
Destination NAT/Port NAT - Totally confused and in dire need of help

I've been getting my butt kicked by this - about 20 hours so far - and completely baffled.


I have an Amazon VPC with two subnets - Public and Private. Within the private subnet I have two VMs.
I have an IPSEC tunnel between our office and the VPC at Amazon.

 

From our office network I can contact the two VMs via RDP without issue.

The problem I have is that I also need to reach both of those VMs from outside our network for a few weeks.

 

I figured I could simply create a destination NAT rule that says traffic over X port gets directed to Y address over port Z

111.222.333.444:3387 -> 10.0.1.110:3389
(public IP of SRX)

 

 

Something like this:

create NAT destination pools for the two servers:
# Sketch of the destination NAT pools. The pool port is the translated (post-NAT) port,
# i.e. the port the server listens on (3389 = RDP); the external port goes in the rule.
# NOTE(review): the same pool name and address appear twice here; the second one is
# presumably meant to be BPSQL / 10.0.1.111/32 (that is what the address book maps BPSQL to)
# — confirm. Braces are not balanced in this sketch.
pool BPApplication {
address 10.0.1.110/32 port 3389;
pool BPApplication {
address 10.0.1.110/32 port 3389;

Create rule:

# Sketch of the two destination NAT rules (hierarchy braces omitted). The match side sees the
# pre-NAT (public) destination address and port; the `<--` text is an author annotation, not
# Junos syntax.
match
destination-address xxx.xxx.xxx.xx8/32; <-- Public IP on Juniper
destination-port 3387;
then
destination-nat
pool
BPApplication;

match
destination-address xxx.xxx.xxx.xx8/32; <-- Public IP on Juniper
destination-port 3388;
then
destination-nat
pool
BPSQL;

 


Following is the configuration I created, relevant to this need. It does not work and I have no idea why.

# Excerpt of the SRX [security] hierarchy relevant to the inbound RDP forwarding
# (pasted without indentation; the `<--` text is author annotation, not Junos syntax).
security {

nat {

destination {

# Destination NAT pool = the translated (post-NAT) address and port, i.e. what the server
# actually listens on. The external port (3387) belongs in the rule match below, not here.
pool BPApplication {

address 10.0.1.110/32 port 3389;

}

# NOTE(review): this second pool repeats the name BPApplication with the same address, while
# rule r7 below references a pool BPSQL that is not defined in this excerpt. Presumably this
# should be `pool BPSQL { address 10.0.1.111/32 port 3389; }` (10.0.1.111 is BPSQL in the
# address book) — confirm against the running config.
pool BPApplication {

address 10.0.1.110/32 port 3389;

}

# Rules match the pre-NAT (public) destination address/port of traffic arriving from untrust.
rule-set rs1 {

from zone untrust;

rule r6 {

match {

destination-address xxx.xxx.xxx.xx8/32; <-- Public IP on Juniper

destination-port {

3387;

}

}

then {

destination-nat {

pool {

BPApplication;

}

}

}

}

rule r7 {

match {

destination-address xxx.xxx.xxx.xx8/32; <-- Public IP on Juniper

destination-port {

3388;

}

}

then {

destination-nat {

pool {

BPSQL;

}

}

}

}

}

}

}

policies {

# On SRX the policy lookup happens after destination NAT, so destination-address here is the
# private (translated) host. `source-address any` + `application any` exposes each host to
# every internet source on every port NAT maps; since access is only needed for a few weeks,
# limit source-address to the remote networks that need it and the application to RDP.
from-zone untrust to-zone trust {

policy untrust-to-trust1 {

match {

source-address any;

destination-address BPApplication;

application any;

}

then {

permit;

}

}

policy untrust-to-trust2 {

match {

source-address any;

destination-address BPSQL;

application any;

}

then {

permit;

}

}

}

}

zones {

security-zone trust {

# Private VPC hosts referenced by the untrust-to-trust policies.
address-book {

address BPApplication 10.0.1.110/32;

address BPSQL 10.0.1.111/32;

}

host-inbound-traffic {

# Every system service enabled under [system services] is accepted on trust-zone interfaces.
system-services {

all;

}

protocols {

all;

# already covered by `all`
bgp;

}

}

# The IPsec tunnel interfaces (st0.1/st0.2) sit in the trust zone, so VPC traffic is intra-zone.
interfaces {

ge-0/0/1.0;

ge-0/0/2.0;

ge-0/0/3.0;

ge-0/0/4.0;

irb.20;

st0.1;

st0.2;

}

}

security-zone untrust {

# IDS screen profile on the internet-facing zone.
screen untrust-screen;

host-inbound-traffic {

# Only IKE reaches the device itself from the untrust zone; management is not exposed here.
system-services {

ike;

}

}

interfaces {

ge-0/0/0.0 {

host-inbound-traffic {

system-services {

# NOTE(review): ge-0/0/0.0 carries a static /29 address (see interfaces), so dhcp and
# especially tftp accepted on the internet-facing interface look like leftovers — confirm
# they are needed and remove them otherwise.
dhcp;

tftp;

}

}

}

}

}

}

}

interfaces {

# Internet-facing interface: static public address inside the ISP-provided /29.
ge-0/0/0 {

unit 0 {

family inet {

address xxx.xxx.xxx.xx8/29; <-- Public IP on Juniper

}

}

}

# Route-based IPsec tunnel interfaces toward the VPC (bound under [security ipsec vpn]);
# the 169.254.x.x/30 addresses are presumably the tunnel inside addresses — confirm.
# mtu 1436 leaves room for the ESP overhead added on the underlay.
st0 {

unit 1 {

family inet {

mtu 1436;

address 169.254.46.118/30;

}

}

unit 2 {

family inet {

mtu 1436;

address 169.254.44.66/30;

}

}

}

}

routing-options {

static {

# The VPC prefix is reached through both IPsec tunnel interfaces.
route 10.0.0.0/16 next-hop [ st0.1 st0.2 ]; <-- These are the IPSEC ports carrying traffic to the VPC

route 0.0.0.0/0 next-hop xxx.xxx.xxx.xxx; <-- ISP Router within our /29

}

# NOTE(review): the closing brace of routing-options is missing in this paste; `applications`
# is a top-level hierarchy, not part of routing-options.
applications {

# Custom applications match the external ports (3387/3388). In the full config posted later
# they are used in the untrust-to-trust policies; policy matching happens after destination
# NAT, so the port the policy sees is the pool's translated port — with a pool port of 3389
# these would not match.
application BPApplication-RDP {

protocol tcp;

destination-port 3387;

}

application BPSQL-RDP {

protocol tcp;

destination-port 3388;

}

}


Re: Destination NAT/Port NAT - Totally confused and in dire need of help

Hi DaleM,

 

Configuration looks good.

Could you configure a flow trace and check whether the packet is actually reaching the SRX from the internet side, and if so, why it is being dropped?

 

regards,

Guru Prasad


Re: Destination NAT/Port NAT - Totally confused and in dire need of help

I have copied the entire configuration here.

I'm not sure how to set up a "flow trace".

I do have other rules that allow remote access to resources on our internal network. The servers in the Amazon VPC are reached through an ipsec tunnel.

 

 

 

## Last changed: 2017-02-19 20:53:14 CST
# Junos release the config was saved under; check it against the currently recommended
# release and PSIRT advisories before relying on it for an internet-facing device.
version 15.1X49-D60.7;
system {
host-name HSRX300;
domain-name stonemountainaccess.local;
backup-router xxx.xxx.xxx.150;
time-zone America/Chicago;
use-imported-time-zones;
root-authentication {
# NOTE(review): this hash was pasted into a public forum post; treat the credential as
# exposed and rotate it.
encrypted-password "$5$MisN.BKn$1Ah8LYfMHrvZ5rvCeLfeCKw8kZ0hdgiZJNL3ZHq7.XC";
}
name-server {
8.8.8.8;
8.8.4.4;
75.75.75.75;
75.75.75.76;
}
login {
user srxadmin {
uid 2000;
class super-user;
authentication {
# NOTE(review): same as root above — the hash is public, rotate this password too.
encrypted-password "$5$YWGvMpY2$CjPkJ6TeNknFFUCTikaiFF/2x80cDnMDuhXPq2TnOE/";
}
}
}
services {
ssh;
# telnet and xnm-clear-text carry credentials in cleartext and are reachable from every
# trust-zone interface (host-inbound-traffic system-services all). Remove them unless a
# legacy client still depends on them.
telnet;
xnm-clear-text;
# DHCP server only for the guest VLAN IRB.
dhcp-local-server {
group jdhcp-group {
interface irb.20;
}
}
web-management {
# Plain-HTTP J-Web on the LAN interfaces sends logins in cleartext; prefer https only.
http {
interface [ ge-0/0/1.0 ge-0/0/4.0 ];
}
https {
# Self-signed certificate: clients cannot verify the device identity.
system-generated-certificate;
interface [ ge-0/0/1.0 ge-0/0/4.0 ];
}
}
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
# Local log file keeps critical events plus authorization (login) events.
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 15;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
ntp {
server 67.18.187.111 version 4;
server 129.250.35.251 version 4;
server 50.116.52.97 version 4;
}
}
security {
ike {
# Both IKE proposals: pre-shared key, DH group2 (1024-bit MODP), SHA-1, AES-128-CBC.
# group2 and sha1 are below current recommendations; negotiate group14 (or higher) and
# sha-256 if the VPC peer accepts them.
proposal ike-prop-vpn-xxxxxxx-1 {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm aes-128-cbc;
lifetime-seconds 28800;
}
proposal ike-prop-vpn-xxxxxxx-2 {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm aes-128-cbc;
lifetime-seconds 28800;
}
# Main-mode IKEv1 policies, PSKs redacted by the poster.
policy ike-pol-vpn-xxxxxxx-1 {
mode main;
proposals ike-prop-vpn-xxxxxxx-1;
pre-shared-key ascii-text "xxxxxxx";
}
policy ike-pol-vpn-xxxxx-2 {
mode main;
proposals ike-prop-vpn-xxxxxxx-2;
pre-shared-key ascii-text "xxxxxxxx";
}
# NAT-T is disabled, which only works because ge-0/0/0.0 holds the public address directly.
gateway gw-vpn-xxxxx-1 {
ike-policy ike-pol-vpn-xxxxxxx-1;
address 34.xxx.xxx.119;
dead-peer-detection;
no-nat-traversal;
external-interface ge-0/0/0.0;
}
gateway gw-vpn-xxxxxxx-2 {
ike-policy ike-pol-vpn-xxxxxxx-2;
address 34.xxx.xxx.217;
dead-peer-detection;
no-nat-traversal;
external-interface ge-0/0/0.0;
}
}
ipsec {
# ESP with HMAC-SHA1-96 / AES-128-CBC, 1h lifetime; same algorithm remark as for IKE.
proposal ipsec-prop-vpn-xxxxxx-1 {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-128-cbc;
lifetime-seconds 3600;
}
proposal ipsec-prop-vpn-xxxxxx-2 {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-128-cbc;
lifetime-seconds 3600;
}
policy ipsec-pol-vpn-xxxxxx-1 {
perfect-forward-secrecy {
keys group2;
}
proposals ipsec-prop-vpn-xxxxxx-1;
}
policy ipsec-pol-vpn-xxxxxx-2 {
perfect-forward-secrecy {
keys group2;
}
proposals ipsec-prop-vpn-xxxxxx-2;
}
# Route-based VPNs: each tunnel is bound to an st0 unit; vpn-monitor probes the remote
# tunnel address so a dead tunnel is detected and the st0 route can fail over.
vpn vpn-xxxxxx-1 {
bind-interface st0.1;
df-bit clear;
vpn-monitor {
source-interface st0.1;
destination-ip 169.xxx.xxx.117;
}
ike {
gateway gw-vpn-xxxxxx-1;
ipsec-policy ipsec-pol-vpn-xxxxxx-1;
}
}
vpn vpn-xxxxxx-2 {
bind-interface st0.2;
df-bit clear;
vpn-monitor {
source-interface st0.2;
destination-ip 169.xxx.xxx.65;
}
ike {
gateway gw-vpn-xxxxxx-2;
ipsec-policy ipsec-pol-vpn-xxxxxx-2;
}
}
}
flow {
# Clamp TCP MSS on VPN traffic so packets fit inside the tunnel without fragmentation.
tcp-mss {
ipsec-vpn {
mss 1379;
}
}
}
screen {
# IDS screen applied to the untrust zone: basic anomaly and SYN-flood protection.
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
source {
# Interface (hide) NAT for all trust -> untrust traffic.
rule-set trust-to-untrust {
from zone trust;
to zone untrust;
rule source-nat-rule {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
destination {
# Pool address/port are the translated (post-NAT) values, i.e. what the inside host listens on.
# NOTE(review): this pool carries a /24 mask together with a port, while RMI-Server in the
# address book is a single /32 host; a subnet in a destination pool translates to a range of
# hosts — presumably /32 was intended, confirm.
pool RMI-Nat-Pool {
address 192.xxx.xxx.130/24 port 3489;
}
pool Security-Cameras-100 {
address 192.xxx.xxx.7/32 port 100;
}
pool Security-Cameras-6036 {
address 192.xxx.xxx.7/32 port 6036;
}
# NOTE(review): likely root cause of the RDP failure. The pool port is the translated
# destination port — the port the VPC host must listen on. With `port 3388` an inbound
# :3388 connection is delivered to 10.0.1.111:3388, but the original post says the servers
# listen on 3389. Use `port 3389` in both BPSQL and BPApplication; 3387/3388 stay as the
# external ports matched by rules r6/r7 below.
pool BPSQL {
address 10.0.1.111/32 port 3388;
}
pool BPApplication {
address 10.0.1.110/32 port 3387;
}
# Rules match the pre-NAT public address/port of traffic arriving from untrust.
rule-set rs1 {
from zone untrust;
rule r1 {
match {
destination-address xxx.xxx.xxx.148/32;
destination-port {
3489;
}
}
then {
destination-nat {
pool {
RMI-Nat-Pool;
}
}
}
}
rule r4 {
match {
destination-address xxx.xxx.xxx.148/32;
destination-port {
100;
}
}
then {
destination-nat {
pool {
Security-Cameras-100;
}
}
}
}
rule r5 {
match {
destination-address xxx.xxx.xxx.148/32;
destination-port {
6036;
}
}
then {
destination-nat {
pool {
Security-Cameras-6036;
}
}
}
}
rule r2 {
match {
destination-address xxx.xxx.xxx.149/32;
destination-port {
3489;
}
}
then {
destination-nat {
pool {
RMI-Nat-Pool;
}
}
}
}
rule r6 {
match {
destination-address xxx.xxx.xxx.148/32;
destination-port {
3387;
}
}
then {
destination-nat {
pool {
BPApplication;
}
}
}
}
rule r7 {
match {
destination-address xxx.xxx.xxx.148/32;
destination-port {
3388;
}
}
then {
destination-nat {
pool {
BPSQL;
}
}
}
}
}
}
}
policies {
from-zone trust to-zone trust {
# Guest VLAN is isolated from the rest of the trust zone in both directions; the catch-all
# trust-to-trust permit follows, so the order of these policies matters.
policy VLAN-GUEST {
match {
source-address VLAN-GUEST;
destination-address any-ipv4;
application any;
}
then {
deny;
}
}
policy trust-to-VLAN-GUEST {
match {
source-address any;
destination-address VLAN-GUEST;
application any;
}
then {
deny;
}
}
policy trust-to-trust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone untrust to-zone trust {
# Inbound policies are evaluated after destination NAT: destination-address is the private
# (translated) host. All of them allow `source-address any` from the internet; restrict to the
# remote source networks that need access. RMI-RDP and Security-Cameras also use
# `application any`, so every port on those hosts is reachable once a NAT rule maps it.
policy RMI-RDP {
match {
source-address any;
destination-address RMI-Server;
application any;
}
then {
permit;
}
}
policy Security-Cameras {
match {
source-address any;
destination-address Security-Cameras;
application any;
source-identity any;
}
then {
permit;
}
}
# NOTE(review): the policy sees the post-NAT port, so this application must match the pool's
# translated port. Today pool and application both say 3387, so the policy matches — but the
# server does not listen on 3387. If the pool is corrected to 3389, change this application
# (and BPSQL-RDP) to destination-port 3389, or use the predefined junos-ms-rdp.
policy untrust-to-trust1 {
match {
source-address any;
destination-address BPApplication;
application BPApplication-RDP;
}
then {
permit;
}
}
policy untrust-to-trust2 {
match {
source-address any;
destination-address BPSQL;
application BPSQL-RDP;
}
then {
permit;
}
}
}
}
zones {
security-zone trust {
# Hosts referenced by the inbound policies above.
address-book {
address RMI-Server 192.xxx.xxx.130/32;
address Security-Cameras 192.xxx.xxx.7/32;
address VLAN-GUEST 192.xxx.xxx.0/24;
address BPApplication 10.0.1.110/32;
address BPSQL 10.0.1.111/32;
}
host-inbound-traffic {
# Every service enabled under [system services] (incl. telnet, xnm-clear-text, http)
# is accepted on trust-zone interfaces — including the guest VLAN irb.20 listed below.
system-services {
all;
}
protocols {
all;
# already covered by `all`
bgp;
}
}
# The IPsec tunnel interfaces are in the trust zone, so VPC traffic is intra-zone.
interfaces {
ge-0/0/1.0;
ge-0/0/2.0;
ge-0/0/3.0;
ge-0/0/4.0;
irb.20;
st0.1;
st0.2;
}
}
security-zone untrust {
screen untrust-screen;
host-inbound-traffic {
# Only IKE reaches the device itself from the untrust zone; management is not exposed here.
system-services {
ike;
}
}
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
# NOTE(review): ge-0/0/0.0 has static public addresses, so dhcp and especially tftp accepted
# on the internet-facing interface look like leftovers — confirm and remove if unused.
dhcp;
tftp;
}
}
}
}
}
}
}
interfaces {
# Internet-facing interface with two public addresses in the ISP /29: .148 is matched by
# destination NAT rules r1/r4/r5/r6/r7, .149 by r2.
ge-0/0/0 {
unit 0 {
family inet {
address xxx.xxx.xxx.148/29;
address xxx.xxx.xxx.149/29;
}
}
}
# Routed LAN interfaces (one /24 each).
ge-0/0/1 {
unit 0 {
family inet {
address 192.xxx.xxx.xxx/24;
}
}
}
ge-0/0/2 {
unit 0 {
family inet {
address 192.xxx.xxx.xxx/24;
}
}
}
ge-0/0/3 {
unit 0 {
family inet {
address 192.xxx.xxx.xxx/24;
}
}
}
ge-0/0/4 {
unit 0 {
family inet {
address 192.xxx.xxx.2/24;
}
}
}
# Trunk port carrying the guest VLAN (WLAN-GUEST, vlan-id 20).
ge-0/0/5 {
unit 0 {
family ethernet-switching {
interface-mode trunk;
vlan {
members WLAN-GUEST;
}
}
}
}
ge-0/0/6 {
unit 0;
}
ge-0/0/7 {
unit 0;
}
# Guest VLAN gateway; DHCP for this subnet is served from [access address-assignment].
irb {
unit 20 {
family inet {
address 192.168.5.1/24;
}
}
}
# Route-based IPsec tunnel interfaces (bound under [security ipsec vpn]); the 169.254.x.x/30
# addresses are presumably the tunnel inside addresses — confirm. mtu 1436 leaves room for
# the ESP overhead on the underlay.
st0 {
unit 1 {
family inet {
mtu 1436;
address 169.254.46.118/30;
}
}
unit 2 {
family inet {
mtu 1436;
address 169.254.44.66/30;
}
}
}
}
routing-options {
static {
# The VPC prefix is reached through both IPsec tunnel interfaces.
route 10.0.0.0/16 next-hop [ st0.1 st0.2 ];
# Default route to the ISP router in the same /29 as ge-0/0/0.
route 0.0.0.0/0 next-hop 173.xxx.xxx.150;
}
}
protocols {
# Layer-2 switching mode for the ethernet-switching ports (ge-0/0/5 trunk / VLAN WLAN-GUEST).
l2-learning {
global-mode switching;
}
}
access {
address-assignment {
# DHCP pool for the guest VLAN (192.168.5.0/24, gateway irb.20): leases .10-.80, 1h lease time.
pool WLAN-GUEST-POOL {
family inet {
network 192.168.5.0/24;
range junosRange {
low 192.168.5.10;
high 192.168.5.80;
}
dhcp-attributes {
maximum-lease-time 3600;
name-server {
8.8.8.8;
8.8.4.4;
}
router {
192.168.5.1;
}
}
}
}
}
}
applications {
# Custom applications used by the untrust-to-trust policies. They match the external ports
# (3387/3388), but policy lookup happens after destination NAT, so the port seen by the policy
# is the pool's translated port; if the pools are corrected to 3389 (the RDP port the servers
# listen on), these must change to destination-port 3389 as well.
application BPApplication-RDP {
protocol tcp;
destination-port 3387;
}
application BPSQL-RDP {
protocol tcp;
destination-port 3388;
}
}
vlans {
# Guest VLAN, routed via irb.20 and isolated from the rest of trust by the trust-to-trust policies.
WLAN-GUEST {
vlan-id 20;
l3-interface irb.20;
}
}


Re: Destination NAT/Port NAT - Totally confused and in dire need of help

Hi Dale,

 

Please refer to the article below and provide us with the flow trace output; it will help us locate the exact issue and suggest a solution:

 

https://kb.juniper.net/InfoCenter/index?page=content&id=KB16108&actp=search

 

-Regards,

Rishi Surana