SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  ScreenOS to SRX NAT issue

    Posted 04-11-2014 11:28

    Hi,

     

    Working on migrating from an SSG20 to an SRX240. Used the Juniper conversion tool to convert the config with limited success.

     

    On the SRX, users can't get out to internet. I can ping the external/untrust interface from a remote system and can ping/ssh/https to the internal/trust interface from a local machine. I can also ping the default gateway - the upstream ISP router. But can't ping out to 4.2.2.2 or other public IPs.

     

    I think I have a source NAT issue from Trust to Untrust. I want everything going from Trust (on 10.110.1.1/22) to Untrust to be source NATed to public IP XX.XX.14.82/32.

     

    Also, I can't ping the proxy ARP IPs. Is this related somehow?

     

    Relevant config is attached. Please help me troubleshoot.

     

    Thank you!

    Attachment: config.txt (9 KB)


  • 2.  RE: ScreenOS to SRX NAT issue

    Posted 04-11-2014 14:27

    🙂

    Before I go to bed!

    Two things:

    One, you cannot ping the proxy ARP IP address. The SRX is only listening on it and does not respond to it.

    For this to work correctly you need to ensure you have a D-NAT as well as an S-NAT.

    If you have only S-NAT, when traffic is coming back in the SRX may throw a wobbly as it may not know where to route correctly.

    So:
    step 1 set up proxy ARP.
    step 2 make D-NAT.
    step 3 make S-NAT.
    step 4 make policy to permit.

    http://www.tunnelsup.com/configuring-nat-in-juniper-srx-platforms-using-junos

    It's late here; if needed I could work a config for you, PM me your settings 🙂


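    The four steps above, written out as one complete Junos configuration. This is an added example, not the poster's config and not taken from the linked page. Everything in it is assumed: the zone names trust/untrust, ge-0/0/0.0 as the untrust interface, an inside web host at 10.110.1.10, and 203.0.113.82 (a documentation-range placeholder standing in for the masked XX.XX.14.82 in the thread). The LAN prefix 10.110.0.0/22 is the network containing the 10.110.1.1/22 address from the first post.

```junos
/* Constructed example. Assumed topology: ge-0/0/0.0 in zone untrust,
   ge-0/0/1.0 in zone trust with 10.110.1.1/22 (network 10.110.0.0/22).
   203.0.113.82 is a placeholder public address; 10.110.1.10 is an
   assumed inside web server listening on 8443. */
security {
    nat {
        /* Step 1: proxy ARP, so the SRX answers ARP for a public address that
           is not configured on the interface. It will not answer ping on it. */
        proxy-arp {
            interface ge-0/0/0.0 {
                address {
                    203.0.113.82/32;
                }
            }
        }
        /* Step 2: destination NAT for inbound connections. Because the pool
           carries a port, this is the port-forwarding (PAT) case:
           203.0.113.82:443 becomes 10.110.1.10:8443. Leave "port" off the
           pool for an address-only DNAT. Newer releases write the match as
           destination-port { 443; } instead of destination-port 443; */
        destination {
            pool web-inside {
                address 10.110.1.10/32 port 8443;
            }
            rule-set inbound-from-untrust {
                from zone untrust;
                rule https-to-web {
                    match {
                        destination-address 203.0.113.82/32;
                        destination-port 443;
                    }
                    then {
                        destination-nat {
                            pool {
                                web-inside;
                            }
                        }
                    }
                }
            }
        }
        /* Step 3: interface-based source NAT for everything leaving trust.
           The egress interface address is used, so no pool and no extra
           proxy ARP entry are needed for the return traffic. */
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule lan-out {
                    match {
                        source-address 10.110.0.0/22;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    /* Step 4: policies. Policy lookup happens after destination NAT, so the
       inbound policy must match the inside address and the translated port
       (8443), not the public address and 443. Global address book assumed
       (Junos 11.2 and later). */
    address-book {
        global {
            address web-inside-host 10.110.1.10/32;
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy lan-to-internet {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy internet-to-web {
                match {
                    source-address any;
                    destination-address web-inside-host;
                    application tcp-8443;
                }
                then {
                    permit;
                }
            }
        }
    }
}
/* Custom application for the translated port; junos-https would only match 443. */
applications {
    application tcp-8443 {
        protocol tcp;
        destination-port 8443;
    }
}
```

    After commit, `show security nat destination rule all` and `show security nat source rule all` show hit counters per rule, and `show security flow session source-prefix 10.110.1.10` (the command suggested later in this thread) shows whether a session was created and which translation it carries. Because the proxy ARP address does not answer ping, test the inbound path with a real connection to port 443 from outside rather than with ICMP.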

  • 3.  RE: ScreenOS to SRX NAT issue
    Best Answer

     
    Posted 04-11-2014 22:03

    A few observations:

    + You are using XXX.XXX.14.82 for both the source translation and the static rule.

    Recommendation: for source translation you can use interface-based NAT.

    + Please check if the policy is configured to allow this connection.

    If the connection is still not working, please paste the output of the following command while you are trying to access the internet from the LAN:

    show security flow session source-prefix x.x.x.x


    Regards

    Sarab

    ------------------------------------------------------------------------------------

    [If it helped please mark it as "Accepted Solution". Kudos will be appreciated too.]



  • 4.  RE: ScreenOS to SRX NAT issue

    Posted 04-14-2014 12:41

    Hi there, thanks for the reply.

     

    I removed the static nat entries and changed the source NAT to use interface instead of pool.

     

    I then added new destination nat entries for all our public facing hosts/ports. Is this the equivalent of port forwarding to internal hosts?

     

    Also, will the proxy arp IPs work as dest-NAT destination-addresses?

     

    I don't have access to this SRX until Wednesday. Can't test the config until then. Updated config is attached.

     

    Thanks a bunch for your help!

    Attachment: fix-nat-config.txt (12 KB)


  • 5.  RE: ScreenOS to SRX NAT issue

    Posted 04-14-2014 14:06

    Hello,

     

    I migrated a Juniper 5GT config to a SRX210 and I can confirm that the migration tool wasn't as helpful as intended.

     

    I used a rule-set for SNAT, because I had to SNAT two different subnets.

     

    nat {
        source {
            rule-set SNAT_Internal_to_Internet {
                description "SNAT internal to internet";
                from zone Internal;
                to zone Internet;
                rule SNAT_192_168_1_0 {
                    description "SNAT for bla";
                    match {
                        source-address 192.168.1.0/24;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
                rule SNAT_192_168_2_0 {
                    description "SNAT for blub";
                    match {
                        source-address 192.168.2.0/24;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }

    Hope this helps.

     

    DNAT (destination NAT) is a bit different from port forwarding, which is called PAT (Port and Address Translation). DNAT is used to translate IP addresses. PAT is used to translate IP addresses and port numbers. So to be precise, DNAT and port forwarding (PAT) are two different things. With proxy ARP a router can answer ARP requests for hosts that aren't able to answer those ARP requests. Think about two network segments which are separated by a router. If proxy ARP is enabled for both segments, the router will answer ARP requests with its own MAC address and the clients will send their traffic to the router.

     



  • 6.  RE: ScreenOS to SRX NAT issue

    Posted 04-16-2014 04:31

    Got it working now.

     

    Changed the DNATs to static NATs. This made for a much cleaner config and should work fine since I have a one-to-one public IP to internal host mapping. I also fixed the source NAT problem that was preventing internet access - changed it to use interface instead of a pool.

     

    I also found an issue with one of the policies rejecting traffic to the internal hosts - fixed that and things are working great now.

     

    Moral of the story - the Junos converter tool works OK, but your config will still need to be reviewed in-depth.

     

    Thanks for your help!
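    The one-to-one static NAT that the last post settled on, as an added example rather than the poster's own config. It assumes the same layout as earlier in the thread (zone untrust on ge-0/0/0.0), an inside mail host at 10.110.1.20, and the placeholder public address 203.0.113.83 in place of the masked addresses on the page. It also shows why the earlier observation about reusing one public IP for both a source pool and a static rule matters: static NAT already translates in both directions.

```junos
/* Constructed example. 203.0.113.83 is a placeholder public address owned
   outright by the assumed inside host 10.110.1.20; zone and interface
   names are assumed. */
security {
    nat {
        /* Static NAT is bidirectional and takes precedence over both
           destination and source NAT: inbound to 203.0.113.83 reaches
           10.110.1.20 on every port, and 10.110.1.20 leaves as 203.0.113.83
           without any source NAT rule. Do not also put 203.0.113.83 in a
           source NAT pool; interface-based source NAT for the rest of the
           LAN (as earlier in the thread) stays as it is. */
        static {
            rule-set untrust-static {
                from zone untrust;
                rule mail-1to1 {
                    match {
                        destination-address 203.0.113.83/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                10.110.1.20/32;
                            }
                        }
                    }
                }
            }
        }
        /* Still required: the SRX must answer ARP for the public address,
           since it is not configured on the interface itself. */
        proxy-arp {
            interface ge-0/0/0.0 {
                address {
                    203.0.113.83/32;
                }
            }
        }
    }
    /* Static NAT opens no ports by itself. Policy is evaluated after the
       translation, so it matches the inside address and only the
       applications you intend to expose. */
    address-book {
        global {
            address mail-inside-host 10.110.1.20/32;
        }
    }
    policies {
        from-zone untrust to-zone trust {
            policy internet-to-mail {
                match {
                    source-address any;
                    destination-address mail-inside-host;
                    application junos-smtp;
                }
                then {
                    permit;
                }
            }
        }
    }
}
```

    `show security nat static rule all` confirms the rule is installed and counting hits, and `show security flow session source-prefix 10.110.1.20` shows outbound sessions from the host carrying 203.0.113.83 as their translated source, which is the quick way to tell that static NAT (and not a pool) is doing the outbound translation.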