SRX Services Gateway
Contributor
ccorkrum

Static-nat question

I currently have a static-nat configured with a single rule publishing http/https and it has been working well, but now I have a need to add an additional web server hosting other webpages. I added a second rule listening on a separate external IP (added to the proxy-arp table) and created policies to allow access from untrust to dmz for http/https on that internal IP. Now everything seemed to get sluggish and I get a lot of dropped connections on the first rule for the static-nat. Should I have a separate static-nat and rule for each machine on the dmz I publish? I am using 10.4R3.2 firmware.

I am currently working on splitting up my DMZ into anonymous and authenticated zones to see if that would make a difference.

Thanks

Distinguished Expert
firewall72

Re: Static-nat question

Hi,
I would recommend a single static NAT ruleset and a rule for each public IP.  Don't forget your proxy-arp entry and policies.  I'm not aware of any issues that would cause your issue.  Feel free to post your config and we can have a look.

 

John

John Judge
JNCIS-SEC, JNCIS-ENT,

If this solves your problem, please mark this post as "Accepted Solution". Kudos are appreciated.
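To make the recommendation above concrete, here is an added example of the layout John describes (one static NAT rule-set, one rule per public IP, plus the proxy-arp entries and a policy). It is not either poster's configuration; the interface name, zone names, rule names and all addresses are assumptions, and the addresses use documentation ranges rather than anything from the thread. Syntax follows the 10.4 style the original poster is running (zone-scoped address book, `then static-nat prefix`).

```junos
## Added example, not the poster's config. ge-0/0/0.0 is assumed to be the untrust interface.
## Two published web servers, each with its own public IP and its own static NAT rule,
## both living in ONE rule-set that matches traffic arriving from the untrust zone.
set security nat static rule-set publish-web from zone untrust
set security nat static rule-set publish-web rule web1 match destination-address 203.0.113.10/32
set security nat static rule-set publish-web rule web1 then static-nat prefix 192.168.10.10/32
set security nat static rule-set publish-web rule web2 match destination-address 203.0.113.11/32
set security nat static rule-set publish-web rule web2 then static-nat prefix 192.168.10.11/32

## Proxy-ARP: the SRX must answer ARP for every public IP that is not its own interface address,
## otherwise upstream routers never forward the traffic to it. One entry per published IP.
set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.10/32
set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.11/32

## Address book on the DMZ zone. Policies are evaluated AFTER static NAT, so the policy
## destination must be the internal (translated) address, not the public one.
set security zones security-zone dmz address-book address web1-int 192.168.10.10/32
set security zones security-zone dmz address-book address web2-int 192.168.10.11/32

## Least-privilege policy: only HTTP/HTTPS, only to the two published hosts, nothing else from untrust.
set security policies from-zone untrust to-zone dmz policy allow-web match source-address any
set security policies from-zone untrust to-zone dmz policy allow-web match destination-address [ web1-int web2-int ]
set security policies from-zone untrust to-zone dmz policy allow-web match application [ junos-http junos-https ]
set security policies from-zone untrust to-zone dmz policy allow-web then permit
set security policies from-zone untrust to-zone dmz policy allow-web then log session-init session-close
```

Two points worth keeping in mind when extending this for a third or fourth server: every new public IP needs its own proxy-arp line, and the policy should keep naming the internal hosts explicitly rather than widening to `destination-address any`, which would expose any other DMZ host reachable through a later NAT rule.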
Contributor
ccorkrum

Re: Static-nat question

Thanks, I found the issue. At some point my secondary in the cluster took over and the routing engine "I think" didn't turn on; after restarting the whole cluster everything is working fine. What was odd though was my old rules continued to work but anything new that was being published to the internet failed. After resetting everything though all is good.

Distinguished Expert
firewall72

Re: Static-nat question

Thanks for the update. I would use "show chassis cluster status" to check the health of your cluster. Feel free to share the results.

John
John Judge
JNCIS-SEC, JNCIS-ENT,
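As an added note on the follow-up above (not part of either poster's reply): the symptom described, existing NAT rules still passing traffic while newly committed ones never take effect, is the kind of control-plane/data-plane divergence that a few operational commands will surface without a cluster restart. The commands below are standard Junos CLI; the public IP used as a filter is an assumed documentation address, not one from the thread.

```junos
## Added example, not from the thread. Run these on the primary node of the cluster.

## Is the cluster healthy? Both nodes should be listed, one primary and one secondary per
## redundancy group, with no failover counts climbing unexpectedly.
show chassis cluster status
show chassis cluster interfaces

## Did the new static NAT rule actually reach the data plane? A rule that is in the
## candidate/committed configuration but absent here explains "old works, new fails".
show security nat static rule all

## Are sessions being created for the newly published public IP? (203.0.113.11 is an
## assumed address; use the public IP you just added.) No sessions while the client sees
## connection failures points at NAT or proxy-arp, not at the server.
show security flow session destination-prefix 203.0.113.11
```

Checking these before and after a commit gives a defensible record of whether a reported outage was a configuration error or, as in this case, a node that failed over without fully coming up.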