SRX 240 Destination NAT problem

  • 1.  SRX 240 Destination NAT problem

    Posted 05-22-2015 00:46

    Hi!

    I'm having some issues with forwarding some ports to my internal network.

    Destination NAT

    set security nat destination pool active-sync_tf routing-instance default
    set security nat destination pool active-sync_tf address 192.168.8.13/32
    set security nat destination pool active-sync_tf address port 443
    set security nat destination pool sophos_transfair address 192.168.8.9/32
    set security nat destination pool sophos_transfair address port 443
    set security nat destination rule-set dst-nat from zone untrust
    set security nat destination rule-set dst-nat rule active-sync_tf match destination-address 86.103.130.XX/32
    set security nat destination rule-set dst-nat rule active-sync_tf match destination-port 443
    set security nat destination rule-set dst-nat rule active-sync_tf then destination-nat pool active-sync_tf

    set security nat destination rule-set dst-nat rule sophos_transfair match destination-address 86.103.130.YY/32
    set security nat destination rule-set dst-nat rule sophos_transfair match destination-port 443
    set security nat destination rule-set dst-nat rule sophos_transfair then destination-nat pool sophos_transfair

    Policy (it's the only policy from untrust to transfair):

    From zone: untrust, To zone: transfair
      Policy: 614, State: enabled, Index: 104, Scope Policy: 0, Sequence number: 1
        Source addresses: any
        Destination addresses: server_exchange, server_09
        Applications: junos-https
        Action: permit, log

    Where "server_exchange" is 192.168.8.13/32 and "server_09" is 192.168.8.9/32.

    I don't know why this isn't working.



  • 2.  RE: SRX 240 Destination NAT problem

    Posted 05-22-2015 01:09

    Hello,

    Can you check the hits on the destination NAT rules:

    > show security nat destination rule <rule name>



  • 3.  RE: SRX 240 Destination NAT problem

    Posted 05-22-2015 01:10

    Hello,

    Also, can you try using static NAT, since it's a one-to-one NAT translation with the same port.



  • 4.  RE: SRX 240 Destination NAT problem

    Posted 05-22-2015 01:46

    Hi Sam!

    "show security nat destination rule active-sync_tf" shows no translation hits.

    I have to say that this is a chassis cluster (if this is important) and the cluster is not active at this time (it was yesterday for about half an hour, then I had to switch back to my old SSG520).

    I will give it a try with the static NAT.

    I will let you know the result. Thank you for your input!

    Thanks,

    Andy



  • 5.  RE: SRX 240 Destination NAT problem

    Posted 05-22-2015 02:16

    Hello,

    Thanks for the update. Please collect the same output when using static NAT also. Also, please share the configuration.

    Make sure that the traffic is hitting the firewall.

    Also, please make sure to add proxy ID configuration if the external interface IP and the NAT IP are in the same subnet.



  • 6.  RE: SRX 240 Destination NAT problem
    Best Answer

    Posted 05-22-2015 10:56

    Is the IP on your untrust interface in the same subnet as your public NAT IPs? (i.e. is it in 86.103.130.zz?) If so, you will need to configure proxy ARP for your public NAT IPs on your untrust interface.



  • 7.  RE: SRX 240 Destination NAT problem

    Posted 05-23-2015 06:09

    Did you also create a security policy to permit the traffic to the server?

    One of the differences between ScreenOS and SRX is that NAT policy is separate from security policy. So you need both a security policy to permit the traffic along with the NAT translation.

    As mentioned by KJMurphy, if this is a different address from the interface in the same subnet, then proxy ARP configuration is required. If this is a routed subnet or the same as the interface, this will not be needed.

    Static NAT is only needed if you require the outbound traffic from the mail server (typically SMTP) to also have this same NAT address. When you use this option the address cannot be used for any other server. This is the same as a MIP in ScreenOS.

    If this is a pure MS CAS server role for client inbound connections, you will not need static NAT, only the destination NAT you are setting up.



  • 8.  RE: SRX 240 Destination NAT problem

    Posted 06-01-2015 02:17

    Hi Steve!

    Here's what my new config looks like:

    static-NAT:

    set security nat static rule-set static-dst-nat from zone untrust
    set security nat static rule-set static-dst-nat rule active_sync_tf match destination-address 86.103.130.70/32
    set security nat static rule-set static-dst-nat rule active_sync_tf match destination-port 443
    set security nat static rule-set static-dst-nat rule active_sync_tf then static-nat prefix 192.168.8.13/32
    set security nat static rule-set static-dst-nat rule active_sync_tf then static-nat prefix mapped-port 443
    
    set security nat static rule-set static-dst-nat rule sophos_tf match destination-address 86.103.130.73/32
    set security nat static rule-set static-dst-nat rule sophos_tf match destination-port 443
    set security nat static rule-set static-dst-nat rule sophos_tf then static-nat prefix 192.168.8.9/32
    set security nat static rule-set static-dst-nat rule sophos_tf then static-nat prefix mapped-port 443

    Matching policies:

    set security policies from-zone untrust to-zone transfair policy 614 description mobil.tfkiel.de
    set security policies from-zone untrust to-zone transfair policy 614 match source-address any
    set security policies from-zone untrust to-zone transfair policy 614 match destination-address server_exchange
    set security policies from-zone untrust to-zone transfair policy 614 match destination-address server_09
    set security policies from-zone untrust to-zone transfair policy 614 match application junos-https
    set security policies from-zone untrust to-zone transfair policy 614 then permit
    set security policies from-zone untrust to-zone transfair policy 614 then log session-init

    Did I overlook something, or can I give this config a try?

    Thanks in advance!

    Andy



  • 9.  RE: SRX 240 Destination NAT problem

    Posted 06-01-2015 03:30

    The configurations look good.

    But if these addresses are in the same subnet as your external interface, you also need to have proxy ARP enabled. If they are routed to you, then this is not necessary.

    proxy-arp {
        interface ge-0/0/0.0 {
            address {
                86.103.130.70/32;
                86.103.130.73/32;
            }
        }
    }

    See a full example at the bottom of page 13 here:

    http://kb.juniper.net/library/CUSTOMERSERVICE/technotes/TN8_3500151-en.pdf
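A small config lint, added here as an example and not code from this thread or from Juniper, that parses set-style destination-NAT, proxy-arp and interface statements and applies the two checks discussed above: a public NAT address inside the untrust interface's subnet needs a proxy-arp entry on that interface, and the untrust-to-inside policy must permit the translated pool address, since on SRX the policy lookup sees the post-NAT destination. The sample config and the reth0.1 address 86.103.130.66/28 are constructed assumptions; the thread never states the interface IP.

```python
import ipaddress

# Constructed sample in Junos "display set" form, modelled on the thread's destination-NAT and
# proxy-arp statements; the reth0.1 address 86.103.130.66/28 is an assumption (thread never gives it).
SAMPLE_CONFIG = """
set interfaces reth0 unit 1 family inet address 86.103.130.66/28
set security nat destination pool active-sync_tf address 192.168.8.13/32
set security nat destination pool sophos_transfair address 192.168.8.9/32
set security nat destination rule-set dst-nat from zone untrust
set security nat destination rule-set dst-nat rule active-sync_tf match destination-address 86.103.130.70/32
set security nat destination rule-set dst-nat rule active-sync_tf then destination-nat pool active-sync_tf
set security nat destination rule-set dst-nat rule sophos_transfair match destination-address 86.103.130.73/32
set security nat destination rule-set dst-nat rule sophos_transfair then destination-nat pool sophos_transfair
set security nat proxy-arp interface reth0.1 address 86.103.130.70/32
"""

def parse(config):
    """Collect interface subnets, pools, NAT rules and proxy-arp entries from set-style lines."""
    ifaces, pools, rules, parp = {}, {}, {}, {}
    for w in map(str.split, config.splitlines()):
        if w[:2] == ["set", "interfaces"]:          # set interfaces X unit N family inet address A/len
            ifaces[f"{w[2]}.{w[4]}"] = ipaddress.ip_interface(w[8]).network
        elif w[3:5] == ["destination", "pool"] and w[6:7] == ["address"] and len(w) == 8:
            pools[w[5]] = w[7]                      # pool NAME address A/32 (skips "address port N")
        elif w[3:5] == ["destination", "rule-set"] and w[6:7] == ["rule"]:
            rule = rules.setdefault(w[7], {})
            if w[8:10] == ["match", "destination-address"]:
                rule["public"] = ipaddress.ip_network(w[10])
            elif w[8:11] == ["then", "destination-nat", "pool"]:
                rule["pool"] = w[11]
        elif w[3:5] == ["proxy-arp", "interface"]:  # proxy-arp interface IF address A/32
            parp.setdefault(w[5], set()).add(ipaddress.ip_network(w[7]))
    return ifaces, pools, rules, parp

def missing_proxy_arp(config):
    """Public NAT addresses that fall inside an interface's own subnet but lack a proxy-arp
    entry there: the upstream router's ARP for them goes unanswered, so the rule never gets a hit."""
    ifaces, _, rules, parp = parse(config)
    return sorted((name, str(r["public"])) for name, r in rules.items() if "public" in r
                  for ifname, net in ifaces.items()
                  if r["public"].subnet_of(net) and r["public"] not in parp.get(ifname, set()))

def policy_destinations(config):
    """Translated (pool) addresses the untrust-to-inside policy must permit: on SRX the
    policy lookup happens after destination NAT, so it sees 192.168.x.x, not the public IP."""
    _, pools, rules, _ = parse(config)
    return {pools[r["pool"]] for r in rules.values() if "pool" in r}
```

Run against the sample, the sophos_transfair address 86.103.130.73 is reported as lacking proxy-arp on reth0.1, which is exactly the symptom in the thread (zero rule hits), while the policy must reference server_exchange and server_09, not the public addresses.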



  • 10.  RE: SRX 240 Destination NAT problem

    Posted 06-02-2015 23:14

    Oh my! I read a similar article on tunnesup.com (NAT in juniper srx), but I totally skipped this proxy arp part!

    These addresses are indeed in the same subnet. That has to be the solution!

    On my ssg520 this was not necessary.

    I will test this as soon as I can and post the results.

    Thanks so much so far for your input!



  • 11.  RE: SRX 240 Destination NAT problem

    Posted 06-22-2015 20:06

    Hi Steve!

    Here's my config for the proxy ARP:

    set security nat proxy-arp interface reth0.1 address 86.103.130.69/32
    set security nat proxy-arp interface reth0.1 address 86.103.130.70/32
    set security nat proxy-arp interface reth0.1 address 86.103.130.71/32
    set security nat proxy-arp interface reth0.1 address 86.103.130.72/32
    set security nat proxy-arp interface reth0.1 address 86.103.130.73/32
    set security nat proxy-arp interface reth0.1 address 86.103.130.74/32
    set security nat proxy-arp interface reth0.1 address 86.103.130.75/32

    and the static NAT config:

    set security nat static rule-set static-dst-nat from zone untrust
    set security nat static rule-set static-dst-nat rule active_sync_kisk match destination-address 86.103.130.69/32
    set security nat static rule-set static-dst-nat rule active_sync_kisk match destination-port 443
    set security nat static rule-set static-dst-nat rule active_sync_kisk then static-nat prefix 192.168.20.30/32
    set security nat static rule-set static-dst-nat rule active_sync_kisk then static-nat prefix mapped-port 443
    set security nat static rule-set static-dst-nat rule mail match destination-address 86.103.130.70/32
    set security nat static rule-set static-dst-nat rule mail match destination-port 25
    set security nat static rule-set static-dst-nat rule mail then static-nat prefix 192.168.255.5/32
    set security nat static rule-set static-dst-nat rule mail then static-nat prefix mapped-port 25
    set security nat static rule-set static-dst-nat rule active_sync_tf match destination-address 86.103.130.70/32
    set security nat static rule-set static-dst-nat rule active_sync_tf match destination-port 443
    set security nat static rule-set static-dst-nat rule active_sync_tf then static-nat prefix 192.168.8.13/32
    set security nat static rule-set static-dst-nat rule active_sync_tf then static-nat prefix mapped-port 443
    set security nat static rule-set static-dst-nat rule mail_oh match destination-address 86.103.130.71/32
    set security nat static rule-set static-dst-nat rule mail_oh match destination-port 25
    set security nat static rule-set static-dst-nat rule mail_oh then static-nat prefix 192.168.255.12/32
    set security nat static rule-set static-dst-nat rule mail_oh then static-nat prefix mapped-port 25
    set security nat static rule-set static-dst-nat rule active_sync_oh match destination-address 86.103.130.71/32
    set security nat static rule-set static-dst-nat rule active_sync_oh match destination-port 443
    set security nat static rule-set static-dst-nat rule active_sync_oh then static-nat prefix 192.168.13.10/32
    set security nat static rule-set static-dst-nat rule active_sync_oh then static-nat prefix mapped-port 443
    set security nat static rule-set static-dst-nat rule active_sync_wfbdra match destination-address 86.103.130.72/32
    set security nat static rule-set static-dst-nat rule active_sync_wfbdra match destination-port 443
    set security nat static rule-set static-dst-nat rule active_sync_wfbdra then static-nat prefix 192.168.0.22/32
    set security nat static rule-set static-dst-nat rule active_sync_wfbdra then static-nat prefix mapped-port 443
    set security nat static rule-set static-dst-nat rule medifox_kisk match destination-address 86.103.130.69/32
    set security nat static rule-set static-dst-nat rule medifox_kisk match destination-port 9740
    set security nat static rule-set static-dst-nat rule medifox_kisk then static-nat prefix 192.168.20.28/32
    set security nat static rule-set static-dst-nat rule medifox_kisk then static-nat prefix mapped-port 9740
    set security nat static rule-set static-dst-nat rule medifox_ottendorf match destination-address 86.103.130.68/32
    set security nat static rule-set static-dst-nat rule medifox_ottendorf match destination-port 9740
    set security nat static rule-set static-dst-nat rule medifox_ottendorf then static-nat prefix 192.168.19.5/32
    set security nat static rule-set static-dst-nat rule medifox_ottendorf then static-nat prefix mapped-port 9740
    set security nat static rule-set static-dst-nat rule sophos_tf match destination-address 86.103.130.73/32
    set security nat static rule-set static-dst-nat rule sophos_tf match destination-port 443
    set security nat static rule-set static-dst-nat rule sophos_tf then static-nat prefix 192.168.8.9/32
    set security nat static rule-set static-dst-nat rule sophos_tf then static-nat prefix mapped-port 443

    Also "show security nat static rule all" shows no hits on any of my rules...

    Policies look good. Where is my mistake?

    Thanks in advance!

    Andy



  • 12.  RE: SRX 240 Destination NAT problem

    Posted 06-22-2015 20:49

    Hi Folks!

    I just changed back from static NAT to destination NAT and it worked!!

    Thank you so much for your assistance!

    Cheers

    Andy