SRX240 Static and Source NAT question

  • 1.  SRX240 Static and Source NAT question

    Posted 02-14-2014 09:12

    I have a very basic setup (I thought) with my SRX240.  I am only using 2 interfaces, and 2 zones.  Also I have a site-to-site VPN set up to another SRX; I think I used the wizard for that portion.

    ge-0/0/0.0
    164.58.206.2/25 {primary,preferred}
    164.58.158.2/24

    ge-0/0/1.0
    172.16.0.1/22

    I have SOURCE NAT configured and working from 172.0.0/22 to egress interface address.  I also configured a STATIC NAT for 164.58.206.10 to 172.16.0.10, and it works fine in both directions.

    Now the part I cannot seem to get working:

    I have a static mapping for 164.58.158.50 to 172.16.0.50; it does translate IN (untrust IPs can access the webserver), but it will not translate OUT to the internet.

    Configuration is attached; does anyone have any suggestions why this doesn't work?

    Thanks!

    Attachment(s): configuration.txt


  • 2.  RE: SRX240 Static and Source NAT question

    Posted 02-14-2014 14:50

    The configurations look correct to me.

    I suspect the issue has to do with the fact that the working address is in the same subnet as the primary interface and the one that does not work outbound is not.

    The only difference I see between your configuration and the standard examples is that the outbound direction has both relying on your general allow-all-out policy instead of having a specific outbound policy for the internal NAT address.

    You could try making a policy outbound for the non-working host alone.

    Otherwise, KB21892 has some troubleshooting steps to gather more detailed information on what is happening in the NAT process.

    Troubleshoot Static NAT

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB21892



  • 3.  RE: SRX240 Static and Source NAT question

    Posted 02-15-2014 09:15

    Thank you for checking over my config; I will work through the troubleshooting guide on Monday.



  • 4.  RE: SRX240 Static and Source NAT question

    Posted 02-16-2014 04:42

    I think that you have a problem with asymmetric routing.



  • 5.  RE: SRX240 Static and Source NAT question

    Posted 02-16-2014 06:12

    One other question:

    Now the part I cannot seem to get working:
    I have a static mapping for 164.58.158.50 to 172.16.0.50; it does translate IN (untrust IPs can access the webserver), but it will not translate OUT to the internet.

    Does the outbound traffic from 172.16.0.50 NAT to the interface rule (164.58.206.2), or does it fail to work at all?



  • 6.  RE: SRX240 Static and Source NAT question

    Posted 02-17-2014 06:37

    Outbound traffic from 172.16.0.50 does NOT NAT to 164.58.206.2; it just doesn't seem to be going anywhere.

    It seems that 172.16.0.50 IS hitting the correct static NAT rule (nat-158-50); the counter does go up when I try to ping an external IP.  I also verified that the source NAT rule counter does NOT increase when I try outbound traffic for 172.16.0.50.

    I am also working through the troubleshooting guide that was posted.



  • 7.  RE: SRX240 Static and Source NAT question

    Posted 02-17-2014 07:11

    It seems that all the policies are being hit properly.

    INBOUND to 164.58.158.50 seems to NAT just fine.  The untrust-to-trust policy "nat-158-50" increments, the NAT rule increments, and traffic works.

    However, for OUTBOUND, when I try to ping an external IP from 172.16.0.50, the static NAT rule "nat-158-50" increments.  Also, the "trust-to-untrust" rule counter is incremented (permit any any), but I am not sure how to verify whether the traffic is actually leaving the untrust interface.

    How would I set up a trace to see where the process is breaking down?  Or, if this is an asymmetric(?) routing issue as was suggested, how would I correct it?

    Thanks



  • 8.  RE: SRX240 Static and Source NAT question

    Posted 02-17-2014 14:20

    I think you have found a bug here and will need to open a ticket with JTAC.

    How would I set up a trace to see where the process is breaking down?

    The last two sections of the KB listed above show the trace option setup steps for verifying the packet transit.  This data, along with the information you have gathered above, should speed your path to level 2 in JTAC.

    Or, if this is an asymmetric(?) routing issue as was suggested, how would I correct it?

    I don't think so.  Asymmetrical routing is when the traffic reply goes into a different interface on the firewall than the one that originally sent the traffic.  This prevents the firewall from setting up the sessions properly and causes the traffic to be dropped.

    In your case the inbound traffic working properly probably means your routing for the server internally is correct and not asymmetrical.

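    An added example, not taken from any of the posts above, showing the SRX-side checks that separate "the SRX did not translate or forward the packet" from "the translated packet left and no reply came back". It assumes the static rule is named nat-158-50 as in the thread; the rule-set name static-untrust, the trace filter name host50 and the external test host 198.51.100.1 are placeholders.

```junos
# Static NAT for the web server. Junos applies the reverse translation to
# traffic originating from 172.16.0.50 automatically, so no source NAT rule
# is involved for that host (its source NAT counter staying at zero is expected).
set security nat static rule-set static-untrust from zone untrust
set security nat static rule-set static-untrust rule nat-158-50 match destination-address 164.58.158.50/32
set security nat static rule-set static-untrust rule nat-158-50 then static-nat prefix 172.16.0.50/32
# 164.58.158.50 lives in the secondary subnet on ge-0/0/0.0, so the SRX must
# answer ARP for it on behalf of the upstream router.
set security nat proxy-arp interface ge-0/0/0.0 address 164.58.158.50/32
commit

# --- Checks, run while 172.16.0.50 pings 198.51.100.1 (placeholder host) ---
# Translation hit counter for the static rule:
show security nat static rule all
# Route the translated packet will take out of the untrust interface:
show route 198.51.100.1
# The session shows both wings. In: 172.16.0.50 -> 198.51.100.1 with its packet
# count; Out: 198.51.100.1 -> 164.58.158.50. If the In count rises while the
# Out count stays at 0, the SRX translated and forwarded the request and the
# reply never arrived, which points at the upstream router, not the SRX.
show security flow session source-prefix 172.16.0.50

# --- Flow trace limited to the one host (the KB21892 approach) ---
set security flow traceoptions file flow-trace size 1m
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter host50 source-prefix 172.16.0.50/32
commit
show log flow-trace | match 164.58.158.50
# Remove the trace once done; it is costly on a branch SRX.
delete security flow traceoptions
commit
```

    A session whose Out wing never counts a packet is the same symptom the thread ends with: a correct SRX configuration and a misconfigured upstream device.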


  • 9.  RE: SRX240 Static and Source NAT question

    Posted 02-17-2014 14:32

    Steve,


    Thank you very much for your help, i will try to gather more info and open a case tomorrow.



  • 10.  RE: SRX240 Static and Source NAT question

    Posted 02-17-2014 22:35

    Check to see if the router is waiting for a reboot. Maybe restart the pfe. There is a case on here with some routing issue which required restarting the pfe.



  • 11.  RE: SRX240 Static and Source NAT question

    Posted 02-18-2014 06:23

    I rebooted the SRX, and the issue persists.  I was hoping that would fix it 🙂



  • 12.  RE: SRX240 Static and Source NAT question

    Posted 02-18-2014 08:00

    Ouch!

    Ok, so I read the question over again and again and looked more carefully at the configuration. Now that I am thinking deeply, I think the solution is to use address-persistent.

    Here is an explanation:

    user@host# set security nat source address-persistent

    http://www.juniper.net/techpubs/software/junos-es/junos-es92/junos-es-swconfig-security/address-persistent.html

    http://www.juniper.net/techpubs/software/junos-security/junos-security96/junos-security-swconfig-security/id-11012.html#id-63402

    And here is an explanation of persistent NAT; similar, but for a different purpose:

    Persistent NAT is intended for use with STUN client-server applications.

    Any remote host—All requests from a specific internal IP address and port are mapped to the same external IP address and port. Any external host can send a packet to the internal host using the mapped external transport address when the incoming policy from external to internal is configured.



  • 13.  RE: SRX240 Static and Source NAT question
    Best Answer

    Posted 02-18-2014 08:42

    As it turns out, the issue is that I am an idiot...  This is in a test environment, and I had an upstream router that I thought I had configured properly; it turns out I did not.

    The config I posted works perfectly; the issue was my lab setup.  I'm sorry to have wasted you guys' time 😞



  • 14.  RE: SRX240 Static and Source NAT question

    Posted 02-18-2014 08:45
    Happens to the best of us:) Mark the case as resolved and the answer that the configuration was correct but upstream device failed