Hi,
I recently configured a static NAT entry to access my internal mail server via my external IP address (due to my SSL certificate).
I've done this for many other mail servers in my company. This new one doesn't work as it should.
The strange thing is that my Mac OS has no problems with this!
Here's what I see when I access this IP:
Access from Mac:
show security flow session source-prefix 192.168.8.39 destination-prefix 86.103.130.70
node0:
--------------------------------------------------------------------------
Session ID: 13086, Policy name: intra_zone/286, State: Active, Timeout: 1770, Valid
In: 192.168.8.39/57325 --> 86.103.130.70/443;tcp, If: reth1.1, Pkts: 15, Bytes: 3586
Out: 192.168.8.13/443 --> 192.168.8.110/40048;tcp, If: reth1.1, Pkts: 9, Bytes: 6785
Total sessions: 1
node1:
--------------------------------------------------------------------------
Session ID: 498650, Policy name: intra_zone/286, State: Backup, Timeout: 14384, Valid
In: 192.168.8.39/57325 --> 86.103.130.70/443;tcp, If: reth1.1, Pkts: 0, Bytes: 0
Out: 192.168.8.13/443 --> 192.168.8.110/40048;tcp, If: reth1.1, Pkts: 0, Bytes: 0
Total sessions: 1
Works fine!
Now from Windows (tried many):
show security flow session source-prefix 192.168.8.15 destination-prefix 86.103.130.70
node0:
--------------------------------------------------------------------------
Session ID: 387543, Policy name: intra_zone/286, State: Active, Timeout: 8, Valid
In: 192.168.8.15/61610 --> 86.103.130.70/443;tcp, If: reth1.1, Pkts: 3, Bytes: 144
Out: 192.168.8.13/443 --> 192.168.8.15/61610;tcp, If: reth1.1, Pkts: 0, Bytes: 0
Total sessions: 1
node1:
--------------------------------------------------------------------------
Session ID: 7543, Policy name: intra_zone/286, State: Backup, Timeout: 14392, Valid
In: 192.168.8.15/61610 --> 86.103.130.70/443;tcp, If: reth1.1, Pkts: 0, Bytes: 0
Out: 192.168.8.13/443 --> 192.168.8.15/61610;tcp, If: reth1.1, Pkts: 0, Bytes: 0
Total sessions: 1
As you can see, the traffic going out is routed directly from 192.168.8.13 (mail server) to 192.168.8.15 (Win PC), not NAT'ed to 192.168.8.110 (SRX240).
Here's my static NAT:
set security nat static rule-set static_nat_tf from zone transfair
set security nat static rule-set static_nat_tf from zone untrust
set security nat static rule-set static_nat_tf rule exch_tf_443 match destination-address 86.103.130.70/32
set security nat static rule-set static_nat_tf rule exch_tf_443 match destination-port 443
set security nat static rule-set static_nat_tf rule exch_tf_443 then static-nat prefix 192.168.8.13/32
set security nat static rule-set static_nat_tf rule exch_tf_443 then static-nat prefix mapped-port 443
Policy:
show security policies from-zone transfair to-zone transfair
node0:
--------------------------------------------------------------------------
From zone: transfair, To zone: transfair
Policy: intra_zone, State: enabled, Index: 286, Scope Policy: 0, Sequence number: 1
Source addresses: any
Destination addresses: any
Applications: any
Action: permit
Am I overlooking something?
Regards
Andy
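The two session dumps above differ in exactly one place: the Mac session's Out wing goes from 192.168.8.13 to 192.168.8.110 (the SRX's reth1.1 address), while the Windows session's Out wing goes straight back to 192.168.8.15. Static NAT only rewrites the destination; for a client on the same zone as the server the reply has to be pulled back through the SRX with a source NAT rule as well, otherwise the server answers the client directly with a source address the client never connected to, and the session dies after a few packets (Pkts: 3, Timeout: 8). The following is an added example, not Andy's configuration or output. It assumes the transfair zone is the 192.168.8.0/24 subnet and uses hypothetical rule-set and rule names; it is meant to be added alongside the posted static NAT rule-set, not to replace it.

```junos
# Added example, not from the original post. Assumptions: transfair zone is
# 192.168.8.0/24; "hairpin_tf" and "exch_hairpin" are hypothetical names.
#
# Source NAT is evaluated after static NAT, so the destination match here is
# the translated server address 192.168.8.13, not the public 86.103.130.70.
# For transfair -> transfair sessions to the mail server, rewrite the client
# source to the reth1.1 address so the server's replies come back via the SRX.
set security nat source rule-set hairpin_tf from zone transfair
set security nat source rule-set hairpin_tf to zone transfair
set security nat source rule-set hairpin_tf rule exch_hairpin match source-address 192.168.8.0/24
set security nat source rule-set hairpin_tf rule exch_hairpin match destination-address 192.168.8.13/32
set security nat source rule-set hairpin_tf rule exch_hairpin then source-nat interface
commit

# Verify: rule hit counters, then the session wings for a Windows client test.
show security nat static rule all
show security nat source rule all
show security flow session source-prefix 192.168.8.15 destination-prefix 86.103.130.70
```

After the commit, a working session from the Windows PC should show the same shape as the Mac session: an Out wing of the form 192.168.8.13/443 --> 192.168.8.110/<port> rather than --> 192.168.8.15/<port>. Since the Mac session is already being translated that way, the likely difference is an existing source NAT rule whose source-address match covers 192.168.8.39 but not 192.168.8.15; `show security nat source rule all` shows the match conditions and hit counts to confirm that. One caveat with interface source NAT: the mail server's connection logs will show 192.168.8.110 as the client for every hairpinned session, so the real internal client address is only visible in the SRX session table.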