SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
Static NAT is not working


  • 1.  Static NAT is not working

    Posted 02-18-2014 02:08

    Hi Everyone,

     

    Please help. My static NAT is not working.

    A local computer has the address 192.168.1.154 and is mapped to the Internet IP 1.1.1.13. When the computer browses the Internet, the Internet IP seen is 1.1.1.10 (the WAN IP of the SRX240) instead of 1.1.1.13 (the static NAT IP).

     




  • 2.  RE: Static NAT is not working

     
    Posted 02-18-2014 04:43

    Dear,

    I quickly checked your config; it should be OK. Could you please post the output of the command below:

     

    show security flow session source-prefix 192.168.1.154

     

    Regards

    Red1



  • 3.  RE: Static NAT is not working

    Posted 02-18-2014 17:47

    Thank you, Red1. 220.241.34.146 is the real IP of the SRX240. The NAT IP of 192.168.1.154 should be 220.241.34.147.

     

    Here is the output:

     

    Session ID: 311782, Policy name: ws54/6, Timeout: 262, Valid
    In: 192.168.1.154/4573 --> 131.253.13.140/80;tcp, If: vlan.0, Pkts: 4, Bytes: 1173
    Out: 131.253.13.140/80 --> 220.241.34.146/5270;tcp, If: vlan.10, Pkts: 3, Bytes: 765

    Session ID: 311798, Policy name: ws54/6, Timeout: 274, Valid
    In: 192.168.1.154/4574 --> 207.46.68.62/80;tcp, If: vlan.0, Pkts: 33, Bytes: 4854
    Out: 207.46.68.62/80 --> 220.241.34.146/18454;tcp, If: vlan.10, Pkts: 53, Bytes: 72286

    Session ID: 311804, Policy name: ws54/6, Timeout: 264, Valid
    In: 192.168.1.154/4575 --> 184.84.122.156/80;tcp, If: vlan.0, Pkts: 12, Bytes: 3377
    Out: 184.84.122.156/80 --> 220.241.34.146/29935;tcp, If: vlan.10, Pkts: 8, Bytes: 2202

    Session ID: 311820, Policy name: ws54/6, Timeout: 264, Valid
    In: 192.168.1.154/4576 --> 184.84.122.156/80;tcp, If: vlan.0, Pkts: 4, Bytes: 666
    Out: 184.84.122.156/80 --> 220.241.34.146/4407;tcp, If: vlan.10, Pkts: 3, Bytes: 330

    Session ID: 311823, Policy name: ws54/6, Timeout: 268, Valid
    In: 192.168.1.154/4578 --> 111.221.29.16/80;tcp, If: vlan.0, Pkts: 6, Bytes: 2603
    Out: 111.221.29.16/80 --> 220.241.34.146/2199;tcp, If: vlan.10, Pkts: 3, Bytes: 864

    Session ID: 311824, Policy name: ws54/6, Timeout: 264, Valid
    In: 192.168.1.154/4579 --> 219.76.10.154/80;tcp, If: vlan.0, Pkts: 4, Bytes: 741
    Out: 219.76.10.154/80 --> 220.241.34.146/23946;tcp, If: vlan.10, Pkts: 3, Bytes: 376

    Session ID: 311825, Policy name: ws54/6, Timeout: 264, Valid
    In: 192.168.1.154/4580 --> 111.221.29.30/80;tcp, If: vlan.0, Pkts: 4, Bytes: 1087
    Out: 111.221.29.30/80 --> 220.241.34.146/20405;tcp, If: vlan.10, Pkts: 2, Bytes: 511

    Session ID: 311826, Policy name: ws54/6, Timeout: 264, Valid
    In: 192.168.1.154/4581 --> 204.79.197.200/80;tcp, If: vlan.0, Pkts: 4, Bytes: 947
    Out: 204.79.197.200/80 --> 220.241.34.146/32467;tcp, If: vlan.10, Pkts: 2, Bytes: 188

    Session ID: 311830, Policy name: ws54/6, Timeout: 264, Valid
    In: 192.168.1.154/4582 --> 111.221.21.49/80;tcp, If: vlan.0, Pkts: 5, Bytes: 1080
    Out: 111.221.21.49/80 --> 220.241.34.146/18250;tcp, If: vlan.10, Pkts: 4, Bytes: 3230

    Session ID: 311831, Policy name: ws54/6, Timeout: 264, Valid
    In: 192.168.1.154/4583 --> 111.221.21.49/80;tcp, If: vlan.0, Pkts: 7, Bytes: 2032
    Out: 111.221.21.49/80 --> 220.241.34.146/23081;tcp, If: vlan.10, Pkts: 6, Bytes: 5860

    Session ID: 311832, Policy name: ws54/6, Timeout: 264, Valid
    In: 192.168.1.154/4584 --> 184.84.122.156/80;tcp, If: vlan.0, Pkts: 7, Bytes: 1191
    Out: 184.84.122.156/80 --> 220.241.34.146/24780;tcp, If: vlan.10, Pkts: 6, Bytes: 4007

    Session ID: 311833, Policy name: ws54/6, Timeout: 264, Valid
    In: 192.168.1.154/4585 --> 184.84.122.156/80;tcp, If: vlan.0, Pkts: 10, Bytes: 1634
    Out: 184.84.122.156/80 --> 220.241.34.146/26781;tcp, If: vlan.10, Pkts: 13, Bytes: 14947

    Session ID: 311834, Policy name: ws54/6, Timeout: 264, Valid
    In: 192.168.1.154/4586 --> 111.221.21.49/80;tcp, If: vlan.0, Pkts: 6, Bytes: 1996
    Out: 111.221.21.49/80 --> 220.241.34.146/20249;tcp, If: vlan.10, Pkts: 5, Bytes: 3625

    Session ID: 311835, Policy name: ws54/6, Timeout: 264, Valid
    In: 192.168.1.154/4587 --> 184.84.122.156/80;tcp, If: vlan.0, Pkts: 7, Bytes: 1191
    Out: 184.84.122.156/80 --> 220.241.34.146/25483;tcp, If: vlan.10, Pkts: 6, Bytes: 3435

    Session ID: 311836, Policy name: ws54/6, Timeout: 264, Valid
    In: 192.168.1.154/4588 --> 184.84.122.156/80;tcp, If: vlan.0, Pkts: 7, Bytes: 697
    Out: 184.84.122.156/80 --> 220.241.34.146/9038;tcp, If: vlan.10, Pkts: 9, Bytes: 9277

    Session ID: 311837, Policy name: ws54/6, Timeout: 264, Valid
    In: 192.168.1.154/4589 --> 184.84.122.156/80;tcp, If: vlan.0, Pkts: 5, Bytes: 615
    Out: 184.84.122.156/80 --> 220.241.34.146/15452;tcp, If: vlan.10, Pkts: 5, Bytes: 3182

    Session ID: 311838, Policy name: ws54/6, Timeout: 264, Valid
    In: 192.168.1.154/4590 --> 184.84.122.156/80;tcp, If: vlan.0, Pkts: 5, Bytes: 1195
    Out: 184.84.122.156/80 --> 220.241.34.146/14356;tcp, If: vlan.10, Pkts: 4, Bytes: 608

    Session ID: 311844, Policy name: ws54/6, Timeout: 266, Valid
    In: 192.168.1.154/4591 --> 54.254.99.214/80;tcp, If: vlan.0, Pkts: 7, Bytes: 1267
    Out: 54.254.99.214/80 --> 220.241.34.146/2785;tcp, If: vlan.10, Pkts: 6, Bytes: 4798

    Session ID: 311845, Policy name: ws54/6, Timeout: 264, Valid
    In: 192.168.1.154/4592 --> 184.84.122.156/80;tcp, If: vlan.0, Pkts: 5, Bytes: 618
    Out: 184.84.122.156/80 --> 220.241.34.146/15963;tcp, If: vlan.10, Pkts: 5, Bytes: 3132

    Session ID: 311846, Policy name: ws54/6, Timeout: 264, Valid
    In: 192.168.1.154/4593 --> 111.221.21.49/80;tcp, If: vlan.0, Pkts: 4, Bytes: 1042
    Out: 111.221.21.49/80 --> 220.241.34.146/31423;tcp, If: vlan.10, Pkts: 3, Bytes: 1877

    Session ID: 311847, Policy name: ws54/6, Timeout: 264, Valid
    In: 192.168.1.154/4594 --> 111.221.21.49/80;tcp, If: vlan.0, Pkts: 4, Bytes: 1042
    Out: 111.221.21.49/80 --> 220.241.34.146/18331;tcp, If: vlan.10, Pkts: 3, Bytes: 2257

    Session ID: 311926, Policy name: ws54/6, Timeout: 268, Valid
    In: 192.168.1.154/4601 --> 219.76.10.152/80;tcp, If: vlan.0, Pkts: 4, Bytes: 1101
    Out: 219.76.10.152/80 --> 220.241.34.146/6165;tcp, If: vlan.10, Pkts: 3, Bytes: 380

    Session ID: 311946, Policy name: ws54/6, Timeout: 268, Valid
    In: 192.168.1.154/4602 --> 219.76.14.48/80;tcp, If: vlan.0, Pkts: 15, Bytes: 1624
    Out: 219.76.14.48/80 --> 220.241.34.146/26270;tcp, If: vlan.10, Pkts: 25, Bytes: 33914

    Session ID: 311960, Policy name: ws54/6, Timeout: 1770, Valid
    In: 192.168.1.154/4609 --> 207.46.68.62/443;tcp, If: vlan.0, Pkts: 8, Bytes: 1792
    Out: 207.46.68.62/443 --> 220.241.34.146/26128;tcp, If: vlan.10, Pkts: 8, Bytes: 5297

    Session ID: 311994, Policy name: ws54/6, Timeout: 270, Valid
    In: 192.168.1.154/4611 --> 173.241.248.7/80;tcp, If: vlan.0, Pkts: 5, Bytes: 686
    Out: 173.241.248.7/80 --> 220.241.34.146/12601;tcp, If: vlan.10, Pkts: 3, Bytes: 473

    Session ID: 312039, Policy name: ws54/6, Timeout: 272, Valid
    In: 192.168.1.154/4614 --> 74.121.143.253/80;tcp, If: vlan.0, Pkts: 4, Bytes: 665
    Out: 74.121.143.253/80 --> 220.241.34.146/17167;tcp, If: vlan.10, Pkts: 3, Bytes: 776

    Session ID: 312050, Policy name: ws54/6, Timeout: 272, Valid
    In: 192.168.1.154/4615 --> 74.121.141.85/80;tcp, If: vlan.0, Pkts: 4, Bytes: 648
    Out: 74.121.141.85/80 --> 220.241.34.146/2410;tcp, If: vlan.10, Pkts: 3, Bytes: 889

    Session ID: 312051, Policy name: ws54/6, Timeout: 272, Valid
    In: 192.168.1.154/4616 --> 173.194.127.250/80;tcp, If: vlan.0, Pkts: 6, Bytes: 1318
    Out: 173.194.127.250/80 --> 220.241.34.146/21005;tcp, If: vlan.10, Pkts: 4, Bytes: 1713

    Session ID: 312096, Policy name: ws54/6, Timeout: 274, Valid
    In: 192.168.1.154/4618 --> 209.94.144.19/80;tcp, If: vlan.0, Pkts: 4, Bytes: 609
    Out: 209.94.144.19/80 --> 220.241.34.146/12960;tcp, If: vlan.10, Pkts: 2, Bytes: 306
    Total sessions: 29
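The session dump above is the evidence the whole thread turns on: every Out wing shows the inside host leaving as 220.241.34.146 (the interface address) rather than its static NAT address. As an added example, not part of the original post and not Juniper code, here is a small Python checker that parses `show security flow session` output in this format and flags sessions whose translated source does not match the static NAT mapping. The first two sessions are copied from the output above; the third (ID 999999, peer 198.51.100.7) is constructed to show what a correctly reverse-translated session would look like. The `STATIC_NAT` table is the public-to-private mapping from the config posted later in the thread.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input: two sessions copied from the posted output, plus one
# constructed session (ID 999999) that shows the expected reverse static NAT.
SESSION_OUTPUT = """\
Session ID: 311782, Policy name: ws54/6, Timeout: 262, Valid
In: 192.168.1.154/4573 --> 131.253.13.140/80;tcp, If: vlan.0, Pkts: 4, Bytes: 1173
Out: 131.253.13.140/80 --> 220.241.34.146/5270;tcp, If: vlan.10, Pkts: 3, Bytes: 765

Session ID: 311960, Policy name: ws54/6, Timeout: 1770, Valid
In: 192.168.1.154/4609 --> 207.46.68.62/443;tcp, If: vlan.0, Pkts: 8, Bytes: 1792
Out: 207.46.68.62/443 --> 220.241.34.146/26128;tcp, If: vlan.10, Pkts: 8, Bytes: 5297

Session ID: 999999, Policy name: ws54/6, Timeout: 300, Valid
In: 192.168.1.154/5000 --> 198.51.100.7/80;tcp, If: vlan.0, Pkts: 1, Bytes: 60
Out: 198.51.100.7/80 --> 220.241.34.147/5000;tcp, If: vlan.10, Pkts: 0, Bytes: 0
Total sessions: 3
"""

# Static NAT mappings from rule-set pccw-mapping in the posted config
# (public -> private).
STATIC_NAT = {
    "220.241.34.147": "192.168.1.154",
    "220.241.34.148": "192.168.1.8",
    "220.241.34.149": "192.168.1.10",
}

SESSION_RE = re.compile(r"^Session ID: (\d+),")
# "In: a/p --> b/q;proto, If: iface, ..." and the matching "Out:" wing.
WING_RE = re.compile(r"^(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+), If: (\S+),")


@dataclass
class Session:
    sid: int
    in_src: str    # original source, the inside host
    in_dst: str
    out_src: str   # Out wing source: the remote peer
    out_dst: str   # Out wing destination: the translated address of the inside host
    out_if: str


def parse_sessions(text: str) -> List[Session]:
    """Parse the two-wing session dump into Session records."""
    sessions, cur = [], {}
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            cur = {"sid": int(m.group(1))}
            continue
        w = WING_RE.match(line)
        if not w:
            continue
        wing, src, _, dst, _, _, iface = w.groups()
        if wing == "In":
            cur["in_src"], cur["in_dst"] = src, dst
        else:
            cur["out_src"], cur["out_dst"], cur["out_if"] = src, dst, iface
            sessions.append(Session(**cur))
    return sessions


def expected_public(private: str) -> Optional[str]:
    """Reverse lookup: the public address a statically mapped host should leave as."""
    for public, priv in STATIC_NAT.items():
        if priv == private:
            return public
    return None


def check_reverse_static(sessions: List[Session]) -> Dict[int, str]:
    """Return {session id: translated address} for every session in which a
    host with a static NAT mapping left through some other address."""
    bad = {}
    for s in sessions:
        want = expected_public(s.in_src)
        if want and s.out_dst != want:
            bad[s.sid] = s.out_dst
    return bad


if __name__ == "__main__":
    for sid, addr in check_reverse_static(parse_sessions(SESSION_OUTPUT)).items():
        print(f"session {sid}: 192.168.1.154 left as {addr}, "
              f"expected {expected_public('192.168.1.154')}")
```

Run against the full 29-session output above, every session is flagged; the constructed session 999999 is the only one that passes, because its Out wing carries 220.241.34.147.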



  • 4.  RE: Static NAT is not working

    Posted 02-18-2014 23:34

    From the config:

    VLAN.0  address 192.168.1.1/24   part of trust zone

    VLAN.10 address 1.1.1.10/24      part of isp1 zone

    As per the NAT configuration:

        nat {
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone [ isp2 isp1 untrust ];
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }

    Any packet coming from the trust zone to the isp2, isp1 or untrust zone should get source NAT using the respective interface IP.

    Let's say a packet from 192.168.1.154 in the trust zone goes to the Internet via the isp1 zone. As per the above config, the source IP gets changed to 1.1.1.10:

    192.168.1.154  >> 1.1.1.10 (interface IP of vlan.10 in the isp1 zone); that's what is happening.

    Are you trying to achieve something else? If yes, please explain.

    Thanks,

     

     



  • 5.  RE: Static NAT is not working

    Posted 02-19-2014 01:09

    Thanks, SHKM.

    Besides the source NAT, I also set a static NAT for 192.168.1.154 with the Internet IP 1.1.1.13. As far as I know, static NAT has higher priority than source NAT.



  • 6.  RE: Static NAT is not working

    Posted 02-19-2014 02:44

    Hello,

     


    @HelloWorld wrote:

    Thanks, SHKM.

    Besides the source NAT, I also set a static NAT for 192.168.1.154 with the Internet IP 1.1.1.13. As far as I know, static NAT has higher priority than source NAT.


    That's true, but you have to remember that an interface match is more specific than a zone match.

    http://www.juniper.net/us/en/local/pdf/app-notes/3500151-en.pdf page 5

     

    During processing, it is possible for a packet to match more than one rule-set. To sort out this ambiguity, JUNOS always selects the rule-set with a more specific match. In particular, an interface match is considered more specific than a zone match, which in turn is more specific than a routing-instance match.

     

    Please change this config line:

     

            static {
                rule-set isp1-mapping {
                    from interface vlan.10;

     

    to this:

     

            static {
                rule-set isp1-mapping {
                    from zone untrust;

     

    - then re-test and report back.

    HTH

    Thanks
    Alex



  • 7.  RE: Static NAT is not working

     
    Posted 02-19-2014 03:21

    Dear Alex,

    The rule-set selection criteria apply within the same type of NAT (source, destination or static), but in our scenario the static NAT is the first one to be processed as per the SRX traffic flow diagram, which means it will not process the source NAT at all.

    Please correct me if I misunderstood your suggestion.

     

    Regards

    Red1
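To make the precedence rules argued over in the last two replies concrete, here is an added Python model (written for this page; not Juniper code and not from any poster) of how a Junos NAT lookup picks one rule-set per NAT type and orders static NAT ahead of source NAT. It encodes the interface > zone > routing-instance specificity quoted from the app note and the static-before-source ordering Red1 describes. Addresses are the obfuscated ones from the original post (1.1.1.10, 1.1.1.13); the 2.2.2.10 address on vlan.20, the 1.1.1.14 / 192.168.1.200 mapping, the zone-level rule-set and the peer 198.51.100.7 are constructed for the scenarios, and matching reverse static NAT against the egress context is this model's simplification, not something the thread confirms.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Specificity of a rule-set "from" context, per the quoted Juniper app note:
# interface > zone > routing-instance.
SPECIFICITY = {"interface": 3, "zone": 2, "routing-instance": 1}

# Topology from the original (obfuscated) post: vlan.0 in trust, vlan.10 in
# isp1 with 1.1.1.10. vlan.20 in isp2 with 2.2.2.10 is an assumption.
IF_ADDR = {"vlan.10": "1.1.1.10", "vlan.20": "2.2.2.10"}


@dataclass
class RuleSet:
    name: str
    kind: str                       # "static" or "source"
    from_type: str                  # interface / zone / routing-instance
    from_value: str
    to_zones: Tuple[str, ...] = ()  # source NAT only
    mappings: Dict[str, str] = field(default_factory=dict)  # static: public -> private


@dataclass
class Packet:
    src: str
    dst: str
    in_if: str
    in_zone: str
    out_if: str
    out_zone: str


def _from_matches(rs: RuleSet, iface: str, zone: str) -> bool:
    if rs.from_type == "interface":
        return rs.from_value == iface
    if rs.from_type == "zone":
        return rs.from_value == zone
    return True  # routing-instance: a single default instance is assumed


def select_rule_set(rule_sets: List[RuleSet], kind: str,
                    iface: str, zone: str) -> Optional[RuleSet]:
    """Exactly one rule-set per NAT type is chosen: the matching one with the
    most specific from-context. Less specific candidates are shadowed."""
    cands = [rs for rs in rule_sets
             if rs.kind == kind and _from_matches(rs, iface, zone)]
    return max(cands, key=lambda rs: SPECIFICITY[rs.from_type]) if cands else None


def translate(rule_sets: List[RuleSet], pkt: Packet) -> Tuple[str, str, str]:
    """Return (new_src, new_dst, what_applied) for the first packet of a flow."""
    # 1. Static NAT, forward direction: ingress context, match on destination.
    rs = select_rule_set(rule_sets, "static", pkt.in_if, pkt.in_zone)
    if rs and pkt.dst in rs.mappings:
        return pkt.src, rs.mappings[pkt.dst], f"static:{rs.name}"
    # 2. Static NAT, reverse direction: the inside host is a mapped private
    #    address. Matching on the egress context is this model's assumption.
    rs = select_rule_set(rule_sets, "static", pkt.out_if, pkt.out_zone)
    if rs:
        for public, private in rs.mappings.items():
            if private == pkt.src:
                return public, pkt.dst, f"reverse-static:{rs.name}"
    # 3. Source NAT runs only if static NAT did not already translate the source.
    rs = select_rule_set(rule_sets, "source", pkt.in_if, pkt.in_zone)
    if rs and pkt.out_zone in rs.to_zones:
        return IF_ADDR[pkt.out_if], pkt.dst, f"source:{rs.name}"
    return pkt.src, pkt.dst, "none"


RULE_SETS = [
    # As posted: static mapping keyed on interface vlan.10.
    RuleSet("isp1-mapping", "static", "interface", "vlan.10",
            mappings={"1.1.1.13": "192.168.1.154"}),
    # Constructed: a less specific zone-level rule-set with another mapping.
    RuleSet("isp1-zone-mapping", "static", "zone", "isp1",
            mappings={"1.1.1.14": "192.168.1.200"}),
    # As posted: interface source NAT from trust to all three outside zones.
    RuleSet("trust-to-untrust", "source", "zone", "trust",
            to_zones=("isp2", "isp1", "untrust")),
]


def run_scenarios() -> Dict[str, Tuple[str, str, str]]:
    out = lambda src, oif, ozone: Packet(src, "198.51.100.7", "vlan.0", "trust", oif, ozone)
    return {
        "outbound-154-isp1": translate(RULE_SETS, out("192.168.1.154", "vlan.10", "isp1")),
        "outbound-154-isp2": translate(RULE_SETS, out("192.168.1.154", "vlan.20", "isp2")),
        "outbound-unmapped": translate(RULE_SETS, out("192.168.1.20", "vlan.10", "isp1")),
        "outbound-200-shadowed": translate(RULE_SETS, out("192.168.1.200", "vlan.10", "isp1")),
        "inbound-to-1.1.1.13": translate(RULE_SETS, Packet(
            "203.0.113.5", "1.1.1.13", "vlan.10", "isp1", "vlan.0", "trust")),
    }


if __name__ == "__main__":
    for name, (src, dst, how) in run_scenarios().items():
        print(f"{name:24s} -> src {src:15s} dst {dst:15s} via {how}")
```

Run as written, the model gives the outcome the participants expect: 192.168.1.154 leaving through vlan.10 is reverse-translated to 1.1.1.13 before source NAT is ever consulted, which is exactly what the session table in the thread does not show. The `outbound-200-shadowed` scenario also shows the other half of the app-note rule: once an interface-level static rule-set matches the context, a zone-level static rule-set for the same context is not consulted at all, even when only the zone-level one holds the relevant mapping.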



  • 8.  RE: Static NAT is not working

    Posted 02-19-2014 03:22

    Thank you, Alex! I am sorry to tell you that the static NAT is still not working after I changed from interface to zone.



  • 9.  RE: Static NAT is not working

    Posted 02-19-2014 03:31

    Sorry, I missed the static NAT.

    Actually, static NAT should hit first. The rules are fine. As a quick test, just deactivate/delete the source NAT and see if the flow hits the static NAT.

     

    Thanks,



  • 10.  RE: Static NAT is not working

    Posted 02-19-2014 04:06

    Hello,

     


    @HelloWorld wrote:

    Thank you, Alex! I am sorry to tell you that the static NAT is still not working after I changed from interface to zone.


    Have you cleared the old sessions? Do you have "policy-rematch" configured?

    Thanks
    Alex



  • 11.  RE: Static NAT is not working

     
    Posted 02-19-2014 04:12

    Hello,

    Did you check whether the static NAT is working from outside to inside? In the logs, I can see that the interface-based NAT is being used instead of reverse static NAT, and only one entry (see below) shows static NAT from outside to inside:

    nat_static_xlate: static xlate 220.241.34.147/6671 -> 192.168.1.154/6671


  • 12.  RE: Static NAT is not working

     
    Posted 02-19-2014 05:04

    Hello,

    I still feel that there is a config issue. Could you please post the static NAT config section with the real IPs we are seeing in the logs?

    Could you please also post your traceoptions config? It seems not to be filtered!

     

     

     

    Regards

    Red1



  • 13.  RE: Static NAT is not working

    Posted 02-19-2014 18:10

    @Red1 wrote:

    Hello,

    I still feel that there is a config issue. Could you please post the static NAT config section with the real IPs we are seeing in the logs?

    Could you please also post your traceoptions config? It seems not to be filtered!

     

     

     

    Regards

    Red1


     Static NAT:

     

        nat {
            traceoptions {
                file nat-trace size 10m files 3;
                flag all;
            }
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone [ hkbn pccw untrust ];
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
            static {
                rule-set pccw-mapping {
                    from interface vlan.10;
                    rule mail1 {
                        match {
                            destination-address 220.241.34.148/32;
                        }
                        then {
                            static-nat {
                                prefix {
                                    192.168.1.8/32;
                                }
                            }
                        }
                    }
                    rule ftp1 {
                        match {
                            destination-address 220.241.34.149/32;
                        }
                        then {
                            static-nat {
                                prefix {
                                    192.168.1.10/32;
                                }
                            }
                        }
                    }
                    rule cctv1 {
                        match {
                            destination-address 220.241.34.147/32;
                        }
                        then {
                            static-nat {
                                prefix {
                                    192.168.1.154/32;
                                }
                            }
                        }
                    }
                }
                rule-set hkbn-mapping {
                    from interface vlan.20;
                    rule mail2 {
                        match {
                            destination-address 203.185.47.50/32;
                        }
                        then {
                            static-nat {
                                prefix {
                                    192.168.1.8/32;
                                }
                            }
                        }
                    }
                    rule ftp2 {
                        match {
                            destination-address 203.185.47.49/32;
                        }
                        then {
                            static-nat {
                                prefix {
                                    192.168.1.10/32;
                                }
                            }
                        }
                    }
                }
            }
        }
     
    Flow trace:
     
        flow {
            traceoptions {
                file flow-trace size 10m files 3;
                flag basic-datapath;
                packet-filter ws54 {
                    source-prefix 192.168.1.154/32;
                }
            }
        }
     


  • 14.  RE: Static NAT is not working

     
    Posted 02-19-2014 21:35

    Thanks.

    Now we need to identify why it is using interface-based source NAT. Could you please enable traceoptions under [security nat]?

     

    Regards

     



  • 15.  RE: Static NAT is not working

    Posted 02-19-2014 22:15

    The attached file is the log of security nat.

    Attachment: nat-trace.txt (121 KB)


  • 16.  RE: Static NAT is not working

    Posted 02-24-2014 17:48

    Any other suggestion?



  • 17.  RE: Static NAT is not working

    Posted 02-25-2014 23:39

    Can you please contact JTAC with the configuration? Let's get this one investigated further with JTAC.



  • 18.  RE: Static NAT is not working
    Best Answer

     
    Posted 02-26-2014 02:01

     

    Hello 

     

    Your configuration looks fine, but the behavior is not as expected, so it is better to contact JTAC as suggested.

     

    Regards

    Red1



  • 19.  RE: Static NAT is not working

    Posted 02-19-2014 18:05

    @Red1 wrote:

    Hello,

    Did you check whether the static NAT is working from outside to inside? In the logs, I can see that the interface-based NAT is being used instead of reverse static NAT, and only one entry (see below) shows static NAT from outside to inside:

    nat_static_xlate: static xlate 220.241.34.147/6671 -> 192.168.1.154/6671

    Red1,

     

    You are right. The static NAT is working from outside.



  • 20.  RE: Static NAT is not working

    Posted 02-19-2014 18:04

    @aarseniev wrote:

    Hello,

     


    @HelloWorld wrote:

    Thank you, Alex! I am sorry to tell you that the static NAT is still not working after I changed from interface to zone.


    Have you cleared the old sessions? Do you have "policy-rematch" configured?

    Thanks
    Alex


    Alex,

     

    It is same as before.



  • 21.  RE: Static NAT is not working

    Posted 02-19-2014 04:47

    Hello again,

     


    @HelloWorld wrote:

    Thank you, Alex! I am sorry to tell you that the static NAT is still not working after I changed from interface to zone.


    I might have gotten the "from zone" wrong. Your original SRX config shows vlan.10 is under the "isp1" zone, so the config to try would be:

     

            static {
                rule-set isp1-mapping {
                    from zone isp1;

     

    Apologies for any confusion

    HTH

    Thanks

    Alex

     

     



  • 22.  RE: Static NAT is not working

     
    Posted 02-19-2014 02:16

    Hello,

    As a next step, I would recommend enabling traceoptions under [security flow] and [security nat] to find out why your SRX is ignoring static NAT and using interface-based source NAT.

     

    Regards

    Red1 



  • 23.  RE: Static NAT is not working

    Posted 02-19-2014 03:17

    Only this is in the log file for security nat:

     

    Feb 19 19:05:54 SRX240H2 clear-log[24695]: logfile cleared

     

    The attachment is the log for security flow.

    Attachment: flow-trace.txt (2.82 MB)


  • 24.  RE: Static NAT is not working

    Posted 02-26-2014 11:49

    You need proxy ARP.
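Following up on that last reply, here is an added Python helper (written for this page; not from any poster and not Juniper code) that derives the `security nat proxy-arp` statements a static NAT setup like the one posted needs. For every public address in a static rule-set that lies on the subnet of that rule-set's interface but is not the interface's own address, the SRX has to answer ARP for it, otherwise the upstream router never forwards inbound traffic for it. The mapping tables are the ones from the posted config; the /24 on vlan.10 follows the obfuscated 1.1.1.10/24 and is an assumption, and the vlan.20 address 203.185.47.51/24 is a hypothetical placeholder because the thread does not state it.

```python
import ipaddress
from typing import Dict, List

# Static NAT rule-sets as posted (public -> private), keyed by the interface
# named in each rule-set's "from interface" clause.
STATIC_RULE_SETS: Dict[str, Dict[str, str]] = {
    "vlan.10": {
        "220.241.34.148": "192.168.1.8",    # rule mail1
        "220.241.34.149": "192.168.1.10",   # rule ftp1
        "220.241.34.147": "192.168.1.154",  # rule cctv1
    },
    "vlan.20": {
        "203.185.47.50": "192.168.1.8",     # rule mail2
        "203.185.47.49": "192.168.1.10",    # rule ftp2
    },
}

# Interface addresses. 220.241.34.146 on vlan.10 is stated in the thread; the
# /24 mirrors the obfuscated config and is an assumption. The vlan.20 address
# is not in the thread and is a hypothetical placeholder.
INTERFACE_ADDRS: Dict[str, str] = {
    "vlan.10": "220.241.34.146/24",
    "vlan.20": "203.185.47.51/24",  # hypothetical
}


def needs_proxy_arp(iface_addr: str, public_ip: str) -> bool:
    """Proxy ARP is required when the public address is on the interface's
    subnet (the upstream router will ARP for it directly) but is not the
    interface's own address (which the SRX answers for anyway). Addresses
    outside the subnet are routed to the SRX and need no proxy ARP."""
    iface = ipaddress.ip_interface(iface_addr)
    ip = ipaddress.ip_address(public_ip)
    return ip in iface.network and ip != iface.ip


def proxy_arp_statements(rule_sets: Dict[str, Dict[str, str]],
                         addrs: Dict[str, str]) -> List[str]:
    """Junos set commands for every mapped public address that needs proxy ARP."""
    stmts = []
    for iface, mapping in rule_sets.items():
        for public_ip in sorted(mapping, key=ipaddress.ip_address):
            if needs_proxy_arp(addrs[iface], public_ip):
                stmts.append(f"set security nat proxy-arp interface {iface} "
                             f"address {public_ip}/32")
    return stmts


def proxy_arp_gaps(rule_sets: Dict[str, Dict[str, str]], addrs: Dict[str, str],
                   configured: List[str]) -> List[str]:
    """Audit helper: required statements that are missing from `configured`."""
    return [s for s in proxy_arp_statements(rule_sets, addrs) if s not in configured]


if __name__ == "__main__":
    for stmt in proxy_arp_statements(STATIC_RULE_SETS, INTERFACE_ADDRS):
        print(stmt)
```

Proxy ARP is configured per interface, so a host that is mapped on both ISP links (192.168.1.8 and 192.168.1.10 above) needs a statement under each interface; `proxy_arp_gaps` can be fed the `set security nat proxy-arp` lines from `show configuration | display set` to spot which ones are missing.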