SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Static NAT issue

    Posted 09-07-2015 05:21

    Hi,

    I recently configured a static NAT entry to access my internal mail server via my external IP address (due to my SSL certificate).

    I've done this for many other mail servers in my company. This new one doesn't work as it should.

    Strange thing is that my Mac OS has no problems with this!

    Here's what I see, when I access this IP:

    Access from Mac:

    show security flow session source-prefix 192.168.8.39 destination-prefix 86.103.130.70    
    node0:
    --------------------------------------------------------------------------
    
    Session ID: 13086, Policy name: intra_zone/286, State: Active, Timeout: 1770, Valid
      In: 192.168.8.39/57325 --> 86.103.130.70/443;tcp, If: reth1.1, Pkts: 15, Bytes: 3586
      Out: 192.168.8.13/443 --> 192.168.8.110/40048;tcp, If: reth1.1, Pkts: 9, Bytes: 6785
    Total sessions: 1
    
    node1:
    --------------------------------------------------------------------------
    
    Session ID: 498650, Policy name: intra_zone/286, State: Backup, Timeout: 14384, Valid
      In: 192.168.8.39/57325 --> 86.103.130.70/443;tcp, If: reth1.1, Pkts: 0, Bytes: 0
      Out: 192.168.8.13/443 --> 192.168.8.110/40048;tcp, If: reth1.1, Pkts: 0, Bytes: 0
    Total sessions: 1

    works fine!

    Now from Windows (tried many):

    show security flow session source-prefix 192.168.8.15 destination-prefix 86.103.130.70   
    node0:
    --------------------------------------------------------------------------
    
    Session ID: 387543, Policy name: intra_zone/286, State: Active, Timeout: 8, Valid
      In: 192.168.8.15/61610 --> 86.103.130.70/443;tcp, If: reth1.1, Pkts: 3, Bytes: 144
      Out: 192.168.8.13/443 --> 192.168.8.15/61610;tcp, If: reth1.1, Pkts: 0, Bytes: 0
    Total sessions: 1
    
    node1:
    --------------------------------------------------------------------------
    
    Session ID: 7543, Policy name: intra_zone/286, State: Backup, Timeout: 14392, Valid
      In: 192.168.8.15/61610 --> 86.103.130.70/443;tcp, If: reth1.1, Pkts: 0, Bytes: 0
      Out: 192.168.8.13/443 --> 192.168.8.15/61610;tcp, If: reth1.1, Pkts: 0, Bytes: 0
    Total sessions: 1

    As you can see: the traffic going out is routed directly from 192.168.8.13 (mail server) to 192.168.8.15 (Win PC), not NAT'ed to 192.168.8.110 (SRX240).

    Here's my static NAT:

    set security nat static rule-set static_nat_tf from zone transfair
    set security nat static rule-set static_nat_tf from zone untrust
    
    set security nat static rule-set static_nat_tf rule exch_tf_443 match destination-address 86.103.130.70/32
    set security nat static rule-set static_nat_tf rule exch_tf_443 match destination-port 443
    set security nat static rule-set static_nat_tf rule exch_tf_443 then static-nat prefix 192.168.8.13/32
    set security nat static rule-set static_nat_tf rule exch_tf_443 then static-nat prefix mapped-port 443

    policy:

    show security policies from-zone transfair to-zone transfair 
    node0:
    --------------------------------------------------------------------------
    From zone: transfair, To zone: transfair
      Policy: intra_zone, State: enabled, Index: 286, Scope Policy: 0, Sequence number: 1
        Source addresses: any
        Destination addresses: any
        Applications: any
        Action: permit

    Am I overlooking something?

    Regards

    Andy



  • 2.  RE: Static NAT issue

    Posted 09-07-2015 05:35

    Hi MetzingerAn,

    If you look at the second case, where the traffic is not flowing, the out (return) flow has 0 packets and 0 bytes, which means the return traffic is not coming to the firewall.

     

    Please check what is causing the return traffic to fail in this case.

    As you also pointed out, the traffic for Windows is not getting NATted, which is the issue.

    Also I noted the security policy is from transfair to transfair while the static NAT is from transfair to untrust.



  • 3.  RE: Static NAT issue
    Best Answer

    Posted 09-07-2015 05:35

    Hello,

    So clearly this shows that the static NAT which is meant to be hit is not hit. So here I guess we are doing hairpin NAT, wherein you are trying to access your internal web server using the public IP.

    So as a workaround, can you try doing a source NAT interface from "transfair" to "transfair" and check if that helped.

    Ref: http://kb.juniper.net/InfoCenter/index?page=content&id=KB24639



  • 4.  RE: Static NAT issue

    Posted 09-07-2015 05:55

    Hi Sam,

    Therefore I have to delete my static NAT config, right?

    What I don't understand is, why is this (static NAT) working with other mail servers?

    Regards

    Andy



  • 5.  RE: Static NAT issue

    Posted 09-07-2015 06:08

    Hi Sam,

    what I totally forgot: I had already configured this for testing purposes months ago...

    And what I configured in the source rule-set rule was only my mac (192.168.8.39/32)...

    I changed it to 192.168.8.0/24 and guess what... ;)

    Thanks, Sam, for pointing out my mistake.

    Andy
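    The hairpin workaround from replies 3 and 5, written out as Junos set commands. This is an added example, not configuration from the original post or from KB24639; the static NAT lines are the poster's own, the source NAT rule-set and rule names (hairpin_tf, hairpin_exch) are assumed, and it assumes the source NAT rule is matched against the destination address after static NAT has already translated it to 192.168.8.13.

```junos
# Hairpin (NAT reflection): a LAN client in zone transfair connects to the
# public address 86.103.130.70:443. Static NAT rewrites the destination to the
# internal mail server 192.168.8.13. Without source NAT the server replies
# straight to the client on the same LAN, bypassing the SRX, so the session's
# Out flow stays at 0 packets. Interface source NAT makes the reply return via
# the SRX (192.168.8.110 on reth1.1), which is what the working Mac session shows.

# Static NAT from the original post (unchanged).
set security nat static rule-set static_nat_tf from zone transfair
set security nat static rule-set static_nat_tf from zone untrust
set security nat static rule-set static_nat_tf rule exch_tf_443 match destination-address 86.103.130.70/32
set security nat static rule-set static_nat_tf rule exch_tf_443 match destination-port 443
set security nat static rule-set static_nat_tf rule exch_tf_443 then static-nat prefix 192.168.8.13/32
set security nat static rule-set static_nat_tf rule exch_tf_443 then static-nat prefix mapped-port 443

# Source NAT for intra-zone (transfair -> transfair) traffic to the mail server.
# Reply 5's lesson: match the whole LAN (192.168.8.0/24), not a single test host
# such as 192.168.8.39/32, or only that host will hairpin correctly.
# Assumption: static NAT runs before source NAT, so destination-address here is
# the translated internal server address, not the public one.
set security nat source rule-set hairpin_tf from zone transfair
set security nat source rule-set hairpin_tf to zone transfair
set security nat source rule-set hairpin_tf rule hairpin_exch match source-address 192.168.8.0/24
set security nat source rule-set hairpin_tf rule hairpin_exch match destination-address 192.168.8.13/32
set security nat source rule-set hairpin_tf rule hairpin_exch then source-nat interface
```

    After commit, a Windows client's session should look like the Mac one above: the Out flow returns to 192.168.8.110 instead of the client, with non-zero packets. One side effect worth knowing: the mail server now logs 192.168.8.110 as the client for every hairpinned connection, so correlating mail-server logs by source IP for internal clients needs the SRX session table instead.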



  • 6.  RE: Static NAT issue

    Posted 09-07-2015 06:36

    Hello MetzingerAn,

    Glad it helped ;)