SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Need port forwarding help please

    Posted 10-23-2015 14:01

    I need to forward connections to my external IP to an internal device on a specific port and I can't seem to get it to work. I'm using the doc at http://www.juniper.net/documentation/en_US/junos12.1/topics/example/nat-security-destination-address-port-translation-configuring.html

    I suspect proxy ARP but it won't let me set it saying it conflicts with the IP on my outside interface.

    1) Proxy ARP IP address range [x.x.x.146 x.x.x.146] overlaps with interface IP address range [x.x.x.146 x.x.x.146] defined on interface 'fe-0/0/7.0'

     

    This is my first Juniper so any help is greatly appreciated!!

     

    Here is my config so far:

    destination {
                pool PLC {
                    address 192.168.168.2/32 port 44818;
                }
                rule-set PLC {
                    from zone Internet;
                    rule PLC {
                        match {
                            destination-address x.x.x.146/32;
                            destination-port 44818;
                        }
                        then {
                            destination-nat pool PLC;
                        }
                    }
                }
            }

     

    from-zone Internet to-zone Internal {
                policy PLC_In {
                    match {
                        source-address any;
                        destination-address PLCHost;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }

     

    Here is what I get when running show security nat destination rule all    
    Total destination-nat rules: 1
    Total referenced IPv4/IPv6 ip-prefixes: 1/0
     
    Destination NAT rule: PLC                  Rule-set: PLC
      Rule-Id                    : 1  
      Rule position              : 1
      From zone                  : Internet
        Destination addresses    : x.x.x.146  -x.x.x.146
     
      Destination port           : 44818
      Action                     : PLC
      Translation hits           : 66

     

     

    And from running show security policies policy-name PLC_In detail  
    Policy: PLC_In, action-type: permit, State: enabled, Index: 13, Scope Policy: 0
      Policy Type: Configured
      Sequence number: 1
      From zone: Internet, To zone: Internal
      Source addresses:
        any-ipv4: 0.0.0.0/0
        any-ipv6: ::/0
      Destination addresses:
        PLCHost: 192.168.168.2/32
      Application: any
        IP protocol: 0, ALG: 0, Inactivity timeout: 0
          Source port range: [0-0]
          Destination port range: [0-0]
      Per policy TCP Options: SYN check: No, SEQ check: No



  • 2.  RE: Need port forwarding help please

    Posted 10-24-2015 05:01

    You will not need proxy-arp if you are using the interface ip address.  Proxy-arp is needed if the address is in the same subnet as the interface but not the interface address.  The interface address itself will automatically respond to arp requests for its own address.

     

    Your nat rule looks correct.

     

    Your security policy is correctly formatted.  The zones should be the external internet zone (which seems correct) and the zone where the POST nat address exists 192.168.168.2/32.

     

    Also confirm that the address object in the rule PLCHost is the post nat address 192.168.168.2/32.

     

    If all this checks out, add logging to the policy so you can have a trail.

     

    And check the session table during the attempt to see that the session is created:

    show security flow sessions

     

    References:

    flow process

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB16110

     

    Session checks

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB21719

     

    Destination nat troubleshooting

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB21839



  • 3.  RE: Need port forwarding help please

    Posted 10-26-2015 11:21

    Thank you!! I would appreciate some help interpreting my results as I don't really understand them!! It looks to me like it should be working but I'm not really sure what some of the results mean. (seems some of the characters interpret as smileys when posted....sorry)

    I ran nmap with the option nmap -p 44818 x.x.x.146 from my office at x.x.x.34

     

    show security flow session source-prefix x.x.x.34 destination-port 44818
    Session ID: 106864, Policy name: PLC_In/14, Timeout: 20, Valid
    In: x.x.x.34/55753 --> x.x.x.146/44818;tcp, If: fe-0/0/7.0, Pkts: 1, Bytes: 44
    Out: 192.168.168.2/44818 --> x.x.x.34/55753;tcp, If: vlan.0, Pkts: 0, Bytes: 0

    Session ID: 107321, Policy name: PLC_In/14, Timeout: 20, Valid
    In: x.x.x.34/6144 --> x.x.x.146/44818;tcp, If: fe-0/0/7.0, Pkts: 1, Bytes: 44
    Out: 192.168.168.2/44818 --> x.x.x.34/6144;tcp, If: vlan.0, Pkts: 0, Bytes: 0
    Total sessions: 2

     

    Here is my  show security flow    
    traceoptions {
        file flow-trace;
        flag basic-datapath;
        packet-filter web_to_trust {
            source-prefix x.x.x.34/32;
            destination-port 44818;
        }
    }
    tcp-mss {
        ipsec-vpn {
            mss 1350;
        }
    }

     

    and the show log flow-trace    
    Oct 26 12:09:08 DBTS clear-log[38917]: logfile cleared
    Oct 26 12:09:19 12:09:19.287796:CID-0:RT:ASL nat rule lookup: src_ip: 192.168.168.103
    Oct 26 12:09:19 12:09:19.287796:CID-0:RT:ASL nat rule lookup: dst_ip: 192.168.117.179 port:0
    Oct 26 12:09:19 12:09:19.287796:CID-0:RT:ASL nat rule lookup: lsys:0, ifp: vlan.0->st0.1
    Oct 26 12:09:19 12:09:19.287796:CID-0:RT:ASL nat rule lookup: src_ip: 192.168.117.179
    Oct 26 12:09:19 12:09:19.287796:CID-0:RT:ASL nat rule lookup: dst_ip: 192.168.117.179 port:0
    Oct 26 12:09:19 12:09:19.287796:CID-0:RT:ASL nat rule lookup: lsys:0, ifp: st0.1->st0.1
    Oct 26 12:09:19 12:09:19.663197:CID-0:RT:ASL nat rule lookup: src_ip: 192.168.168.103
    Oct 26 12:09:19 12:09:19.663197:CID-0:RT:ASL nat rule lookup: dst_ip: 192.168.168.103 port:0
    Oct 26 12:09:19 12:09:19.663197:CID-0:RT:ASL nat rule lookup: lsys:0, ifp: vlan.0->vlan.0
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:<x.x.x.34/54125->x.x.x.146/44818;6> matched filter web_to_trust:
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:packet [44] ipid = 20315, @0x43666e24
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 15, common flag 0x0, mbuf 0x43666c00, rtbl_idx = 0
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT: flow process pak fast ifl 81 in_ifp fe-0/0/7.0
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:  fe-0/0/7.0:x.x.x.34/54125->x.x.x.146/44818, tcp, flag 2 syn
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT: find flow: table 0x59263e58, hash 42337(0xffff), sa x.x.x.34, da x.x.x.146, sp 54125, dp 44818, proto 6, tok 6
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:  no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:check self-traffic on fe-0/0/7.0, in_tunnel 0x0
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:retcode: 0x1
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:pak_for_self : proto 6, dst port 44818, action 0x0
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:  flow_first_create_session
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:  flow_first_in_dst_nat: in <fe-0/0/7.0>, out <N/A> dst_adr x.x.x.146, sp 54125, dp 44818
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:  chose interface fe-0/0/7.0 as incoming nat if.
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:flow_first_rule_dst_xlate: DST xlate: x.x.x.146(44818) to 192.168.168.2(44818), rule/pool id 1/1.
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip x.x.x.34, x_dst_ip 192.168.168.2, in ifp fe-0/0/7.0, out ifp N/A sp 54125, dp 44818, ip_proto 6, tos 0
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:Doing DESTINATION addr route-lookup
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:  routed (x_dst_ip 192.168.168.2) from Internet (fe-0/0/7.0 in 0) to vlan.0, Next-hop: 192.168.168.2
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:flow_first_policy_search: policy search from zone Internet-> zone Internal (0x110,0xd36daf12,0xaf12)
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:Policy lkup: vsys 0 zone(6:Internet) -> zone(8:Internal) scope:0
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:             x.x.x.34/54125 -> 192.168.168.2/44818 proto 6
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:  app 0, timeout 1800s, curr ageout 20s
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:  permitted by policy PLC_In(14)
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:  packet passed, Permitted by policy.
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:flow_first_src_xlate:  nat_src_xlated: False, nat_src_xlate_failed: False
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:flow_first_src_xlate: src nat returns status: 0, rule/pool id: 0/0, pst_nat: False.
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:  dip id = 0/0, x.x.x.34/54125->x.x.x.34/54125 protocol 0
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:  choose interface vlan.0 as outgoing phy if
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:is_loop_pak: No loop: on ifp: vlan.0, addr: 192.168.168.2, rtt_idx:0
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:-jsf : Alloc sess plugin info for session 141734030694
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:[JSF]Normal interest check. regd plugins 19, enabled impl mask 0x0
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:-jsf int check: plugin id  2, svc_req 0x0, impl mask 0x0. rc 4
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:-jsf int check: plugin id  3, svc_req 0x0, impl mask 0x0. rc 4
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:-jsf int check: plugin id  5, svc_req 0x0, impl mask 0x0. rc 4
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:-jsf int check: plugin id  6, svc_req 0x0, impl mask 0x0. rc 4
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:-jsf int check: plugin id  7, svc_req 0x0, impl mask 0x0. rc 4
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:-jsf int check: plugin id  8, svc_req 0x0, impl mask 0x0. rc 4
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:-jsf int check: plugin id 12, svc_req 0x0, impl mask 0x0. rc 4
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:-jsf int check: plugin id 15, svc_req 0x0, impl mask 0x0. rc 4
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:+++++++++++jsf_test_plugin_data_evh: 3
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:-jsf int check: plugin id 16, svc_req 0x0, impl mask 0x0. rc 4
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:-jsf int check: plugin id 22, svc_req 0x0, impl mask 0x0. rc 4
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:-jsf int check: plugin id 23, svc_req 0x0, impl mask 0x0. rc 4
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:-jsf int check: plugin id 26, svc_req 0x0, impl mask 0x0. rc 4
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:-jsf int check: plugin id 27, svc_req 0x0, impl mask 0x0. rc 2
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:-jsf int check: plugin id 28, svc_req 0x0, impl mask 0x0. rc 4
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:[JSF]Plugins(0x0, count 0) enabled for session = 140064100, impli mask(0x21), post_nat cnt 109926 svc req(0x0)
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:-jsf : no plugin interested for session 141734030694, free sess plugin info
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:flow_first_service_lookup(): natp(0x600472f8): app_id, 0(0).
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:  service lookup identified service 0.
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:  flow_first_final_check: in <fe-0/0/7.0>, out <vlan.0>
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:flow_first_final_check: flow_set_xlate_vector.
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:flow_first_complete_session, pak_ptr: 0x592e5090, nsp: 0x600472f8, in_tunnel: 0x0
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:construct v4 vector for nsp2
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:  existing vector list 0x1002-0x51267b10.
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:  Session (id:109926) created for first pak 1002
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:  flow_first_install_session======> 0x600472f8
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT: nsp 0x600472f8, nsp2 0x60047378
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:  make_nsp_ready_no_resolve()
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:  route lookup: dest-ip x.x.x.34 orig ifp fe-0/0/7.0 output_ifp fe-0/0/7.0 orig-zone 6 out-zone 6 vsd 0
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:  route to x.x.x.129
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:no need update ha
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:Installing c2s NP session wing
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:Installing s2c NP session wing
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:  flow got session.
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:  flow session id 109926
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT: vector bits 0x1002 vector 0x51267b10
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT: tcp 3way refresh, is_half_open:0, is_fwauth:0
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:  tcp flags 0x2, flag 0x2
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:  Got syn, x.x.x.34(54125)->x.x.x.146(44818), nspflag 0x1021, 0x20
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:flow_xlate_pak
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:  post addr xlation: x.x.x.34->192.168.168.2.
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:  post addr xlation: x.x.x.34->192.168.168.2.
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:skip pre-frag: is_tunnel_if- 0, is_if_mtu_configured- 0
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT:mbuf 0x43666c00, exit nh 0x180010
    Oct 26 12:09:22 12:09:21.998885:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)

    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:<x.x.x.34/54624->x.x.x.146/44818;6> matched filter web_to_trust:
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:packet [44] ipid = 45455, @0x436346a4
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 15, common flag 0x0, mbuf 0x43634480, rtbl_idx = 0
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT: flow process pak fast ifl 81 in_ifp fe-0/0/7.0
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:  fe-0/0/7.0:x.x.x.34/54624->x.x.x.146/44818, tcp, flag 2 syn
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT: find flow: table 0x59263e58, hash 16083(0xffff), sa x.x.x.34, da x.x.x.146, sp 54624, dp 44818, proto 6, tok 6
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:  no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:check self-traffic on fe-0/0/7.0, in_tunnel 0x0
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:retcode: 0x1
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:pak_for_self : proto 6, dst port 44818, action 0x0
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:  flow_first_create_session
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:  flow_first_in_dst_nat: in <fe-0/0/7.0>, out <N/A> dst_adr x.x.x.146, sp 54624, dp 44818
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:  chose interface fe-0/0/7.0 as incoming nat if.
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:flow_first_rule_dst_xlate: DST xlate: x.x.x.146(44818) to 192.168.168.2(44818), rule/pool id 1/1.
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip x.x.x.34, x_dst_ip 192.168.168.2, in ifp fe-0/0/7.0, out ifp N/A sp 54624, dp 44818, ip_proto 6, tos 0
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:Doing DESTINATION addr route-lookup
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:  routed (x_dst_ip 192.168.168.2) from Internet (fe-0/0/7.0 in 0) to vlan.0, Next-hop: 192.168.168.2
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:flow_first_policy_search: policy search from zone Internet-> zone Internal (0x110,0xd560af12,0xaf12)
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:Policy lkup: vsys 0 zone(6:Internet) -> zone(8:Internal) scope:0
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:             x.x.x.34/54624 -> 192.168.168.2/44818 proto 6
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:  app 0, timeout 1800s, curr ageout 20s
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:  permitted by policy PLC_In(14)
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:  packet passed, Permitted by policy.
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:flow_first_src_xlate:  nat_src_xlated: False, nat_src_xlate_failed: False
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:flow_first_src_xlate: src nat returns status: 0, rule/pool id: 0/0, pst_nat: False.
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:  dip id = 0/0, x.x.x.34/54624->x.x.x.34/54624 protocol 0
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:  choose interface vlan.0 as outgoing phy if
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:is_loop_pak: No loop: on ifp: vlan.0, addr: 192.168.168.2, rtt_idx:0
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:-jsf : Alloc sess plugin info for session 141734029085
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:[JSF]Normal interest check. regd plugins 19, enabled impl mask 0x0
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:-jsf int check: plugin id  2, svc_req 0x0, impl mask 0x0. rc 4
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:-jsf int check: plugin id  3, svc_req 0x0, impl mask 0x0. rc 4
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:-jsf int check: plugin id  5, svc_req 0x0, impl mask 0x0. rc 4
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:-jsf int check: plugin id  6, svc_req 0x0, impl mask 0x0. rc 4
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:-jsf int check: plugin id  7, svc_req 0x0, impl mask 0x0. rc 4
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:-jsf int check: plugin id  8, svc_req 0x0, impl mask 0x0. rc 4
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:-jsf int check: plugin id 12, svc_req 0x0, impl mask 0x0. rc 4
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:-jsf int check: plugin id 15, svc_req 0x0, impl mask 0x0. rc 4
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:+++++++++++jsf_test_plugin_data_evh: 3
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:-jsf int check: plugin id 16, svc_req 0x0, impl mask 0x0. rc 4
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:-jsf int check: plugin id 22, svc_req 0x0, impl mask 0x0. rc 4
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:-jsf int check: plugin id 23, svc_req 0x0, impl mask 0x0. rc 4
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:-jsf int check: plugin id 26, svc_req 0x0, impl mask 0x0. rc 4
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:-jsf int check: plugin id 27, svc_req 0x0, impl mask 0x0. rc 2
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:-jsf int check: plugin id 28, svc_req 0x0, impl mask 0x0. rc 4
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:[JSF]Plugins(0x0, count 0) enabled for session = 140064100, impli mask(0x21), post_nat cnt 108317 svc req(0x0)
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:-jsf : no plugin interested for session 141734029085, free sess plugin info
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:flow_first_service_lookup(): natp(0x5ff940f0): app_id, 0(0).
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:  service lookup identified service 0.
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:  flow_first_final_check: in <fe-0/0/7.0>, out <vlan.0>
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:flow_first_final_check: flow_set_xlate_vector.
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:flow_first_complete_session, pak_ptr: 0x592e5090, nsp: 0x5ff940f0, in_tunnel: 0x0
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:construct v4 vector for nsp2
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:  existing vector list 0x1002-0x51267b10.
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:  Session (id:108317) created for first pak 1002
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:  flow_first_install_session======> 0x5ff940f0
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT: nsp 0x5ff940f0, nsp2 0x5ff94170
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:  make_nsp_ready_no_resolve()
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:  route lookup: dest-ip x.x.x.34 orig ifp fe-0/0/7.0 output_ifp fe-0/0/7.0 orig-zone 6 out-zone 6 vsd 0
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:  route to x.x.x.129
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:no need update ha
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:Installing c2s NP session wing
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:Installing s2c NP session wing
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:  flow got session.
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:  flow session id 108317
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT: vector bits 0x1002 vector 0x51267b10
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT: tcp 3way refresh, is_half_open:0, is_fwauth:0
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:  tcp flags 0x2, flag 0x2
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:  Got syn, x.x.x.34(54624)->x.x.x.146(44818), nspflag 0x1021, 0x20
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:flow_xlate_pak
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:  post addr xlation: x.x.x.34->192.168.168.2.
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:  post addr xlation: x.x.x.34->192.168.168.2.
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:skip pre-frag: is_tunnel_if- 0, is_if_mtu_configured- 0
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT:mbuf 0x43634480, exit nh 0x180010
    Oct 26 12:09:22 12:09:22.271642:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)

    Oct 26 12:09:25 12:09:25.757010:CID-0:RT:ASL nat rule lookup: src_ip: 192.168.168.115
    Oct 26 12:09:25 12:09:25.757010:CID-0:RT:ASL nat rule lookup: dst_ip: 192.168.117.179 port:0
    Oct 26 12:09:25 12:09:25.757010:CID-0:RT:ASL nat rule lookup: lsys:0, ifp: vlan.0->st0.1
    Oct 26 12:09:25 12:09:25.757010:CID-0:RT:ASL nat rule lookup: src_ip: 192.168.117.179
    Oct 26 12:09:25 12:09:25.757010:CID-0:RT:ASL nat rule lookup: dst_ip: 192.168.117.179 port:0
    Oct 26 12:09:25 12:09:25.757010:CID-0:RT:ASL nat rule lookup: lsys:0, ifp: st0.1->st0.1
    Oct 26 12:09:26 12:09:26.076707:CID-0:RT:ASL nat rule lookup: src_ip: 192.168.168.115
    Oct 26 12:09:26 12:09:26.076707:CID-0:RT:ASL nat rule lookup: dst_ip: 192.168.168.115 port:0
    Oct 26 12:09:26 12:09:26.076707:CID-0:RT:ASL nat rule lookup: lsys:0, ifp: vlan.0->vlan.0
     



  • 4.  RE: Need port forwarding help please
    Best Answer

    Posted 10-26-2015 16:48

    These results do show that both your NAT and security policy are working as expected.

     

    Are you able to test with actual application traffic to see if this is working?

     

    There may not be any responses from the server from the data here.  Perhaps the server firewall is engaged and not permitting the traffic.

     

    Can you also test accessing the port from the local server LAN?

     

    Want to confirm that the SRX is the default gateway for this server.  And there are no secondary NICs that might be creating asymmetrical traffic patterns.
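    The diagnosis in this reply comes from reading the two wings of each `show security flow session` entry: the In wing shows the client's SYN arriving and being translated, while the Out wing (server back to client) shows Pkts: 0, so the SRX never saw a reply. The following is an added example, not code from the thread or from Juniper, that parses that output format into per-wing records, confirms the destination NAT took effect and flags sessions with no return traffic; the sample output and the 203.0.113.x addresses are constructed stand-ins for the x.x.x.* values in the post.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the session table posted in the thread.
# Session 106864 mirrors the symptom (reply wing idle); 107321 is a healthy one.
SAMPLE_OUTPUT = """\
Session ID: 106864, Policy name: PLC_In/14, Timeout: 20, Valid
In: 203.0.113.34/55753 --> 203.0.113.146/44818;tcp, If: fe-0/0/7.0, Pkts: 1, Bytes: 44
Out: 192.168.168.2/44818 --> 203.0.113.34/55753;tcp, If: vlan.0, Pkts: 0, Bytes: 0

Session ID: 107321, Policy name: PLC_In/14, Timeout: 1800, Valid
In: 203.0.113.34/6144 --> 203.0.113.146/44818;tcp, If: fe-0/0/7.0, Pkts: 6, Bytes: 412
Out: 192.168.168.2/44818 --> 203.0.113.34/6144;tcp, If: vlan.0, Pkts: 5, Bytes: 388
Total sessions: 2
"""

HEADER_RE = re.compile(r"Session ID: (\d+), Policy name: ([^,]+), Timeout: (\d+), (\w+)")
WING_RE = re.compile(
    r"(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+), If: (\S+), Pkts: (\d+), Bytes: (\d+)"
)


@dataclass
class Wing:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    ifname: str
    pkts: int
    nbytes: int


@dataclass
class Session:
    sid: int
    policy: str
    timeout: int
    wings: dict  # "In" / "Out" -> Wing


def parse_sessions(text):
    """Turn the CLI output into Session objects, one per 'Session ID' block."""
    sessions, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = Session(int(m.group(1)), m.group(2), int(m.group(3)), {})
            sessions.append(current)
            continue
        w = WING_RE.match(line)
        if w and current is not None:
            g = w.groups()
            current.wings[g[0]] = Wing(g[1], int(g[2]), g[3], int(g[4]),
                                       g[5], g[6], int(g[7]), int(g[8]))
    return sessions


def dnat_target(session):
    """Post-NAT server address: the Out wing's source when it differs from
    the address the client actually dialled (the In wing's destination)."""
    inw, outw = session.wings.get("In"), session.wings.get("Out")
    if inw and outw and outw.src != inw.dst:
        return outw.src
    return None


def one_way_sessions(sessions):
    """Sessions the SRX forwarded inbound but for which it saw no reply packet;
    with NAT and policy confirmed, that points at the server side (host
    firewall, missing default gateway, asymmetric return path)."""
    return [s for s in sessions
            if "In" in s.wings and "Out" in s.wings
            and s.wings["In"].pkts > 0 and s.wings["Out"].pkts == 0]
```

    A short `Timeout` that never grows (20s here, against the 1800s TCP default seen in the trace) is the same symptom from another angle: the handshake never completed, so the session stays in its initial ageout.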



  • 5.  RE: Need port forwarding help please

    Posted 10-26-2015 17:10

     Thank you for your time in looking at this!

    I can successfully telnet into the device (a PLC so no on-device traffic control at all) from any system on the local LAN on port 44818 and control it. I was testing from my office with telnet, wanted a little more control, and just didn't go back to the telnet session, which just times out from outside.

    The device does not have a secondary NIC and the SRX is its default gateway.

    There are a couple of VPNs but they are different subnets and VLANs:

    192.168.117.0

    192.168.113.0

    10.1.254.0

    10.1.253.0

    10.1.252.0

    10.1.251.0

    10.1.250.0

    If you don't mind looking through it I can post my config.

     

     



  • 6.  RE: Need port forwarding help please

    Posted 10-27-2015 10:22

    I am a total idiot...I just accepted the word of the guy on the other side. I finally got creds and VPNed into the device - no default gateway!

    Thank you so much for looking over my config. I wasn't confident in what I did as this is my first Juniper!



  • 7.  RE: Need port forwarding help please

    Posted 10-27-2015 16:05

    Thanks for the update.  Glad you have it working.

     

    Missing default gateway makes perfect sense as the cause.