SRX

Hi, guys,

I have a not-so-standard request from our application team, please refer to the following topoloyg:

HostA (192.168.0.1/24), HostB(192.168.0.2/24) -----> (SRX trusted interface 192.168.0.254) SRX (untrusted 1.2.3.254/24)

Host A and host B are on the same subnet with default gateway being SRX's trust interface, the two hosts are statically NAT'd to public IP addresses 1.2.3.1 and 1.2.3.2 respectively

Now application needs that hostA talk to hostB -- via their public DNS names, aks their public IP addresses (split DNS is not yet implemented), would SRX be able to do that?

Thanks,

You said "not yet" in there, so I'm guessing this would be "temporary" ...

I'm not sure if the SRX will do it, but you could hack the setup by assigning 1.2.3.1 and 1.2.3.2 as secondary IPs on Host A and Host B so they'd talk to each other.

Thanks, that hack won't work for us,  hosts are actually empheral (one reason why split DNS implementation is not trivial), the NAT entries on SRX are configured programatically.

Well, in that case, why not D-NAT + S-NAT from the trusted zone to the trusted zone...

Also, this:

http://66.129.228.18/techpubs/en_US/junos15.1x49-d60/topics/concept/nat-hairpinning-overview.html

Take a look at these articles and see if anyone address your situation

https://kb.juniper.net/InfoCenter/index?page=content&id=KB24639&actp=search

https://www.juniper.net/techpubs/en_US/junos12.1x46/topics/example/nat-hairpinning-configuring.html

https://www.juniper.net/documentation/en_US/junos12.1x47/topics/concept/nat-hairpinning-overview.html

Since I have static NAT mapping for every host, I simply allowed intra-zone traffic in security policy and hairpining just worked!

As I understand you scenario, you will need to convert off of static nat and start using the combination of destination and source nat in order to accomplish the hairpin.  You should be able to do that programatically as well it will just be more configuration items.

Hello,

Can you give me relevant configuration of the existing NAT on the device for Host A & Host B?

I think there is a way to achieve this.

Regards,

Rushi

Hello,

Logically speaking, this should work with configuration below:

Part 1)  Add a context of zone trust (in addition to untrust) for the static NAT.

root# show security nat static
rule-set test {
from zone [ trust untrust ];
rule for-host-A {
match {
destination-address 1.2.3.1/32;
}
then {
static-nat {
prefix {
192.168.0.1/32;
}
}
}
}
rule to-host-B {
match {
destination-address 1.2.3.2/32;
}
then {
static-nat {
prefix {
192.168.0.2/32;
}
}
}
}
}

[edit]
root#

Part 2) Configure source NAT interface for any source in 192.168.1.0/24 subnet going to public IPs of Host A & Host B so that direct communication between two hosts can be avoided for the reply traffic.

root# show security nat source
rule-set hair-pin-part-1 {
from zone trust;
to zone trust;
rule hostA {
match {
source-address 192.168.1.0/24;
destination-address 1.2.3.1/32;
}
then {
source-nat {
interface;
}
}
}
}
rule-set hair-pin-part-2 {
from zone trust;
to zone trust;
rule hostB {
match {
source-address 192.168.1.0/24;
destination-address 1.2.3.2/32;
}
then {
source-nat {
interface;
}
}
}
}

Let me know if you have any query.

Regards,

Rushi