SRX Services Gateway
Contributor
willroute4food

Destination NAT, SRX240, please help

Guys, how does this config look? Basically I'm wanting to NAT anything coming from my untrusted zone on ports 443 and 25 to a specific server in the trusted zone. Here's the config:

destination {
    pool exchange-int {
        address 172.16.x.x/32 port 25;
    }
    pool Exchange-OWA {
        address 172.16.x.x/32 port 443;
    }
    rule-set exchange-rs {
        from interface reth1.0;
    }
    rule-set SMTP_TEST {
        from zone untrust;
        rule Exchange-SMTP {
            match {
                destination-address 1.1.1.1/32;
                destination-port 25;
            }
            then {
                destination-nat pool exchange-int;
            }
        }
    }
    rule-set OWA_TEST {
        from zone untrust;
        rule XCHANGE-OWA {
            match {
                destination-address 1.1.1.1/32;
                destination-port 443;
            }
            then {
                destination-nat pool Exchange-OWA;
            }
        }
    }
}

Here's my security policy from zone untrust to zone trust:

policy exchange-pol {
    match {
        source-address any;
        destination-address exchange-server;
        application junos-smtp;
    }
    then {
        permit;
        log {
            session-init;
        }
    }
}

policy exchange-owa {
    match {
        source-address any;
        destination-address exchange-server;
        application junos-https;
    }
    then {
        permit;
        log {
            session-init;
            session-close;
        }
        count;
    }
}

So I am getting NAT translation hits, but nothing happens. Nothing is logged under my security policies... it's almost as if it's NATting and then never hitting my security policies at all!?!? Any help is appreciated, fellas (and gals!)

Thanks,

Contributor
willroute4food

Re: Destination NAT, SRX240

So my reth1.0 interface is programmed as, say, 1.1.1.1/29.

When I try to configure proxy-arp I get this:

[edit security nat proxy-arp interface reth1.0]
  'address 1.1.1.1/32'
    Proxy ARP IP address range [1.1.1.1 1.1.1.1] overlaps with interface IP address range [1.1.1.1 1.1.1.1] defined on interface 'reth1.0'
error: configuration check-out failed

What's up with that? I thought I followed the config doc exactly??

Trusted Contributor
supcourt

Re: Destination NAT, SRX240

You only use proxy-arp if the NAT address isn't in use elsewhere. Otherwise, the SRX already knows about the IP address and will ARP for it. See other posts on the forum for ARP (yes, I found them as well when hunting down why some NATs were not working; too bad the documentation just has a single paragraph on proxy-arp at the end of the NAT section, but the recent app note on NAT is nice in showing how to use it).

Contributor
willroute4food

Re: Destination NAT, SRX240

So I have no real need to turn on proxy-arp here because I have the NATted outside address (reth1.0) assigned to that interface? If this is so... thanks for the prompt response.

Trusted Contributor
supcourt

Re: Destination NAT, SRX240

Yes, if the address is already in use (like reth1.0), there's no need to put in the proxy-arp command.
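Pulling the two halves of the thread together (the destination NAT plus policy from the first post, and the proxy-arp question from the rest), here is a complete setup written as Junos set commands. This is an added example, not the poster's configuration and not Juniper's documentation; the interface reth1.0 with 192.0.2.9/29, the spare public address 192.0.2.10 in that /29, the internal hosts 172.16.20.25 and 172.16.20.30, and all pool, rule, address-book and policy names are assumptions. Two points of SRX behaviour drive the shape of it. First, the destination-NAT rule is applied before the zone and security-policy lookup, so the untrust-to-trust policy has to name the translated (internal) address rather than the public one; a policy whose destination is the public address never sees the translated session even though the NAT rule counts a hit. Second, the SRX answers ARP only for addresses configured on its own interfaces, so a NAT target that is the interface address (the case in this thread) needs no proxy-arp entry, while a second address from the same subnet that belongs to no interface does; listing the interface's own address under proxy-arp produces the "overlaps with interface IP address range" commit error quoted above.

```junos
## Added example (not from the original thread). Assumed addresses and names:
##   reth1.0      untrust-facing interface, 192.0.2.9/29; its own address is NAT target #1
##   192.0.2.10   spare address in the same /29, configured on no interface; NAT target #2
##   172.16.20.25 Exchange server (SMTP + OWA) in zone trust
##   172.16.20.30 second internal HTTPS server in zone trust
## Chassis-cluster / redundant-ether-options settings for reth1 are omitted.
## Zone-level address-book syntax as on Junos 10.x; from 11.2 the same entries can
## live under "set security address-book global address ...".

## Interface, zones and address-book entries for the POST-NAT (internal) hosts
set interfaces reth1 unit 0 family inet address 192.0.2.9/29
set security zones security-zone untrust interfaces reth1.0
set security zones security-zone trust address-book address exchange-server 172.16.20.25/32
set security zones security-zone trust address-book address intranet-web 172.16.20.30/32

## Destination-NAT pools: translated host and port for each published service
set security nat destination pool exchange-smtp address 172.16.20.25/32 port 25
set security nat destination pool exchange-owa  address 172.16.20.25/32 port 443
set security nat destination pool intranet-web  address 172.16.20.30/32 port 443

## One zone-based rule-set holding every rule. The SRX picks the rule-set with the
## most specific "from" context (interface, then zone, then routing-instance), so an
## interface-based rule-set on reth1.0 would be consulted ahead of this one.
set security nat destination rule-set untrust-dnat from zone untrust
set security nat destination rule-set untrust-dnat rule smtp match destination-address 192.0.2.9/32
set security nat destination rule-set untrust-dnat rule smtp match destination-port 25
set security nat destination rule-set untrust-dnat rule smtp then destination-nat pool exchange-smtp
set security nat destination rule-set untrust-dnat rule owa match destination-address 192.0.2.9/32
set security nat destination rule-set untrust-dnat rule owa match destination-port 443
set security nat destination rule-set untrust-dnat rule owa then destination-nat pool exchange-owa
set security nat destination rule-set untrust-dnat rule intranet match destination-address 192.0.2.10/32
set security nat destination rule-set untrust-dnat rule intranet match destination-port 443
set security nat destination rule-set untrust-dnat rule intranet then destination-nat pool intranet-web

## proxy-arp only for 192.0.2.10: the upstream router ARPs for it on the /29 and no
## interface owns it. 192.0.2.9 must NOT be listed here; the commit fails with the
## "overlaps with interface IP address range" error. An address outside the /29 would
## not need proxy-arp either, because the upstream router routes it instead of ARPing.
set security nat proxy-arp interface reth1.0 address 192.0.2.10/32

## Policies from untrust to trust are matched AFTER translation: destination-address
## is the internal host, and each policy is scoped to exactly one host and one service.
set security policies from-zone untrust to-zone trust policy exchange-smtp match source-address any
set security policies from-zone untrust to-zone trust policy exchange-smtp match destination-address exchange-server
set security policies from-zone untrust to-zone trust policy exchange-smtp match application junos-smtp
set security policies from-zone untrust to-zone trust policy exchange-smtp then permit
set security policies from-zone untrust to-zone trust policy exchange-smtp then log session-init
set security policies from-zone untrust to-zone trust policy exchange-smtp then log session-close
set security policies from-zone untrust to-zone trust policy exchange-owa match source-address any
set security policies from-zone untrust to-zone trust policy exchange-owa match destination-address exchange-server
set security policies from-zone untrust to-zone trust policy exchange-owa match application junos-https
set security policies from-zone untrust to-zone trust policy exchange-owa then permit
set security policies from-zone untrust to-zone trust policy exchange-owa then log session-init
set security policies from-zone untrust to-zone trust policy exchange-owa then log session-close
set security policies from-zone untrust to-zone trust policy exchange-owa then count
set security policies from-zone untrust to-zone trust policy intranet-https match source-address any
set security policies from-zone untrust to-zone trust policy intranet-https match destination-address intranet-web
set security policies from-zone untrust to-zone trust policy intranet-https match application junos-https
set security policies from-zone untrust to-zone trust policy intranet-https then permit
set security policies from-zone untrust to-zone trust policy intranet-https then log session-init
set security policies from-zone untrust to-zone trust policy intranet-https then log session-close

## Checks after commit (operational mode), in the order the flow is processed:
##   show security nat destination rule all               translation hit counter per rule
##   show security flow session destination-port 443     "In" shows the 192.0.2.x address,
##                                                        "Out" the translated 172.16.20.x host
##   show security policies policy-name exchange-owa detail   policy statistics (count enabled above)
```

The `##` lines are comments for the reader; drop them before pasting if your CLI does not ignore them. If the NAT rule counter climbs but the session list shows no "Out" leg to the internal host and the policy log stays empty, the first thing to compare is the policy's destination-address object against the pool address, since that is the value the policy lookup sees.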

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.