SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Port mapping for several IP and ports

    Posted 03-17-2012 06:03

    Hello everybody! )

    First, I'll describe my task.

    Device: SRX-100-LM with Junos release 10.0R1.8.

    Networks:

    -LAN with address space 192.168.5.0

    -WAN network from ISP xxx.xxx.19.234/29

    -two internal servers: 192.168.5.104:80 and 192.168.5.130:80


    I’d like to make port mapping:

    - xxx.xxx.19.234:80 -> 192.168.5.104:80

    - xxx.xxx.19.234:8081 -> 192.168.5.130:80

    Here is a listing of my current security NAT configuration:

    security {
        nat {
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
            destination {
                pool dst-nat-pool-mp80 {
                    address 192.168.5.104/32 port 80;
                }
                rule-set rs-mp80 {
                    from zone untrust;
                    rule r-mp80 {
                        match {
                            destination-address xxx.xxx.19.234/32;
                            destination-port 80;
                        }
                        then {
                            destination-nat pool dst-nat-pool-mp80;
                        }
                    }
                }
            }
        }
    }

    So I understand that for this task I have to use Destination NAT. I'll try to configure my device according to this manual.

    But when I try to apply this command:

    set security nat proxy-arp interface fe-0/0/0 address xxx.xxx.19.234

    the device returns this message:

    [edit security nat proxy-arp interface fe-0/0/0.0]
    'address xxx.xxx.19.234/32'
    Proxy ARP IP address range [xxx.xxx.19.234 xxx.xxx.19.234] overlaps with interface IP address range [xxx.xxx.19.234 xxx.xxx.19.234] defined on interface 'fe-0/0/0.0'
    error: configuration check-out failed

    So please tell me, what's the problem?



  • 2.  RE: Port mapping for several IP and ports

    Posted 03-17-2012 07:08
    I would upgrade to 10.4R8.5 as a first step.

    There's no need for proxy-arp for an IP already configured on the public interface. Is this IP defined on the external interface?

    Can you post the config, please?


  • 3.  RE: Port mapping for several IP and ports

    Posted 03-17-2012 07:47

    Thank you for your rapid reply! )

    An error occurred when I tried to upgrade the device, but this item is on my to-do list.

    Yes, IP xxx.xxx.19.234 is defined on the external interface.

    Here is the full configuration:


    ## Last changed: 2012-03-14 19:15:45 MSK
    version 10.0R1.8;
    system {
        host-name SRX100;
        time-zone Europe/Moscow;
        root-authentication {
            encrypted-password "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; ## SECRET-DATA
        }
        name-server {
            xxx.xxx.0.3;
            xxx.xxx.145.6;
        }
        login {
            user 123 {
                uid 100;
                class super-user;
                authentication {
                    encrypted-password "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; ## SECRET-DATA
                }
            }
        }
        services {
            ssh;
            web-management {
                https {
                    system-generated-certificate;
                }
            }
            dhcp {
                name-server {
                    xxx.xxx.0.3;
                    xxx.xxx.145.6;
                }
                router {
                    192.168.5.1;
                }
                pool 192.168.5.0/24 {
                    address-range low 192.168.5.10 high 192.168.5.99;
                }
                propagate-settings fe-0/0/0.0;
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
        ntp {
            server 85.114.26.194 prefer;
        }
    }
    interfaces {
        interface-range interfaces-trust {
            member fe-0/0/1;
            member fe-0/0/2;
            member fe-0/0/3;
            member fe-0/0/4;
            member fe-0/0/5;
            member fe-0/0/6;
            member fe-0/0/7;
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/0 {
            unit 0 {
                family inet {
                    address xxx.xxx.19.234/29;
                }
            }
        }
        lo0 {
            unit 0 {
                family inet {
                    address 127.0.0.1/32;
                }
            }
        }
        vlan {
            unit 0 {
                family inet {
                    address 192.168.5.1/24;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop xxx.xxx.19.233;
        }
    }
    security {
        nat {
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
            destination {
                pool dst-nat-pool-mp80 {
                    address 192.168.5.104/32 port 80;
                }
                rule-set rs-mp80 {
                    from zone untrust;
                    rule r-mp80 {
                        match {
                            destination-address xxx.xxx.19.234/32;
                            destination-port 80;
                        }
                        then {
                            destination-nat pool dst-nat-pool-mp80;
                        }
                    }
                }
            }
        }
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        zones {
            security-zone trust {
                address-book {
                    address MP 192.168.5.104/32;
                }
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    vlan.0;
                }
            }
            security-zone untrust {
                screen untrust-screen;
                interfaces {
                    fe-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                                tftp;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone untrust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone untrust to-zone trust {
                policy server-access {
                    match {
                        source-address any;
                        destination-address MP;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
    }
    vlans {
        vlan-trust {
            vlan-id 3;
            l3-interface vlan.0;
        }
    }




  • 4.  RE: Port mapping for several IP and ports

    Posted 03-17-2012 08:43
    You do not need proxy ARP for this address, then, if it's configured. You would only need it for xxx.xxx.xxx.95, for example.


  • 5.  RE: Port mapping for several IP and ports

    Posted 03-17-2012 11:11

    You mean that my config is correct and the missing proxy ARP is not the reason for my problem? Then please show me how to troubleshoot it.



  • 6.  RE: Port mapping for several IP and ports

    Posted 03-19-2012 05:03

    fe-0/0/0 is your external WAN interface. Do you have DHCP running on this interface?



  • 7.  RE: Port mapping for several IP and ports

    Posted 03-20-2012 01:50

    Hi Dymmon,

    Have you run traceoptions to see whether the translation is happening properly or not? Can you provide the trace output so we can see what is causing the issue? The configuration looks just fine, and yes, there is no need to configure proxy-arp as the IP is already configured on the interface; it is only required if you use any other IP from this same pool, to make the SRX respond for those IP addresses.

    Regards,

    Hassan
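    The traceoptions setup suggested above, as an added example that is not part of the thread: a flow trace limited by packet-filter to TCP traffic towards the public address on the two mapped ports, so the log only contains the first-path processing of the connections being tested. The file name flow-trace and the filter names dnat-80 and dnat-8081 are assumed.

```junos
# Added example (not from the thread): scoped flow trace for the two DNAT rules.
# File name flow-trace and filter names dnat-80 / dnat-8081 are assumed.
set security flow traceoptions file flow-trace
set security flow traceoptions file size 1m
set security flow traceoptions file files 3
# basic-datapath shows session setup (first path), including the dst-NAT lookup.
set security flow traceoptions flag basic-datapath
# One filter per public port; only packets matching a filter are written.
set security flow traceoptions packet-filter dnat-80 protocol tcp
set security flow traceoptions packet-filter dnat-80 destination-prefix xxx.xxx.19.234/32
set security flow traceoptions packet-filter dnat-80 destination-port 80
set security flow traceoptions packet-filter dnat-8081 protocol tcp
set security flow traceoptions packet-filter dnat-8081 destination-prefix xxx.xxx.19.234/32
set security flow traceoptions packet-filter dnat-8081 destination-port 8081
```

    Commit, run "clear log flow-trace", make one test connection per port, then read the result with "show log flow-trace". In a working translation the line "flow_first_in_dst_nat: in <fe-0/0/0.0> ..." is followed by the session being created towards the private address; if instead it is followed by "packet dropped: for self but not interested", no destination-NAT rule matched, the packet was treated as addressed to the SRX itself, and no host-inbound service accepted it. Deactivate the trace afterwards with "deactivate security flow traceoptions" and commit, since tracing every matching packet costs CPU on a small box like the SRX100.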



  • 8.  RE: Port mapping for several IP and ports
    Best Answer

    Posted 10-11-2012 01:58

    Sorry for the long silence, I could not get back to this issue.

    fe-0/0/0 is your external WAN interface. You have DHCP running on this interface?
    No, I have static addresses on this interface.

    Have you run traceoptions to see if translation is happening properly or not...
    Yes, I've run traceoptions. Here's the trace result for one of my attempts:

    Sep 1 16:52:51 SRX100 clear-log[3800]: logfile cleared
    Sep 1 16:53:48 16:53:47.1145228:CID-0:RT:<176.xx.xx.xxx/1874->2xx.xxx.xxx.xxx/6422;6> matched filter 1:
    Sep 1 16:53:48 16:53:47.1145228:CID-0:RT: packet [52] ipid = 30685, @4088929a
    Sep 1 16:53:48 16:53:47.1145228:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 13, common flag 0x0, mbuf 0x40889100
    Sep 1 16:53:48 16:53:47.1145228:CID-0:RT: flow process pak fast ifl 69 in_ifp fe-0/0/0.0
    Sep 1 16:53:48 16:53:47.1145228:CID-0:RT: fe-0/0/0.0:176.xx.xx.xxx/1874->2xx.xxx.xxx.xxx/6422, tcp, flag 2 syn
    Sep 1 16:53:48 16:53:47.1145228:CID-0:RT: find flow: table 0x428fef10, hash 61480(0xffff), sa 176.xx.xx.xxx, da 2xx.xxx.xxx.xxx, sp 1874, dp 6422, proto 6, tok 448
    Sep 1 16:53:48 16:53:47.1145228:CID-0:RT: no session found, start first path. in_tunnel - 0, from_cp_flag - 0
    Sep 1 16:53:48 16:53:47.1145228:CID-0:RT:check self-traffic on fe-0/0/0.0, in_tunnel 0x0
    Sep 1 16:53:48 16:53:47.1145228:CID-0:RT: flow_first_create_session
    Sep 1 16:53:48 16:53:47.1145228:CID-0:RT: flow_first_in_dst_nat: in <fe-0/0/0.0>, out <N/A> dst_adr 2xx.xxx.xxx.xxx, sp 1874, dp 6422
    Sep 1 16:53:48 16:53:47.1145228:CID-0:RT: chose interface fe-0/0/0.0 as incoming nat if.
    Sep 1 16:53:48 16:53:47.1145228:CID-0:RT: packet dropped: for self but not interested
    Sep 1 16:53:48 16:53:47.1145228:CID-0:RT: packet dropped, packet dropped: for self but not interested.
    Sep 1 16:53:48 16:53:47.1145228:CID-0:RT: flow find session returns error.
    Sep 1 16:53:48 16:53:47.1145228:CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)
    Sep 1 16:53:51 16:53:50.1057965:CID-0:RT:<176.xx.xx.xxx/1874->2xx.xxx.xxx.xxx/6422;6> matched filter 1:
    Sep 1 16:53:51 16:53:50.1057965:CID-0:RT: packet [52] ipid = 30733, @4089de1a
    Sep 1 16:53:51 16:53:50.1057965:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 13, common flag 0x0, mbuf 0x4089dc80
    Sep 1 16:53:51 16:53:50.1057965:CID-0:RT: flow process pak fast ifl 69 in_ifp fe-0/0/0.0
    Sep 1 16:53:51 16:53:50.1057965:CID-0:RT: fe-0/0/0.0:176.xx.xx.xxx/1874->2xx.xxx.xxx.xxx/6422, tcp, flag 2 syn
    Sep 1 16:53:51 16:53:50.1057965:CID-0:RT: find flow: table 0x428fef10, hash 61480(0xffff), sa 176.xx.xx.xxx, da 2xx.xxx.xxx.xxx, sp 1874, dp 6422, proto 6, tok 448
    Sep 1 16:53:51 16:53:50.1057965:CID-0:RT: no session found, start first path. in_tunnel - 0, from_cp_flag - 0
    Sep 1 16:53:51 16:53:50.1057965:CID-0:RT:check self-traffic on fe-0/0/0.0, in_tunnel 0x0
    Sep 1 16:53:51 16:53:50.1057965:CID-0:RT: flow_first_create_session
    Sep 1 16:53:51 16:53:50.1057965:CID-0:RT: flow_first_in_dst_nat: in <fe-0/0/0.0>, out <N/A> dst_adr 2xx.xxx.xxx.xxx, sp 1874, dp 6422
    Sep 1 16:53:51 16:53:50.1057965:CID-0:RT: chose interface fe-0/0/0.0 as incoming nat if.
    Sep 1 16:53:51 16:53:50.1057965:CID-0:RT: packet dropped: for self but not interested
    Sep 1 16:53:51 16:53:50.1057965:CID-0:RT: packet dropped, packet dropped: for self but not interested.
    Sep 1 16:53:51 16:53:50.1057965:CID-0:RT: flow find session returns error.
    Sep 1 16:53:51 16:53:50.1057965:CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)
    Sep 1 16:53:57 16:53:56.1092753:CID-0:RT:<176.xx.xx.xxx/1874->2xx.xxx.xxx.xxx/6422;6> matched filter 1:
    Sep 1 16:53:57 16:53:56.1092753:CID-0:RT: packet [52] ipid = 30818, @40879c1a
    Sep 1 16:53:57 16:53:56.1092753:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 13, common flag 0x0, mbuf 0x40879a80
    Sep 1 16:53:57 16:53:56.1092753:CID-0:RT: flow process pak fast ifl 69 in_ifp fe-0/0/0.0
    Sep 1 16:53:57 16:53:56.1092753:CID-0:RT: fe-0/0/0.0:176.xx.xx.xxx/1874->2xx.xxx.xxx.xxx/6422, tcp, flag 2 syn
    Sep 1 16:53:57 16:53:56.1092753:CID-0:RT: find flow: table 0x428fef10, hash 61480(0xffff), sa 176.xx.xx.xxx, da 2xx.xxx.xxx.xxx, sp 1874, dp 6422, proto 6, tok 448
    Sep 1 16:53:57 16:53:56.1092753:CID-0:RT: no session found, start first path. in_tunnel - 0, from_cp_flag - 0
    Sep 1 16:53:57 16:53:56.1092753:CID-0:RT:check self-traffic on fe-0/0/0.0, in_tunnel 0x0
    Sep 1 16:53:57 16:53:56.1092753:CID-0:RT: flow_first_create_session
    Sep 1 16:53:57 16:53:56.1092753:CID-0:RT: flow_first_in_dst_nat: in <fe-0/0/0.0>, out <N/A> dst_adr 2xx.xxx.xxx.xxx, sp 1874, dp 6422
    Sep 1 16:53:57 16:53:56.1092753:CID-0:RT: chose interface fe-0/0/0.0 as incoming nat if.
    Sep 1 16:53:57 16:53:56.1092753:CID-0:RT: packet dropped: for self but not interested
    Sep 1 16:53:57 16:53:56.1092753:CID-0:RT: packet dropped, packet dropped: for self but not interested.
    Sep 1 16:53:57 16:53:56.1092753:CID-0:RT: flow find session returns error.
    Sep 1 16:53:57 16:53:56.1092753:CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)

    So, my solution to this problem was to make the changes in the configuration (DST NAT) and then reboot the device. It works for multi-port/multi-address Destination NAT. I guess I need to update the software on my Juniper SRX100.