SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  external to internal loop back

    Posted 08-01-2013 11:37
    Hi guys,

I have a customer with OWA who has an external A record pointing to an IP address which has port 443 directed to OWA in IIS.

When using the external URL, e.g. mail.customer.co.UK, externally he gets the OWA page; however, when using the same URL internally it just times out.

I am sure this is something to do with loopback.

How do I configure it?

    Thanks


  • 2.  RE: external to internal loop back

    Posted 08-01-2013 15:14

    If they query DNS for the record on the internal network, do they get a response?

    (test with dig, host, nslookup, etc.)

     

    It could be a simple matter of publishing the record into the proper DNS view.  If it's an issue with private->public IP translation (NAT, load balancer, etc.) then perhaps the DNS ALG could be helpful, but I would be sure of the root cause of the issue before throwing possible fixes at it.

     



  • 3.  RE: external to internal loop back

    Posted 08-01-2013 23:50
You can actually tracert the hostname, nslookup the hostname and ping the hostname.

I don't think NAT or DNS is the issue; the website works fine externally, it just can't be used internally with the external hostname.

On the old ZyXELs I had a similar issue and it was resolved by putting in a loopback address.

I am not sure if that's the correct way of doing it on the Junipers. Thanks



  • 4.  RE: external to internal loop back

    Posted 08-02-2013 02:12

keithr suggested verifying proper DNS configuration.

Additionally, here is a suggestion.

The solution will depend on the config. Is the DNS server located internally also?
Unless you have disabled DNS ALG, it should already be enabled by default if you are running some version 11.x or greater.
Try to connect to the OWA URL from an internal host, then:
>show security flow session
>show security alg status | match dns

Post the output of this session and look where the response is coming from; that will tell you why the internal host cannot access it.

1-Try this (destination NAT for trust-zone clients hitting the public OWA address):
#set security nat destination pool owa-access-in-2-out address <ip_owa_server>
#set security nat destination rule-set int-owa-access from zone <your_internal_trust_zone>
#set security nat destination rule-set int-owa-access rule 1 match source-address <int_network/24>
#set security nat destination rule-set int-owa-access rule 1 match destination-address <ext_owa/32>
#set security nat destination rule-set int-owa-access rule 1 match destination-port 443
#set security nat destination rule-set int-owa-access rule 1 then destination-nat pool owa-access-in-2-out

2-The solution may well also need a source NAT rule for the local hosts, so the reply from the destination host comes back via the SRX (double NAT).



  • 5.  RE: external to internal loop back
    Best Answer

    Posted 08-02-2013 13:38

Hi guys, :)

After some searching and speaking to a guy at Juniper,

I did the following:

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB24639

    How to setup Hairpin NAT

     



  • 6.  RE: external to internal loop back

    Posted 08-02-2013 13:44

Your solution may work as well.

(I've not tried it.)

But I have an internal DNS server (Windows Server 2008).

DNS ALG is enabled on the router.

I had put the source and destination NATs in, but it wanted a trust-to-trust policy. This was created, but at some point during testing I had disabled it.
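Putting the three pieces of this thread together (post 4's destination NAT, its "double NAT" source NAT, and the trust-to-trust policy post 6 found was missing), here is a complete hairpin NAT configuration in Junos set syntax. It is an added example written for this page, not the content of KB24639 and not any poster's actual config. The topology is constructed: untrust zone on ge-0/0/0.0 with the public OWA address 203.0.113.10 (what the A record resolves to), trust zone on ge-0/0/1.0 as 10.1.1.1/24, OWA/IIS server 10.1.1.10, internal clients in 10.1.1.0/24. All names (owa-server, owa-hairpin-dst, owa-hairpin-src, owa-443, owa-hairpin) are arbitrary.

```junos
## Assumed topology (constructed for this example, not from the thread):
##   untrust zone: ge-0/0/0.0, public OWA address 203.0.113.10 (the external A record)
##   trust zone:   ge-0/0/1.0 = 10.1.1.1/24, OWA/IIS server 10.1.1.10, clients 10.1.1.0/24
## Lines starting with ## are annotations; drop them before pasting into the CLI.

## 1. Destination NAT: a trust-zone client connecting to the public address on
##    tcp/443 is redirected to the internal server. DNAT is evaluated before
##    the policy lookup, so the later policy must match the internal address.
set security nat destination pool owa-server address 10.1.1.10/32 port 443
set security nat destination rule-set owa-hairpin-dst from zone trust
set security nat destination rule-set owa-hairpin-dst rule owa-443 match source-address 10.1.1.0/24
set security nat destination rule-set owa-hairpin-dst rule owa-443 match destination-address 203.0.113.10/32
set security nat destination rule-set owa-hairpin-dst rule owa-443 match destination-port 443
set security nat destination rule-set owa-hairpin-dst rule owa-443 then destination-nat pool owa-server

## 2. Source NAT (the "double NAT"): rewrite the client source to the SRX trust
##    interface address so the server's reply is sent back to the SRX, which
##    un-translates it to 203.0.113.10. Without this the server answers the
##    client directly on the LAN; the client sees a reply from 10.1.1.10 when
##    it is expecting 203.0.113.10, drops it, and the connection times out,
##    which is exactly the symptom in post 1. The source rule is matched on
##    the post-DNAT destination, hence 10.1.1.10 rather than the public IP.
set security nat source rule-set owa-hairpin-src from zone trust
set security nat source rule-set owa-hairpin-src to zone trust
set security nat source rule-set owa-hairpin-src rule owa-443 match source-address 10.1.1.0/24
set security nat source rule-set owa-hairpin-src rule owa-443 match destination-address 10.1.1.10/32
set security nat source rule-set owa-hairpin-src rule owa-443 then source-nat interface

## 3. Policy: traffic enters and leaves the trust zone, so intra-zone traffic
##    must be explicitly permitted (the piece post 6 had disabled). Scope it to
##    the server and to HTTPS instead of any/any.
set security zones security-zone trust address-book address owa-server 10.1.1.10/32
set security policies from-zone trust to-zone trust policy owa-hairpin match source-address any
set security policies from-zone trust to-zone trust policy owa-hairpin match destination-address owa-server
set security policies from-zone trust to-zone trust policy owa-hairpin match application junos-https
set security policies from-zone trust to-zone trust policy owa-hairpin then permit
set security policies from-zone trust to-zone trust policy owa-hairpin then log session-close

## 4. Verification after commit: browse to https://mail.customer.co.UK from an
##    internal client, then in operational mode:
##      show security nat destination rule all     ("Translation hits" for owa-443 increments)
##      show security nat source rule all          (same for the source rule)
##      show security flow session destination-port 443
##    The session should show the client -> 203.0.113.10:443 wing on the "In"
##    side and 10.1.1.10:443 -> 10.1.1.1:<port> on the "Out" side, i.e. both
##    translations applied.
```

Two caveats. First, the zone address book above is the legacy style; if the device already uses the global address book (`set security address-book global ...`), define `owa-server` there instead, since the two styles cannot be mixed. Second, interface source NAT means every internal OWA login appears in the IIS logs as coming from 10.1.1.1, which weakens the audit trail; keithr's split-horizon DNS approach (an internal zone for mail.customer.co.UK resolving to 10.1.1.10) avoids hairpinning entirely and keeps real client addresses in the server logs, so it is the better fix where the DNS server is under your control, as it was for the original poster.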