SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Static NAT port range port overlapping.

    Posted 07-25-2015 05:28

    Hi all.

    I have an SRX650 cluster and I need some NAT configuration from one uplink port to a server cluster IP address.

    For some reason I have 3 IP addresses on the uplink port and a big port range from these addresses to one cluster IP address.

    Configuration must be like this:

     

    set security nat static rule-set GCI-49 from zone GCI
    set security nat static rule-set GCI-49 rule 8000-9300_to_front_from_49_50 match destination-address 10.1.49.50/32
    set security nat static rule-set GCI-49 rule 8000-9300_to_front_from_49_50 match destination-port 8000
    set security nat static rule-set GCI-49 rule 8000-9300_to_front_from_49_50 match destination-port to 9300
    set security nat static rule-set GCI-49 rule 8000-9300_to_front_from_49_50 then static-nat prefix 192.168.101.111/32
    set security nat static rule-set GCI-49 rule 8000-9300_to_front_from_49_50 then static-nat prefix mapped-port 8000
    set security nat static rule-set GCI-49 rule 8000-9300_to_front_from_49_50 then static-nat prefix mapped-port to 9300

     

    set security nat static rule-set GCI-49_53 from zone GCI49_53
    set security nat static rule-set GCI-49_53 rule 8000-9300_to_front_from_49_53 match destination-address 10.1.49.53/32
    set security nat static rule-set GCI-49_53 rule 8000-9300_to_front_from_49_53 match destination-port 8000
    set security nat static rule-set GCI-49_53 rule 8000-9300_to_front_from_49_53 match destination-port to 9300
    set security nat static rule-set GCI-49_53 rule 8000-9300_to_front_from_49_53 then static-nat prefix 192.168.101.111/32
    set security nat static rule-set GCI-49_53 rule 8000-9300_to_front_from_49_53 then static-nat prefix mapped-port 8000
    set security nat static rule-set GCI-49_53 rule 8000-9300_to_front_from_49_53 then static-nat prefix mapped-port to 9300

     

     

    but the commit does not pass because of port overlapping (the same range from 2 IPs to 1 IP address).

     

    I configured the 10.1.49.53 address on another port and it should work, but I do not want to use 2 different interfaces.

    Maybe a better workaround is available?

     

    Please help.

     

     

     



  • 2.  RE: Static NAT port range port overlapping.

    Posted 07-26-2015 04:09

    You will need to use Destination NAT for this application and not Static NAT.

     

    Static NAT means that the two IP addresses are connected on a 1-to-1 basis. This is why you cannot do this for two different addresses.

     

    With Destination NAT you can forward multiple address/port combinations to the same server as you desire.

     

    You may find these examples helpful.

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=TN81

     

    And a troubleshooting collection for NAT:

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB21922



  • 3.  RE: Static NAT port range port overlapping.

    Posted 07-26-2015 05:02

    You are right, but I need a port range, which is not supported in DNAT.

    I think it is not realistic to write 1000 rules in DNAT ((((

     



  • 4.  RE: Static NAT port range port overlapping.

     
    Posted 07-26-2015 22:54

    Hello ,

     

    I tested this in my lab box with exactly the same configuration as yours (Junos 12.1X44-D20.3). I was able to commit successfully.

     

    Did you try it via CLI or J-Web? I tested with CLI and it was a success for me:

     

    static {
        rule-set GCI-49 {
            from zone GCI;
            rule 8000-9300_to_front_from_49_50 {
                match {
                    destination-address 10.1.49.50/32;
                    destination-port 8000 to 9300;
                }
                then {
                    static-nat {
                        prefix {
                            192.168.101.111/32;
                            mapped-port 8000 to 9300;
                        }
                    }
                }
            }
        }
        rule-set GCI-49_53 {
            from zone GCI49_53;
            rule 8000-9300_to_front_from_49_53 {
                match {
                    destination-address 10.1.49.53/32;
                    destination-port 8000 to 9300;
                }
                then {
                    static-nat {
                        prefix {
                            192.168.101.111/32;
                            mapped-port 8000 to 9300;
                        }
                    }
                }
            }
        }
    }

    [edit]
    root@SRX# commit check
    configuration check succeeds

    [edit]
    root@SRX# commit
    commit complete.

     

    What is the error that you are getting when trying to commit? Please paste the error output.



  • 5.  RE: Static NAT port range port overlapping.

    Posted 07-27-2015 06:50

    The configuration which I posted here is working; as I wrote, I need the same in one zone and on one interface.

    I have 3 IP addresses on reth1.0 (10.1.49.50, 10.1.49.51, 10.1.49.53) and from all of them I need NAT to one IP address, 192.168.101.111. The configuration should be like this:

    set security nat static rule-set GCI-49 from zone GCI
    set security nat static rule-set GCI-49 rule 15k-16k_to_front_from_49_50 match destination-address 10.1.49.50/32
    set security nat static rule-set GCI-49 rule 15k-16k_to_front_from_49_50 match destination-port 15000
    set security nat static rule-set GCI-49 rule 15k-16k_to_front_from_49_50 match destination-port to 16000
    set security nat static rule-set GCI-49 rule 15k-16k_to_front_from_49_50 then static-nat prefix 192.168.101.111/32
    set security nat static rule-set GCI-49 rule 15k-16k_to_front_from_49_50 then static-nat prefix mapped-port 15000
    set security nat static rule-set GCI-49 rule 15k-16k_to_front_from_49_50 then static-nat prefix mapped-port to 16000

    set security nat static rule-set GCI-49 rule 15k-16k_to_front_from_49_52 match destination-address 10.1.49.52/32
    set security nat static rule-set GCI-49 rule 15k-16k_to_front_from_49_52 match destination-port 15000
    set security nat static rule-set GCI-49 rule 15k-16k_to_front_from_49_52 match destination-port to 16000
    set security nat static rule-set GCI-49 rule 15k-16k_to_front_from_49_52 then static-nat prefix 192.168.101.111/32
    set security nat static rule-set GCI-49 rule 15k-16k_to_front_from_49_52 then static-nat prefix mapped-port 15000
    set security nat static rule-set GCI-49 rule 15k-16k_to_front_from_49_52 then static-nat prefix mapped-port to 16000

     

    I understand that it is not normal for static NAT, and I don't understand how, but for example WatchGuard does it.

    Now I have to migrate from WatchGuard to SRX and it is a real pain.

     

     



  • 6.  RE: Static NAT port range port overlapping.
    Best Answer

     
    Posted 07-27-2015 23:07

    Hello ,

     

    So basically, you have 3 IPs on the reth0 interface (10.1.49.50, 10.1.49.51, 10.1.49.53) and you need to NAT them all to the single IP 192.168.101.111 on that same port range. If this is correct, then we cannot achieve this if we specify a port range, and it throws an error on static NAT.

     

    Instead of doing this, create a destination NAT rule without specifying ports and allow only those ports that need access in the security policies. By this you will achieve what you want and can block the rest of the ports using security policies and check against security threats on other ports.

     

    This is an easy and simple fix for our issue. Do not try to block everything using NAT; there is the security policy, so make use of it also ;)

     

    set security nat destination pool test address 192.168.101.111/32
    set security nat destination rule-set test from zone GCI
    set security nat destination rule-set test rule 1 match destination-address 10.1.49.50/32
    set security nat destination rule-set test rule 1 then destination-nat pool test
    set security nat destination rule-set test rule 2 match destination-address 10.1.49.51/32
    set security nat destination rule-set test rule 2 then destination-nat pool test
    set security nat destination rule-set test rule 3 match destination-address 10.1.49.52/32
    set security nat destination rule-set test rule 3 then destination-nat pool test
    set security nat destination rule-set test rule 4 match destination-address 10.1.49.53/32
    set security nat destination rule-set test rule 4 then destination-nat pool test

     

     

    root@100-5# show security policies
    from-zone GCI to-zone trust {
        policy test {
            match {
                source-address clients;
                destination-address [ 10.1.49.50 10.1.49.51 10.1.49.52 10.1.49.53 ];
                application [ TCP-15000-16000 TCP-8000-9300 ];
            }
            then {
                permit;
            }
        }
    }

     

     

     

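The 1-to-1 constraint described above can be checked before a commit is attempted. The following script is an added example, not code from the thread or from Juniper: it parses set-style `set security nat static ...` lines, groups rules by the `static-nat prefix` they map to, and reports any pair of rules that map different destination addresses onto the same prefix with overlapping `mapped-port` ranges. The sample configuration embedded in it is constructed from the original post's two rules; a rule without a `mapped-port` range is treated as mapping all ports.

```python
"""Pre-commit check for the static NAT conflict in this thread: two static rules
mapping different destination addresses onto one prefix with overlapping
mapped-port ranges break the 1-to-1 rule and fail commit."""
import re
from collections import defaultdict

# Constructed sample (set-style), modelled on the original post's two rules.
SAMPLE_CONFIG = """
set security nat static rule-set GCI-49 from zone GCI
set security nat static rule-set GCI-49 rule r50 match destination-address 10.1.49.50/32
set security nat static rule-set GCI-49 rule r50 then static-nat prefix 192.168.101.111/32
set security nat static rule-set GCI-49 rule r50 then static-nat prefix mapped-port 8000
set security nat static rule-set GCI-49 rule r50 then static-nat prefix mapped-port to 9300
set security nat static rule-set GCI-49 rule r53 match destination-address 10.1.49.53/32
set security nat static rule-set GCI-49 rule r53 then static-nat prefix 192.168.101.111/32
set security nat static rule-set GCI-49 rule r53 then static-nat prefix mapped-port 8000
set security nat static rule-set GCI-49 rule r53 then static-nat prefix mapped-port to 9300
"""
RULE_RE = re.compile(r"^set security nat static rule-set (\S+) rule (\S+) (.*)$")

def parse_static_rules(config):
    """Map (rule-set, rule) -> {dst, prefix, mapped}; mapped is [low, high]."""
    rules = defaultdict(lambda: {"dst": None, "prefix": None, "mapped": [None, None]})
    for line in config.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # 'from zone' and match destination-port lines carry no mapping
        key, rest = (m.group(1), m.group(2)), m.group(3)
        if rest.startswith("match destination-address "):
            rules[key]["dst"] = rest.split()[-1]
        elif rest.startswith("then static-nat prefix mapped-port to "):
            rules[key]["mapped"][1] = int(rest.split()[-1])
        elif rest.startswith("then static-nat prefix mapped-port "):
            rules[key]["mapped"][0] = int(rest.split()[-1])
        elif rest.startswith("then static-nat prefix "):
            rules[key]["prefix"] = rest.split()[-1]
    return dict(rules)

def find_port_conflicts(rules):
    """Return (rule_a, rule_b, (low, high)) for every overlapping pair."""
    def port_range(r):  # no mapped-port means every port of the prefix
        return tuple(r["mapped"]) if None not in r["mapped"] else (1, 65535)
    conflicts, items = [], sorted(rules.items())
    for i, (name_a, a) in enumerate(items):
        for name_b, b in items[i + 1:]:
            if a["prefix"] != b["prefix"] or a["dst"] == b["dst"]:
                continue  # different targets, or the same 1-to-1 mapping
            lo = max(port_range(a)[0], port_range(b)[0])
            hi = min(port_range(a)[1], port_range(b)[1])
            if lo <= hi:
                conflicts.append((name_a, name_b, (lo, hi)))
    return conflicts
```

Running `find_port_conflicts(parse_static_rules(SAMPLE_CONFIG))` reports the r50/r53 pair on ports 8000-9300, which is exactly the overlap the commit rejects; moving one rule to a disjoint range (or switching to the destination NAT plus security policy approach above) clears it.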


  • 7.  RE: Static NAT port range port overlapping.

    Posted 07-28-2015 11:31

    Thank you !

    It is really a good solution.

    But now I have one more problem.

    This host (192.168.101.111) accepts connections only from the gateway (192.168.101.254).

    How to do such a configuration?

    I think that I should do one more source NAT, something like this:

     

    set security nat source pool TRUST_ADDRESS address 192.168.101.254/32
    set security nat source rule-set to_CLUSTER from zone GCI
    set security nat source rule-set to_CLUSTER to zone servers
    set security nat source rule-set to_CLUSTER rule r1 match source-address 0.0.0.0/0
    set security nat source rule-set to_CLUSTER rule r1 match destination-address 192.168.101.111/32
    set security nat source rule-set to_CLUSTER rule r1 then source-nat pool TRUST_ADDRESS



  • 8.  RE: Static NAT port range port overlapping.

     
    Posted 07-28-2015 21:55

    Hello ,

     

    Yes, that should do the trick.



  • 9.  RE: Static NAT port range port overlapping.

    Posted 07-29-2015 02:19

    Thank you very much for your answers!!!

    You saved my day.

    God bless you!