SRX Services Gateway
Visitor
dymmon@gmail.com
Posts: 4
Registered: ‎06-16-2011
0
Accepted Solution

Port mapping for several IP and ports

Hello everybody! )

First, I'll describe my task.

Device: SRX-100-LM with the 10.0R1.8 release of JunOS.

Networks:
- LAN with address space 192.168.5.0
- WAN network from ISP xxx.xxx.19.234/29
- two internal servers: 192.168.5.104:80 and 192.168.5.130:80

I'd like to make port mapping:
- xxx.xxx.19.234:80 -> 192.168.5.104:80
- xxx.xxx.19.234:8081 -> 192.168.5.130:80

Here is a listing of my current Security NAT configuration:

security {
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            pool dst-nat-pool-mp80 {
                address 192.168.5.104/32 port 80;
            }
            rule-set rs-mp80 {
                from zone untrust;
                rule r-mp80 {
                    match {
                        destination-address xxx.xxx.19.234/32;
                        destination-port 80;
                    }
                    then {
                        destination-nat pool dst-nat-pool-mp80;
                    }
                }
            }
        }
    }
}

So I understand that for this task I have to use Destination NAT. I'll try to configure my device according to this manual.

But when I try to apply this command:

set security nat proxy-arp interface fe-0/0/0 address xxx.xxx.19.234

the device returns this message:

[edit security nat proxy-arp interface fe-0/0/0.0]
'address xxx.xxx.19.234/32'
Proxy ARP IP address range [xxx.xxx.19.234 xxx.xxx.19.234] overlaps with interface IP address range [xxx.xxx.19.234 xxx.xxx.19.234] defined on interface 'fe-0/0/0.0'
error: configuration check-out failed

So, please, tell me what the problem is?

Distinguished Expert
MMcD
Posts: 629
Registered: ‎07-20-2010
0

Re: Port mapping for several IP and ports

I would upgrade to 10.4 R8.5 first.

There's no need for the proxy-arp for the IP already configured on the public interface. Is this IP defined on the external interface?

Can you post the config please.
MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]
____________________________________________________

[Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too]
Visitor
dymmon@gmail.com
Posts: 4
Registered: ‎06-16-2011
0

Re: Port mapping for several IP and ports

Thank you for your rapid reply! )

An error occurred when I tried to upgrade the device, but this item is on my todo list.

Yes, IP xxx.xxx.19.234 is defined on the external int.

Here is the full configuration:

## Last changed: 2012-03-14 19:15:45 MSK
version 10.0R1.8;
system {
    host-name SRX100;
    time-zone Europe/Moscow;
    root-authentication {
        encrypted-password "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; ## SECRET-DATA
    }
    name-server {
        xxx.xxx.0.3;
        xxx.xxx.145.6;
    }
    login {
        user 123 {
            uid 100;
            class super-user;
            authentication {
                encrypted-password "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; ## SECRET-DATA
            }
        }
    }
    services {
        ssh;
        web-management {
            https {
                system-generated-certificate;
            }
        }
        dhcp {
            name-server {
                xxx.xxx.0.3;
                xxx.xxx.145.6;
            }
            router {
                192.168.5.1;
            }
            pool 192.168.5.0/24 {
                address-range low 192.168.5.10 high 192.168.5.99;
            }
            propagate-settings fe-0/0/0.0;
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        server 85.114.26.194 prefer;
    }
}
interfaces {
    interface-range interfaces-trust {
        member fe-0/0/1;
        member fe-0/0/2;
        member fe-0/0/3;
        member fe-0/0/4;
        member fe-0/0/5;
        member fe-0/0/6;
        member fe-0/0/7;
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/0 {
        unit 0 {
            family inet {
                address xxx.xxx.19.234/29;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 127.0.0.1/32;
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.168.5.1/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop xxx.xxx.19.233;
    }
}
security {
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            pool dst-nat-pool-mp80 {
                address 192.168.5.104/32 port 80;
            }
            rule-set rs-mp80 {
                from zone untrust;
                rule r-mp80 {
                    match {
                        destination-address xxx.xxx.19.234/32;
                        destination-port 80;
                    }
                    then {
                        destination-nat pool dst-nat-pool-mp80;
                    }
                }
            }
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address MP 192.168.5.104/32;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                fe-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy server-access {
                match {
                    source-address any;
                    destination-address MP;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
vlans {
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}


Distinguished Expert
MMcD
Posts: 629
Registered: ‎07-20-2010
0

Re: Port mapping for several IP and ports

You do not need to proxy-arp for this address then, if it's configured. You would only need to for xxx.xxx.xxx.95, for example.
MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]
____________________________________________________

[Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too]
Visitor
dymmon@gmail.com
Posts: 4
Registered: ‎06-16-2011
0

Re: Port mapping for several IP and ports

You mean that my config is correct and the unconfigured proxy ARP is not the reason for my problem? Then please show me how to troubleshoot it.

Distinguished Expert
MMcD
Posts: 629
Registered: ‎07-20-2010
0

Re: Port mapping for several IP and ports

fe-0/0/0 is your external WAN interface. You have DHCP running on this interface?

MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]
____________________________________________________

[Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too]
Contributor
hmehmood
Posts: 33
Registered: ‎08-26-2011
0

Re: Port mapping for several IP and ports

Hi Dymmon,

Have you run traceoptions to see whether translation is happening properly or not? Can you provide the trace output so we can see what is causing the issue? The configuration looks just fine, and yes, there is no need to configure proxy-arp as the IP is already configured on the interface; it is only required if you use any other IP from this same pool, to make the SRX respond for those IP addresses.

Regards,

Hassan

Visitor
dymmon@gmail.com
Posts: 4
Registered: ‎06-16-2011
0

Re: Port mapping for several IP and ports

Sorry for the long silence, I could not get back to this issue.

fe-0/0/0 is your external WAN interface. You have DHCP running on this interface?
No, I have static addresses on this int.

Have you run traceoptions to see if translation is happening properly or not...
Yes, I've run traceoptions. Here's the trace result for one of my attempts:


Sep 1 16:52:51 SRX100 clear-log[3800]: logfile cleared
Sep 1 16:53:48 16:53:47.1145228:CID-0:RT:<176.xx.xx.xxx/1874->2xx.xxx.xxx.xxx/6422;6> matched filter 1:
Sep 1 16:53:48 16:53:47.1145228:CID-0:RT: packet [52] ipid = 30685, @4088929a
Sep 1 16:53:48 16:53:47.1145228:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 13, common flag 0x0, mbuf 0x40889100
Sep 1 16:53:48 16:53:47.1145228:CID-0:RT: flow process pak fast ifl 69 in_ifp fe-0/0/0.0
Sep 1 16:53:48 16:53:47.1145228:CID-0:RT: fe-0/0/0.0:176.xx.xx.xxx/1874->2xx.xxx.xxx.xxx/6422, tcp, flag 2 syn
Sep 1 16:53:48 16:53:47.1145228:CID-0:RT: find flow: table 0x428fef10, hash 61480(0xffff), sa 176.xx.xx.xxx, da 2xx.xxx.xxx.xxx, sp 1874, dp 6422, proto 6, tok 448
Sep 1 16:53:48 16:53:47.1145228:CID-0:RT: no session found, start first path. in_tunnel - 0, from_cp_flag - 0
Sep 1 16:53:48 16:53:47.1145228:CID-0:RT:check self-traffic on fe-0/0/0.0, in_tunnel 0x0
Sep 1 16:53:48 16:53:47.1145228:CID-0:RT: flow_first_create_session
Sep 1 16:53:48 16:53:47.1145228:CID-0:RT: flow_first_in_dst_nat: in <fe-0/0/0.0>, out <N/A> dst_adr 2xx.xxx.xxx.xxx, sp 1874, dp 6422
Sep 1 16:53:48 16:53:47.1145228:CID-0:RT: chose interface fe-0/0/0.0 as incoming nat if.
Sep 1 16:53:48 16:53:47.1145228:CID-0:RT: packet dropped: for self but not interested
Sep 1 16:53:48 16:53:47.1145228:CID-0:RT: packet dropped, packet dropped: for self but not interested.
Sep 1 16:53:48 16:53:47.1145228:CID-0:RT: flow find session returns error.
Sep 1 16:53:48 16:53:47.1145228:CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)
Sep 1 16:53:51 16:53:50.1057965:CID-0:RT:<176.xx.xx.xxx/1874->2xx.xxx.xxx.xxx/6422;6> matched filter 1:
Sep 1 16:53:51 16:53:50.1057965:CID-0:RT: packet [52] ipid = 30733, @4089de1a
Sep 1 16:53:51 16:53:50.1057965:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 13, common flag 0x0, mbuf 0x4089dc80
Sep 1 16:53:51 16:53:50.1057965:CID-0:RT: flow process pak fast ifl 69 in_ifp fe-0/0/0.0
Sep 1 16:53:51 16:53:50.1057965:CID-0:RT: fe-0/0/0.0:176.xx.xx.xxx/1874->2xx.xxx.xxx.xxx/6422, tcp, flag 2 syn
Sep 1 16:53:51 16:53:50.1057965:CID-0:RT: find flow: table 0x428fef10, hash 61480(0xffff), sa 176.xx.xx.xxx, da 2xx.xxx.xxx.xxx, sp 1874, dp 6422, proto 6, tok 448
Sep 1 16:53:51 16:53:50.1057965:CID-0:RT: no session found, start first path. in_tunnel - 0, from_cp_flag - 0
Sep 1 16:53:51 16:53:50.1057965:CID-0:RT:check self-traffic on fe-0/0/0.0, in_tunnel 0x0
Sep 1 16:53:51 16:53:50.1057965:CID-0:RT: flow_first_create_session
Sep 1 16:53:51 16:53:50.1057965:CID-0:RT: flow_first_in_dst_nat: in <fe-0/0/0.0>, out <N/A> dst_adr 2xx.xxx.xxx.xxx, sp 1874, dp 6422
Sep 1 16:53:51 16:53:50.1057965:CID-0:RT: chose interface fe-0/0/0.0 as incoming nat if.
Sep 1 16:53:51 16:53:50.1057965:CID-0:RT: packet dropped: for self but not interested
Sep 1 16:53:51 16:53:50.1057965:CID-0:RT: packet dropped, packet dropped: for self but not interested.
Sep 1 16:53:51 16:53:50.1057965:CID-0:RT: flow find session returns error.
Sep 1 16:53:51 16:53:50.1057965:CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)
Sep 1 16:53:57 16:53:56.1092753:CID-0:RT:<176.xx.xx.xxx/1874->2xx.xxx.xxx.xxx/6422;6> matched filter 1:
Sep 1 16:53:57 16:53:56.1092753:CID-0:RT: packet [52] ipid = 30818, @40879c1a
Sep 1 16:53:57 16:53:56.1092753:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 13, common flag 0x0, mbuf 0x40879a80
Sep 1 16:53:57 16:53:56.1092753:CID-0:RT: flow process pak fast ifl 69 in_ifp fe-0/0/0.0
Sep 1 16:53:57 16:53:56.1092753:CID-0:RT: fe-0/0/0.0:176.xx.xx.xxx/1874->2xx.xxx.xxx.xxx/6422, tcp, flag 2 syn
Sep 1 16:53:57 16:53:56.1092753:CID-0:RT: find flow: table 0x428fef10, hash 61480(0xffff), sa 176.xx.xx.xxx, da 2xx.xxx.xxx.xxx, sp 1874, dp 6422, proto 6, tok 448
Sep 1 16:53:57 16:53:56.1092753:CID-0:RT: no session found, start first path. in_tunnel - 0, from_cp_flag - 0
Sep 1 16:53:57 16:53:56.1092753:CID-0:RT:check self-traffic on fe-0/0/0.0, in_tunnel 0x0
Sep 1 16:53:57 16:53:56.1092753:CID-0:RT: flow_first_create_session
Sep 1 16:53:57 16:53:56.1092753:CID-0:RT: flow_first_in_dst_nat: in <fe-0/0/0.0>, out <N/A> dst_adr 2xx.xxx.xxx.xxx, sp 1874, dp 6422
Sep 1 16:53:57 16:53:56.1092753:CID-0:RT: chose interface fe-0/0/0.0 as incoming nat if.
Sep 1 16:53:57 16:53:56.1092753:CID-0:RT: packet dropped: for self but not interested
Sep 1 16:53:57 16:53:56.1092753:CID-0:RT: packet dropped, packet dropped: for self but not interested.
Sep 1 16:53:57 16:53:56.1092753:CID-0:RT: flow find session returns error.
Sep 1 16:53:57 16:53:56.1092753:CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)

So, my solution to this problem is to make the changes in the configuration (DST NAT) and then reboot the device. It works for multiport/multiaddress Destination NAT. I guess I need to update the software of my Juniper SRX100.
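The thread never shows the finished configuration for both mappings from the opening post, so here it is as an added example written for this page, not configuration posted by anyone in the thread. It keeps the pool, rule-set, rule and address-book names already in the poster's config (dst-nat-pool-mp80, rs-mp80, r-mp80, MP) and introduces the names dst-nat-pool-mp8081, r-mp8081 and MP2 for the second mapping; those three names, and the choice of junos-http instead of "any" in the policy, are assumptions of this example. The public address stays the xxx.xxx.19.234 placeholder used in the thread. Note that in the trace above the SYN arrives for destination port 6422, which neither rule matches, so the SRX treats the packet as traffic to itself ("for self but not interested") and drops it; that is the expected result for a port with no destination NAT rule.

```junos
## Added example, not configuration from the thread.
## Mapping 1 (already in the poster's config): xxx.xxx.19.234:80 -> 192.168.5.104:80
set security nat destination pool dst-nat-pool-mp80 address 192.168.5.104/32 port 80
set security nat destination rule-set rs-mp80 from zone untrust
set security nat destination rule-set rs-mp80 rule r-mp80 match destination-address xxx.xxx.19.234/32
set security nat destination rule-set rs-mp80 rule r-mp80 match destination-port 80
set security nat destination rule-set rs-mp80 rule r-mp80 then destination-nat pool dst-nat-pool-mp80

## Mapping 2: xxx.xxx.19.234:8081 -> 192.168.5.130:80
## The pool carries the translated port (80); the rule matches the public port (8081).
## Names dst-nat-pool-mp8081 and r-mp8081 are chosen for this example.
set security nat destination pool dst-nat-pool-mp8081 address 192.168.5.130/32 port 80
set security nat destination rule-set rs-mp80 rule r-mp8081 match destination-address xxx.xxx.19.234/32
set security nat destination rule-set rs-mp80 rule r-mp8081 match destination-port 8081
set security nat destination rule-set rs-mp80 rule r-mp8081 then destination-nat pool dst-nat-pool-mp8081

## No proxy-arp entry: xxx.xxx.19.234 is the address configured on fe-0/0/0.0,
## so the SRX already answers ARP for it (proxy-arp would be needed only for
## other addresses out of the /29 that are not on the interface).

## Security policy is evaluated after destination NAT, so it must match the
## translated (internal) addresses. Both servers are added, and the application
## is narrowed from "any" to junos-http so only the published service is
## reachable from untrust. Address name MP2 is chosen for this example.
set security zones security-zone trust address-book address MP 192.168.5.104/32
set security zones security-zone trust address-book address MP2 192.168.5.130/32
set security policies from-zone untrust to-zone trust policy server-access match source-address any
set security policies from-zone untrust to-zone trust policy server-access match destination-address MP
set security policies from-zone untrust to-zone trust policy server-access match destination-address MP2
set security policies from-zone untrust to-zone trust policy server-access match application junos-http
set security policies from-zone untrust to-zone trust policy server-access then permit
```

After committing, the quickest checks are the rule counters in "show security nat destination rule all" (the "Translation hits" value for r-mp80 and r-mp8081 should increase as connections arrive) and "show security flow session destination-port 8081", which should list sessions whose destination has been rewritten to 192.168.5.130/80. If the hit counter stays at zero while the flow trace still reports "for self but not interested", the packet is not matching the rule, so the destination address and port in the match clause are the first thing to compare against the trace.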
