SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Dnat to a remote subnet

    Posted 05-09-2012 06:24

    Hi All

    I hope you can help me with my setup. I am trying to put a DNAT to a remote network on my trust side, but I get a timeout in the browser. My setup is below:

    SRX240 IP 196.xxx.210.186 Gateway 196.xxx.210.185 int ge-0/0/10.0 (internet zone)
    IP 10.10.0.200 int ge-0/0/2.0 (trust zone)

    Static routes:
    192.168.72.24 --> 10.10.0.1

    My config:

    set security nat destination pool Dest-NAT-189-Xantium address 192.168.72.24/32

    set security nat destination rule-set internet-to-DMZ rule Xantium-in match destination-address 196.xxx.210.189/32
    set security nat destination rule-set internet-to-DMZ rule Xantium-in match destination-port 2000
    set security nat destination rule-set internet-to-DMZ rule Xantium-in then destination-nat pool Dest-NAT-189-Xantium

    set security nat proxy-arp interface ge-0/0/10.0 address 196.xxx.210.187/32 to 196.xxx.210.189/32

    set security policies from-zone internet to-zone trust policy Xantium_Webserver match source-address any
    set security policies from-zone internet to-zone trust policy Xantium_Webserver match destination-address Xantium_192.168.72.24/32
    set security policies from-zone internet to-zone trust policy Xantium_Webserver match application tcp_2000
    set security policies from-zone internet to-zone trust policy Xantium_Webserver then permit
    set security policies from-zone internet to-zone trust policy Xantium_Webserver then log session-init

    set routing-options static route 192.168.72.0/24 next-hop 10.10.0.1

    Now I can ping and telnet to port 2000 from the SRX240, but not externally. Is it possible to DNAT to a remote host in the trust zone, or does it only work on directly connected networks?

    johnm@CCIT-FW01> show security flow session |match 2000
      In: 196.xxx.163.169/59770 --> 196.xxx.210.189/2000;tcp, If: ge-0/0/10.0, Pkts: 4, Bytes: 659
      Out: 192.168.72.24/2000 --> 196.xxx.163.169/59770;tcp, If: ge-0/0/2.0, Pkts: 2, Bytes: 84

    These sessions appear in the J-Web policy logging on SESSION_CREATE & close, but it's timing out on the remote browsers.

    Any help will be greatly appreciated.




  • 2.  RE: Dnat to a remote subnet

    Posted 05-09-2012 10:55

    Hi,

    Is it possible to DNAT to a remote host in the trust zone, or does it only work on directly connected networks? Yes, it works for both directly connected networks and remote hosts.

    From the session output, it is clear that destination NAT is happening, from 196.xxx.210.189/2000 to 192.168.72.24/2000, and the security policy is fine too (assuming that the Xantium_192.168.72.24/32 address book entry means 192.168.72.24).

    Do you have a route on 192.168.72.24 for the 196.xxx.163.169 address, pointing towards the SRX, so that the reply comes back to the SRX?

    As you mentioned that you are able to reach it from the SRX, but not from externally, we can apply source NAT in the same direction (as the DNAT), so that the source address 196.xxx.163.169 gets translated to the SRX trust interface address (10.10.0.200) or any other address in the same network.

    Hope this helps.
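One way to add the source NAT that this reply suggests, as an added configuration example that is not from the thread: it assumes the poster's destination NAT rule-set is already bound with `from zone internet` (not shown in the pasted config), the rule-set name `internet-to-trust` and rule name `Xantium-snat` are made up here, and the rule matches on the post-translation destination 192.168.72.24/32 because the SRX evaluates destination NAT before it looks up source NAT rules.

```junos
# Added example, not from the thread. Rule-set and rule names are made up.
# Source NAT in the same direction as the existing DNAT: internet -> trust.
set security nat source rule-set internet-to-trust from zone internet
set security nat source rule-set internet-to-trust to zone trust

# Match any internet source headed for the real (post-DNAT) server address.
set security nat source rule-set internet-to-trust rule Xantium-snat match source-address 0.0.0.0/0
set security nat source rule-set internet-to-trust rule Xantium-snat match destination-address 192.168.72.24/32

# Rewrite the client source to the egress trust interface address (10.10.0.200),
# so the server's reply is routed back to a directly connected SRX address.
set security nat source rule-set internet-to-trust rule Xantium-snat then source-nat interface
commit

# Verify: the Out wing of the session should now show 10.10.0.200 as the
# destination, and Pkts/Bytes should grow in both directions.
run show security nat source rule all
run show security flow session destination-port 2000
```

The trade-off to note before committing this: the server now sees every internet client as 10.10.0.200, so its own access logs lose the real client address. The SRX policy already has `log session-init`, so the original source is still recorded on the firewall, which is where the audit trail has to be looked up from then on. The same translation also sidesteps the asymmetric return path through the MPLS cloud, because replies go to a directly connected address rather than back out towards the internet host.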



  • 3.  RE: Dnat to a remote subnet

    Posted 05-09-2012 15:09

    Hi Pradeep

    Yes, there is a return route, as a traceroute from 192.168.72.24 works. But I have just noticed something odd. A traceroute to that network and a traceroute back to the external IP address seem to follow different paths, so there could be asymmetric routing happening in their MPLS cloud, which happens after 192.168.72.0/0 is routed to 10.10.0.1.

    Traceroute from 192.168.72.24 to 196.xxx.163.169 (an internet host): image attached.

    My traceroute from the SRX to the host:

    traceroute to 192.168.72.24 (192.168.72.24), 30 hops max, 40 byte packets
     1  192.168.16.91 (192.168.16.91)  2.322 ms  1.704 ms  2.013 ms
     2  10.10.0.254 (10.10.0.254)  8.750 ms  2.844 ms  2.686 ms
     3  165.144.99.149 (1x5.144.99.149)  3.725 ms  4.654 ms  3.863 ms
     4  165.149.167.33 (1x5.149.167.33)  15.492 ms  11.849 ms  4.378 ms
     5  165.149.167.34 (1x5.149.167.34)  37.892 ms  38.493 ms  38.188 ms
     6  192.168.72.24 (192.168.72.24)  40.391 ms  43.495 ms  39.929 ms




  • 4.  RE: Dnat to a remote subnet

    Posted 05-09-2012 22:49

    Hi All,

    I have been longing to ask a few questions about the SRX series gateway; hopefully I will get some answers over here.

    Doubts:

    1. Can we increase the bandwidth of the internal interface joining the RE and PFE, or is it the same for all the device models, or does it vary from model to model? I suppose that the bandwidth is 100 Mbps as per the Juniper datasheets. Correct me if I am wrong.

    2. Do we have any limit on the number of terms I can define within a routing policy and a firewall filter?

    3. What is the default interface MTU size on Junos platforms?

    4. Maximum number of VLANs that can be created on a physical interface? Is it 4096 or 1024 in Junos?

    5. The switch which is connected to the 2 physical interfaces that are combined together to form a reth interface: should it necessarily be an L2 switch, or will an L3 switch also do the same functionality?

    6. When I use a RADIUS server in my authentication order, do I still need to have users mapped in my device? If yes, how do I map only the usernames, because authorization is already defined on the RADIUS server anyway?

    7. In firewall authentication, let's say there is a NAT-enabled device before the firewall. Once the user who has the right credentials gets authenticated, subsequently all the users will be given access to my server, because the authentication table entry is stored based on the IP address and not usernames. So how do I restrict other users who don't have the credentials from accessing my server?

    8. Should I use the applications telnet, ftp and http in the security policy when I am using pass-through authentication? Because pass-through supports only ftp, http and telnet traffic?

    9. Can we use the primary interface IP address as the web authentication IP address, or is it mandatory that we define one more IP address on the interface as the web-auth IP?

    10. What is a real-time scenario in which we have 2 IP addresses defined on the interface and both are actually used?

    NAT questions:

    11. How many actual translations can we have with 1 public IP when I disable PAT?

    12. What does this actually mean: "D-NAT will generate allow incoming packets for VoIP ALGs"?

    13. Can we use the same IP for S-NAT and D-NAT? Then what is the use of static NAT?

    14. When we are doing static NAT, can we have both the internal and external communication happen at the same time, because there can be only one translation per public IP when I disable PAT?

    15. In source NAT with address shifting, the user will bind a private IP range to a public IP range.

    Let's imagine my private range starts from 10.1.10.5 to 10.1.10.254.
    My public pool is from 100.1.1.1 to 100.1.1.200.

    I map my private base address to the public address, from 10.1.10.5 to 100.1.1.1.
    So let's say 10.1.10.5 gets translated to 100.1.1.1.

    What happens if 10.1.10.7 initiates a session before 10.1.10.6: will it be assigned 100.1.1.3 or 100.1.1.2?

    VPN:

    16. Can we actually load balance between redundant VPN tunnels between two branch offices?

    17. In the IPsec header, what does the Next Header information mean?



  • 5.  RE: Dnat to a remote subnet
    Best Answer

    Posted 05-17-2012 05:06
    After extensive testing I realised that Juniper just didn't like port 2000. So I have now changed to port 3000 and it's working with the same configuration. I did notice that port 2000 is assigned to the junos-sccp service, under ALG, but I do not have any ALG service configured. My other colleague has the same issue at another client with port 5650, and the only option that remains is to try changing the port, which might not always be ideal.
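A way to check whether the SCCP ALG is what is interfering with TCP/2000 before resorting to a port change, as an added example that is not the poster's own commands: the `user@srx` prompt is a placeholder, and disabling the ALG assumes that no real SCCP (Cisco Skinny) phones traverse this SRX, since the ALG would then stop inspecting their signalling too.

```junos
# Added example, not from the thread. Prompt is a placeholder.
# 1. Operational mode: list which ALGs are enabled. On branch SRX devices
#    several ALGs, sccp among them, are enabled by default even when
#    nothing is configured under [edit security alg].
user@srx> show security alg status

# 2. Configuration mode: disable only the SCCP ALG rather than all ALGs,
#    so the other protocol helpers (ftp, dns, ...) keep working.
user@srx> configure
user@srx# set security alg sccp disable
user@srx# commit and-quit

# 3. Clear the stale half-open session, re-test the DNAT from an external
#    client, and confirm both wings now carry traffic (Out Pkts/Bytes growing).
user@srx> clear security flow session destination-port 2000
user@srx> show security flow session destination-port 2000
```

If the session completes once the ALG is off, the original port can be kept and the change is limited to one ALG; if it still stalls, the ALG was not the cause and the port change the poster settled on remains the workaround. Either way, the colleague's port 5650 case is worth checking the same way against `show security alg status` before assuming the ports are simply "disliked".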