SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  How can I set up configuration for using both Destination NAT and Dynamic VPN?

    Posted 01-23-2015 18:04

    Hello everyone,

     

    I am new to this community and I have trouble with configuring Dynamic VPN and Destination NAT. It works properly when I configure just one of them. But once I set up these two features, only Dynamic VPN works.
    Is there any way to solve this?

    My configuration is in attachment.


    Thanks in advance.

    Attachment(s): SRX210_FW0001_config.txt (10 KB)


  • 2.  RE: How can I set up configuration for using both Destination NAT and Dynamic VPN?

     
    Posted 01-24-2015 00:29

    You may use the configuration below to turn off NAT for the HTTPS connection that will be used for DVPN.

     

    set security nat destination rule-set HTTP_DSTNAT rule No-NAT match destination-address 192.168.1.220/32
    set security nat destination rule-set HTTP_DSTNAT rule No-NAT match destination-port 443
    set security nat destination rule-set HTTP_DSTNAT rule No-NAT then destination-nat off

     

    Please place this rule before your current NAT rule "r1"; you can use the below command to achieve this.

     

    "insert security nat destination rule-set HTTP_DSTNAT rule r1 after rule No-NAT"

     

    Let me know if you have any questions.

     

    Thanks,

    Suraj

     

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too

     



  • 3.  RE: How can I set up configuration for using both Destination NAT and Dynamic VPN?
    Best Answer

    Posted 01-26-2015 19:16

    Hi rsuraj,

     

    Thank you for your help!

    I put in the rule-set and the command, and then some parts of the page at 192.168.1.220 (real address: 10.10.0.22) came up, but it couldn't complete all parts of the page. It's just a static HTML page. Is any additional rule needed?

     

    Here is my updated config.

    set security nat destination pool POOL_HTTP address 10.10.0.22/32
    set security nat destination pool POOL_HTTP address port 80
    set security nat destination rule-set HTTP_DSTNAT from zone Internet
    set security nat destination rule-set HTTP_DSTNAT rule No-NAT match destination-address 192.168.1.220/32
    set security nat destination rule-set HTTP_DSTNAT rule No-NAT match destination-port 443
    set security nat destination rule-set HTTP_DSTNAT rule No-NAT then destination-nat off
    set security nat destination rule-set HTTP_DSTNAT rule r1 match destination-address 192.168.1.220/32
    set security nat destination rule-set HTTP_DSTNAT rule r1 match destination-port 8080
    set security nat destination rule-set HTTP_DSTNAT rule r1 then destination-nat pool POOL_HTTP
    set security nat proxy-arp interface vlan.1 address 10.30.0.100/32 to 10.30.0.101/32

     

    Thank you for your help again!

     

    June2011

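    The ordering point made in reply 2, and the rule-set as it stands in reply 3, as an added illustration (this is not code from the thread or from Junos): a small first-match evaluator for a Junos-style destination NAT rule-set, seeded with the No-NAT and r1 rules above, plus a function that mimics the `insert ... after` reorder. The broad, any-port shape of r1 used in `ordering_demo` is an assumption standing in for the attached config, which the page does not reproduce.

```python
# Added illustration (not from the thread): Junos evaluates the rules of a
# destination NAT rule-set in configured order and applies the first match,
# so a "destination-nat off" rule for TCP/443 must precede the translating rule.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass
class DstNatRule:
    name: str
    match_addr: str                   # match destination-address prefix
    match_port: Optional[int]         # match destination-port; None = any port
    pool: Optional[Tuple[str, int]]   # then destination-nat pool (addr, port); None = off

    def matches(self, dst_ip: str, dst_port: int) -> bool:
        return (ip_address(dst_ip) in ip_network(self.match_addr)
                and (self.match_port is None or self.match_port == dst_port))

def apply_dst_nat(rules: List[DstNatRule], dst_ip: str, dst_port: int):
    """Return (rule_name, translated_ip, translated_port); first match wins."""
    for rule in rules:
        if rule.matches(dst_ip, dst_port):
            if rule.pool is None:                 # destination-nat off
                return rule.name, dst_ip, dst_port
            return rule.name, rule.pool[0], rule.pool[1]
    return None, dst_ip, dst_port                 # no rule matched: untranslated

def insert_after(rules: List[DstNatRule], moving: str, anchor: str):
    """Mimic 'insert ... rule <moving> after rule <anchor>' by reordering in place."""
    rule = next(r for r in rules if r.name == moving)
    rules.remove(rule)
    anchor_idx = rules.index(next(r for r in rules if r.name == anchor))
    rules.insert(anchor_idx + 1, rule)
    return rules

# Rule-set HTTP_DSTNAT as posted in reply 3: No-NAT for 443 ahead of r1 for 8080.
HTTP_DSTNAT = [
    DstNatRule("No-NAT", "192.168.1.220/32", 443, None),
    DstNatRule("r1", "192.168.1.220/32", 8080, ("10.10.0.22", 80)),
]

def ordering_demo():
    """Assumed original shape: r1 matching every port and listed first, which
    swallows the Dynamic VPN HTTPS connection; the insert restores No-NAT."""
    rules = [DstNatRule("r1", "192.168.1.220/32", None, ("10.10.0.22", 80)),
             DstNatRule("No-NAT", "192.168.1.220/32", 443, None)]
    before = apply_dst_nat(rules, "192.168.1.220", 443)[0]
    insert_after(rules, "r1", "No-NAT")
    after = apply_dst_nat(rules, "192.168.1.220", 443)[0]
    return before, after
```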


  • 4.  RE: How can I set up configuration for using both Destination NAT and Dynamic VPN?

     
    Posted 01-26-2015 22:09

    Hi June2011,

     

    Thanks for the update. I don't think the page not loading completely is related to NAT, as the NAT rule just changes the destination IP, and in this case that is happening.

     

    Are you sure the page doesn't have links to other addresses? Also, you can try changing the TCP MSS value to avoid page loading issues with fragmentation.

     

    set security flow tcp-mss all-tcp mss 1300

     

    For further investigation I would request you to apply flow traceoptions and see if the page is trying to open connections to other addresses, or take a pcap on the egress interface.

     

     

    Thanks,

    Suraj

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too

     

     



  • 5.  RE: How can I set up configuration for using both Destination NAT and Dynamic VPN?

    Posted 01-28-2015 14:09

    Hi Suraj,

     

    I changed the security policy order from

     1) policy policy_in_dyn_vpn

     2) policy p1

    to

     1) policy p1

     2) policy policy_in_dyn_vpn

     

    Then I tested and it works!

     

    Thank you for your solution!

     

    June2011