  • 1.  Not working NAT and Firewall

    Posted 07-11-2012 01:28

    Please help. I need to NAT 192.168.2.0 to 46.23.153.177, but my configuration is not working.

    The firewall filter and ICMP to 30.0.0.0/8 are not working either.

     

     


    ## Last changed: 2012-07-11 08:49:20 GMT+7
    /* Junos release this configuration was last committed under */
    version 10.4R6.5;
    system {
    host-name BRN;
    domain-name local.ru;
    time-zone GMT+7;
    /* Root password hash (value redacted in the post). */
    root-authentication {
     encrypted-password "$1czxcasdafa/";
    }
    /* One external resolver plus two resolvers on the 30.0.0.0/8 LAN. */
    name-server {
    78.109.128.2;
    30.0.0.10;
    30.0.0.19;
    }
    login {
    user admin {
    uid 2000;
    class super-user;
    authentication {
     encrypted-password "$1$Jfadafadfa/";
    }
    }
    }
    /* Management services. These are reachable on every zone interface, including the Internet-facing ones, because the zones below use "host-inbound-traffic system-services all". */
    services {
    ssh {
    /* Direct root login over SSH is allowed; "deny" with a named admin user is the safer default. */
    root-login allow;
    /* SSHv1 is enabled alongside v2; v1 is obsolete and should be removed (protocol-version v2). */
    protocol-version [ v1 v2 ];
    }
    /* Telnet and xnm-clear-text are unencrypted management protocols; credentials cross the wire in clear. */
    telnet;
    xnm-clear-text;
    web-management {
    http {
    /* Plain-HTTP J-Web is bound to ge-0/0/0.0 and pp0.0, the Internet-facing interfaces, as well as the LAN ones. */
    interface [ ge-0/0/0.0 ge-0/0/1.0 fe-0/0/2.0 pp0.0 ];
    }
    https {
    /* Self-signed certificate; no interface list, so HTTPS is not bound to a specific interface here. */
    system-generated-certificate;
    }
    session {
    session-limit 7;
    }
    }
    }
    /* Local logging only: no remote syslog host is configured, so logs are lost if the box is reset or compromised. */
    syslog {
    archive size 100k files 3;
    user * {
    any emergency;
    }
    file messages {
    any critical;
    authorization info;
    }
    file interactive-commands {
    interactive-commands error;
    }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
    autoupdate {
    url https://ae1.juniper.net/junos/key_retrieval;
    }
    }
    }
    interfaces {
    /* Internet uplink. 46.23.153.117/24 is the address the source NAT rule-set (to interface ge-0/0/0.0, action "interface") translates to. */
    ge-0/0/0 {
    description -=Scary.Internet=-;
    unit 0 {
    family inet {
    address 46.23.153.117/24;
    }
    }
    }
    /* VLAN 10. The VLAN_A firewall filter is applied inbound here, so packets from this LAN pass only if they match a term of that filter (a Junos filter discards whatever no term accepts). */
    ge-0/0/1 {
    description -=Vlan.10=-;
    unit 0 {
    family inet {
    filter {
    input VLAN_A;
    }
    /* 30.0.0.0/8 is not RFC 1918 space; packets for that range are sent to this LAN instead of to its real owner on the Internet. */
    address 30.0.0.5/8;
    }
    }
    }
    /* VLAN 20, the only subnet covered by the source NAT rule. */
    fe-0/0/2 {
    description -=Vlan.20=-;
    unit 0 {
    family inet {
    address 192.168.2.1/24;
    }
    }
    }
    /* Physical port carrying the PPPoE session; no inet family of its own. */
    fe-0/0/3 {
    unit 0 {
    encapsulation ppp-over-ether;
    }
    }
    fe-0/0/4 {
    disable;
    }
    fe-0/0/5 {
    disable;
    }
    fe-0/0/6 {
    disable;
    }
    fe-0/0/7 {
    disable;
    }
    /* PPPoE client over fe-0/0/3.0. The PAP password is stored $9$-obfuscated, which is reversible, not a hash; treat the config file as a secret. */
    pp0 {
    unit 0 {
    ppp-options {
    pap {
    local-name "26368_1@all";
     local-password "$9$fadfadfafsa3n";
    passive;
    }
    }
    pppoe-options {
    underlying-interface fe-0/0/3.0;
    client;
    }
    family inet {
    mtu 1452;
    negotiate-address;
    }
    }
    }
    /* Tunnel interface the route-based IPsec VPN is bound to. */
    st0 {
    unit 0 {
    family inet {
    address 10.0.0.2/24;
    }
    }
    }
    }
    snmp {
    /* "public" is the well-known default community string; rename it. Read-only access is limited to 30.0.0.254, every other client is restricted. */
    community public {
    authorization read-only;
    clients {
    30.0.0.254/32;
    0.0.0.0/0 restrict;
    }
    }
    }
    routing-options {
    static {
    /* Default route via the ge-0/0/0 uplink; only the three hosts listed at the end use the PPPoE session pp0.0. */
    route 0.0.0.0/0 {
    next-hop 46.23.153.118;
    metric 1;
    }
    /* Remote VPN subnets are routed into the st0.0 tunnel (route-based VPN). */
    route 10.1.1.0/24 next-hop st0.0;
    route 192.168.1.0/24 next-hop st0.0;
    /* 50.0.0.0/8 is reached through a router on VLAN_A. */
    route 50.0.0.0/8 next-hop 30.0.0.4;
    route 192.168.0.0/24 next-hop st0.0;
    route 4.2.2.2/32 next-hop pp0.0;
    route 212.94.104.6/32 next-hop pp0.0;
    route 194.143.138.138/32 next-hop pp0.0;
    }
    }
    /* Spanning tree is the only routing/switching protocol enabled. */
    protocols {
    stp;
    }
    security {
    ike {
    /* IKE debug tracing is on; it generates trace logs on every negotiation and should be removed once the VPN is stable. */
    traceoptions {
    flag ike;
    flag policy-manager;
    flag routing-socket;
    }
    /* Main mode with the "standard" proposal set and a pre-shared key (value redacted in the post). */
    policy VPN_POL {
    mode main;
    proposal-set standard;
     pre-shared-key ascii-text "$adasfasfsddsfac";
    }
    /* The peer is reached through the ge-0/0/0 uplink, not the PPPoE session. */
    gateway gw1 {
    ike-policy VPN_POL;
    address 195.239.193.94;
    external-interface ge-0/0/0;
    }
    }
    ipsec {
    policy VPN_IPSEC_POL {
    proposal-set standard;
    }
    /* Route-based VPN bound to st0.0; the tunnel is brought up at commit rather than on first interesting traffic. */
    vpn VPN {
    bind-interface st0.0;
    ike {
    gateway gw1;
    ipsec-policy VPN_IPSEC_POL;
    }
    establish-tunnels immediately;
    }
    }
    nat {
    /* Source NAT debug tracing to file NAT; remove once troubleshooting is done. */
    traceoptions {
    file NAT;
    flag source-nat-pfe;
    flag source-nat-re;
    flag source-nat-rt;
    }
    source {
    /* Interface-based source NAT for VLAN 20 only. The rule-set matches on ingress fe-0/0/2.0 and egress ge-0/0/0.0, so traffic originated by the firewall itself (the thread's session output shows it arriving on .local..0) never matches it. 30.0.0.0/8 (VLAN_A on ge-0/0/1.0) is not covered and leaves ge-0/0/0 untranslated. */
    rule-set NAT {
    from interface fe-0/0/2.0;
    to interface ge-0/0/0.0;
    rule NAT {
    match {
    source-address 192.168.2.0/24;
    destination-address 0.0.0.0/0;
    }
    then {
    source-nat {
    interface;
    }
    }
    }
    }
    }
    }
    /* IDS screen profile; applied to the untrust zone below. */
    screen {
    ids-option untrust-screen {
    icmp {
    ping-death;
    }
    ip {
    source-route-option;
    tear-drop;
    }
    tcp {
    syn-flood {
    alarm-threshold 1024;
    attack-threshold 200;
    source-threshold 1024;
    destination-threshold 2048;
    timeout 20;
    }
    land;
    }
    }
    }
    zones {
    /* Inside zone: both LANs, all host services and protocols allowed inbound to the firewall. */
    security-zone trust {
    address-book {
    address VLAN_A 30.0.0.0/8;
    address VLAN_B 192.168.2.0/24;
    }
    interfaces {
    ge-0/0/1.0 {
    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    }
    fe-0/0/2.0 {
    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    }
    }
    }
    /* Internet zone. "system-services all" on these interfaces lets the Internet reach every management service enabled under system services (telnet, SSHv1, HTTP J-Web, xnm-clear-text); restrict it to what the uplink needs, e.g. ike and ping, and ssh only if remote management is required. */
    security-zone untrust {
    screen untrust-screen;
    interfaces {
    ge-0/0/0.0 {
    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    }
    pp0.0 {
    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    }
    /* fe-0/0/3.0 has no inet family, it only carries the PPPoE session; this entry presumably has no effect. */
    fe-0/0/3.0 {
    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    }
    }
    }
    /* VPN zone on the st0.0 tunnel; the address book holds the three remote subnets routed into the tunnel. */
    security-zone vpn {
    address-book {
    address RVLAN_A 10.1.1.0/24;
    address RVLAN_B 192.168.1.0/24;
    address RVLAN_C 192.168.0.0/24;
    }
    interfaces {
    st0.0 {
    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    }
    }
    }
    }
    policies {
    /* Outbound: everything from trust to the Internet is permitted and logged at session start. */
    from-zone trust to-zone untrust {
    policy trust-to-untrust {
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    permit;
    log {
    session-init;
    }
    }
    }
    }
    /* Inbound: untrust -> trust is any/any permit with no logging, so whatever the Internet can route to a trust address (30.0.0.0/8, 192.168.2.0/24) is let through. Tighten to specific destinations and applications, and log sessions as the outbound policy does. */
    from-zone untrust to-zone trust {
    policy ANY-PERMIT {
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    permit;
    }
    }
    }
    /* VPN traffic is restricted to the address-book entries in both directions; neither VPN policy logs. */
    from-zone trust to-zone vpn {
    policy VPN_TO_VPN {
    match {
    source-address [ VLAN_A VLAN_B ];
    destination-address [ RVLAN_A RVLAN_B RVLAN_C ];
    application any;
    }
    then {
    permit;
    }
    }
    }
    from-zone vpn to-zone trust {
    policy VPN_VPN_TR {
    match {
    source-address [ RVLAN_A RVLAN_B RVLAN_C ];
    destination-address [ VLAN_A VLAN_B ];
    application any;
    }
    then {
    permit;
    }
    }
    }
    }
    }
    firewall {
    /* Input filter on ge-0/0/1.0. Term 1 accepts 30.0.0.0/8 only towards the listed internal and VPN destinations; there is no final accept term, so every other packet from VLAN_A (Internet-bound traffic, and replies to the firewall's own 30.0.0.5, which is not in the list) hits the implicit discard. That is the likely cause of the "icmp to 30.0.0.0/8 not working" symptom. */
    filter VLAN_A {
    term 1 {
    from {
    source-address {
    30.0.0.0/8;
    }
    destination-address {
    10.1.1.0/24;
    192.168.0.0/24;
    192.168.1.0/24;
    192.168.2.0/24;
    10.0.0.0/30;
    11.0.0.0/30;
    }
    }
    then {
    log;
    syslog;
    accept;
    }
    }
    }



  • 2.  RE: Not working NAT and Firewall

    Posted 07-11-2012 12:15

    HI,

        I assume there is a typo in the first line, where you say you want to NAT "46.23.153.177 from 192.168.2.0"; presumably you meant 46.23.153.117. If this is not a typo, then the configuration has to be changed:

     

    source {
    rule-set NAT {
    from interface fe-0/0/2.0;
    to interface ge-0/0/0.0;  <<<ge-0/0/0 IP is .117 not .177
    rule NAT {
    match {
    source-address 192.168.2.0/24;
    destination-address 0.0.0.0/0;
    }
    then {
    source-nat {
    interface;
    }

     

    You can also try using zones in the from and to context, for example "from zone trust, to zone untrust".

     

    Also keep in mind that only packets with a source address in the 192.168.2.0/24 subnet will be NAT'ed. Packets from other source addresses won't be NAT'ed.

     

    Also, what do you mean by "not working"? Configure the flow traceoptions and attach the output to this thread. Is NAT failing for specific clients or for all clients in that subnet?

     

    Thanks,
    Rakesh 



  • 3.  RE: Not working NAT and Firewall

    Posted 07-11-2012 19:22

    Sorry, I have a typo. I need NAT from 192.168.2.0/24 into 46.23.153.117.

     

    Command "show security flow session source-prefix 192.168.2.1" says:

     

    Session ID: 34867, Policy name: self-traffic-policy/1, Timeout: 36, Valid
    In: 192.168.2.1/0 --> 8.8.8.8/11641;icmp, If: .local..0, Pkts: 1, Bytes: 84
    Out: 8.8.8.8/11641 --> 192.168.2.1/0;icmp, If: ge-0/0/0.0, Pkts: 0, Bytes: 0

    Session ID: 35099, Policy name: self-traffic-policy/1, Timeout: 38, Valid
    In: 192.168.2.1/1 --> 8.8.8.8/11641;icmp, If: .local..0, Pkts: 1, Bytes: 84
    Out: 8.8.8.8/11641 --> 192.168.2.1/1;icmp, If: ge-0/0/0.0, Pkts: 0, Bytes: 0
    Total sessions: 2

     

    Command "show security nat source rule all" says:

     

    source NAT rule: 1 Rule-set: NAT_RS1
    Rule-Id : 2
    Rule position : 1
    From zone : trust
    To zone : untrust
    Match
    Source addresses : 192.168.2.0 - 192.168.2.255
    Destination addresses : Any - 255.255.255.255
    Destination port : 0 - 0
    Action : interface
    Persistent NAT type : N/A
    Persistent NAT mapping type : address-port-mapping
    Inactivity timeout : 0
    Max session number : 0
    Translation hits : 1505 

     

     

     

    I tried to use zones to configure NAT, but without a positive result 😞



  • 4.  RE: Not working NAT and Firewall
    Best Answer

     
    Posted 07-11-2012 23:40

    The problem is that you are initiating the traffic from the firewall itself, so it does not go through the NAT rules. Try attaching a computer on the 192.168.2.0/24 net and do the same; then it should work.



  • 5.  RE: Not working NAT and Firewall

    Posted 07-12-2012 09:39

    HI,

       If you look at the session output, it is clear that the security policy used for the session is "self-traffic-policy", which means that the traffic is host-bound: either initiated by the firewall or destined to the firewall.

     

    Session ID: 34867, Policy name: self-traffic-policy/1, Timeout: 36, Valid
    In: 192.168.2.1/0 --> 8.8.8.8/11641;icmp, If: .local..0, Pkts: 1, Bytes: 84
    Out: 8.8.8.8/11641 --> 192.168.2.1/0;icmp, If: ge-0/0/0.0, Pkts: 0, Bytes: 0

    Session ID: 35099, Policy name: self-traffic-policy/1, Timeout: 38, Valid
    In: 192.168.2.1/1 --> 8.8.8.8/11641;icmp, If: .local..0, Pkts: 1, Bytes: 84
    Out: 8.8.8.8/11641 --> 192.168.2.1/1;icmp, If: ge-0/0/0.0, Pkts: 0, Bytes: 0
    Total sessions: 2

     

    When you want to NAT the IPs, make sure that the traffic enters through the source zone and leaves through the destination zone defined in the NAT configuration.