SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  No ping Proxy-ARP from LAN/DMZ

    Posted 07-22-2016 14:07

    Hello,

    We have a problem with proxy-arp.
    Currently I use multiple IPs on interface ge-0/0/0 with proxy ARP; each IP has a src and a dst NAT.
    From outside I can ping these IPs and reach the open ports, but if I ping one of these IPs (in proxy-arp) from LAN/DMZ we get no response...
    It's very strange, because if I ping the IP from an SSH session on the Juniper I get "ping: sendto: Can't assign requested address".
    Only the interface IP itself responds to ping from the LAN.

    So to resolve this problem I thought of adding a route via another interface with another gateway, but I have the same problem.
    Yet I see the route with show route, and if I ping the IP (proxy) from the WAN backup I get a response...

    Do you have an idea how to resolve this problem?
    Best regards.
    Charlie



  • 2.  RE: No ping Proxy-ARP from LAN/DMZ

    Posted 07-22-2016 21:11

    Hello,

    First of all I wanted to confirm that I have understood the problem correctly, which is as follows:

    • You have configured multiple IP addresses on your ge-0/0/0 interface so that it does proxy-arp for them, and users on the external side of the SRX can access the resources that are being NATed using these IP addresses.
    • The external users are able to access resources using these IP addresses, but when you try to reach the same IP addresses from your LAN / DMZ zone, it does not work.

    First of all, could you share the configuration of how you are achieving the proxy-arp? I need to check whether you have configured multiple IP addresses on the interface itself or you have configured proxy-arp under the hierarchy edit security nat proxy-arp.

    Also share the complete configuration of one server which you are trying to NAT on the SRX using one of these IP addresses, which you are failing to access from behind the LAN/DMZ zone but are able to access from external zone users.

     

    IMO, if I am correct in my understanding of the problem, then you will need the configuration in the KB article below:

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB17448&smlogin=true&actp=search

     

    Thanks,
    Pulkit Bhandari
    Please mark my response as Solution Accepted if it helps; Kudos are appreciated too. 🙂



  • 3.  RE: No ping Proxy-ARP from LAN/DMZ

    Posted 07-25-2016 03:13

    Hello,

    Thank you for your answer.

    My config (partially):

    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address XXX.XX.XX.90/29;
                }
            }
        }
        [...]
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop XXX.XX.XX.89;
        }
    }
    
    nat {
        source {
            pool IP_XXX_90 {
                description "IP XXX principale";
                address {
                    XXX.XX.XX.90/32 to XXX.XX.XX.90/32;
                }
            }
            pool IP_XXX_92 {
                description "IP XXX Extranet";
                address {
                    XXX.XX.XX.92/32 to XXX.XX.XX.92/32;
                }
            }
            rule-set DMZ_TO_WAN-XXX {
                description "DMZ to WAN XXX";
                from zone [ DMZ LAN ];
                to zone Internet;
                rule Rule_Extranet {
                    description "Extranet NAT src";
                    match {
                        source-address 10.100.45.2/32;
                    }
                    then {
                        source-nat {
                            pool {
                                IP_XXX_92;
                            }
                        }
                    }
                }
            }
            rule-set LAN_TO_WAN-XXX {
                description "LAN to WAN XXX";
                from zone LAN;
                to zone Internet;
                rule Rule_LAN {
                    description "LAN NAT src";
                    match {
                        source-address 10.1.0.0/16;
                    }
                    then {
                        source-nat {
                            pool {
                                IP_XXX_90;
                            }
                        }
                    }
                }
            }
        }
        destination {
            pool EXT-srv_any {
                address 10.100.45.2/32;
            }
            rule-set NAT-dst_WAN-XXX {
                description "NAT IP WAN XXX to expose server";
                from zone Internet;
                rule Extranet-http {
                    description "Access Extranet server http";
                    match {
                        destination-address XXX.XX.XX.92/32;
                        destination-port 80;
                    }
                    then {
                        destination-nat {
                            pool {
                                EXT-srv_any;
                            }
                        }
                    }
                }
                rule Extranet-https {
                    description "Access Extranet server https";
                    match {
                        destination-address XXX.XX.XX.92/32;
                        destination-port 443;
                    }
                    then {
                        destination-nat {
                            pool {
                                EXT-srv_any;
                            }
                        }
                    }
                }
                rule Extranet-ping {
                    description "Access Extranet server ping";
                    match {
                        destination-address XXX.XX.XX.92/32;
                        protocol icmp;
                    }
                    then {
                        destination-nat {
                            pool {
                                EXT-srv_any;
                            }
                        }
                    }
                }
            }
        }
        proxy-arp {
            interface ge-0/0/0.0 {
                address {
                    XXX.XX.XX.91/32 to XXX.XX.XX.91/32;
                    XXX.XX.XX.92/32 to XXX.XX.XX.92/32;
                    XXX.XX.XX.93/32 to XXX.XX.XX.93/32;
                    XXX.XX.XX.94/32 to XXX.XX.XX.94/32;
                }
            }
        }
    }
    
    [...]
    
    zones {
    
            security-zone DMZ {
                description "DMZ Trimaran";
                interfaces {
                    ge-0/0/4.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                            }
                        }
                    }
                }
                application-tracking;
            }
            security-zone Internet {
                description "WAN XXX";
                screen untrust-screen;
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                            }
                        }
                    }
                }
                application-tracking;
            }
            security-zone junos-host;
        }

    Thanks for the KB article, I will read it 🙂

    Best regards.

    Charlie



  • 4.  RE: No ping Proxy-ARP from LAN/DMZ

    Posted 07-27-2016 06:23

    Hello,

    I checked this link https://kb.juniper.net/InfoCenter/index?page=content&id=KB21785&actp=search and now I have more details on this problem:

    >show security nat proxy-arp
    interface ge-0/0/0.0 {
        address {
            XXX.XX.XX.91/32;
            XXX.XX.XX.93/32;
            XXX.XX.XX.94/32;
            XXX.XX.XX.92/32;
        }
    }
    

    But I can't ping these IPs from the firewall:

    > ping XXX.XX.XX.92
    PING  XXX.XX.XX.92 ( XXX.XX.XX.92): 56 data bytes
    ping: sendto: Can't assign requested address
    ping: sendto: Can't assign requested address
    

    When I checked the route:

    > run show route XXX.XX.XX.92 extensive
    
    inet.0: 30 destinations, 30 routes (30 active, 0 holddown, 0 hidden)
    XXX.XX.XX.92/32 (1 entry, 1 announced)
    TSI:
    KRT in-kernel XXX.XX.XX.92/32 -> {}
            *Static Preference: 1
                    Next hop type: Receive
                    Address: 0x1175190
                    Next-hop reference count: 12
                    State: <Active Int ProxyArp>
                    Age: 26:04
                    Task: RPD Unix Domain Server./var/run/rpd_serv.local
                    Announcement bits (2): 0-KRT 2-Resolve tree 1
                    AS path: I

    This is very strange... the SRX doesn't see these IPs.

    Do you have an idea?

    Thank you for your help.

    Best regards.

    Charlie.



  • 5.  RE: No ping Proxy-ARP from LAN/DMZ

    Posted 07-27-2016 08:17

    Hi,

    Are you able to ping that IP address from the next-hop?

    Regards,

    Sahil Sharma

    ---------------------------------------------------

    Please mark my solution as accepted if it helped, Kudos are appreciated as well.



  • 6.  RE: No ping Proxy-ARP from LAN/DMZ

    Posted 07-27-2016 08:31

    Hi!

    Yes, I can ping the IPs (in proxy-arp) from the Internet.

    Thanks.

    Charlie



  • 7.  RE: No ping Proxy-ARP from LAN/DMZ

    Posted 07-27-2016 08:45

    Hi,

    Those IP addresses are in the same /29 range as on the SRX interface.

    I believe that is the reason you are not able to ping them from the SRX itself.

    This should not impact any access to those IPs from the internet.

    Regards,

    Sahil Sharma




  • 8.  RE: No ping Proxy-ARP from LAN/DMZ

    Posted 07-27-2016 08:59

    Hi,

    Thank you for your answer.

    So if we have the untrust interface IP in the same subnet as the proxy-arp IPs, we can't ping these?

    I use proxy-arp to use multiple public IPs, and for some reason we must access the DMZ server via its public IP...

    I had another alternative to reach these IPs using the spare network on ge-0/0/1, but if I force static routing with a next-hop (the spare router IP) I can't ping these IPs. However, if I ping the IP from the spare next-hop I do reach the proxy-arp IP....

    Do you have an idea how to ping these public IPs?

    Thank you.

    Best regards.



  • 9.  RE: No ping Proxy-ARP from LAN/DMZ
    Best Answer

    Posted 07-27-2016 10:10

    Hi,

    Is the requirement to host DMZ servers on these public IP addresses?

    If yes, you can use destination NAT on the SRX to achieve this.

    http://www.juniper.net/techpubs/en_US/junos12.1/topics/example/nat-security-destination-address-port-translation-configuring.html

    Let me know if this helps with the requirement.

    Regards,

    Sahil Sharma

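    What the accepted answer above describes (and what Charlie confirms in the next reply), written out as Junos set commands. This is an added example, not Charlie's final configuration or Juniper's documentation: the zone names LAN, DMZ and Internet, the pool EXT-srv_any, the server 10.100.45.2 and the redacted public address XXX.XX.XX.92 are taken from the posted config; the rule-set, rule and policy names, the address-book entry and the DMZ hairpin rule-set are assumptions added for illustration, and the `##` lines are commentary to strip before pasting. Two points the thread leaves implicit: on the SRX, destination NAT is applied before the security-policy lookup, so the LAN-to-DMZ policy has to match the server's real address, not the public one; and a client in the same zone as the server (a DMZ host using the public IP) additionally needs source NAT to the SRX interface, otherwise the server answers the client directly on the DMZ segment, the reply never passes the SRX and the session breaks. The firewall itself will keep reporting "Can't assign requested address" for these /32s: the `show route ... extensive` output in post 4 shows them as Receive routes flagged ProxyArp, which is what lets the flow module pick up traffic to them, not a local interface address the Routing Engine can source a ping from. Test from a host in LAN or DMZ, not from the SRX CLI.

```junos
## Added example (not from the original post). Names marked "assumed" are
## illustration only; zones, pool and addresses are the ones Charlie posted.

## 1. Destination NAT for internal clients that use the public address.
##    Reuses the pool from the Internet-facing rule-set so the server is
##    defined once. Only the exposed services are translated (https, ping).
set security nat destination rule-set NAT-dst_INSIDE from zone [ LAN DMZ ]
set security nat destination rule-set NAT-dst_INSIDE rule Extranet-inside-https match destination-address XXX.XX.XX.92/32
set security nat destination rule-set NAT-dst_INSIDE rule Extranet-inside-https match destination-port 443
set security nat destination rule-set NAT-dst_INSIDE rule Extranet-inside-https then destination-nat pool EXT-srv_any
set security nat destination rule-set NAT-dst_INSIDE rule Extranet-inside-ping match destination-address XXX.XX.XX.92/32
set security nat destination rule-set NAT-dst_INSIDE rule Extranet-inside-ping match protocol icmp
set security nat destination rule-set NAT-dst_INSIDE rule Extranet-inside-ping then destination-nat pool EXT-srv_any

## 2. Security policy (assumed names). Policy lookup runs AFTER destination
##    NAT, so match the translated server address, not the public IP.
##    Restrict the applications to what is actually exposed.
set security address-book global address EXT-srv 10.100.45.2/32
set security policies from-zone LAN to-zone DMZ policy LAN_to_Extranet match source-address any
set security policies from-zone LAN to-zone DMZ policy LAN_to_Extranet match destination-address EXT-srv
set security policies from-zone LAN to-zone DMZ policy LAN_to_Extranet match application [ junos-https junos-icmp-ping ]
set security policies from-zone LAN to-zone DMZ policy LAN_to_Extranet then permit

## 3. Hairpin case (assumed rule-set/policy names): a DMZ host reaching the
##    public IP of a server in its own zone. Source-NAT to the SRX's DMZ
##    interface address so the server's reply comes back through the SRX
##    instead of straight across the DMZ segment.
set security nat source rule-set DMZ_hairpin from zone DMZ
set security nat source rule-set DMZ_hairpin to zone DMZ
set security nat source rule-set DMZ_hairpin rule hairpin match destination-address 10.100.45.2/32
set security nat source rule-set DMZ_hairpin rule hairpin then source-nat interface
set security policies from-zone DMZ to-zone DMZ policy DMZ_hairpin match source-address any
set security policies from-zone DMZ to-zone DMZ policy DMZ_hairpin match destination-address EXT-srv
set security policies from-zone DMZ to-zone DMZ policy DMZ_hairpin match application [ junos-https junos-icmp-ping ]
set security policies from-zone DMZ to-zone DMZ policy DMZ_hairpin then permit

## Verify from operational mode while a LAN host pings the public address:
##   show security flow session destination-prefix XXX.XX.XX.92
##   show security nat destination rule all
```

    In the flow-session output the "In" wing should show the public address as destination and the "Out" wing the server's 10.100.45.2; if the session is created but the reply wing shows no packets, the return path is bypassing the SRX (the hairpin case in step 3) or the LAN-to-DMZ policy is matching on the public address instead of the translated one.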



  • 10.  RE: No ping Proxy-ARP from LAN/DMZ

    Posted 07-28-2016 00:55

    Hi sahilsha!

    Thank you!! It is working 🙂

    I added a dst-NAT rule-set from LAN, with destination NAT if the public IP matches.

    Best regards.

    Charlie.



  • 11.  RE: No ping Proxy-ARP from LAN/DMZ

    Posted 07-28-2016 02:47

    Charlie,

    Thanks for the update.

    It is good to know that the issue has been resolved and that I was of help to you.

    Regards,

    Sahil Sharma
