SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX SIP packets don't flow, ICMP does instead

    Posted 12-15-2016 23:14

    Hi.

    The network scheme is very simple:

    LAN----ge0/0/0.15<SRX>vlan.100----ISP----10.3.7.81

    (The ISP has a host with an address from a private network.)

    So, my aster has address 192.168.77.122 and the outgoing SIP session goes through this source NAT rule:

    pool PBX {
        address {
            37.230.255.21/32;
        }
    }
    rule-set NAT {
        from zone trust;
        to zone untrust;
        rule NAT-PBX {
            match {
                source-address 192.168.77.122/32;
            }
            then {
                source-nat {
                    pool {
                        PBX;
                        persistent-nat {
                            permit target-host;
                            inactivity-timeout 7200;
                        }
                    }
                }
            }
        }
    }

    I have a problem connecting to a SIP peer with a private address:

    When I try to ping, I see packets in the flow session and in Wireshark.

    When I try to call, I see packets in the flow session:

    Session ID: 175737, Policy name: internet-access/4, Timeout: 16, Valid
    In: 192.168.77.122/43112 --> 10.3.7.82/5060;tcp, If: ge-0/0/15.0, Pkts: 3, Bytes: 180
    Out: 10.3.7.82/5060 --> x.x.x..21/13234;tcp, If: vlan.100, Pkts: 0, Bytes: 0

    but I don't see packets going out of the interface (port mirroring).

    Where may the problem occur?



  • 2.  RE: SRX SIP packets don't flow, ICMP does instead

    Posted 12-16-2016 09:07

    Run a flow trace and see what is happening with the traffic.

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB16110



  • 3.  RE: SRX SIP packets don't flow, ICMP does instead

    Posted 12-16-2016 12:42

    It may be that SIP ALG needs to be turned off on your end and the ISP end. I've been able to get double NAT like your setup working with SIP, but if both devices are trying to do SIP ALG you may get strange results. 



  • 4.  RE: SRX SIP packets don't flow, ICMP does instead

    Posted 12-19-2016 06:31

    I configured a flow trace:

    [edit security flow]
    noc@j240-1# show 
    traceoptions {
        file dataflow.log size 10k files 2;
        flag basic-datapath;
        packet-filter pbx {
            source-prefix 192.168.77.122/32;
            destination-prefix 10.3.7.82/32;
        }
        packet-filter pbxReverse {
            source-prefix 10.3.7.82/32;
        }
    }
    
    noc@j240-1# run show log dataflow.log
    Dec 19 11:18:08 11:18:08.465293:CID-0:RT:  permitted by policy internet-access(4)
    Dec 19 11:18:08 11:18:08.465293:CID-0:RT:  packet passed, Permitted by policy.
    Dec 19 11:18:08 11:18:08.465293:CID-0:RT:flow_first_src_xlate:  nat_src_xlated: False, nat_src_xlate_failed: False
    Dec 19 11:18:08 11:18:08.465293:CID-0:RT:flow_first_src_xlate:  incoming src port is : 46698.
    Dec 19 11:18:08 11:18:08.465293:CID-0:RT:flow_first_src_xlate: src nat returns status: 1, rule/pool id: 1/32773, pst_nat: True.
    Dec 19 11:18:08 11:18:08.465293:CID-0:RT:flow_first_pst_nat_xlate: pst nat binding found
    Dec 19 11:18:08 11:18:08.465293:CID-0:RT:  choose interface vlan.100(P2P) as outgoing phy if
    Dec 19 11:18:08 11:18:08.465293:CID-0:RT:is_loop_pak: No loop: on ifp: vlan.100, addr: 10.3.7.82, rtt_idx:0
    Dec 19 11:18:08 11:18:08.465786:CID-0:RT:-jsf : Alloc sess plugin info for session 249108252790
    Dec 19 11:18:08 11:18:08.465786:CID-0:RT:[JSF]Normal interest check. regd plugins 28, enabled impl mask 0x0
    Dec 19 11:18:08 11:18:08.465786:CID-0:RT:+++++++++++jsf_test_plugin_data_evh: 3
    Dec 19 11:18:08 11:18:08.465786:CID-0:RT: Allocating plugin info block for plugin(26)
    Dec 19 11:18:08 11:18:08.465786:CID-0:RT:[JSF] set ext handle 0x4b9c5b50 for plugin 26 on session 249108252790
    Dec 19 11:18:08 11:18:08.465786:CID-0:RT: Allocating plugin info block for plugin(12)
    Dec 19 11:18:08 11:18:08.465786:CID-0:RT: Allocating plugin info block for plugin(31)
    Dec 19 11:18:08 11:18:08.465786:CID-0:RT:[JSF]Plugins(0x84001000, count 3) enabled for session = 249108252790, impli mask(0xc), post_nat cnt 0 svc req(0x5)
    Dec 19 11:18:08 11:18:08.465786:CID-0:RT:[JSF]c2s order list:
    Dec 19 11:18:08 11:18:08.465786:CID-0:RT:               12
    Dec 19 11:18:08 11:18:08.465786:CID-0:RT:               26
    Dec 19 11:18:08 11:18:08.465786:CID-0:RT:               31
    Dec 19 11:18:08 11:18:08.465786:CID-0:RT:[JSF]s2c order list:
    Dec 19 11:18:08 11:18:08.465786:CID-0:RT:               31
    Dec 19 11:18:08 11:18:08.465786:CID-0:RT:               26
    Dec 19 11:18:08 11:18:08.465786:CID-0:RT:               12
    Dec 19 11:18:08 11:18:08.465786:CID-0:RT:  service lookup identified service 63.
    Dec 19 11:18:08 11:18:08.465786:CID-0:RT:  flow_first_final_check: in <ge-0/0/15.0>, out <vlan.100>
    Dec 19 11:18:08 11:18:08.465786:CID-0:RT:natp(0x59c8a318): no tcp sequence check(0x00000000) as 0x00010000.
    Dec 19 11:18:08 11:18:08.465786:CID-0:RT:flow_first_final_check: flow_set_xlate_vector.
    Dec 19 11:18:08 11:18:08.465786:CID-0:RT:In flow_first_complete_session
    Dec 19 11:18:09 11:18:08.465786:CID-0:RT:flow_first_complete_session: pak_ptr is xlated packet
    Dec 19 11:18:09 11:18:08.465786:CID-0:RT:flow_first_complete_session, pak_ptr: 0x51e331b0, nsp: 0x59c8a318, in_tunnel: 0x0
    Dec 19 11:18:09 11:18:08.465786:CID-0:RT:construct v4 vector for nsp2
    Dec 19 11:18:09 11:18:08.465786:CID-0:RT:  existing vector list 0x9082-0x4b9d38e8.
    Dec 19 11:18:09 11:18:08.465786:CID-0:RT:  Session (id:149622) created for first pak 9082
    Dec 19 11:18:09 11:18:08.465786:CID-0:RT:first pak processing successful
    Dec 19 11:18:09 11:18:08.465786:CID-0:RT:  flow_first_install_session======> 0x59c8a318
    Dec 19 11:18:09 11:18:08.465786:CID-0:RT: nsp 0x59c8a318, nsp2 0x59c8a3a8
    Dec 19 11:18:09 11:18:08.465786:CID-0:RT:  make_nsp_ready_no_resolve()
    Dec 19 11:18:09 11:18:08.465786:CID-0:RT:flow_ipv4_rt_lkup success 192.168.77.122, iifl 0x58, oifl 0x58
    Dec 19 11:18:09 11:18:08.465786:CID-0:RT:  route lookup: dest-ip 192.168.77.122 orig ifp ge-0/0/15.0 output_ifp ge-0/0/15.0 orig-zone 6 out-zone 6 vsd 0
    Dec 19 11:18:09 11:18:08.465786:CID-0:RT:  route to 10.2.0.250
    Dec 19 11:18:09 11:18:08.465786:CID-0:RT:Doing jsf sess create notify
    Dec 19 11:18:09 11:18:08.466278:CID-0:RT:[JSF] set ext handle 0x49a684d8 for plugin 12 on session 249108252790
    Dec 19 11:18:09 11:18:08.466278:CID-0:RT:[JSF] set strm buf 0x498a2fd0 for plugin 12
    Dec 19 11:18:09 11:18:08.466278:CID-0:RT:-jsf create notify: plugin id 12. rc 0
    Dec 19 11:18:09 11:18:08.466278:CID-0:RT:[JSF] set strm buf 0x498a33c0 for plugin 26
    Dec 19 11:18:09 11:18:08.466278:CID-0:RT:-jsf create notify: plugin id 26. rc 3
    Dec 19 11:18:09 11:18:08.466278:CID-0:RT:[JSF] set ext handle 0x49a65d78 for plugin 31 on session 249108252790
    Dec 19 11:18:09 11:18:08.466278:CID-0:RT:[JSF] set strm buf 0x498a2e80 for plugin 31
    Dec 19 11:18:09 11:18:08.466278:CID-0:RT:-jsf create notify: plugin id 31. rc 0
    Dec 19 11:18:09 11:18:08.466278:CID-0:RT:no need update ha
    Dec 19 11:18:09 11:18:08.466278:CID-0:RT:Installing c2s NP session wing
    Dec 19 11:18:09 11:18:08.466278:CID-0:RT:Installing s2c NP session wing
    Dec 19 11:18:09 11:18:08.466278:CID-0:RT:first path session installation succeeded
    Dec 19 11:18:09 11:18:08.466278:CID-0:RT:Fwd packet with rtbl idx 0, cos 0, rl 8865360
    Dec 19 11:18:09 11:18:08.466278:CID-0:RT:flow_sess_reinject_pkt_for_sz_common:SPU reinject pkt for sz
    Dec 19 11:18:09 11:18:08.466278:CID-0:RT:  flow need to reinject pkt.
    Dec 19 11:18:09 11:18:08.466278:CID-0:RT: ----- flow_process_pkt rc 0x11 (fp rc 7)

    Dec 19 11:18:09 11:18:08.466495:CID-0:RT:SPU received an event,type SESS_MSG_FLUSHED_PAK, common:3
    Dec 19 11:18:09 11:18:08.466495:CID-0:RT:Rcv packet with rtbl idx 0, cos 0, rl 8865360
    Dec 19 11:18:09 11:18:08.466495:CID-0:RT:SPU processing spu_flushed_pak, flag: 0x2, mbuf:0x0x43b87800
    Dec 19 11:18:09 11:18:08.466624:CID-0:RT:<192.168.77.122/46698->10.3.7.82/5060;6> matched filter pbx:
    Dec 19 11:18:09 11:18:08.466624:CID-0:RT:packet [60] ipid = 47538, @0x43b87a1c
    Dec 19 11:18:09 11:18:08.466624:CID-0:RT:---- flow_process_pkt: (thd 2): flow_ctxt type 21, common flag 0x803, mbuf 0x43b87800, rtbl_idx = 0
    Dec 19 11:18:09 11:18:08.466624:CID-0:RT:flow process pak, mbuf 0x43b87800, ifl 0, ctxt_type 21 inq type 6
    Dec 19 11:18:09 11:18:08.466624:CID-0:RT:change ifl to 0x58
    Dec 19 11:18:09 11:18:08.466624:CID-0:RT: in_ifp <trust:ge-0/0/15.0>
    Dec 19 11:18:09 11:18:08.466624:CID-0:RT: setting SZ flag in lpak 0x51e32f30, mbuf 0x43b87800, sess id 0x24876
    Dec 19 11:18:09 11:18:08.466624:CID-0:RT:setting rtt to:0x609d7720 based on VR ID:0 carried over in flow ctxt,  proto 2(ipv4)
    Dec 19 11:18:09 11:18:08.466769:CID-0:RT:flow_process_pkt_exception: setting rtt in lpak to 0x609d7720
    Dec 19 11:18:09 11:18:08.466769:CID-0:RT:host inq check inq_type 0x6
    Dec 19 11:18:09 11:18:08.466769:CID-0:RT:  flow session id 149622
    Dec 19 11:18:09 11:18:08.466769:CID-0:RT: vector bits 0x9082 vector 0x4b9d38e8
    Dec 19 11:18:09 11:18:08.466769:CID-0:RT:flow_tcp_wsf_update: wsf 7
    Dec 19 11:18:09 11:18:08.466769:CID-0:RT: ****jsf svc chain: sess id 149622, dir 1, nat_done 0, pak pid 0, first pid 12
    Dec 19 11:18:09 11:18:08.466846:CID-0:RT: plugin name junos-tcp-svr-emul. action JSF_SESSION_ACTION_NONE, stbuf 0x498a2fd0
    Dec 19 11:18:09 11:18:08.466846:CID-0:RT: jsf resume sess id 149622, direction 1
    Dec 19 11:18:09 11:18:08.466846:CID-0:RT:PKT-PROC for plugin junos-tcp-svr-emul jbuf 0x5d51cfe8, sess jsf flags 0x0, rc 9
    Dec 19 11:18:09 11:18:08.466846:CID-0:RT: begin walk strm chain: sess id 149622, dir 1
    Dec 19 11:18:09 11:18:08.466846:CID-0:RT:  walk: pid 12, prev stbuf 0x0, curr stbuf 0x498a2fd0, ignore 0
    Dec 19 11:18:09 11:18:08.466945:CID-0:RT:  walk: pid 26, prev stbuf 0x498a2fd0, curr stbuf 0x498a33c0, ignore 0
    Dec 19 11:18:09 11:18:08.466945:CID-0:RT:  Moved 0 bytes, rc=102. Prev tx empty[1], Curr Rx Empty[0], resume reqd[1]
    Dec 19 11:18:09 11:18:08.466945:CID-0:RT:  walk: pid 31, prev stbuf 0x498a33c0, curr stbuf 0x498a2e80, ignore 0
    Dec 19 11:18:09 11:18:08.467013:CID-0:RT:  Moved 0 bytes, rc=102. Prev tx empty[1], Curr Rx Empty[1], resume reqd[1]
    Dec 19 11:18:09 11:18:08.467013:CID-0:RT:  total bytes moved 0, resume reqd 1
    Dec 19 11:18:09 11:18:08.467013:CID-0:RT: after stream walk jb 0x5d51cfe8, rc 9, ctx.jb 0x0
    Dec 19 11:18:09 11:18:08.467013:CID-0:RT:flow_process_pkt_exception: Freeing lpak 0x51e32f30 associated with mbuf 0x43b87800
    Dec 19 11:18:09 11:18:08.467013:CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc 0)

    Dec 19 11:18:28 11:18:27.948476:CID-0:RT:jsf sess close notify
    Dec 19 11:18:28 11:18:27.948476:CID-0:RT:flow_ipv4_del_flow: sess 149622, in hash 32
    Dec 19 11:18:28 11:18:27.948476:CID-0:RT:flow_ipv4_del_flow: sess 149622, in hash 32
    Dec 19 11:18:29 11:18:29.949631:CID-0:RT:jsf sess destroy notify
    Dec 19 11:18:29 11:18:29.949631:CID-0:RT:[JSF] set strm buf 0x0 for plugin 12
    Dec 19 11:18:29 11:18:29.950131:CID-0:RT:[JSF] set strm buf 0x0 for plugin 26
    Dec 19 11:18:29 11:18:29.950131:CID-0:RT:[JSF] set ext handle 0x0 for plugin 26 on session 249108252790
    Dec 19 11:18:29 11:18:29.950131:CID-0:RT:[JSF] set strm buf 0x0 for plugin 31
    It looks like the packet does not go to the untrust zone, right?
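    The two traces in this thread can be compared mechanically. The parser below is an added example (not part of the thread and not a Juniper tool): it pulls the policy, egress-interface, reverse-route, plugin and translation lines out of a basic-datapath trace and classifies what happened to the first packet; its sample lines are copied, trimmed, from the TCP trace above and from the ICMP trace in the later reply.

```python
"""Summarise an SRX 'flag basic-datapath' flow trace for one session. Added example
for this thread, not Juniper's tooling; sample lines are copied from the thread."""
import re
from dataclasses import dataclass, field

# Constructed sample: the TCP/5060 (SIP) first-packet trace from this post, trimmed.
TCP_TRACE = """\
Dec 19 11:18:08 11:18:08.465293:CID-0:RT:  permitted by policy internet-access(4)
Dec 19 11:18:08 11:18:08.465786:CID-0:RT:  flow_first_final_check: in <ge-0/0/15.0>, out <vlan.100>
Dec 19 11:18:09 11:18:08.465786:CID-0:RT:  Session (id:149622) created for first pak 9082
Dec 19 11:18:09 11:18:08.465786:CID-0:RT:  route lookup: dest-ip 192.168.77.122 orig ifp ge-0/0/15.0 output_ifp ge-0/0/15.0 orig-zone 6 out-zone 6 vsd 0
Dec 19 11:18:09 11:18:08.466278:CID-0:RT:first path session installation succeeded
Dec 19 11:18:09 11:18:08.466846:CID-0:RT: plugin name junos-tcp-svr-emul. action JSF_SESSION_ACTION_NONE, stbuf 0x498a2fd0
Dec 19 11:18:09 11:18:08.467013:CID-0:RT:flow_process_pkt_exception: Freeing lpak 0x51e32f30 associated with mbuf 0x43b87800
Dec 19 11:18:09 11:18:08.467013:CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc 0)
"""

# Constructed sample: the ICMP trace from the later reply in this thread, trimmed.
ICMP_TRACE = """\
Dec 20 03:54:22 03:54:21.777254:CID-0:RT:first path session installation succeeded
Dec 20 03:54:22 03:54:21.777254:CID-0:RT:  flow session id 161759
Dec 20 03:54:22 03:54:21.777254:CID-0:RT:  post addr xlation: x.x.x.21->10.3.7.82.
Dec 20 03:54:22 03:54:21.777254:CID-0:RT:mbuf 0x43ddf480, exit nh 0x5af722
Dec 20 03:54:22 03:54:21.777746:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
"""

@dataclass
class FlowSummary:
    session_id: str = ""
    policy: str = ""
    in_if: str = ""
    egress_if: str = ""
    reverse_lookup: dict = field(default_factory=dict)  # lookup toward the original source (s2c wing)
    installed: bool = False
    plugins: list = field(default_factory=list)       # (name, action) of JSF plugins that saw the packet
    translations: list = field(default_factory=list)  # (before, after) from 'post addr xlation' lines
    exit_nh: str = ""
    freed_by_exception: bool = False
    final_rc: str = ""

PREFIX = re.compile(r"^.*?:RT:\s*")  # strips the 'Dec 19 11:18:08 ...:CID-0:RT:' prefix
PATTERNS = {
    "policy": re.compile(r"permitted by policy (\S+)\(\d+\)"),
    "final_check": re.compile(r"flow_first_final_check: in <(\S+)>, out <(\S+)>"),
    "session": re.compile(r"Session \(id:(\d+)\) created|flow session id (\d+)"),
    "reverse": re.compile(r"route lookup: dest-ip (\S+) orig ifp (\S+) output_ifp (\S+) "
                          r"orig-zone (\d+) out-zone (\d+)"),
    "installed": re.compile(r"first path session installation succeeded"),
    "plugin": re.compile(r"plugin name (\S+)\. action (\S+),"),
    "xlate": re.compile(r"post addr xlation: (\S+)->(\S+)"),
    "exit_nh": re.compile(r"exit nh (0x[0-9a-f]+)"),
    "freed": re.compile(r"flow_process_pkt_exception: Freeing lpak"),
    "rc": re.compile(r"flow_process_pkt rc (0x[0-9a-f]+)"),
}

def parse_flow_trace(text: str) -> FlowSummary:
    s = FlowSummary()
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).strip()
        if m := PATTERNS["policy"].search(line):
            s.policy = m.group(1)
        elif m := PATTERNS["final_check"].search(line):
            s.in_if, s.egress_if = m.group(1), m.group(2)
        elif m := PATTERNS["session"].search(line):
            s.session_id = m.group(1) or m.group(2)
        elif m := PATTERNS["reverse"].search(line):
            keys = ("dest_ip", "orig_ifp", "output_ifp", "orig_zone", "out_zone")
            s.reverse_lookup = dict(zip(keys, m.groups()))
        elif PATTERNS["installed"].search(line):
            s.installed = True
        elif m := PATTERNS["plugin"].search(line):
            s.plugins.append((m.group(1), m.group(2)))
        elif m := PATTERNS["xlate"].search(line):
            s.translations.append((m.group(1), m.group(2).rstrip(".")))
        elif m := PATTERNS["exit_nh"].search(line):
            s.exit_nh = m.group(1)
        elif PATTERNS["freed"].search(line):
            s.freed_by_exception = True
        elif m := PATTERNS["rc"].search(line):
            s.final_rc = m.group(1)  # the last rc is the verdict for the packet
    return s

def diagnose(s: FlowSummary) -> tuple:
    """Return (status, detail), stating only what the trace lines themselves show."""
    if not s.installed:
        return "not-installed", f"no session installed (policy={s.policy or '?'})"
    if s.translations and s.exit_nh:
        before, after = s.translations[-1]
        return "forwarded", f"session {s.session_id}: translated {before}->{after}, exit nh {s.exit_nh}"
    if s.plugins and s.freed_by_exception:
        names = ", ".join(name for name, _ in s.plugins)
        return "held", (f"session {s.session_id}: egress {s.egress_if} was chosen, but the first packet "
                        f"was handed to plugin(s) {names} and freed with no 'post addr xlation'/'exit nh' "
                        f"line (rc {s.final_rc}); the route lookup for {s.reverse_lookup.get('dest_ip')} "
                        f"is for the return wing, not evidence of a wrong forward path")
    return "unclear", f"session {s.session_id} installed, rc {s.final_rc}"
```

    `diagnose(parse_flow_trace(TCP_TRACE))` returns the status "held" for the SIP trace and `diagnose(parse_flow_trace(ICMP_TRACE))` returns "forwarded"; the detail string names the lines that led to each verdict.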



  • 5.  RE: SRX SIP packets don't flow, ICMP does instead

    Posted 12-19-2016 10:00

    I would check your routing table to make sure the routing is correct.



  • 6.  RE: SRX SIP packets don't flow, ICMP does instead

    Posted 12-19-2016 23:08

    Some kind of magic

    ICMP packets flow via the default route and are NATed correctly:

    noc@j240-1> clear log dataflow.log

    noc@j240-1> show log dataflow.log
    Dec 20 03:54:21 03:54:21.777254:CID-0:RT:Installing s2c NP session wing
    Dec 20 03:54:22 03:54:21.777254:CID-0:RT:first path session installation succeeded
    Dec 20 03:54:22 03:54:21.777254:CID-0:RT:  flow got session.
    Dec 20 03:54:22 03:54:21.777254:CID-0:RT:  flow session id 161759
    Dec 20 03:54:22 03:54:21.777254:CID-0:RT: vector bits 0x1200 vector 0x4b9c7790
    Dec 20 03:54:22 03:54:21.777254:CID-0:RT:flow_xlate_pak
    Dec 20 03:54:22 03:54:21.777254:CID-0:RT:flow_handle_icmp_xlate
    Dec 20 03:54:22 03:54:21.777254:CID-0:RT:xlate_icmp_pak
    Dec 20 03:54:22 03:54:21.777254:CID-0:RT:  post addr xlation: x.x.x.21->10.3.7.82.
    Dec 20 03:54:22 03:54:21.777254:CID-0:RT:  post addr xlation: x.x.x.21->10.3.7.82.
    Dec 20 03:54:22 03:54:21.777254:CID-0:RT:skip pre-frag: is_tunnel_if- 0, is_if_mtu_configured- 0
    Dec 20 03:54:22 03:54:21.777254:CID-0:RT:mbuf 0x43ddf480, exit nh 0x5af722
    Dec 20 03:54:22 03:54:21.777746:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)

    Dec 20 03:54:22 03:54:21.778731:CID-0:RT:<10.3.7.82/4676->37.230.255.21/6139;1> matched filter pbxReverse:
    Dec 20 03:54:22 03:54:21.778744:CID-0:RT:packet [84] ipid = 6127, @0x43c9691c
    Dec 20 03:54:22 03:54:21.778768:CID-0:RT:---- flow_process_pkt: (thd 3): flow_ctxt type 15, common flag 0x0, mbuf 0x43c96700, rtbl_idx = 0
    Dec 20 03:54:22 03:54:21.778768:CID-0:RT: flow process pak fast ifl 71 in_ifp vlan.100
    Dec 20 03:54:22 03:54:21.778768:CID-0:RT:  vlan.100:10.3.7.82->x.x.x.21, icmp, (0/0)
    Dec 20 03:54:22 03:54:21.778768:CID-0:RT: find flow: table 0x524dccd0, hash 49754(0xffff), sa 10.3.7.82, da 37.230.255.21, sp 4676, dp 6139, proto 1, tok 7
    Dec 20 03:54:22 03:54:21.778863:CID-0:RT:Found: session id 0x277df. sess tok 7
    Dec 20 03:54:22 03:54:21.778863:CID-0:RT:  flow got session.
    Dec 20 03:54:22 03:54:21.778863:CID-0:RT:  flow session id 161759
    Dec 20 03:54:22 03:54:21.778863:CID-0:RT: vector bits 0x1200 vector 0x4b9c7790
    Dec 20 03:54:22 03:54:21.778863:CID-0:RT:flow_xlate_pak
    Dec 20 03:54:22 03:54:21.778863:CID-0:RT:flow_handle_icmp_xlate
    Dec 20 03:54:22 03:54:21.778863:CID-0:RT:xlate_icmp_pak
    Dec 20 03:54:22 03:54:21.778863:CID-0:RT:  post addr xlation: 10.3.7.82->192.168.77.122.
    Dec 20 03:54:22 03:54:21.778863:CID-0:RT:  post addr xlation: 10.3.7.82->192.168.77.122.
    Dec 20 03:54:22 03:54:21.778863:CID-0:RT:skip pre-frag: is_tunnel_if- 0, is_if_mtu_configured- 0
    Dec 20 03:54:22 03:54:21.778863:CID-0:RT:mbuf 0x43c96700, exit nh 0x130010
    Dec 20 03:54:22 03:54:21.778863:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)

    Dec 20 03:54:22 03:54:22.034944:CID-0:RT:jsf sess close notify
    Dec 20 03:54:22 03:54:22.034944:CID-0:RT:flow_ipv4_del_flow: sess 240312, in hash 32
    Dec 20 03:54:22 03:54:22.034944:CID-0:RT:flow_ipv4_del_flow: sess 240312, in hash 32
    Dec 20 03:54:22 03:54:22.035083:CID-0:RT:jsf sess close notify
    Dec 20 03:54:22 03:54:22.035083:CID-0:RT:flow_ipv4_del_flow: sess 221834, in hash 32
    Dec 20 03:54:22 03:54:22.035083:CID-0:RT:flow_ipv4_del_flow: sess 221834, in hash 32
    Dec 20 03:54:24 03:54:24.033782:CID-0:RT:jsf sess close notify
    Dec 20 03:54:24 03:54:24.033782:CID-0:RT:flow_ipv4_del_flow: sess 11191, in hash 32
    Dec 20 03:54:24 03:54:24.033782:CID-0:RT:flow_ipv4_del_flow: sess 11191, in hash 32
    Dec 20 03:54:24 03:54:24.033866:CID-0:RT:jsf sess close notify
    Dec 20 03:54:24 03:54:24.033866:CID-0:RT:flow_ipv4_del_flow: sess 161759, in hash 32
    Dec 20 03:54:24 03:54:24.033866:CID-0:RT:flow_ipv4_del_flow: sess 161759, in hash 32

    noc@j240-1> show route 10.3.7.82 detail

    inet.0: 32 destinations, 33 routes (32 active, 0 holddown, 0 hidden)
    0.0.0.0/0 (1 entry, 1 announced)
            *Static Preference: 5
                    Next hop type: Router, Next hop index: 1346
                    Address: 0x16183ec
                    Next-hop reference count: 4
                    Next hop: x.x.x.17 via vlan.100, selected
                    State: <Active Int Ext>
                    Age: 3w6d 14:45:25
                    Task: RT
                    Announcement bits (3): 0-KRT 4-Resolve tree 1 5-RT
                    AS path: I
                    AS path: Recorded

    noc@j240-1>

    But SIP goes the other way (as we saw in the previous post). Can someone tell me why?

    Full config attached

    ## Last commit: 2016-12-19 11:17:20 GMT+3 by noc
    version 12.1X47-D45.4;
    system {
        host-name j240-1;
        time-zone GMT+3;
        root-authentication {
            encrypted-password  ## SECRET-DATA
        }
        name-server {
            192.168.4.13;
            192.168.4.33;
        }
        login {
            user admin {
                uid 2000;
                class super-user;
                authentication {
                    encrypted-password  ## SECRET-DATA
                }
            }
            user noc {
                uid 1999;
                class super-user;
                authentication {
                    encrypted-password  ## SECRET-DATA
                }
            }
        }
        services {
            ssh;
            telnet;
            xnm-clear-text;
            web-management {
                https {
                    system-generated-certificate;
                    interface ge-0/0/15.0;
                }
            }
            dhcp {
                pool 172.16.253.0/24 {
                    address-range low 172.16.253.10 high 172.16.253.250;
                    maximum-lease-time 2419200;
                    default-lease-time 1209600;
                    name-server {
                        8.8.8.8;
                    }
                    router {
                        172.16.253.1;
                    }                       
                }
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
            file traffic-log {
                any any;
                match RT_FLOW_SESSION;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
        ntp {
            server 10.2.0.250;
        }
    }
    interfaces {
        traceoptions {
            file interface.log size 100k world-readable;
        }
        ge-0/0/0 {
            unit 0 {
                family ethernet-switching {
                    port-mode trunk;
                    vlan {
                        members [ vlan-100 vlan-101 ];
                    }
                }
            }
        }
        gr-0/0/0 {
            unit 0 {
                tunnel {                    
                    source 10.0.0.1;
                    destination 10.0.0.2;
                }
                family inet {
                    address 10.1.0.1/30;
                }
            }
        }
        ge-0/0/1 {
            speed 1g;
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-100;
                    }
                }
            }
        }
        ge-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-200;
                    }
                }
            }
        }
        ge-0/0/3 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/4 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/5 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/6 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/7 {                          
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/8 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/9 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/10 {
            unit 0 {
                family inet {
                    address 172.16.254.1/30;
                }
            }
        }
        ge-0/0/11 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/12 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/13 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/14 {
            unit 0 {
                family inet {
                    address 192.168.254.1/30;
                }
            }
        }
        ge-0/0/15 {
            unit 0 {
                family inet {
                    inactive: filter {
                        input JFLOW;        
                    }
                    address 10.2.0.249/30;
                }
            }
        }
        lo0 {
            unit 1 {
                family inet {
                    address 10.0.0.1/32;
                }
            }
        }
        st0 {
            unit 0 {
                family inet;
            }
        }
        vlan {
            inactive: unit 10 {
                family inet {
                    address 192.168.77.1/19;
                }
            }
            unit 100 {
                family inet {
                    filter {
                        input port-mirror;
                        output port-mirror;
                    }
                    address x.x.x.30/28;
                }
            }
            unit 101 {
                family inet {
                    address 172.16.253.1/24;
                }
            }
            unit 200 {
                family inet {
                    address 10.10.0.1/24;
                }
            }
        }
    }
    forwarding-options {
        sampling {
            input {
                rate 10;                    
                run-length 0;
            }
            family inet {
                output {
                    flow-inactive-timeout 15;
                    flow-active-timeout 60;
                    flow-server 10.2.0.62 {
                        port 2055;
                        version 5;
                    }
                }
            }
        }
        port-mirroring {
            input {
                rate 1;
                run-length 10;
            }
            family inet {
                output {
                    interface ge-0/0/14.0 {
                        next-hop 192.168.254.2;
                    }
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop x.x.x.17;
            route 10.0.0.2/32 next-hop st0.0;
        }
        router-id 10.0.0.1;
    }
    protocols {
        ospf {
            traceoptions {
                file ospf.log size 100k world-readable;
                flag all;
            }
            area 0.0.0.0 {
                interface gr-0/0/0.0;
            }
            area 0.0.0.100 {
                interface ge-0/0/15.0 {
                    hello-interval 3;
                    dead-interval 9;
                    authentication {        
                        md5 100 key  ## SECRET-DATA
                    }
                }
                inactive: interface vlan.10;
                peer-interface ge-0/0/15.0 {
                    hello-interval 3;
                    dead-interval 9;
                }
            }
        }
        stp {
            disable;
        }
    }
    security {
        ike {
            traceoptions {
                file ike.log size 100k files 2 world-readable;
                flag database;
                flag all;
            }
            proposal ike-prop-mikrotik {
                description mikrotik_gre_ipsec;
                authentication-method pre-shared-keys;
                dh-group group2;
                authentication-algorithm sha1;
                encryption-algorithm aes-128-cbc;
                lifetime-seconds 1800;
            }
            policy ike-policy {
                mode main;
                proposals ike-prop-mikrotik;
                pre-shared-key ascii-text ## SECRET-DATA
            }
            gateway ike-gw-ml {
                ike-policy ike-policy;
                address 176.126.42.134;
                dead-peer-detection {
                    always-send;
                    interval 10;
                    threshold 5;
                }
                no-nat-traversal;
                local-identity inet x.x.x.30;
                external-interface vlan.100;
            }
        }
        ipsec {                             
            traceoptions {
                flag all;
            }
            proposal ipsec-proposal {
                protocol esp;
                authentication-algorithm hmac-md5-96;
                encryption-algorithm aes-128-cbc;
                lifetime-seconds 1800;
            }
            policy ipsec-policy {
                perfect-forward-secrecy {
                    keys group2;
                }
                proposals ipsec-proposal;
            }
            vpn ml {
                bind-interface st0.0;
                ike {
                    gateway ike-gw-ml;
                    no-anti-replay;
                    proxy-identity {
                        local 10.0.0.1/32;
                        remote 10.0.0.2/32;
                        service any;
                    }
                    ipsec-policy ipsec-policy;
                }
                establish-tunnels immediately;
            }
        }
        address-book {
            global {
                address test 192.168.77.151/32;
                address network77 192.168.77.0/24;
                address ml 172.16.1.0/24;
                address vpn-gate 10.0.0.1/32;
                address office 192.168.4.0/22;
                address transit 10.2.0.248/30;
            }
        }
        flow {
            traceoptions {
                file dataflow.log size 10k files 2;
                flag basic-datapath;
                packet-filter pbx {
                    source-prefix 192.168.77.122/32;
                    destination-prefix 10.3.7.82/32;
                }                           
                packet-filter pbxReverse {
                    source-prefix 10.3.7.82/32;
                }
            }
        }
        inactive: screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                pool test {
                    address {
                        x.x.x.30/32;
                    }
                }
                pool PBX {
                    address {
                        x.x.x.21/32;
                    }
                }
                rule-set NAT {
                    from zone trust;
                    to zone untrust;
                    rule NAT-PBX {
                        match {
                            source-address 192.168.77.122/32;
                        }
                        then {
                            source-nat {
                                pool {      
                                    PBX;
                                    persistent-nat {
                                        permit target-host;
                                        inactivity-timeout 7200;
                                    }
                                }
                            }
                        }
                    }
                    rule NAT-all {
                        match {
                            source-address [ 192.168.77.0/24 192.168.4.0/22 10.1.1.0/24 10.2.0.0/20 ];
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
                rule-set dmz-nat {
                    from zone dmz;
                    to zone untrust;
                    rule nat {
                        match {
                            source-address 172.16.254.0/30;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                    rule 1 {
                        match {
                            source-address 172.16.253.0/24;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
            static {
                rule-set static {
                    from zone untrust;      
                    rule 1 {
                        match {
                            destination-address x.x.x.30/32;
                            destination-port 10111;
                        }
                        then {
                            static-nat {
                                prefix {
                                    192.168.77.11/32;
                                    mapped-port 10101;
                                }
                            }
                        }
                    }
                    rule 2 {
                        match {
                            destination-address x.x.x.30/32;
                            destination-port 10121;
                        }
                        then {
                            static-nat {
                                prefix {
                                    192.168.77.12/32;
                                    mapped-port 10101;
                                }
                            }
                        }
                    }
                    rule 3 {
                        match {
                            destination-address x.x.x.30/32;
                            destination-port 10131;
                        }
                        then {
                            static-nat {
                                prefix {
                                    192.168.77.13/32;
                                    mapped-port 10101;
                                }
                            }
                        }
                    }
                    rule 4 {
                        match {
                            destination-address x.x.x.30/32;
                            destination-port 10141;
                        }
                        then {              
                            static-nat {
                                prefix {
                                    192.168.77.14/32;
                                    mapped-port 10141;
                                }
                            }
                        }
                    }
                    rule 5 {
                        match {
                            destination-address x.x.x.30/32;
                            destination-port 10151;
                        }
                        then {
                            static-nat {
                                prefix {
                                    192.168.77.15/32;
                                    mapped-port 10101;
                                }
                            }
                        }
                    }
                    rule 6 {
                        match {
                            destination-address x.x.x.30/32;
                            destination-port 10161;
                        }
                        then {
                            static-nat {
                                prefix {
                                    192.168.77.16/32;
                                    mapped-port 10101;
                                }
                            }
                        }
                    }
                    rule 7 {
                        match {
                            destination-address x.x.x.30/32;
                            destination-port 10171;
                        }
                        then {
                            static-nat {
                                prefix {
                                    192.168.77.17/32;
                                    mapped-port 10101;
                                }
                            }               
                        }
                    }
                    rule 8 {
                        match {
                            destination-address x.x.x.30/32;
                            destination-port 10181;
                        }
                        then {
                            static-nat {
                                prefix {
                                    192.168.77.18/32;
                                    mapped-port 10101;
                                }
                            }
                        }
                    }
                    rule 9 {
                        match {
                            destination-address x.x.x.30/32;
                            destination-port 10191;
                        }
                        then {
                            static-nat {
                                prefix {
                                    192.168.77.19/32;
                                    mapped-port 10101;
                                }
                            }
                        }
                    }
                    rule 10 {
                        match {
                            destination-address x.x.x.30/32;
                            destination-port 10201;
                        }
                        then {
                            static-nat {
                                prefix {
                                    192.168.77.20/32;
                                    mapped-port 10101;
                                }
                            }
                        }
                    }
                    rule 11 {
                        match {
                            destination-address x.x.x.30/32;
                            destination-port 10211;
                        }
                        then {
                            static-nat {
                                prefix {
                                    192.168.77.21/32;
                                    mapped-port 10101;
                                }
                            }
                        }
                    }
                    rule 12 {
                        match {
                            destination-address x.x.x.30/32;
                            destination-port 551 to 552;
                        }
                        then {
                            static-nat {
                                prefix {
                                    192.168.77.22/32;
                                    mapped-port 551 to 552;
                                }
                            }
                        }
                    }
                    rule 13 {
                        match {
                            destination-address x.x.x.30/32;
                            destination-port 10231;
                        }
                        then {
                            static-nat {
                                prefix {
                                    192.168.77.23/32;
                                    mapped-port 10101;
                                }
                            }
                        }
                    }
                    rule 14 {
                        match {
                            destination-address x.x.x.30/32;
                            destination-port 10241;
                        }
                        then {
                            static-nat {
                                prefix {
                                    192.168.77.24/32;
                                    mapped-port 10101;
                                }
                            }
                        }
                    }
                    rule 15 {
                        match {
                            destination-address x.x.x.30/32;
                            destination-port 10251;
                        }
                        then {
                            static-nat {
                                prefix {
                                    192.168.77.25/32;
                                    mapped-port 10101;
                                }
                            }
                        }
                    }
                    rule 16 {
                        match {
                            destination-address x.x.x.30/32;
                            destination-port 10261;
                        }
                        then {
                            static-nat {
                                prefix {
                                    192.168.77.26/32;
                                    mapped-port 10101;
                                }
                            }
                        }
                    }
                    rule 17 {
                        match {
                            destination-address x.x.x.30/32;
                            destination-port 10271;
                        }
                        then {
                            static-nat {
                                prefix {
                                    192.168.77.27/32;
                                    mapped-port 10101;
                                }
                            }
                        }
                    }
                    rule 18 {
                        match {             
                            destination-address x.x.x.30/32;
                            destination-port 10281;
                        }
                        then {
                            static-nat {
                                prefix {
                                    192.168.77.28/32;
                                    mapped-port 10101;
                                }
                            }
                        }
                    }
                    rule 19 {
                        match {
                            destination-address x.x.x.30/32;
                            destination-port 10182;
                        }
                        then {
                            static-nat {
                                prefix {
                                    192.168.77.18/32;
                                    mapped-port 10102;
                                }
                            }
                        }
                    }
                    rule 20 {
                        match {
                            destination-address x.x.x.30/32;
                            destination-port 8080;
                        }
                        then {
                            static-nat {
                                prefix {
                                    192.168.77.236/32;
                                    mapped-port 8080;
                                }
                            }
                        }
                    }
                    rule 21 {
                        match {
                            destination-address x.x.x.30/32;
                            destination-port 10142;
                        }
                        then {
                            static-nat {
                                prefix {    
                                    192.168.77.14/32;
                                    mapped-port 10102;
                                }
                            }
                        }
                    }
                    rule 22 {
                        match {
                            destination-address x.x.x.30/32;
                            destination-port 10282;
                        }
                        then {
                            static-nat {
                                prefix {
                                    192.168.77.28/32;
                                    mapped-port 10102;
                                }
                            }
                        }
                    }
                    rule 23 {
                        match {
                            destination-address x.x.x.30/32;
                            destination-port 10172;
                        }
                        then {
                            static-nat {
                                prefix {
                                    192.168.77.17/32;
                                    mapped-port 10102;
                                }
                            }
                        }
                    }
                    rule 25 {
                        match {
                            destination-address x.x.x.30/32;
                            destination-port 20301;
                        }
                        then {
                            static-nat {
                                prefix {
                                    192.168.77.30/32;
                                    mapped-port 10101;
                                }
                            }
                        }
                    }                       
                    rule 26 {
                        match {
                            destination-address x.x.x.30/32;
                            destination-port 10112;
                        }
                        then {
                            static-nat {
                                prefix {
                                    192.168.77.11/32;
                                    mapped-port 10102;
                                }
                            }
                        }
                    }
                    rule 27 {
                        match {
                            destination-address x.x.x.30/32;
                            destination-port 585;
                        }
                        then {
                            static-nat {
                                prefix {
                                    192.168.77.236/32;
                                    mapped-port 585;
                                }
                            }
                        }
                    }
                    rule 28 {
                        match {
                            destination-address x.x.x.30/32;
                            destination-port 8876;
                        }
                        then {
                            static-nat {
                                prefix {
                                    192.168.77.77/32;
                                    mapped-port 8876;
                                }
                            }
                        }
                    }
                    rule 29 {
                        match {
                            destination-address x.x.x.30/32;
                            destination-port 6020 to 6021;
                        }
                        then {              
                            static-nat {
                                prefix {
                                    192.168.77.36/32;
                                    mapped-port 5920 to 5921;
                                }
                            }
                        }
                    }
                    rule 30 {
                        match {
                            destination-address x.x.x.30/32;
                            destination-port 8032;
                        }
                        then {
                            static-nat {
                                prefix {
                                    192.168.77.32/32;
                                    mapped-port 80;
                                }
                            }
                        }
                    }
                    rule 31 {
                        match {
                            destination-address x.x.x.30/32;
                            destination-port 8089;
                        }
                        then {
                            static-nat {
                                prefix {
                                    192.168.77.69/32;
                                    mapped-port 8089;
                                }
                            }
                        }
                    }
                    rule 32 {
                        match {
                            destination-address x.x.x.30/32;
                            destination-port 8090;
                        }
                        then {
                            static-nat {
                                prefix {
                                    192.168.77.70/32;
                                    mapped-port 8090;
                                }
                            }               
                        }
                    }
                    rule 33 {
                        match {
                            destination-address x.x.x.30/32;
                            destination-port 8085;
                        }
                        then {
                            static-nat {
                                prefix {
                                    192.168.77.22/32;
                                    mapped-port 8085;
                                }
                            }
                        }
                    }
                    rule 34 {
                        match {
                            destination-address x.x.x.30/32;
                            destination-port 70;
                        }
                        then {
                            static-nat {
                                prefix {
                                    192.168.77.75/32;
                                    mapped-port 70;
                                }
                            }
                        }
                    }
                    rule 35 {
                        match {
                            destination-address x.x.x.30/32;
                            destination-port 8091;
                        }
                        then {
                            static-nat {
                                prefix {
                                    192.168.77.184/32;
                                    mapped-port 8091;
                                }
                            }
                        }
                    }
                    rule 36 {
                        match {
                            destination-address x.x.x.30/32;
                            destination-port 8088;
                        }
                        then {
                            static-nat {
                                prefix {
                                    192.168.77.77/32;
                                    mapped-port 80;
                                }
                            }
                        }
                    }
                    rule 37 {
                        match {
                            destination-address x.x.x.30/32;
                            destination-port 2401;
                        }
                        then {
                            static-nat {
                                prefix {
                                    192.168.77.2/32;
                                    mapped-port 3389;
                                }
                            }
                        }
                    }
                    rule 38 {
                        match {
                            destination-address x.x.x.30/32;
                            destination-port 1082;
                        }
                        then {
                            static-nat {
                                prefix {
                                    192.168.77.88/32;
                                    mapped-port 80;
                                }
                            }
                        }
                    }
                    rule 39 {
                        match {
                            destination-address x.x.x.30/32;
                            destination-port 23389;
                        }
                        then {
                            static-nat {
                                prefix {
                                    192.168.77.131/32;
                                    mapped-port 3389;
                                }
                            }
                        }
                    }
                    rule 40 {
                        match {
                            destination-address x.x.x.30/32;
                            destination-port 28080;
                        }
                        then {
                            static-nat {
                                prefix {
                                    192.168.77.131/32;
                                    mapped-port 8080;
                                }
                            }
                        }
                    }
                    rule 41 {
                        match {
                            destination-address x.x.x.30/32;
                            destination-port 8071;
                        }
                        then {
                            static-nat {
                                prefix {
                                    192.168.77.135/32;
                                    mapped-port 8071;
                                }
                            }
                        }
                    }
                    rule 42 {
                        match {
                            destination-address x.x.x.30/32;
                            destination-port 577;
                        }
                        then {
                            static-nat {
                                prefix {
                                    192.168.77.135/32;
                                    mapped-port 577;
                                }
                            }
                        }
                    }
                    rule 43 {
                        match {             
                            destination-address x.x.x.30/32;
                            destination-port 600 to 601;
                        }
                        then {
                            static-nat {
                                prefix {
                                    192.168.77.69/32;
                                    mapped-port 600 to 601;
                                }
                            }
                        }
                    }
                    rule 44 {
                        match {
                            destination-address x.x.x.30/32;
                            destination-port 602 to 603;
                        }
                        then {
                            static-nat {
                                prefix {
                                    192.168.77.70/32;
                                    mapped-port 602 to 603;
                                }
                            }
                        }
                    }
                    rule 45 {
                        match {
                            destination-address x.x.x.30/32;
                            destination-port 605 to 606;
                        }
                        then {
                            static-nat {
                                prefix {
                                    192.168.77.184/32;
                                    mapped-port 605 to 606;
                                }
                            }
                        }
                    }
                    rule 46 {
                        match {
                            source-address [ 78.24.182.194/32 x.x.x.250/32 213.219.235.45/32 ];
                            destination-address x.x.x.21/32;
                            destination-port 5000 to 6000;
                        }
                        then {
                            static-nat {    
                                prefix {
                                    192.168.77.122/32;
                                    mapped-port 5000 to 6000;
                                }
                            }
                        }
                    }
                    rule 47 {
                        match {
                            inactive: source-address [ 78.24.182.194/32 x.x.x.250/32 213.219.235.45/32 ];
                            destination-address x.x.x.21/32;
                            destination-port 10000 to 20000;
                        }
                        then {
                            static-nat {
                                prefix {
                                    192.168.77.122/32;
                                    mapped-port 10000 to 20000;
                                }
                            }
                        }
                    }
                    rule 48 {
                        match {
                            destination-address x.x.x.30/32;
                            destination-port 6080 to 6081;
                        }
                        then {
                            static-nat {
                                prefix {
                                    192.168.77.135/32;
                                    mapped-port 3080 to 3081;
                                }
                            }
                        }
                    }
                    rule 49 {
                        match {
                            destination-address x.x.x.30/32;
                            destination-port 7783;
                        }
                        then {
                            static-nat {
                                prefix {
                                    192.168.77.83/32;
                                    mapped-port 443;
                                }
                            }               
                        }
                    }
                    rule 50 {
                        match {
                            destination-address x.x.x.30/32;
                            destination-port 7784;
                        }
                        then {
                            static-nat {
                                prefix {
                                    192.168.77.84/32;
                                    mapped-port 443;
                                }
                            }
                        }
                    }
                }
            }
            proxy-arp {
                interface vlan.100 {
                    address {
                        x.x.x.21/32;
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone untrust {
                policy internet-access {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }                       
                    then {
                        permit;
                    }
                }
            }
            from-zone untrust to-zone trust {
                policy 123 {
                    match {
                        source-address any;
                        destination-address network77;
                        application any;
                        source-identity any;
                    }
                    then {
                        permit;
                        count;
                    }
                }
            }
            from-zone trust to-zone trust {
                policy allowall {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            inactive: from-zone trust to-zone vpn {
                policy allow-any {
                    match {
                        source-address network77;
                        destination-address ml;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            inactive: from-zone vpn to-zone trust {
                policy allow-any {
                    match {
                        source-address ml;
                        destination-address network77;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone dmz to-zone untrust {
                policy permit-all {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    inactive: vlan.10;
                    ge-0/0/15.0;
                    lo0.1;
                    st0.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                    gr-0/0/0.0;
                }
            }
            security-zone untrust {         
                inactive: screen untrust-screen;
                host-inbound-traffic {
                    system-services {
                        ike;
                        ping;
                    }
                    protocols {
                        ospf;
                    }
                }
                interfaces {
                    vlan.100;
                    vlan.200;
                    ge-0/0/14.0;
                }
            }
            security-zone dmz {
                interfaces {
                    ge-0/0/10.0;
                    vlan.101 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                            }
                        }
                    }
                }
            }
        }
    }
    firewall {
        family inet {
            filter JFLOW {
                term 0 {
                    then {
                        count JFLOW;
                        sample;
                        accept;
                    }
                }
            }
        }
        filter port-mirror {
            term 1 {
                then {
                    port-mirror;
                    accept;
                }                           
            }
            term 2 {
                then accept;
            }
        }
    }
    
    services {
        flow-monitoring;
        user-identification {
            active-directory-access {
                domain blablabla.com {
                    user {
                        juniper;
                        password ## SECRET-DATA
                    }
                    domain-controller dc1 {
                        address 192.168.4.13;
                    }
                    user-group-mapping {
                        ldap {
                            base DC=blablabla,DC=com;
                        }
                    }
                }
            }
        }
    }
    vlans {
        inactive: vlan-10 {
            vlan-id 10;
            l3-interface vlan.10;
        }
        vlan-100 {
            vlan-id 100;
            l3-interface vlan.100;
        }
        vlan-101 {
            vlan-id 101;
            l3-interface vlan.101;
        }
        vlan-200 {
            vlan-id 200;
            l3-interface vlan.200;
        }
    }
    
    noc@j240-1> 

  • 7.  RE: SRX SIP packets doesnt flow, instead ICMP
    Best Answer

    Posted 12-20-2016 09:40

    Where does 10.3.7.82 route to? With SIP, the firewall ALG will look at the IP of the SIP message and NAT/route according to that.
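To make the point in this answer concrete, here is an added Python example (not code from the thread, from the poster's SRX, or from Juniper). It builds a constructed INVITE as the PBX at 192.168.77.122 would send it to 10.3.7.82, lists every address a SIP ALG has to inspect (Request-URI, Via, Contact, and the SDP o=/c=/m= lines), marks which of them a source-NAT ALG rewrites to the pool address 37.230.255.21, and then does a longest-prefix lookup of the peer address against a constructed routing table, once with only a default route over vlan.100 and once with a hypothetical 10.0.0.0/8 route over st0.0, so you can see how the address embedded in the SIP message, not the outer packet header, decides the egress interface and zone. The routing tables, Call-ID, tags and Via branch are assumptions.

```python
import ipaddress
import re

# Constructed INVITE as the PBX at 192.168.77.122 would send it before NAT.
# Call-ID, tags and the Via branch are made-up values.
def build_invite(inside_ip, peer_ip, rtp_port=10000):
    body = (
        "v=0\r\n"
        f"o=pbx 1 1 IN IP4 {inside_ip}\r\n"
        "s=call\r\n"
        f"c=IN IP4 {inside_ip}\r\n"
        "t=0 0\r\n"
        f"m=audio {rtp_port} RTP/AVP 0\r\n"
    )
    head = (
        f"INVITE sip:100@{peer_ip} SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {inside_ip}:5060;branch=z9hG4bK-example\r\n"
        f"From: <sip:pbx@{inside_ip}>;tag=example-from\r\n"
        f"To: <sip:100@{peer_ip}>\r\n"
        f"Call-ID: example-call-id@{inside_ip}\r\n"
        "CSeq: 1 INVITE\r\n"
        f"Contact: <sip:pbx@{inside_ip}:5060>\r\n"
        "Content-Type: application/sdp\r\n"
        f"Content-Length: {len(body.encode())}\r\n"
    )
    return head + "\r\n" + body

ADDR_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?")

def parse_sip(msg):
    """Split a SIP message into request line, [(header, value)], body."""
    head, _, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body

def embedded_addresses(msg):
    """Every (location, ip, port) an ALG has to look at: the Request-URI host,
    Via and Contact, and the SDP o=/c= addresses plus the m= media port."""
    request_line, headers, body = parse_sip(msg)
    found = []
    m = ADDR_RE.search(request_line)
    if m:
        found.append(("request-uri", m.group(1), None))
    for name, value in headers:
        if name in ("via", "contact"):
            m = ADDR_RE.search(value)
            if m:
                found.append((name, m.group(1), int(m.group(2)) if m.group(2) else None))
    conn_ip = None
    for line in body.split("\r\n"):
        if line[:2] in ("o=", "c="):
            m = ADDR_RE.search(line)
            if m:
                found.append((line[:2], m.group(1), None))
                if line.startswith("c="):
                    conn_ip = m.group(1)
        elif line.startswith("m="):
            found.append(("m=", conn_ip, int(line.split()[1])))
    return found

def alg_rewrites(msg, inside_ip, nat_ip):
    """Addresses a source-NAT SIP ALG must rewrite from the inside host to the
    pool address; everything else is left as-is and used for routing."""
    return [(loc, ip, port, nat_ip) for loc, ip, port in embedded_addresses(msg)
            if ip == inside_ip]

def route_lookup(table, ip):
    """Longest-prefix match over [(prefix, interface, zone)]; returns (interface, zone)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface, zone in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, zone)
    return (best[1], best[2]) if best else None

# Constructed routing tables (assumptions, not the poster's actual routes):
# the intended one, and one where a 10.0.0.0/8 route over st0.0 also exists.
ROUTES = [("0.0.0.0/0", "vlan.100", "untrust"),
          ("192.168.77.0/24", "ge-0/0/15.0", "trust")]
ROUTES_WITH_VPN = ROUTES + [("10.0.0.0/8", "st0.0", "trust")]

def diagnose(msg, inside_ip, nat_ip, table):
    """Summarise what the ALG rewrites and where the peer address routes."""
    peer_ip = embedded_addresses(msg)[0][1]   # host from the Request-URI
    return {
        "rewrites": alg_rewrites(msg, inside_ip, nat_ip),
        "peer_is_private": ipaddress.ip_address(peer_ip).is_private,
        "peer_route": route_lookup(table, peer_ip),
    }

if __name__ == "__main__":
    invite = build_invite("192.168.77.122", "10.3.7.82")
    for table in (ROUTES, ROUTES_WITH_VPN):
        print(diagnose(invite, "192.168.77.122", "37.230.255.21", table))
```

With only the default route the peer 10.3.7.82 resolves to vlan.100 in zone untrust, which matches the trust-to-untrust source NAT rule; with the extra 10/8 route it resolves to st0.0 in zone trust, so the ALG-created sessions would not go through that NAT rule at all. That is the check this answer asks for: compare the route for the address inside the SIP message with the interface the outer session is expected to leave on.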