SRX Services Gateway
Visitor
indrabayu
Posts: 2
Registered: ‎07-01-2010

How to setup NAT or MIP on SRX series

Dear all,

 

I am a new member on this forum, and so far I have tried to learn how to configure it from the basics.

Below I would like to describe the current situation:

 

 

We bought an old Juniper NS5GT from Juniper 5 years ago. This week we bought a Juniper SRX100 to replace the NS5GT.

We have a dedicated 512kbps symmetrical line provided by a local ISP and were given 5 public addresses. Presently we are using the old Juniper NS5GT firewall, but it is going to be replaced by a new Juniper SRX100.
We want to configure the new Juniper SRX100 to perform the same tasks as the old Juniper NS5GT but found out that we cannot just copy the config file from old to new because the OS is different: the old is Netscreen, the new is JunOS.

We have configured the SRX100 following your Juniper tutorial but have encountered a problem with MIP while testing it online: mapping the private addresses of our servers to their respective public addresses does not work. Attached is the SRX100 config file, which we started from a basic config file, trying to map our FTP server (private address 172.17.196) to the public address (121.58.190.133). Also attached is the old NS5GT config file.

The FTP server is connected at fe-0/0/3.0 on the trusted VLAN of the SRX100. The public address of the SRX100 is 121.58.190.130, which is configured at fe-0/0/0.0. Static NAT and proxy ARP have been done for the FTP server, as can be seen in the config file.

The FTP server can connect to the internet from the trusted zone, but the outside world cannot access the FTP server using ftp://ftp.fairfield.co.id, where ftp.fairfield.co.id is the name for the public address 121.58.190.133. When we ping 121.58.190.133 from the outside it seems to be alive, but it is virtual because of the proxy ARP, and we cannot ftp or telnet or remote desktop to the FTP server from the outside.
 
We have also 2 other servers (exchange server and bandwidthcontroller) to be MIP'ed but we need to get one server to work first before continuing with the other two.
 
Further Info:
SRX100 public address=121.58.190.130 configured on fe-0/0/0.0
DNS Servers=121.58.190.35, 121.58.191.35
Next Hop=121.58.190.29
VLAN address is 172.17.1.1/24 (members fe-0/0/1 to fe-0/0/7 inclusive)
 
Ftp Server is connected at fe-0/0/3.0  Its private address is 172.17.1.96 and its public address to be mapped is 121.58.190.133
 
Issue: MIP (or Static NAT) is not working. Connection is good from the trusted to the untrusted zone, but connection is not possible from outside to inside.
 
We need to map:
exchange server  172.17.1.97  ------>  121.58.190.132
ftp server             172.17.1.96 ------->  121.58.190.133
bwcontroller         172.17.1.95 ------->  121.58.190.134
 
 
Please give any advice on how to get the MIP (Static NAT) to work so that we can access the FTP server from the untrusted zone.
 
Sincerely Yours,
Bayu

 

Contributor
husni1984
Posts: 119
Registered: ‎06-10-2009

Re: How to setup NAT or MIP on SRX series

Hi Bayu,

 

I've already accessed your FTP server; it seems well configured. It prompted me for the user name and password.

 

Try to see the logs and NAT statistics to make sure the traffic is forwarded to your server.

 

Thanks and Regards,

 

 

Husni

Super Contributor
colemtb
Posts: 312
Registered: ‎09-30-2009

Re: How to setup NAT or MIP on SRX series

Config posted? 

 

I'd be more than happy to look at it, just the kind of fruit I can pick if you know what I mean ;)

It does look like your FTP server is responding to internet requests though, as mentioned above. Perhaps upstream ARP resolution was holding you down, since your external addresses changed to that of your external interface when you went to the SRX?

Visitor
indrabayu
Posts: 2
Registered: ‎07-01-2010

Re: How to setup NAT or MIP on SRX series


Dear Husni,

 

The one that you accessed was the old config from our Netscreen Juniper; yes, that was working fine.

The issue is that when I force the old config onto my newer Juniper (SRX-100H), it won't work at all.

Here is the new config in my attached file below.

Please give me more advice from the experts... :)

 

Cheers,

 

 

Bayu
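
For reference, an added example that is not taken from any poster's attached config: the pieces an inbound static NAT for the three mappings in the first post needs on an SRX, written as Junos set commands. The zone names `trust` and `untrust` and the rule-set, rule, policy and address-book names are assumptions; the addresses and the fe-0/0/0.0 interface are those given in the thread, and the zone-attached address book is the Junos 10.x style.

```junos
# Added example, not the poster's config. Names marked (assumed) are hypothetical.

# 1. Static NAT: one rule per server, applied to traffic arriving from the
#    untrust zone (assumed). Static NAT is bidirectional, so the same rule
#    also translates the server's outbound traffic to its public address.
set security nat static rule-set inbound-static from zone untrust
set security nat static rule-set inbound-static rule exchange match destination-address 121.58.190.132/32
set security nat static rule-set inbound-static rule exchange then static-nat prefix 172.17.1.97/32
set security nat static rule-set inbound-static rule ftp match destination-address 121.58.190.133/32
set security nat static rule-set inbound-static rule ftp then static-nat prefix 172.17.1.96/32
set security nat static rule-set inbound-static rule bwcontroller match destination-address 121.58.190.134/32
set security nat static rule-set inbound-static rule bwcontroller then static-nat prefix 172.17.1.95/32

# 2. Proxy ARP: the public addresses are not configured on any interface,
#    so the SRX must answer ARP for them on the outside interface.
set security nat proxy-arp interface fe-0/0/0.0 address 121.58.190.132/32 to 121.58.190.134/32

# 3. Security policy: static NAT only rewrites the destination; a policy
#    from untrust to trust must still permit the session. The policy lookup
#    happens after the destination is translated, so the policy matches the
#    PRIVATE address, not the public one.
set security zones security-zone trust address-book address ftp-server 172.17.1.96/32
set security policies from-zone untrust to-zone trust policy allow-ftp match source-address any
set security policies from-zone untrust to-zone trust policy allow-ftp match destination-address ftp-server
# Permit only the service that has to be reachable from the internet,
# not "application any".
set security policies from-zone untrust to-zone trust policy allow-ftp match application junos-ftp
set security policies from-zone untrust to-zone trust policy allow-ftp then permit

# The exchange server and bwcontroller each need their own address-book
# entry and policy listing only the applications they must expose; the
# thread does not say which services those are.
```

After commit, `show security nat static rule all` reports translation hits per rule and `show security flow session` shows whether inbound sessions are being created, which separates a NAT problem from a policy problem.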
