  • 1.  SRX destination nat problem

    Posted 10-05-2012 07:41

    Hi!

    I have an SRX100 (12.1R3.5) and am trying to make some destination NAT rules (port map) to terminal servers behind the SRX, and I can't really identify the problem.

    Dst NAT config

    root@srx100-spb# show security nat destination | display set
    set security nat destination pool TS address 10.241.1.210/32
    set security nat destination pool TS address port 3389
    set security nat destination pool HV2 address 10.241.1.251/32
    set security nat destination pool HV2 address port 33892
    set security nat destination pool KC-10 address 10.241.1.128/32
    set security nat destination pool KC-10 address port 3389
    set security nat destination rule-set dst-nat from zone untrust
    set security nat destination rule-set dst-nat rule TS match destination-address 188.134.103.xx/32
    set security nat destination rule-set dst-nat rule TS match destination-port 3389
    set security nat destination rule-set dst-nat rule TS then destination-nat pool TS
    set security nat destination rule-set dst-nat rule HV2 match destination-address 188.134.103.xx/32
    set security nat destination rule-set dst-nat rule HV2 match destination-port 33892
    set security nat destination rule-set dst-nat rule HV2 then destination-nat pool HV2
    set security nat destination rule-set dst-nat rule KC-24 match destination-address 188.134.103.xx/32
    set security nat destination rule-set dst-nat rule KC-24 match destination-port 33824
    set security nat destination rule-set dst-nat rule KC-24 then destination-nat pool KC-24
    set security nat destination rule-set dst-nat rule KC-10 match destination-address 188.134.103.xx/32
    set security nat destination rule-set dst-nat rule KC-10 match destination-port 33810
    set security nat destination rule-set dst-nat rule KC-10 then destination-nat pool KC-10
    security zones config

    root@srx100-spb# ...from-zone untrust to-zone trust | display set
    set security policies from-zone untrust to-zone trust policy RDP_Policy match source-address any
    set security policies from-zone untrust to-zone trust policy RDP_Policy match destination-address KC-10
    set security policies from-zone untrust to-zone trust policy RDP_Policy match destination-address HV2
    set security policies from-zone untrust to-zone trust policy RDP_Policy match destination-address TS
    set security policies from-zone untrust to-zone trust policy RDP_Policy match application RDP_33810
    set security policies from-zone untrust to-zone trust policy RDP_Policy match application RDP_33892
    set security policies from-zone untrust to-zone trust policy RDP_Policy match application RDP_3389
    set security policies from-zone untrust to-zone trust policy RDP_Policy then permit
    set security policies from-zone untrust to-zone trust policy SIP_policy match source-address any
    set security policies from-zone untrust to-zone trust policy SIP_policy match destination-address Asterisk_host
    set security policies from-zone untrust to-zone trust policy SIP_policy match application any
    set security policies from-zone untrust to-zone trust policy SIP_policy then permit
    Applications config

    root@srx100-spb# show applications | display set
    set applications application RDP_3389 protocol tcp
    set applications application RDP_3389 destination-port 3389
    set applications application RDP_33891 protocol tcp
    set applications application RDP_33891 destination-port 33891
    set applications application RDP_33892 protocol tcp
    set applications application RDP_33892 destination-port 33891
    set applications application RDP_33824 protocol tcp
    set applications application RDP_33824 destination-port 33824
    set applications application RDP_33810 protocol tcp
    set applications application RDP_33810 destination-port 33810

    Connection to 188.134.103.xx:3389 works great; I see the Windows logon.

    Connections to 188.134.103.xx:33892 or 188.134.103.xx:33810 don't work at all!

    I can see hits on the pools and rules, but can't connect!

    root@srx100-spb# run show security nat destination pool all
    Total destination-nat pools: 5

    Pool name       : TS
    Pool id         : 1
    Total address   : 1
    Translation hits: 11
    Address range                        Port
       10.241.1.210 - 10.241.1.210       3389

    Pool name       : HV
    Pool id         : 2
    Total address   : 1
    Translation hits: 0
    Address range                        Port
       10.241.1.240 - 10.241.1.240      33891

    Pool name       : HV2
    Pool id         : 3
    Total address   : 1
    Translation hits: 15
    Address range                        Port
       10.241.1.251 - 10.241.1.251      33892

    Pool name       : KC-24
    Pool id         : 4
    Total address   : 1
    Translation hits: 3
    Address range                        Port
       10.241.1.140 - 10.241.1.140       3389

    Pool name       : KC-10
    Pool id         : 5
    Total address   : 1
    Translation hits: 30
    Address range                        Port
       10.241.1.128 - 10.241.1.128       3389
    root@srx100-spb# run show security nat destination rule all
    Total destination-nat rules: 5
    Total referenced IPv4/IPv6 ip-prefixes: 5/0

    Destination NAT rule: TS                   Rule-set: dst-nat
      Rule-Id                    : 1
      Rule position              : 1
      From zone                  : untrust
        Destination addresses    : 188.134.103.xx  - 188.134.103.xx

      Destination port           : 3389
      Action                     : TS
      Translation hits           : 11

    Destination NAT rule: HV                   Rule-set: dst-nat
      Rule-Id                    : 2
      Rule position              : 2
      From zone                  : untrust
        Destination addresses    : 188.134.103.xx  - 188.134.103.xx

      Destination port           : 33891
      Action                     : HV
      Translation hits           : 0

    Destination NAT rule: HV2                  Rule-set: dst-nat
      Rule-Id                    : 3
      Rule position              : 3
      From zone                  : untrust
        Destination addresses    : 188.134.103.xx  - 188.134.103.xx

      Destination port           : 33892
      Action                     : HV2
      Translation hits           : 15

    Destination NAT rule: KC-24                Rule-set: dst-nat
      Rule-Id                    : 4
      Rule position              : 4
      From zone                  : untrust
        Destination addresses    : 188.134.103.xx  - 188.134.103.xx

      Destination port           : 33824
      Action                     : KC-24
      Translation hits           : 3

    Destination NAT rule: KC-10                Rule-set: dst-nat
      Rule-Id                    : 5
      Rule position              : 5
      From zone                  : untrust
        Destination addresses    : 188.134.103.xx  - 188.134.103.xx

      Destination port           : 33810
      Action                     : KC-10
      Translation hits           : 30

    Any ideas? Any assistance? I'm really going crazy =(

    Thanks!

    P.S. All terminal servers accept connections on the NON-default port from other internal network clients.


  • 2.  RE: SRX destination nat problem
    Best Answer

    Posted 10-05-2012 08:38
    Here's the problem for HV2 at least:
    set applications application RDP_33892 destination-port 33891


    Can't figure out KC-10 though; that looks like it should work. Can you confirm that the internal KC-10 server itself is listening on port 3389? Inbound traffic to port 33810 on the public IP will be port-translated to 3389 according to your NAT config.
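The order Spud's answer relies on, as an added example that is not part of this thread or of Junos: a small model of SRX first-packet handling that applies destination NAT before the security-policy lookup, so the policy is evaluated against the translated address and port. It parses the thread's own `set` statements. The public IP (198.51.100.10 in place of the redacted 188.134.103.xx), the address-book entries and the `parse_config`/`first_packet`/`outcomes` names are assumptions of the example, and the wrong KC-10 address-book entry is a constructed guess at the kind of mistake that yields a policy deny after a successful translation.

```python
"""Added example (not Juniper's code). An SRX applies destination NAT before the
security-policy lookup, so the policy must match the translated address and port.
The public IP and the address-book entries are constructed assumptions."""
import ipaddress

PUBLIC_IP = "198.51.100.10"  # constructed stand-in for the redacted 188.134.103.xx
BASE_CONFIG = f"""
set security nat destination pool TS address 10.241.1.210/32
set security nat destination pool TS address port 3389
set security nat destination pool HV2 address 10.241.1.251/32
set security nat destination pool HV2 address port 33892
set security nat destination pool KC-10 address 10.241.1.128/32
set security nat destination pool KC-10 address port 3389
set security nat destination rule-set dst-nat rule TS match destination-address {PUBLIC_IP}/32
set security nat destination rule-set dst-nat rule TS match destination-port 3389
set security nat destination rule-set dst-nat rule TS then destination-nat pool TS
set security nat destination rule-set dst-nat rule HV2 match destination-address {PUBLIC_IP}/32
set security nat destination rule-set dst-nat rule HV2 match destination-port 33892
set security nat destination rule-set dst-nat rule HV2 then destination-nat pool HV2
set security nat destination rule-set dst-nat rule KC-10 match destination-address {PUBLIC_IP}/32
set security nat destination rule-set dst-nat rule KC-10 match destination-port 33810
set security nat destination rule-set dst-nat rule KC-10 then destination-nat pool KC-10
set applications application RDP_3389 destination-port 3389
set security policies from-zone untrust to-zone trust policy RDP_Policy match destination-address KC-10
set security policies from-zone untrust to-zone trust policy RDP_Policy match destination-address HV2
set security policies from-zone untrust to-zone trust policy RDP_Policy match destination-address TS
set security policies from-zone untrust to-zone trust policy RDP_Policy match application RDP_33892
set security policies from-zone untrust to-zone trust policy RDP_Policy match application RDP_3389
set security policies from-zone untrust to-zone trust policy RDP_Policy then permit
set security zones security-zone trust address-book address TS 10.241.1.210/32
set security zones security-zone trust address-book address HV2 10.241.1.251/32
"""
# As posted: RDP_33892 has the wrong port. The KC-10 address-book entry pointing
# at the wrong host is a constructed guess at the thread's "wrong addresses".
BROKEN = """
set applications application RDP_33892 destination-port 33891
set security zones security-zone trust address-book address KC-10 10.241.1.129/32
"""
FIXED = """
set applications application RDP_33892 destination-port 33892
set security zones security-zone trust address-book address KC-10 10.241.1.128/32
"""

def parse_config(text):
    """Pools, ordered NAT rules, TCP apps (name -> port), address book, ordered policies."""
    cfg = {"pools": {}, "rules": {}, "apps": {}, "book": {}, "policies": {}}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[1:5] == ["security", "nat", "destination", "pool"]:
            pool = cfg["pools"].setdefault(t[5], {"ip": None, "port": None})
            if t[7] == "port":
                pool["port"] = int(t[8])
            else:
                pool["ip"] = ipaddress.ip_interface(t[7]).ip
        elif t[1:5] == ["security", "nat", "destination", "rule-set"] and t[6] == "rule":
            rule = cfg["rules"].setdefault(t[7], {"dst": None, "port": None, "pool": None})
            if t[9] == "destination-address":
                rule["dst"] = ipaddress.ip_interface(t[10]).ip
            elif t[9] == "destination-port":
                rule["port"] = int(t[10])
            elif t[9] == "destination-nat":
                rule["pool"] = t[11]
        elif t[1] == "applications" and t[4] == "destination-port":
            cfg["apps"][t[3]] = int(t[5])
        elif t[1:3] == ["security", "zones"] and t[5] == "address-book":
            cfg["book"][t[7]] = ipaddress.ip_interface(t[8]).ip
        elif t[1:3] == ["security", "policies"]:
            pol = cfg["policies"].setdefault(t[8], {"dst": set(), "apps": set(), "action": None})
            if t[9] == "then":
                pol["action"] = t[10]
            elif t[10] == "destination-address":
                pol["dst"].add(t[11])
            elif t[10] == "application":
                pol["apps"].add(t[11])
    return cfg

def first_packet(cfg, dst_ip, dst_port):
    """One inbound TCP SYN: dst-NAT first (first matching rule wins), then policy on the translated tuple."""
    x_ip, x_port = ipaddress.ip_address(dst_ip), dst_port
    for rule in cfg["rules"].values():
        if rule["dst"] == x_ip and rule["port"] in (None, dst_port):
            pool = cfg["pools"][rule["pool"]]
            x_ip, x_port = pool["ip"], pool["port"] or x_port
            break
    for pol in cfg["policies"].values():  # policy search sees x_dst_ip / pool port
        addr_ok = "any" in pol["dst"] or any(cfg["book"].get(n) == x_ip for n in pol["dst"])
        app_ok = "any" in pol["apps"] or any(cfg["apps"].get(a) == x_port for a in pol["apps"])
        if addr_ok and app_ok:
            return str(x_ip), x_port, pol["action"]
    return str(x_ip), x_port, "deny (default)"  # no policy matched the translated tuple

def outcomes(config_text):
    """{public port: (translated ip, translated port, verdict)} for the thread's three ports."""
    cfg = parse_config(config_text)
    return {port: first_packet(cfg, PUBLIC_IP, port) for port in (3389, 33892, 33810)}

if __name__ == "__main__":
    print({k: outcomes(BASE_CONFIG + v) for k, v in (("as posted", BROKEN), ("fixed", FIXED))})
```

Run as posted, the 33892 flow is denied because RDP_33892 carries port 33891, and the 33810 flow is denied because no address-book entry resolves to the translated 10.241.1.128; with FIXED all three permit. The check to take away: the policy's destination-address and application must match x_dst_ip and the pool port, not the public address and the port the client dialled.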



  • 3.  RE: SRX destination nat problem

    Posted 10-05-2012 08:45

    @Spud wrote:
    Here's the problem for HV2 at least:
    set applications application RDP_33892 destination-port 33891


    omg, I'm an idiot...

    thanks!

    33892 now working.

    33810 - no =(



  • 4.  RE: SRX destination nat problem

    Posted 10-05-2012 08:49

    Can you post the relevant address book entries for your trust zone?



  • 5.  RE: SRX destination nat problem

    Posted 10-05-2012 09:58

    @Spud wrote:

    Can you post the relevant address book entries for your trust zone?


    no, I'm an idiot once more.

    wrong addresses.

    Thank you!



  • 6.  RE: SRX destination nat problem

    Posted 10-05-2012 10:01

    One more question about destination NAT:

    what is the best way to publish a PPTP server?

    TCP 1723 is no problem, but how do I NAT GRE?



  • 7.  RE: SRX destination nat problem

    Posted 10-07-2012 22:58

    added:

    set security nat destination rule-set dst-nat rule PPTP_Server match source-address 0.0.0.0/0
    set security nat destination rule-set dst-nat rule PPTP_Server match destination-address 10.241.1.205/32
    set security nat destination rule-set dst-nat rule PPTP_Server match destination-port 1723
    set security nat destination rule-set dst-nat rule PPTP_Server then destination-nat pool RRAS


    set security policies from-zone untrust to-zone trust policy PPTP match source-address any
    set security policies from-zone untrust to-zone trust policy PPTP match destination-address RRAS_server
    set security policies from-zone untrust to-zone trust policy PPTP match application junos-pptp
    set security policies from-zone untrust to-zone trust policy PPTP then permit

    tried with

    set security alg pptp disabled

    or

    set security alg pptp enabled

    no luck: neither 1723 opened nor any successful PPTP connection



  • 8.  RE: SRX destination nat problem

    Posted 10-07-2012 23:19

    after

    set security nat destination rule-set dst-nat rule PPTP_Server match destination-address 188.134.103.xx/32


    got 1723 opened, but no GRE =(


  • 9.  RE: SRX destination nat problem

    Posted 10-05-2012 08:42

    Connection to 188.134.103.xx:33810 traceoption log (connection refused):

    Oct  5 19:34:17 19:34:17.184502:CID-0:RT:flow_first_rule_dst_xlate: DST xlate: 188.134.103.xx(33810) to 10.241.1.128(3389), rule/pool id 5/32773.
    Oct  5 19:34:17 19:34:17.184502:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 188.134.103.69, x_dst_ip 10.241.1.128, in ifp fe-0/0/0.0, out ifp N/A sp 49322, dp 33810, ip_proto 6, tos 0
    Oct  5 19:34:17 19:34:17.184502:CID-0:RT:Doing DESTINATION addr route-lookup
    Oct  5 19:34:17 19:34:17.184502:CID-0:RT:  routed (x_dst_ip 10.241.1.128) from untrust (fe-0/0/0.0 in 0) to vlan.0, Next-hop: 10.241.1.128
    Oct  5 19:34:17 19:34:17.184502:CID-0:RT:  policy search from zone untrust-> zone trust (0x110,0xc0aa8412,0xd3d)
    Oct  5 19:34:17 19:34:17.184502:CID-0:RT:  app 0, timeout 1800s, curr ageout 20s
    Oct  5 19:34:17 19:34:17.184502:CID-0:RT:  packet dropped, denied by policy
    Oct  5 19:34:17 19:34:17.184502:CID-0:RT:  packet dropped,  policy deny.
    Oct  5 19:34:17 19:34:17.184502:CID-0:RT:  flow find session returns error.
    Oct  5 19:34:17 19:34:17.184502:CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)

    Connection to 188.134.103.xx:3389 traceoption log (connection accepted):

    Oct  5 19:36:46 19:36:45.998010:CID-0:RT:flow_first_rule_dst_xlate: DST xlate: 188.134.103.xx(3389) to 10.241.1.210(3389), rule/pool id 1/32769.
    Oct  5 19:36:46 19:36:45.998010:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 188.134.103.69, x_dst_ip 10.241.1.210, in ifp fe-0/0/0.0, out ifp N/A sp 49323, dp 3389, ip_proto 6, tos 0
    Oct  5 19:36:46 19:36:45.998010:CID-0:RT:Doing DESTINATION addr route-lookup
    Oct  5 19:36:46 19:36:45.998010:CID-0:RT:  routed (x_dst_ip 10.241.1.210) from untrust (fe-0/0/0.0 in 0) to vlan.0, Next-hop: 10.241.1.210
    Oct  5 19:36:46 19:36:45.998010:CID-0:RT:  policy search from zone untrust-> zone trust (0x110,0xc0ab0d3d,0xd3d)
    Oct  5 19:36:46 19:36:45.998010:CID-0:RT:  policy has timeout 900
    Oct  5 19:36:46 19:36:45.998010:CID-0:RT:  app 0, timeout 1800s, curr ageout 20s
    Oct  5 19:36:46 19:36:45.998010:CID-0:RT:  packet passed, Permitted by policy.

    WHY?!
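A way to read the two traces above mechanically, as an added example that is not Juniper's tooling or part of this thread: it groups flow traceoptions lines by their microsecond stamp and CID, pairs each "DST xlate" line with the verdict that follows, and reports any first packet that was translated and routed but then dropped by policy, printing the post-NAT tuple the policy was actually evaluated against. The sample lines are constructed after the thread's trace, with 198.51.100.10 and 203.0.113.69 as stand-ins for the real addresses; `summarize` and `policy_mismatches` are the example's own names.

```python
"""Added example (not Juniper's code): correlate SRX flow traceoptions lines for
one first packet and surface "translated, routed, then denied by policy" cases.
Sample lines are constructed after the thread's trace; 198.51.100.10 and
203.0.113.69 stand in for the real public and source addresses."""
import re

TRACE = """\
Oct  5 19:34:17 19:34:17.184502:CID-0:RT:flow_first_rule_dst_xlate: DST xlate: 198.51.100.10(33810) to 10.241.1.128(3389), rule/pool id 5/32773.
Oct  5 19:34:17 19:34:17.184502:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 203.0.113.69, x_dst_ip 10.241.1.128, in ifp fe-0/0/0.0, out ifp N/A sp 49322, dp 33810, ip_proto 6, tos 0
Oct  5 19:34:17 19:34:17.184502:CID-0:RT:  routed (x_dst_ip 10.241.1.128) from untrust (fe-0/0/0.0 in 0) to vlan.0, Next-hop: 10.241.1.128
Oct  5 19:34:17 19:34:17.184502:CID-0:RT:  policy search from zone untrust-> zone trust (0x110,0xc0aa8412,0xd3d)
Oct  5 19:34:17 19:34:17.184502:CID-0:RT:  packet dropped, denied by policy
Oct  5 19:34:17 19:34:17.184502:CID-0:RT:  packet dropped,  policy deny.
Oct  5 19:36:46 19:36:45.998010:CID-0:RT:flow_first_rule_dst_xlate: DST xlate: 198.51.100.10(3389) to 10.241.1.210(3389), rule/pool id 1/32769.
Oct  5 19:36:46 19:36:45.998010:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 203.0.113.69, x_dst_ip 10.241.1.210, in ifp fe-0/0/0.0, out ifp N/A sp 49323, dp 3389, ip_proto 6, tos 0
Oct  5 19:36:46 19:36:45.998010:CID-0:RT:  policy search from zone untrust-> zone trust (0x110,0xc0ab0d3d,0xd3d)
Oct  5 19:36:46 19:36:45.998010:CID-0:RT:  packet passed, Permitted by policy.
"""

# The microsecond stamp plus CID is repeated on every line of one first-packet
# walk, so the pair serves as the correlation key.
STAMP = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (\d\d:\d\d:\d\d\.\d+):CID-(\d+):RT:(.*)$")
XLATE = re.compile(r"DST xlate: (\S+)\((\d+)\) to (\S+)\((\d+)\), rule/pool id (\d+)/(\d+)")
ROUTE = re.compile(r"src_ip (\S+), .*\bsp (\d+), dp (\d+), ip_proto (\d+)")
SEARCH = re.compile(r"policy search from zone (\S+)-> zone (\S+)")
VERDICT = re.compile(r"packet (dropped|passed), (.*?)\.?$")


def summarize(trace):
    """One dict per first packet: pre/post-NAT destination, NAT rule id,
    source, zones and the first verdict line seen for that packet."""
    flows = {}
    for line in trace.splitlines():
        m = STAMP.match(line)
        if not m:
            continue  # unrelated or continuation line
        stamp, cid, msg = m.groups()
        f = flows.setdefault((stamp, cid), {"stamp": stamp})
        if x := XLATE.search(msg):
            f.update(dst=x[1], dport=int(x[2]), x_dst=x[3], x_dport=int(x[4]), rule_id=int(x[5]))
        elif r := ROUTE.search(msg):
            f.update(src=r[1], sport=int(r[2]), proto=int(r[4]))
        elif s := SEARCH.search(msg):
            f.update(from_zone=s[1], to_zone=s[2])
        elif (v := VERDICT.search(msg)) and "verdict" not in f:
            f.update(verdict=v[1], reason=v[2].strip())  # keep the first, more specific reason
    return list(flows.values())


def policy_mismatches(trace):
    """First packets that were translated and routed but then denied by policy.
    The policy lookup ran on x_dst:x_dport, so that is the tuple to check."""
    return [
        f"{f['dst']}:{f['dport']} -> {f['x_dst']}:{f['x_dport']} (dst-nat rule {f['rule_id']}) "
        f"{f['reason']} {f.get('from_zone')}->{f.get('to_zone')}"
        for f in summarize(trace)
        if f.get("verdict") == "dropped" and "x_dst" in f
    ]


if __name__ == "__main__":
    for flow in summarize(TRACE):
        print(flow)
    print(policy_mismatches(TRACE))
```

On the sample, the 33810 packet is reported as translated to 10.241.1.128:3389 by rule 5 and then denied untrust->trust, while the 3389 packet passes; a report entry of that shape means the NAT rule and pool hit, and the policy's address-book entry or application is what does not cover the translated tuple.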

     



  • 10.  RE: SRX destination nat problem

    Posted 10-05-2012 08:43

    set security nat destination pool KC-10 address port 3389
    Shouldn't that be port 33810?



  • 11.  RE: SRX destination nat problem

    Posted 10-05-2012 08:47

    @muttbarker wrote:

    set security nat destination pool KC-10 address port 3389
    Shouldn't that be port 33810?


    nope =(

    TS listens on 3389

    HV listens on 33891

    HV2 listens on 33892

    KC-10 listens on 3389

    so that's why connections to KC-10 and KC-24 must have the port changed from 33810 to 3389 and from 33824 to 3389.