SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Problem with Static Nat

    Posted 09-23-2014 17:16

    I have a set of public static IPs that were all in use pointing to private IPs. It was all working, or so I thought, before I tried to open a port for a new IP; now only the preferred (primary) IP and one other work. The rest all time out. I have gone through the docs, the troubleshooting and scoured the web for answers. From everything I can tell, it should be working.

     

    I can see that there are translation hits for the IP, but when I try to view the trace logs, I never see the IP showing up. I'm not sure where it's being dropped. I even tried taking the public IP that I know works and changed it to a different internal IP, and it failed. I changed it back and it works again.

     

    The .178 IP is the primary and that works to get to my firewall, and the .182 works to get to one of my internal servers. The rest all fail. I know there's gotta be something simple I'm missing, but I can't figure it out. I can hit all the IPs internally, but using the external IPs fails. I'm particularly interested in getting the .180 IP to work.

     

    Here's my setup. (Note: I cut out all the unimportant stuff, so the formatting may not be correct and sections are missing.)

     

    version 10.4R5.5;
    system {
          services {
            ftp;
            ssh;
            web-management {
                traceoptions {
                    flag all;
                }
                management-url admin;
                http {
                    interface vlan.0;
                }
                https {
                    system-generated-certificate;
                    interface [ vlan.0 ge-0/0/0.0 ];
                }
            }
        }
    }
    interfaces {
        traceoptions {
            file interfaces.txt size 1m files 5;
            flag config-states;
        }
    interface-range interfaces-trust {
            member ge-0/0/1;
            member ge-0/0/3;
            member ge-0/0/4;
            member ge-0/0/5;
            member ge-0/0/6;
            member ge-0/0/7;
            member ge-0/0/8;
            member ge-0/0/9;
            member ge-0/0/10;
            member ge-0/0/11;
            member ge-0/0/12;
            member ge-0/0/13;
            member ge-0/0/14;
            member ge-0/0/15;
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/0 {
            description WAN;
            unit 0 {
                description wan;
                family inet {
                    sampling {
                        input;
                        output;
                    }
                    address ##.###.##.178/28 {
                        preferred;
                    }
                    address ##.###.##.182/28;
                    address ##.###.##.180/28;
                    address ##.###.##.181/28;
                    address ##.###.##.183/28;
                    address ##.###.##.189/28;
                    address ##.###.##.190/28;
                }
            }
        }
    ge-0/0/2 {
            description DMZ-WLAN;
            unit 0 {
                description DMZ-WLAN-0;
                family inet {
                    address 172.16.45.1/32;
                }
            }
        }
        lo0 {
            unit 0 {
                family inet {
                    address 127.0.0.1/32;
                }
            }
        }
        vlan {
            unit 0 {
                family inet {
                    address 10.1.1.3/24;
                }
            }
            unit 2 {
                family inet {
                    address 172.16.45.1/24;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop ##.###.##.177;
        }
    }
    security {
     nat {
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
            static {
                rule-set nat_rs_internal_service_static {
                    from zone untrust;
                    rule nat_rule_mx_st {
                        match {
                            destination-address ##.###.##.181/32;
                        }
                        then {
                            static-nat prefix 10.1.1.204/32;
                        }
                    }
                    rule nat_rule_int_st {
                        match {
                            destination-address ##.###.##.182/32;
                        }
                        then {
                            static-nat prefix 10.1.1.201/32;
                        }
                    }
                    rule nat_rule_osxserver_st {
                        match {
                            destination-address ##.###.##.180/32;
                        }
                        then {
                            static-nat prefix 10.1.1.225/32;
                        }
                    }
                    rule nat_rule_iftp_st {
                        match {
                            destination-address ##.###.##.183/32;
                        }
                        then {
                            static-nat prefix 10.1.1.226/32;
                        }
                    }
                    rule nat_rule_wlan_st {
                        match {
                            destination-address ##.###.##.189/32;
                        }
                        then {
                            static-nat prefix 172.16.45.1/32;
                        }
                    }
                    rule nat_rule_lh_st {
                        match {
                            destination-address ##.###.##.190/32;
                        }
                        then {
                            static-nat prefix 10.1.1.230/32;
                        }
                    }
                }
            }
        }
     zones {
            security-zone trust {
                address-book {
                    address internal_server 10.1.1.201/32;
                    address internal_iftp 10.1.1.226/32;
                    address internal-subnet 10.1.1.0/24;
                    address it_workstation 10.1.1.10/32;
                    address osxserver 10.1.1.225/32;
                }
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    vlan.0;
                }
            }
            security-zone untrust {
                address-book {
                    address WIRELESS-AP ##.###.##.189/32;
                    address LOGHOST-DMZ ##.###.##.190/32;
                }
                screen untrust-screen;
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                        }
                    }
                    ge-0/0/2.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone untrust {
                policy it_workstation {
                    match {
                        source-address it_workstation;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
                inactive: policy web-filter {
                    match {
                        source-address any;
                        destination-address any;
                        application junos-http;
                    }
                    then {
                        permit {
                            application-services {
                                utm-policy web-filter;
                            }
                        }
                        count;
                    }
                }
            }
            from-zone untrust to-zone trust {
                policy internal_iftp_server {
                    match {
                        source-address any;
                        destination-address internal_iftp;
                        application junos-ftp;
                    }
                    then {
                        permit;
                        count;
                    }
                }
                policy internal_server {
                    match {
                        source-address any;
                        destination-address internal_server;
                        application [ junos-http junos-https junos-dns-udp junos-dns-tcp];
                    }
                    then {
                        permit;
                    }
                }
                policy dyn-vpn-policy {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit {
                            tunnel {
                                ipsec-vpn dyn-vpn;
                            }
                        }
                    }
                }
                policy internal_osx_server {
                    match {
                        source-address any;
                        destination-address osxserver;
                        application [ junos-http junos-https junos-dns-udp junos-dns-tcp junos-gre junos-pptp ];
                    }
                    then {
                        permit;
                        log {
                            session-init;
                        }
                    }
                }
            }
            from-zone trust to-zone trust {
                policy internal-subnet-trust {
                    match {
                        source-address internal-subnet;
                        destination-address internal-subnet;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            default-policy {
                permit-all;
            }
        }
        flow {
            traceoptions {
                file flow-trace;
                flag basic-datapath;
                packet-filter f0 {
                    destination-prefix 10.1.1.0/32;
                }
                packet-filter filter1 {
                    source-prefix 172.16.22.10/32;
                    destination-prefix 10.1.1.0/24;
                }
                packet-filter filter2 {
                    source-prefix 10.1.1.0/24;
                    destination-prefix 172.16.22.10/32;
                }
            }
        }
    
    firewall {
        family inet {
            filter icmp-filter {
                term 1 {
                    from {
                        source-address {
                            ##.##.##.180/32;
                        }
                        destination-address {
                            10.1.1.225/32;
                        }
                        protocol icmp;
                    }
                    then {
                        count icmp-counter;
                        accept;
                    }
                }
                term default {
                    then accept;
                }
            }
        }
    }
    
    
    
    

     

     

    Thanks for any advice you can give.



  • 2.  RE: Problem with Static Nat

    Posted 09-24-2014 06:10

    Hi tbgadmin,

     

        ge-0/0/0 {
            description WAN;
            unit 0 {
                description wan;
                family inet {
                    sampling {
                        input;
                        output;
                    }
                    address ##.###.##.178/28 {
                        preferred;
                    }
                    address ##.###.##.182/28;
                    address ##.###.##.180/28;
                    address ##.###.##.181/28;
                    address ##.###.##.183/28;
                    address ##.###.##.189/28;
                    address ##.###.##.190/28;
                }
            }
        }

     

    Instead of configuring multiple IP addresses on the same ge-0/0/0 interface, try removing these IP addresses from ge-0/0/0:

     

                    address ##.###.##.182/28;
                    address ##.###.##.180/28;
                    address ##.###.##.181/28;
                    address ##.###.##.183/28;
                    address ##.###.##.189/28;
                    address ##.###.##.190/28;

     

    Then configure proxy ARP for those IP addresses on the ge-0/0/0 interface as given below:

     

    # show security nat proxy-arp
    interface ge-0/0/0.0 {
        address {
            .180/32;
        }
    }


     

     

    Then check the connectivity for the .180 server.

     

    I need the output of the CLI command:

     

    show security flow session destination-prefix x.x.x.180

     


    Regards
    rparthi
     

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too

     



  • 3.  RE: Problem with Static Nat

    Posted 09-24-2014 13:58

    I did as you suggested, but still no go.

     

    show security flow session destination-prefix x.x.x.180

    Total sessions: 0

     

     



  • 4.  RE: Problem with Static Nat

    Posted 09-25-2014 04:06

    Hi,


    Configure flow traceoptions, try connecting again, and share the flow trace file.

     

    set security flow traceoptions file flow-trace
    set security flow traceoptions file files 5
    set security flow traceoptions flag basic-datapath
    set security flow traceoptions packet-filter ff1 source-prefix x.x.x.x destination-prefix y.y.y.180

     

    set security flow traceoptions packet-filter ff2 source-prefix private ip destination-prefix x.x.x.x

     


    Regards
    rparthi
     

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too



  • 5.  RE: Problem with Static Nat

    Posted 09-25-2014 08:15

    root@junebug> show log flow-trace | last 50 

    Sep 25 08:09:50 08:09:48.1842485:CID-0:RT: flow process pak fast ifl 71 in_ifp ge-0/0/0.0
    Sep 25 08:09:50 08:09:48.1842485:CID-0:RT:  ge-0/0/0.0:yy.yyy.yyy.yyy/55039->xx.xxx.xx.180/80, tcp, flag 2 syn
    Sep 25 08:09:50 08:09:48.1842485:CID-0:RT: find flow: table 0x4a934a38, hash 50358(0xffff), sa yy.yyy.yyy.yyy, da xx.xxx.xx.180, sp 55039, dp 80, proto 6, tok 7
    Sep 25 08:09:50 08:09:48.1842485:CID-0:RT:  no session found, start first path. in_tunnel - 0, from_cp_flag - 0
    Sep 25 08:09:50 08:09:48.1842485:CID-0:RT:self ip check: not for self (address=46a531b4)
    Sep 25 08:09:50 08:09:48.1842781:CID-0:RT:  flow_first_create_session
    Sep 25 08:09:50 08:09:48.1842781:CID-0:RT:  flow_first_in_dst_nat: in <ge-0/0/0.0>, out <N/A> dst_adr xx.xxx.xx.180, sp 55039, dp 80
    Sep 25 08:09:50 08:09:48.1842781:CID-0:RT:  chose interface ge-0/0/0.0 as incoming nat if.
    Sep 25 08:09:50 08:09:48.1842781:CID-0:RT:flow_first_rule_dst_xlate: packet yy.yyy.yyy.yyy->xx.xxx.xx.180 nsp2 0.0.0.0->10.1.1.225.
    Sep 25 08:09:50 08:09:48.1842781:CID-0:RT:flow_first_routing: call flow_route_lookup(): src_ip yy.yyy.yyy.yyy, x_dst_ip 10.1.1.225, in ifp ge-0/0/0.0, out ifp N/A sp 55039, dp 80, ip_proto 6, tos 0
    Sep 25 08:09:50 08:09:48.1842781:CID-0:RT:Doing DESTINATION addr route-lookup
    Sep 25 08:09:50 08:09:48.1842781:CID-0:RT:  routed (x_dst_ip 10.1.1.225) from untrust (ge-0/0/0.0 in 0) to vlan.0, Next-hop: 10.1.1.225
    Sep 25 08:09:50 08:09:48.1842781:CID-0:RT:  policy search from zone untrust-> zone trust (0x114,0xd6ff0050,0x50)
    Sep 25 08:09:50 08:09:48.1842781:CID-0:RT:  app 6, timeout 1800s, curr ageout 20s
    Sep 25 08:09:50 08:09:48.1842781:CID-0:RT:flow_first_policy_search: VPN firstpath permit check failed
    Sep 25 08:09:50 08:09:48.1842781:CID-0:RT:  flow find session returns error.
    Sep 25 08:09:50 08:09:48.1842781:CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)



  • 6.  RE: Problem with Static Nat
    Best Answer

    Posted 09-26-2014 04:41

    Hi tbgadmin,

     

    I have identified the problem.

    Please move policy internal_osx_server above policy dyn-vpn-policy under the untrust-to-trust zone context.


    edit security policies from-zone untrust to-zone trust

    insert policy internal_osx_server before policy dyn-vpn-policy

    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

     

            from-zone untrust to-zone trust {
                policy dyn-vpn-policy {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit {
                            tunnel {
                                ipsec-vpn dyn-vpn;
                            }
                        }
                    }
                }
                policy internal_osx_server {
                    match {
                        source-address any;
                        destination-address osxserver;
                        application [ junos-http junos-https junos-dns-udp junos-dns-tcp junos-gre junos-pptp ];
                    }
                    then {
                        permit;
                        log {
                            session-init;
                        }
                    }
                }
            }

     

    Regards
    rparthi
     

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too
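    The fix above comes down to first-match ordering: dyn-vpn-policy matches any source, any destination and any application, so every policy listed below it in the untrust-to-trust context can never be reached. The following Python is an added example, not code from this thread or from Juniper: it parses the decisive lines of post 5's flow trace, replays the first-path policy search against the policy list in its original and its reordered sequence, and flags shadowed policies. The address book and policy definitions are copied from the thread; the predefined-application port map and the RFC 5737 sample addresses are assumptions.

```python
# Added example, not from the thread: see the lead-in for its assumptions.
import ipaddress
import re
from collections import namedtuple

# Address-book entries come from the thread's config; the predefined
# application -> (ip protocol, port) map is an assumption.
ADDRESS_BOOK = {"any": "0.0.0.0/0", "internal_iftp": "10.1.1.226/32",
                "internal_server": "10.1.1.201/32", "osxserver": "10.1.1.225/32"}
APPLICATIONS = {"junos-ftp": (6, 21), "junos-http": (6, 80), "junos-https": (6, 443),
                "junos-dns-udp": (17, 53), "junos-dns-tcp": (6, 53),
                "junos-gre": (47, None), "junos-pptp": (6, 1723)}
# tunnel=True models "permit { tunnel { ipsec-vpn ... } }" rather than plain permit
Policy = namedtuple("Policy", "name src dst apps tunnel", defaults=(False,))

def _addr_ok(name, ip):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(ADDRESS_BOOK[name])

def _app_ok(app, proto, dport):
    if app == "any":
        return True
    p, port = APPLICATIONS[app]
    return p == proto and (port is None or port == dport)

def first_match(policies, src_ip, dst_ip, proto, dport):
    """Junos evaluates policies top-down and stops at the first match."""
    for pol in policies:
        if (_addr_ok(pol.src, src_ip) and _addr_ok(pol.dst, dst_ip)
                and any(_app_ok(a, proto, dport) for a in pol.apps)):
            return pol

def shadowed(policies):
    """(later, earlier) name pairs where an earlier policy covers a later one."""
    def covers(a, b):
        return (a.src in ("any", b.src) and a.dst in ("any", b.dst)
                and ("any" in a.apps or set(b.apps) <= set(a.apps)))
    hits = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if covers(earlier, later):
                hits.append((later.name, earlier.name))
                break
    return hits

PATTERNS = {
    "tuple": re.compile(r"RT:\s+(\S+?):([\d.]+)/(\d+)->([\d.]+)/(\d+), (\w+),"),
    "xlate": re.compile(r"nsp2 [\d.]+->(\d+(?:\.\d+){3})"),
    "zones": re.compile(r"policy search from zone (\S+)-> zone (\S+)"),
}

def parse_first_path(trace):
    """Pull the 5-tuple, NAT result and zone pair out of a basic-datapath trace."""
    fp = {}
    for line in trace.splitlines():
        if m := PATTERNS["tuple"].search(line):
            fp.update(in_ifp=m[1], src=m[2], dst=m[4], dport=int(m[5]),
                      proto={"tcp": 6, "udp": 17, "icmp": 1}[m[6]], xlated_dst=m[4])
        elif m := PATTERNS["xlate"].search(line):
            fp["xlated_dst"] = m[1]      # static NAT rewrote the destination
        elif m := PATTERNS["zones"].search(line):
            fp["from_zone"], fp["to_zone"] = m[1], m[2]
    return fp

def diagnose(trace, policies):
    """Return (policy name, verdict) for the packet in the trace."""
    fp = parse_first_path(trace)
    hit = first_match(policies, fp["src"], fp["xlated_dst"], fp["proto"], fp["dport"])
    if hit is None:
        return (None, "no explicit policy matched; default-policy decides")
    if hit.tunnel:
        return (hit.name, "clear-text packet matched a tunnel policy: "
                          "first-path permit check fails and the SYN is dropped")
    return (hit.name, "permitted")

# Constructed sample: decisive lines of post 5's trace, masked addresses replaced
TRACE = """\
Sep 25 08:09:50 08:09:48.1842485:CID-0:RT:  ge-0/0/0.0:198.51.100.7/55039->203.0.113.180/80, tcp, flag 2 syn
Sep 25 08:09:50 08:09:48.1842781:CID-0:RT:flow_first_rule_dst_xlate: packet 198.51.100.7->203.0.113.180 nsp2 0.0.0.0->10.1.1.225.
Sep 25 08:09:50 08:09:48.1842781:CID-0:RT:  policy search from zone untrust-> zone trust (0x114,0xd6ff0050,0x50)
Sep 25 08:09:50 08:09:48.1842781:CID-0:RT:flow_first_policy_search: VPN firstpath permit check failed
"""

IFTP = Policy("internal_iftp_server", "any", "internal_iftp", ("junos-ftp",))
SERVER = Policy("internal_server", "any", "internal_server",
                ("junos-http", "junos-https", "junos-dns-udp", "junos-dns-tcp"))
VPN = Policy("dyn-vpn-policy", "any", "any", ("any",), tunnel=True)
OSX = Policy("internal_osx_server", "any", "osxserver",
             ("junos-http", "junos-https", "junos-dns-udp", "junos-dns-tcp",
              "junos-gre", "junos-pptp"))
ORIGINAL_ORDER = [IFTP, SERVER, VPN, OSX]   # as posted in the question
FIXED_ORDER = [IFTP, SERVER, OSX, VPN]      # after the accepted answer's insert

if __name__ == "__main__":
    print(diagnose(TRACE, ORIGINAL_ORDER), diagnose(TRACE, FIXED_ORDER), shadowed(ORIGINAL_ORDER))
```

    Running it prints dyn-vpn-policy with the drop verdict for the original order, internal_osx_server permitted for the fixed order, and the one shadowed pair.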



  • 7.  RE: Problem with Static Nat

    Posted 09-26-2014 16:18

    I wish I could say that helped.  This is what my policy looks like now.

    root@junebug> show configuration security policies from-zone untrust to-zone trust
    policy internal_iftp_server {
        match {
            source-address any;
            destination-address internal_iftp;
            application [ junos-ftp junos-http junos-https ];
        }
        then {
            permit;
            count;
        }
    }
    policy internal_server {
        match {
            source-address any;
            destination-address internal_server;
            application [ junos-http junos-https junos-dns-udp junos-dns-tcp DOTLOT_CAM ];
        }
        then {
            permit;
        }
    }
    policy internal_osx_server {
        match {
            source-address any;
            destination-address osxserver;
            application any;
        }
        then {
            permit;
            log {
                session-init;
            }
        }
    }
    policy dyn-vpn-policy {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn dyn-vpn;
                }
            }
        }
    }
    

     

     

    I am still unable to access the server and the flow-trace just shows
    Sep 26 16:13:11 16:13:10.1738475:CID-0:RT:SPU invalid session id 00000000

     

    I really appreciate all your help trying to solve this, btw.



  • 8.  RE: Problem with Static Nat

    Posted 09-27-2014 00:37

    Hi tbgadmin,

     

    From the flow trace, it looks like either the flow traceoptions packet filter is wrongly configured or packets are not hitting the SRX.

     

    Verify it and get us the flow trace file.

     

     

    Regards
    rparthi
     

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too



  • 9.  RE: Problem with Static Nat

    Posted 09-27-2014 13:04
    Sep 27 12:54:55 12:54:54.1513270:CID-0:RT:Installing s2c NP session wing
    Sep 27 12:54:56 12:54:54.1513270:CID-0:RT:  flow got session.
    Sep 27 12:54:56 12:54:54.1513270:CID-0:RT:  flow session id 130908
    Sep 27 12:54:56 12:54:54.1513270:CID-0:RT: vector bits 0x2 vector 0x45153f68
    Sep 27 12:54:56 12:54:54.1513270:CID-0:RT:  tcp flags 0x2, flag 0x2
    Sep 27 12:54:56 12:54:54.1513270:CID-0:RT:  Got syn, 10.1.1.182(52020)->xx.xxx.xx.180(80), nspflag 0x1021, 0x20
    Sep 27 12:54:56 12:54:54.1513270:CID-0:RT:mbuf 0x42380200, exit nh 0xfffa0006
    Sep 27 12:54:56 12:54:54.1513270:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)

    Sep 27 12:54:56 12:54:54.1759436:CID-0:RT:<10.1.1.182/52021->70.165.49.180/80;6> matched filter ff1:
    Sep 27 12:54:56 12:54:54.1759436:CID-0:RT:packet [64] ipid = 42249, @4236eb9c
    Sep 27 12:54:56 12:54:54.1759589:CID-0:RT:---- flow_process_pkt: (thd 2): flow_ctxt type 13, common flag 0x0, mbuf 0x4236e980, rtbl_idx = 0
    Sep 27 12:54:56 12:54:54.1759589:CID-0:RT: flow process pak fast ifl 69 in_ifp vlan.0
    Sep 27 12:54:56 12:54:54.1759589:CID-0:RT:  vlan.0:10.1.1.182/52021->xx.xxx.xx.180/80, tcp, flag 2 syn
    Sep 27 12:54:56 12:54:54.1759589:CID-0:RT: find flow: table 0x4a934a38, hash 10205(0xffff), sa 10.1.1.182, da xx.xxx.xx.180, sp 52021, dp 80, proto 6, tok 6
    Sep 27 12:54:56 12:54:54.1759589:CID-0:RT:  no session found, start first path. in_tunnel - 0, from_cp_flag - 0
    Sep 27 12:54:56 12:54:54.1759589:CID-0:RT:self ip check: not for self (address=46a531b4)
    Sep 27 12:54:56 12:54:54.1759589:CID-0:RT:  flow_first_create_session
    Sep 27 12:54:56 12:54:54.1759589:CID-0:RT:  flow_first_in_dst_nat: in <vlan.0>, out <N/A> dst_adr xx.xxx.xx.180, sp 52021, dp 80
    Sep 27 12:54:56 12:54:54.1759589:CID-0:RT:  chose interface vlan.0 as incoming nat if.
    Sep 27 12:54:56 12:54:54.1759589:CID-0:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to xx.xxx.xx.180(80)
    Sep 27 12:54:56 12:54:54.1759589:CID-0:RT:flow_first_routing: call flow_route_lookup(): src_ip 10.1.1.182, x_dst_ip xx.xxx.xx.180, in ifp vlan.0, out ifp N/A sp 52021, dp 80, ip_proto 6, tos 0
    Sep 27 12:54:56 12:54:54.1759589:CID-0:RT:Doing DESTINATION addr route-lookup
    Sep 27 12:54:56 12:54:54.1759589:CID-0:RT:Failed to get real out-ifp for .local..0, dst:xx.xxx.xx.180, in vr_id: 0
    Sep 27 12:54:56 12:54:54.1760090:CID-0:RT:  routed (x_dst_ip xx.xxx.xx.180) from trust (vlan.0 in 0) to .local..0, Next-hop: xx.xxx.xx.180
    Sep 27 12:54:56 12:54:54.1760090:CID-0:RT:  policy search from zone trust-> zone junos-self (0x0,0xcb350050,0x50)
    Sep 27 12:54:56 12:54:54.1760090:CID-0:RT:  app 6, timeout 1800s, curr ageout 20s
    Sep 27 12:54:56 12:54:54.1760090:CID-0:RT:flow_first_src_xlate:  nat_src_xlated: False, nat_src_xlate_failed: False
    Sep 27 12:54:56 12:54:54.1760592:CID-0:RT:flow_first_src_xlate: src nat returns status: 0, rule/pool id: 0/0, pst_nat: False.
    Sep 27 12:54:56 12:54:54.1760592:CID-0:RT:  dip id = 0/0, 10.1.1.182/52021->10.1.1.182/52021
    Sep 27 12:54:56 12:54:54.1760592:CID-0:RT:  choose interface .local..0 as outgoing phy if
    Sep 27 12:54:56 12:54:54.1760592:CID-0:RT:is_loop_pak: No loop: on ifp: .local..0, addr: xx.xxx.xx.180, rtt_idx:0
    Sep 27 12:54:56 12:54:54.1760592:CID-0:RT:jsf sess interest check. regd plugins 13
    Sep 27 12:54:56 12:54:54.1760592:CID-0:RT: Allocating plugin info block for 12 plugin(s) from OL
    Sep 27 12:54:56 12:54:54.1760592:CID-0:RT:-jsf int check: plugin id  1, svc_req 0x0. rc 4
    Sep 27 12:54:56 12:54:54.1760592:CID-0:RT:-jsf int check: plugin id  2, svc_req 0x2. rc 4
    Sep 27 12:54:56 12:54:54.1760592:CID-0:RT:-jsf int check: plugin id  3, svc_req 0x0. rc 4
    Sep 27 12:54:56 12:54:54.1760592:CID-0:RT:-jsf int check: plugin id  5, svc_req 0x0. rc 4
    Sep 27 12:54:56 12:54:54.1760592:CID-0:RT:+++++++++++jsf_test_plugin_data_evh: 3
    Sep 27 12:54:56 12:54:54.1760592:CID-0:RT:-jsf int check: plugin id  6, svc_req 0x0. rc 4
    Sep 27 12:54:56 12:54:54.1760592:CID-0:RT:-jsf int check: plugin id  7, svc_req 0x0. rc 4
    Sep 27 12:54:56 12:54:54.1760592:CID-0:RT:-jsf int check: plugin id  8, svc_req 0x0. rc 4
    Sep 27 12:54:56 12:54:54.1760592:CID-0:RT:-jsf int check: plugin id 10, svc_req 0x0. rc 4
    Sep 27 12:54:56 12:54:54.1760592:CID-0:RT:-jsf int check: plugin id 11, svc_req 0x0. rc 2
    Sep 27 12:54:56 12:54:54.1760592:CID-0:RT: No JSF plugins enabled for session
    Sep 27 12:54:56 12:54:54.1760592:CID-0:RT: Releasing plugin info block for 12 plugin(s) to OL
    Sep 27 12:54:56 12:54:54.1760592:CID-0:RT:  service lookup identified service 6.
    Sep 27 12:54:56 12:54:54.1760592:CID-0:RT:  flow_first_final_check: in <vlan.0>, out <.local..0>
    Sep 27 12:54:56 12:54:54.1760592:CID-0:RT:construct v4 vector for nsp2
    Sep 27 12:54:56 12:54:54.1760592:CID-0:RT:  existing vector list 2-45153f68.
    Sep 27 12:54:56 12:54:54.1760592:CID-0:RT:  Session (id:126212) created for first pak 2
    Sep 27 12:54:56 12:54:54.1760592:CID-0:RT:  flow_first_install_session======> 0x4f7f7220
    Sep 27 12:54:56 12:54:54.1760592:CID-0:RT: nsp 0x4f7f7220, nsp2 0x4f7f7284
    Sep 27 12:54:56 12:54:54.1760592:CID-0:RT:  make_nsp_ready_no_resolve()
    Sep 27 12:54:56 12:54:54.1760592:CID-0:RT:  route lookup: dest-ip 10.1.1.182 orig ifp vlan.0 output_ifp vlan.0 orig-zone 6 out-zone 6 vsd 0
    Sep 27 12:54:56 12:54:54.1760592:CID-0:RT:  route to 10.1.1.182
    Sep 27 12:54:56 12:54:54.1760592:CID-0:RT:Installing c2s NP session wing
    Sep 27 12:54:56 12:54:54.1760592:CID-0:RT:Installing s2c NP session wing
    Sep 27 12:54:56 12:54:54.1760592:CID-0:RT:  flow got session.
    Sep 27 12:54:56 12:54:54.1760592:CID-0:RT:  flow session id 126212
    Sep 27 12:54:56 12:54:54.1760592:CID-0:RT: vector bits 0x2 vector 0x45153f68
    Sep 27 12:54:56 12:54:54.1760592:CID-0:RT:  tcp flags 0x2, flag 0x2
    Sep 27 12:54:56 12:54:54.1760592:CID-0:RT:  Got syn, 10.1.1.182(52021)->xx.xxx.xx.180(80), nspflag 0x1021, 0x20
    Sep 27 12:54:56 12:54:54.1760592:CID-0:RT:mbuf 0x4236e980, exit nh 0xfffa0006
    Sep 27 12:54:56 12:54:54.1760592:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)

     

     

    So this flow trace looks like it's having trouble routing internally using the external IP. Which I guess isn't a big deal. It seems like I can hit the IP externally, which is what I really need. It's odd that I can use the external IP for another server and access it internally, but this one I can't. If you see something in this log that would help with that, let me know; otherwise, you have fixed my main problem. Thanks again!!



  • 10.  RE: Problem with Static Nat

    Posted 09-27-2014 22:30
    Edited by Jodi Meier 02-09-2024 16:49

    Hi tbgadmin,

     

    Good to know that your issue has been resolved.

     

    Thanks for the update.

     

    To access the server from the inside network using its public IP address, follow either of these KB articles:

    https://supportportal.juniper.net/s/article/SRX-How-to-set-up-NAT-hairpinning
    https://supportportal.juniper.net/s/article/Accessing-a-Static-NAT-from-inside-your-network?language=en_US

     

    Regards
    rparthi
     

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too

    Moderator note: Edited Feb 9, 2024, to update KB links.