SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Cannot access websites from located on trust zone internally

    Posted 07-25-2010 16:49

    Hi,

     

    I have set up a static NAT for my web servers in the trust zone. I can access the websites just fine from outside of the network, but I cannot access the websites from inside.

     

    I have set up the proxy-arp, the rule-set rules in static NAT and a policy from untrust to trust to allow the traffic.

     

    Thanks.



  • 2.  RE: Cannot access websites from located on trust zone internally

    Posted 07-26-2010 00:09

    Hi,

     

    To which zone does the inside belong?

     

    Did you try to run a debug flow?

    (set security flow traceoptions ...)
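
    A flow trace scoped to just the traffic in question, as an added example (not part of the reply above). It assumes 203.0.113.10/32 is the published address of the web server, 172.16.0.202 its private address, and flow-trace.log is the (hypothetical) trace file name; the packet filters are what keep the trace small enough to read.

```junos
security {
    flow {
        traceoptions {
            /* hypothetical file name; size and rotation keep the trace from filling /var/log */
            file flow-trace.log size 1m files 3;
            /* basic-datapath records the per-packet zone lookup, NAT and policy decisions */
            flag basic-datapath;
            /* client side of the session: anything sent to the published address on 80/443 */
            packet-filter to-web-http {
                destination-prefix 203.0.113.10/32;
                protocol tcp;
                destination-port 80;
            }
            packet-filter to-web-https {
                destination-prefix 203.0.113.10/32;
                protocol tcp;
                destination-port 443;
            }
            /* server side: replies leaving the web server, so a reply that never comes back shows up as a gap */
            packet-filter from-web-private {
                source-prefix 172.16.0.202/32;
                protocol tcp;
            }
        }
    }
}
```

    Commit, reproduce one failed request from a trust host, then read the trace with `show log flow-trace.log` and look for the lines that report the static/destination NAT match, the route lookup and the policy search for that packet; those three tell you which zone pair the SRX believes the session belongs to. Remove or `deactivate security flow traceoptions` and commit again once done, since tracing costs CPU on every matching packet.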



  • 3.  RE: Cannot access websites from located on trust zone internally

    Posted 07-26-2010 06:29

    Inside = Trust Zone.

     

    Yes, I did try to run a debug flow. I'm having a hard time interpreting it, as I am new to this stuff. I have attached a copy of the flow trace.

     

    Here are the parts of my config file that relate to the issue. Is there anything else I'm missing to get the static NAT working from my trust zone? I have read about the "from-zone untrust to-zone junos-global" config, but I couldn't figure out how to format the "static_nat_ip" destination address.

     

    ge-0/0/0 {
        unit 0 {
            description "WAN port";
            proxy-arp;
            family inet {
                address <wan ip>;
            }
        }
    }

     

    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        static {
            rule-set static-nat {
                from zone untrust;
                rule my_website {
                    match {
                        destination-address <dedicated public ip for this website>/32;
                    }
                    then {
                        /* private IP of my web server */
                        static-nat prefix 172.16.0.202/32;
                    }
                }
            }
        }
        proxy-arp {
            interface ge-0/0/0.0 {
                address {
                    <dedicated public ip for this website>/32;
                }
            }
        }
    }

     

    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy aubreyallowall {
                match {
                    source-address any;
                    destination-address aubrey;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy allow_web {
                match {
                    source-address any;
                    destination-address web_servers;
                    application [ junos-http junos-https ];
                }
                then {
                    permit;
                }
            }
        }
    }



     

    Attachment: Flowtrace.txt (4 KB)


  • 4.  RE: Cannot access websites from located on trust zone internally
    Best Answer

    Posted 07-26-2010 07:45

    Greetings!

     

    The reason is simple!

    The static NAT rule does not match the traffic generated from your inside (or trust) zone. Your static rule matches traffic from the untrust zone; any traffic from the untrust zone gets NATed, and you are able to reach the internet.

     

    In order to be able to reach the web server from both the untrust and trust zones using the same public IP address, you will need to configure the following:

     

    1. Static NAT rule:

    static {
        rule-set static-nat {
            from routing-instance default;
            rule my_website {
                match {
                    destination-address <dedicated public ip for this website>/32;
                }
                then {
                    /* private IP of my web server */
                    static-nat prefix 172.16.0.202/32;
                }
            }
        }
    }

     

    This matches any traffic coming in from the default routing instance.

     

    2. Apply proxy ARP, or have the devices in the trust zone point their default gateway towards the SRX internal (trust) IP, so that the packets reach the SRX.

     

    3. Change the source IP of the traffic.

    nat {
        source {
            rule-set trust-to-trust {
                from zone trust;
                to zone trust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }

     

    Without the third step, after the packet's destination address gets NATed and it reaches the web server, the source address remains unchanged and in most cases can belong to the same subnet as the web server's (private) IP. If that is the case, the web server will try to get the MAC of that IP by sending ARPs instead of sending the reply packet back to the SRX, which will never work.

     

    Hope this helps!

     

    Regards,

     

    Kinshuk

     



  • 5.  RE: Cannot access websites from located on trust zone internally

    Posted 07-26-2010 07:55

     

    Please do remember to create a security policy from zone trust to zone trust and permit the same.
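
    The three steps from the accepted answer plus the trust-to-trust policy from this reply, pulled together into one brace-format configuration. This is an added example, not Kinshuk's or Juniper's own configuration; the addresses (203.0.113.2/24 on ge-0/0/0.0, 203.0.113.10/32 as the published address that is not configured on any interface, 172.16.0.1/24 on ge-0/0/1.0 as the trust hosts' default gateway) and the rule and policy names are assumptions. The trust-to-untrust source NAT rule-set and the untrust-to-trust allow_web policy from the original post stay as they are and are left out here.

```junos
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 203.0.113.2/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            /* trust hosts use 172.16.0.1 as their default gateway, so hairpin traffic reaches the SRX */
            family inet {
                address 172.16.0.1/24;
            }
        }
    }
}
security {
    zones {
        security-zone untrust {
            interfaces {
                ge-0/0/0.0;
            }
        }
        security-zone trust {
            address-book {
                address web_servers 172.16.0.202/32;
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
    }
    nat {
        static {
            /* keyed on the ingress routing instance rather than a zone, so trust and untrust both hit it;
               this replaces the untrust-only rule-set rather than sitting beside it */
            rule-set static-nat {
                from routing-instance default;
                rule my_website {
                    match {
                        destination-address 203.0.113.10/32;
                    }
                    then {
                        static-nat prefix 172.16.0.202/32;
                    }
                }
            }
        }
        /* answer ARP for the published address on the WAN segment only */
        proxy-arp {
            interface ge-0/0/0.0 {
                address {
                    203.0.113.10/32;
                }
            }
        }
        source {
            /* source NAT is evaluated after static NAT, so the destination matched here is the
               already-translated private address; matching only that keeps other trust-to-trust
               sessions at their real source address */
            rule-set trust-to-trust {
                from zone trust;
                to zone trust;
                rule hairpin-to-web {
                    match {
                        source-address 172.16.0.0/24;
                        destination-address 172.16.0.202/32;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        /* after static NAT the session is trust -> trust, so the untrust -> trust policy never sees it */
        from-zone trust to-zone trust {
            policy allow_web_hairpin {
                match {
                    source-address any;
                    destination-address web_servers;
                    application [ junos-http junos-https ];
                }
                then {
                    permit;
                }
            }
        }
    }
}
```

    Two points a practitioner should weigh before copying this. First, the hairpin source NAT replaces the client's address with 172.16.0.1 on every internal request, so the web server's own logs and any per-client controls on it lose the real client IP for internal users; the rule is narrowed to the web server for that reason. Second, verify the result rather than assuming it: `show security nat static rule all` should show the translation hits climbing, and `show security flow session destination-prefix 172.16.0.202` should show a session whose In wing is client -> 203.0.113.10/80 and whose Out wing is 172.16.0.202/80 -> 172.16.0.1, which is exactly the pair of translations the accepted answer describes.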



  • 6.  RE: Cannot access websites from located on trust zone internally

    Posted 07-26-2010 10:28

    It worked. Thank you for explaining it to me as well, instead of just giving me what to type.



  • 7.  RE: Cannot access websites from located on trust zone internally

    Posted 03-14-2016 22:51

    Many thanks Kinshuk Chakladar. You are champion.