15 01:39:42 01:39:42.813842:CID-0:RT:  no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0
    
    Jan 15 01:39:42 01:39:42.813842:CID-0:RT:  flow_first_create_session
    
    Jan 15 01:39:42 01:39:42.813842:CID-0:RT:First path alloc and instl pending session, natp=0x5746fb70, id=59532
    
    Jan 15 01:39:42 01:39:42.813842:CID-0:RT:  flow_first_in_dst_nat: in <vlan.2>, out <N/A> dst_adr 1.1.1.73, sp 30877, dp 33389
    
    Jan 15 01:39:42 01:39:42.813842:CID-0:RT:  chose interface vlan.2 as incoming nat if.
    
    Jan 15 01:39:42 01:39:42.813842:CID-0:RT:flow_first_rule_dst_xlate: packet 23.24.25.26->1.1.1.73 nsp2 0.0.0.0->10.0.3.13.
    
    Jan 15 01:39:42 01:39:42.813842:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 23.24.25.26, x_dst_ip 10.0.3.13, in ifp vlan.2, out ifp N/A sp 30877, dp 33389, ip_proto 6, tos 0
    
    Jan 15 01:39:42 01:39:42.813842:CID-0:RT:Doing DESTINATION addr route-lookup
    
    Jan 15 01:39:42 01:39:42.813842:CID-0:RT:flow_ipv4_rt_lkup success 10.0.3.13, iifl 0x47, oifl 0x48
    
    Jan 15 01:39:42 01:39:42.813842:CID-0:RT:  routed (x_dst_ip 10.0.3.13) from untrust (vlan.2 in 0) to vlan.3, Next-hop: 10.0.3.13
    
    Jan 15 01:39:42 01:39:42.813842:CID-0:RT:flow_first_policy_search: policy search from zone untrust-> zone trust (0x114,0x789d826d,0x826d)
    
    Jan 15 01:39:42 01:39:42.813842:CID-0:RT:Policy lkup: vsys 0 zone(7:untrust) -> zone(6:trust) scope:0
    
    Jan 15 01:39:42 01:39:42.813842:CID-0:RT:             23.24.25.26/30877 -> 10.0.3.13/33389 proto 6
    
    Jan 15 01:39:42 01:39:42.813842:CID-0:RT:  policy has timeout 900
    
    Jan 15 01:39:42 01:39:42.813842:CID-0:RT:  app 0, timeout 1800s, curr ageout 20s
    
    Jan 15 01:39:42 01:39:42.813842:CID-0:RT:  permitted by policy mgmt-untrust(8)
    
    Jan 15 01:39:42 01:39:42.813842:CID-0:RT:  packet passed, Permitted by policy.
    
    Jan 15 01:39:42 01:39:42.813842:CID-0:RT:flow_first_src_xlate:  nat_src_xlated: False, nat_src_xlate_failed: False
    
    Jan 15 01:39:42 01:39:42.813842:CID-0:RT:flow_first_src_xlate:  incoming src port is : 30877.
    
    Jan 15 01:39:42 01:39:42.813842:CID-0:RT:flow_first_src_xlate: src nat returns status: 0, rule/pool id: 0/0, pst_nat: False.
    
    Jan 15 01:39:42 01:39:42.813842:CID-0:RT:  dip id = 0/0, 23.24.25.26/30877->23.24.25.26/30877 protocol 0
    
    Jan 15 01:39:42 01:39:42.813842:CID-0:RT:  choose interface vlan.3(P2P) as outgoing phy if
    
    Jan 15 01:39:42 01:39:42.813842:CID-0:RT:is_loop_pak: No loop: on ifp: vlan.3, addr: 10.0.3.13, rtt_idx:0
    
    Jan 15 01:39:42 01:39:42.813842:CID-0:RT:-jsf : Alloc sess plugin info for session 150323914892
    
    Jan 15 01:39:42 01:39:42.813842:CID-0:RT:[JSF]Normal interest check. regd plugins 27, enabled impl mask 0x0
    
    Jan 15 01:39:42 01:39:42.813842:CID-0:RT:+++++++++++jsf_test_plugin_data_evh: 3
    
    Jan 15 01:39:42 01:39:42.813842:CID-0:RT:[JSF]Plugins(0x0, count 0) enabled for session = 150323914892, impli mask(0x0), post_nat cnt 0 svc req(0x0)
    
    Jan 15 01:39:42 01:39:42.813842:CID-0:RT:-jsf : no plugin interested for session 150323914892, free sess plugin info
    
    Jan 15 01:39:42 01:39:42.813842:CID-0:RT:flow_first_service_lookup(): natp(0x5746fb70): app_id, 0(0).
    
    Jan 15 01:39:42 01:39:42.813842:CID-0:RT:  service lookup identified service 0.
    
    Jan 15 01:39:42 01:39:42.813842:CID-0:RT:  flow_first_final_check: in <vlan.2>, out <vlan.3>
    
    Jan 15 01:39:42 01:39:42.813842:CID-0:RT:flow_first_final_check: flow_set_xlate_vector.
    
    Jan 15 01:39:42 01:39:42.813842:CID-0:RT:In flow_first_complete_session
    
    Jan 15 01:39:42 01:39:42.813842:CID-0:RT:flow_first_complete_session: pak_ptr is xlated packet
    
    Jan 15 01:39:42 01:39:42.813842:CID-0:RT:flow_first_complete_session, pak_ptr: 0x51f08a88, nsp: 0x5746fb70, in_tunnel: 0x0
    
    Jan 15 01:39:42 01:39:42.813842:CID-0:RT:construct v4 vector for nsp2
    
    Jan 15 01:39:42 01:39:42.813842:CID-0:RT:  existing vector list 0x1002-0x4abb6a40.
    
    Jan 15 01:39:42 01:39:42.813842:CID-0:RT:  Session (id:59532) created for first pak 1002
    
    Jan 15 01:39:43 01:39:42.813842:CID-0:RT:first pak processing successful
    
    Jan 15 01:39:43 01:39:42.813842:CID-0:RT:  flow_first_install_session======> 0x5746fb70
    
    Jan 15 01:39:43 01:39:42.813842:CID-0:RT: nsp 0x5746fb70, nsp2 0x5746fc00
    
    Jan 15 01:39:43 01:39:42.813842:CID-0:RT:  make_nsp_ready_no_resolve()
    
    Jan 15 01:39:43 01:39:42.813842:CID-0:RT:flow_ipv4_rt_lkup success 23.24.25.26, iifl 0x47, oifl 0x47
    
    Jan 15 01:39:43 01:39:42.813842:CID-0:RT:  route lookup: dest-ip 23.24.25.26 orig ifp vlan.2 output_ifp vlan.2 orig-zone 7 out-zone 7 vsd 0
    
    Jan 15 01:39:43 01:39:42.813842:CID-0:RT:  route to 1.1.1.1
    
    Jan 15 01:39:43 01:39:42.813842:CID-0:RT:no need update ha
    
    Jan 15 01:39:43 01:39:42.813842:CID-0:RT:Installing c2s NP session wing
    
    Jan 15 01:39:43 01:39:42.813842:CID-0:RT:Installing s2c NP session wing
    
    Jan 15 01:39:43 01:39:42.813842:CID-0:RT:get NULL sess plugin info 0x5746fb70
    
    Jan 15 01:39:43 01:39:42.813842:CID-0:RT:get NULL sess plugin info 0x5746fb70
    
    Jan 15 01:39:43 01:39:42.813842:CID-0:RT:get NULL sess plugin info 0x5746fb70
    
    Jan 15 01:39:43 01:39:42.813842:CID-0:RT:first path session installation succeeded
    
    Jan 15 01:39:43 01:39:42.813842:CID-0:RT:  flow got session.
    
    Jan 15 01:39:43 01:39:42.813842:CID-0:RT:  flow session id 59532
    
    Jan 15 01:39:43 01:39:42.813842:CID-0:RT: vector bits 0x1002 vector 0x4abb6a40
    
    Jan 15 01:39:43 01:39:42.813842:CID-0:RT:flow_tcp_wsf_update: wsf 8
    
    Jan 15 01:39:43 01:39:42.813842:CID-0:RT: tcp 3way refresh, is_half_open:0, tcp_proxy enabled:0, is_fwauth:0
    
    Jan 15 01:39:43 01:39:42.813842:CID-0:RT:flow_xlate_pak
    
    Jan 15 01:39:43 01:39:42.813842:CID-0:RT:  post addr xlation: 23.24.25.26->10.0.3.13.
    
    Jan 15 01:39:43 01:39:42.813842:CID-0:RT:  post addr xlation: 23.24.25.26->10.0.3.13.
    
    Jan 15 01:39:43 01:39:42.813842:CID-0:RT:skip pre-frag: is_tunnel_if- 0, is_if_mtu_configured- 0
    
    Jan 15 01:39:43 01:39:42.813842:CID-0:RT:mbuf 0x43e9a480, exit nh 0x160010
    
    Jan 15 01:39:43 01:39:42.813842:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
    
    Jan 15 01:39:43 01:39:43.199366:CID-0:RT:jsf sess close notify
    
    Jan 15 01:39:43 01:39:43.199366:CID-0:RT:flow_ipv4_del_flow: sess 59532, in hash 32
    
    Jan 15 01:39:43 01:39:43.199366:CID-0:RT:flow_ipv4_del_flow: sess 59532, in hash 32
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT:<23.24.25.26/30877->1.1.1.73/33389;6> matched filter untrust-to-trust:
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT:packet [52] ipid = 18307, @0x43df4224
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 15, common flag 0x0, mbuf 0x43df4000, rtbl_idx = 0
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT: flow process pak fast ifl 71 in_ifp vlan.2
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT:  vlan.2:23.24.25.26/30877->1.1.1.73/33389, tcp, flag 2 syn
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT: find flow: table 0x54e0ea80, hash 15406(0xffff), sa 23.24.25.26, da 1.1.1.73, sp 30877, dp 33389, proto 6, tok 7
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT:  no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT:  flow_first_create_session
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT:First path alloc and instl pending session, natp=0x57469c80, id=59483
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT:  flow_first_in_dst_nat: in <vlan.2>, out <N/A> dst_adr 1.1.1.73, sp 30877, dp 33389
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT:  chose interface vlan.2 as incoming nat if.
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT:flow_first_rule_dst_xlate: packet 23.24.25.26->1.1.1.73 nsp2 0.0.0.0->10.0.3.13.
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 23.24.25.26, x_dst_ip 10.0.3.13, in ifp vlan.2, out ifp N/A sp 30877, dp 33389, ip_proto 6, tos 0
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT:Doing DESTINATION addr route-lookup
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT:flow_ipv4_rt_lkup success 10.0.3.13, iifl 0x47, oifl 0x48
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT:  routed (x_dst_ip 10.0.3.13) from untrust (vlan.2 in 0) to vlan.3, Next-hop: 10.0.3.13
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT:flow_first_policy_search: policy search from zone untrust-> zone trust (0x114,0x789d826d,0x826d)
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT:Policy lkup: vsys 0 zone(7:untrust) -> zone(6:trust) scope:0
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT:             23.24.25.26/30877 -> 10.0.3.13/33389 proto 6
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT:  policy has timeout 900
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT:  app 0, timeout 1800s, curr ageout 20s
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT:  permitted by policy mgmt-untrust(8)
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT:  packet passed, Permitted by policy.
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT:flow_first_src_xlate:  nat_src_xlated: False, nat_src_xlate_failed: False
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT:flow_first_src_xlate:  incoming src port is : 30877.
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT:flow_first_src_xlate: src nat returns status: 0, rule/pool id: 0/0, pst_nat: False.
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT:  dip id = 0/0, 23.24.25.26/30877->23.24.25.26/30877 protocol 0
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT:  choose interface vlan.3(P2P) as outgoing phy if
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT:is_loop_pak: No loop: on ifp: vlan.3, addr: 10.0.3.13, rtt_idx:0
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT:-jsf : Alloc sess plugin info for session 150323914843
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT:[JSF]Normal interest check. regd plugins 27, enabled impl mask 0x0
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT:+++++++++++jsf_test_plugin_data_evh: 3
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT:[JSF]Plugins(0x0, count 0) enabled for session = 150323914843, impli mask(0x0), post_nat cnt 0 svc req(0x0)
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT:-jsf : no plugin interested for session 150323914843, free sess plugin info
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT:flow_first_service_lookup(): natp(0x57469c80): app_id, 0(0).
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT:  service lookup identified service 0.
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT:  flow_first_final_check: in <vlan.2>, out <vlan.3>
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT:flow_first_final_check: flow_set_xlate_vector.
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT:In flow_first_complete_session
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT:flow_first_complete_session: pak_ptr is xlated packet
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT:flow_first_complete_session, pak_ptr: 0x51f08a88, nsp: 0x57469c80, in_tunnel: 0x0
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT:construct v4 vector for nsp2
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT:  existing vector list 0x1002-0x4abb6a40.
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT:  Session (id:59483) created for first pak 1002
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT:first pak processing successful
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT:  flow_first_install_session======> 0x57469c80
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT: nsp 0x57469c80, nsp2 0x57469d10
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT:  make_nsp_ready_no_resolve()
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT:flow_ipv4_rt_lkup success 23.24.25.26, iifl 0x47, oifl 0x47
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT:  route lookup: dest-ip 23.24.25.26 orig ifp vlan.2 output_ifp vlan.2 orig-zone 7 out-zone 7 vsd 0
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT:  route to 1.1.1.1
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT:no need update ha
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT:Installing c2s NP session wing
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT:Installing s2c NP session wing
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT:get NULL sess plugin info 0x57469c80
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT:get NULL sess plugin info 0x57469c80
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT:get NULL sess plugin info 0x57469c80
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT:first path session installation succeeded
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT:  flow got session.
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT:  flow session id 59483
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT: vector bits 0x1002 vector 0x4abb6a40
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT:flow_tcp_wsf_update: wsf 8
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT: tcp 3way refresh, is_half_open:0, tcp_proxy enabled:0, is_fwauth:0
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT:flow_xlate_pak
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT:  post addr xlation: 23.24.25.26->10.0.3.13.
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT:  post addr xlation: 23.24.25.26->10.0.3.13.
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT:skip pre-frag: is_tunnel_if- 0, is_if_mtu_configured- 0
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT:mbuf 0x43df4000, exit nh 0x160010
    
    Jan 15 01:39:43 01:39:43.364912:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
    
    Jan 15 01:39:43 01:39:43.915335:CID-0:RT:<23.24.25.26/30877->1.1.1.73/33389;6> matched filter untrust-to-trust:
    
    Jan 15 01:39:43 01:39:43.915335:CID-0:RT:packet [48] ipid = 18308, @0x43e940a4
    
    Jan 15 01:39:43 01:39:43.915335:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 15, common flag 0x0, mbuf 0x43e93e80, rtbl_idx = 0
    
    Jan 15 01:39:43 01:39:43.915335:CID-0:RT: flow process pak fast ifl 71 in_ifp vlan.2
    
    Jan 15 01:39:43 01:39:43.915335:CID-0:RT:  vlan.2:23.24.25.26/30877->1.1.1.73/33389, tcp, flag 2 syn
    
    Jan 15 01:39:43 01:39:43.915335:CID-0:RT: find flow: table 0x54e0ea80, hash 15406(0xffff), sa 23.24.25.26, da 1.1.1.73, sp 30877, dp 33389, proto 6, tok 7
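
    Reading a basic-datapath trace this long by eye is error-prone, and the one fact that matters here is buried in a single line: the 5-tuple printed right after "Policy lkup:" is the post-NAT tuple the policy engine evaluates, and in it the destination port is still 33389. The script below is an added example (my own, not code from the thread and not a Juniper tool) that pulls that tuple out of the trace and compares it with the port-forwards the destination-NAT config intends. The embedded trace is a constructed excerpt of the lines quoted above (one packet that hit an existing session, one first-path walk), and the FORWARDS table is the intent encoded in the dnat pools; the line format is assumed to be exactly the one shown in this post.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample (an excerpt in the format of the trace above, not the
# whole thing): one packet that matched an already-installed session, then
# one first-path walk for 1.1.1.73:33389.
SAMPLE_TRACE = """\
Jan 15 01:38:22 01:38:22.747896:CID-0:RT:<23.24.25.26/30868->1.1.1.73/33389;6> matched filter untrust-to-trust:
Jan 15 01:38:23 01:38:22.747896:CID-0:RT:Found: session id 0xe8ad. sess tok 7
Jan 15 01:38:23 01:38:22.747896:CID-0:RT:  post addr xlation: 23.24.25.26->10.0.3.13.
Jan 15 01:39:42 01:39:42.813842:CID-0:RT:<23.24.25.26/30877->1.1.1.73/33389;6> matched filter untrust-to-trust:
Jan 15 01:39:42 01:39:42.813842:CID-0:RT:  no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0
Jan 15 01:39:42 01:39:42.813842:CID-0:RT:flow_first_rule_dst_xlate: packet 23.24.25.26->1.1.1.73 nsp2 0.0.0.0->10.0.3.13.
Jan 15 01:39:42 01:39:42.813842:CID-0:RT:Policy lkup: vsys 0 zone(7:untrust) -> zone(6:trust) scope:0
Jan 15 01:39:42 01:39:42.813842:CID-0:RT:             23.24.25.26/30877 -> 10.0.3.13/33389 proto 6
Jan 15 01:39:42 01:39:42.813842:CID-0:RT:  permitted by policy mgmt-untrust(8)
Jan 15 01:39:42 01:39:42.813842:CID-0:RT:  dip id = 0/0, 23.24.25.26/30877->23.24.25.26/30877 protocol 0
"""

# Intended port-forwards, taken from the destination-NAT pools in the post:
# (public address, public port) -> (internal address, internal port).
FORWARDS = {
    ("1.1.1.71", 33389): ("10.0.3.11", 3389),
    ("1.1.1.73", 33389): ("10.0.3.13", 3389),
}

# Packet header as received, printed when the packet matches the trace filter.
FILTER_RE = re.compile(
    r"RT:<(?P<sa>[\d.]+)/(?P<sp>\d+)->(?P<da>[\d.]+)/(?P<dp>\d+);(?P<proto>\d+)>"
    r" matched filter (?P<filter>\S+):"
)
# The 5-tuple on the line after "Policy lkup:" is what NAT handed to the
# policy engine, so it shows exactly what was (and was not) rewritten.
LOOKUP_RE = re.compile(
    r"RT:\s+(?P<sa>[\d.]+)/(?P<sp>\d+) -> (?P<da>[\d.]+)/(?P<dp>\d+) proto (?P<proto>\d+)\s*$"
)
POLICY_RE = re.compile(r"permitted by policy (?P<name>[^(\s]+)\((?P<pid>\d+)\)")

Tuple5 = Tuple[str, int, str, int, int]


def _tuple(m: "re.Match") -> Tuple5:
    return (m["sa"], int(m["sp"]), m["da"], int(m["dp"]), int(m["proto"]))


def parse_first_path(trace: str) -> List[dict]:
    """Group trace lines per packet (each packet starts at a 'matched filter'
    line) and record the received tuple, the post-NAT lookup tuple and the
    policy that permitted it. Packets served from an existing session carry no
    lookup tuple, because NAT is decided only on the first path."""
    sessions: List[dict] = []
    current: Optional[dict] = None
    expect_lookup = False
    for line in trace.splitlines():
        m = FILTER_RE.search(line)
        if m:
            current = {"orig": _tuple(m), "xlated": None, "policy": None}
            sessions.append(current)
            expect_lookup = False
            continue
        if current is None:
            continue
        if "Policy lkup:" in line:
            expect_lookup = True
            continue
        if expect_lookup:
            m = LOOKUP_RE.search(line)
            if m:
                current["xlated"] = _tuple(m)
            expect_lookup = False
            continue
        m = POLICY_RE.search(line)
        if m:
            current["policy"] = m["name"]
    return sessions


def audit_port_forwards(sessions: List[dict], forwards: dict) -> List[dict]:
    """Compare what NAT actually did with the intended port-forward table."""
    results = []
    for s in sessions:
        _, _, da, dp, _ = s["orig"]
        want = forwards.get((da, dp))
        translated = (s["xlated"][2], s["xlated"][3]) if s["xlated"] else None
        if translated is None:
            verdict = "existing-session"        # fast path, no NAT decision logged
        elif want is None:
            verdict = "no-forward-expected"
        elif translated == want:
            verdict = "ok"
        elif translated[0] == want[0] and translated[1] == dp:
            verdict = "port-not-translated"     # address rewritten, port left as received
        else:
            verdict = "mismatch"
        results.append({"public": (da, dp), "translated": translated,
                        "policy": s["policy"], "verdict": verdict})
    return results


if __name__ == "__main__":
    for r in audit_port_forwards(parse_first_path(SAMPLE_TRACE), FORWARDS):
        print(r)
```

    Run against the sample it reports `port-not-translated` for 1.1.1.73:33389: the address became 10.0.3.13 but the port stayed 33389. That also explains two things visible in the full trace: the hit is on policy mgmt-untrust(8) rather than endor-server, which is consistent with a lookup tuple carrying port 33389 that cannot match the TCP_3389 application, and the session is "Permitted by policy" yet RDP fails, because the SYN is delivered to 10.0.3.13 on port 33389 instead of 3389.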

  • 4.  RE: Allow services on static NATed IP?
    Best Answer

    Posted 01-14-2017 18:57

    Hi,

    The reason it is not working is that the port 33389 is not getting changed after the NAT:

    Jan 15 01:39:42 01:39:42.813842:CID-0:RT:  23.24.25.26/30877 -> 10.0.3.13/33389 proto 6

    This is because:

    • The configuration of the destination NAT is correct for port conversion from 33389 to 3389.
    • However, there is a static NAT rule which will take preference over the dest-NAT, and hence the port is not getting converted to 3389.
    • Remove the static NAT rule for the .73 IP and it should work for you.

    Hope this helps!

    Regards,

    Sahil Sharma
    ---------------------------------------------------
    Please mark my solution as accepted if it helped, Kudos are appreciated as well.
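
    To make the precedence described in this answer concrete, here is an added model (my own Python, not Juniper code and not from the thread) of the first-path NAT lookup as the thread relies on it: static NAT rules are evaluated before destination NAT, in configured order, and the first static match ends NAT evaluation, so destination NAT only runs when no static rule matched. It encodes the three configurations that appear in the thread (the original catch-all static rule, the committed per-port fix with mapped-port, and the reordering alternative mentioned in post 3) and runs the same probes through each. The dataclass and function names are mine; the rule names, addresses and ports are the thread's.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class StaticRule:
    """One `security nat static` rule: match destination-address, optionally
    destination-port; translate to prefix, optionally with mapped-port."""
    name: str
    dst: str
    prefix: str
    dst_port: Optional[int] = None
    mapped_port: Optional[int] = None


@dataclass(frozen=True)
class DnatRule:
    """One `security nat destination` rule whose pool carries address + port."""
    name: str
    dst: str
    dst_port: int
    pool_addr: str
    pool_port: int


@dataclass(frozen=True)
class NatConfig:
    static: Tuple[StaticRule, ...]
    dnat: Tuple[DnatRule, ...]


def translate(cfg: NatConfig, dst: str, dport: int) -> Tuple[str, int, str]:
    """Model of the first-path order: static rules first, in configured order,
    first match wins and ends NAT; destination NAT only if nothing static
    matched. Returns (translated address, translated port, rule that matched)."""
    for r in cfg.static:
        if r.dst == dst and (r.dst_port is None or r.dst_port == dport):
            # A static rule without mapped-port rewrites the address only:
            # the port arrives at the inside host exactly as received.
            port = r.mapped_port if r.mapped_port is not None else dport
            return r.prefix, port, f"static:{r.name}"
    for r in cfg.dnat:
        if r.dst == dst and r.dst_port == dport:
            return r.pool_addr, r.pool_port, f"dnat:{r.name}"
    return dst, dport, "none"


# Destination NAT rule-set from the post (unchanged across all three variants).
DNAT = (
    DnatRule("terminus_3389", "1.1.1.71", 33389, "10.0.3.11", 3389),
    DnatRule("endor_3389", "1.1.1.73", 33389, "10.0.3.13", 3389),
)

# As originally posted: a catch-all static rule for .73 with no port match.
ORIGINAL = NatConfig(
    static=(StaticRule("endor_static", "1.1.1.73", "10.0.3.13"),),
    dnat=DNAT,
)

# The committed fix: per-port static rules with mapped-port, catch-all deleted.
FIXED = NatConfig(
    static=(
        StaticRule("endor_33389", "1.1.1.73", "10.0.3.13", dst_port=33389, mapped_port=3389),
        StaticRule("endor_7777", "1.1.1.73", "10.0.3.13", dst_port=7777, mapped_port=7777),
    ),
    dnat=DNAT,
)

# The alternative from post 3: keep the catch-all, but order the port rule above it.
REORDERED = NatConfig(
    static=(
        StaticRule("endor_33389", "1.1.1.73", "10.0.3.13", dst_port=33389, mapped_port=3389),
        StaticRule("endor_static", "1.1.1.73", "10.0.3.13"),
    ),
    dnat=DNAT,
)

PROBES = [("1.1.1.71", 33389), ("1.1.1.73", 33389), ("1.1.1.73", 7777), ("1.1.1.73", 3389)]


def walk(cfg: NatConfig, probes=PROBES) -> Dict[Tuple[str, int], Tuple[str, int, str]]:
    """Translate every probe through one configuration."""
    return {(d, p): translate(cfg, d, p) for d, p in probes}


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("fixed", FIXED), ("reordered", REORDERED)):
        print(label)
        for (d, p), (xa, xp, rule) in walk(cfg).items():
            print(f"  {d}:{p} -> {xa}:{xp}  via {rule}")
```

    Under ORIGINAL the probe for 1.1.1.73:33389 matches endor_static and leaves with port 33389, exactly the tuple seen in the trace, while 1.1.1.71:33389 (no static rule) falls through to destination NAT and is rewritten to 3389; the same catch-all is why a direct connection to 1.1.1.73:3389 worked. Under FIXED and REORDERED the port is mapped to 3389, and the difference between the two is what happens to ports with no explicit rule: FIXED forwards nothing but 33389 and 7777 to the host, which is the smaller exposure, whereas REORDERED still passes every other port through to 10.0.3.13 and leaves the security policy as the only control on them. In both fixed variants the destination-NAT rule endor_3389 is shadowed by the static rule and can be removed.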



  • 5.  RE: Allow services on static NATed IP?

    Posted 01-14-2017 23:59

    Sahilsha is right. So was jonashauge. Static NAT is processed before DNAT, so I had to add mapped-port to the static NAT in the config. See my previous post for the solution.