SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  getting traffic to route to the untrust interface (inter-vlan routing)

    Posted 09-28-2011 01:42

    I am trying to reach other IPs outside my VLAN test network (Vlan 23 10.0.23.x). I can't ping anything but hosts within the VLAN and my outbound interface (untrust gateway IP). For example, the gateway x.x.x.x IP of the untrust can be pinged. But, I can't ping 8.8.8.8 for example (google DNS).

     

    For example

     

    MAC Address       Address         Name                      Interface           Flags
    00:18:ba:87:dd:c3 10.0.23.2       10.0.23.2                 vlan.23             none
    00:0e:d7:f2:b9:c0 10.0.23.101     10.0.23.101               vlan.23             none
    00:1f:12:39:f8:3f 10.0.23.102     10.0.23.102               vlan.23             none

     

    switch# ping 10.0.23.2
    
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.0.23.2, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

    Ping the untrust interface:

    switch#ping xxx.xxx.xxx.206

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to x.x.x.206, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

     

     

    I have the following configuration

     

    my_VLAN {
        vlan-id 23;
        l3-interface vlan.23;
    }

     

    ge-0/0/4 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members my_VLAN;
                }
            }
        }
    }

     

    show security policies from-zone test to-zone untrust
    policy test_to_internet {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }

     

    show security zones security-zone test
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        vlan.23;
        ge-0/0/4.0;
    }

     

    root@host# run show route

    inet.0: 13 destinations, 13 routes (13 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0          *[Static/5] 1w3d 04:09:59
                        > to xxx.xxx.xxx.201 via ge-0/0/14.0
    10.0.23.0/24       *[Direct/0] 6d 08:10:16
                        > via vlan.23
    10.0.23.1/32       *[Local/0] 6d 13:17:53
                          Local via vlan.23
    192.168.1.0/24     *[Direct/0] 6d 06:48:20
                        > via vlan.0
    192.168.1.1/32     *[Local/0] 2w1d 13:55:39
                          Local via vlan.0
    xxx.xxx.xxx.200/29    *[Direct/0] 1w3d 04:09:59
                        > via ge-0/0/14.0
    xxx.xxx.xxx.206/32    *[Local/0] 3w0d 10:24:43
                          Local via ge-0/0/14.0

     



  • 2.  RE: getting traffic to route to the untrust interface (inter-vlan routing)

    Posted 09-28-2011 08:54

    Hi,


    Can you include your NAT configuration?  Typically you would Source NAT outbound traffic from trust to untrust.



  • 3.  RE: getting traffic to route to the untrust interface (inter-vlan routing)

    Posted 09-28-2011 12:17

    I don't have a NAT configuration between my test vlan/zone and zone untrust. I guess I am used to ScreenOS and this would work via policy based routing.

     

    But, in SRX/Junos one needs to configure a src NAT policy between zones? I thought the layer 3 vlan would handle routing and security policies would determine security boundaries.

     

    TIA!



  • 4.  RE: getting traffic to route to the untrust interface (inter-vlan routing)
    Best Answer

    Posted 09-28-2011 12:23

    @wbathurst wrote:

    I don't have a NAT configuration between my test vlan/zone and zone untrust. I guess I am used to ScreenOS and this would work via policy based routing.

     

    But, in SRX/Junos one needs to configure a src NAT policy between zones? I thought the layer 3 vlan would handle routing and security policies would determine security boundaries.

     

    TIA!


    Your 10.x addresses won't be routable on the Internet, therefore NAT needs to happen somewhere.

     

    If you're used to ScreenOS, I suspect that perhaps you had your untrust interface in "NAT" mode vs. "Route" mode on the ScreenOS box.

     

    To do something like that in the SRX, you would do:

     

    security {
      nat {
        source {
          rule-set default-source-NAT {
            from zone trust;
            to zone untrust;
            rule match-all {
              match {
                source-address 0.0.0.0/0;
              }
              then {
                source-nat {
                  interface;
                }
              }
            }
          }
        }
      }
    }

     



  • 5.  RE: getting traffic to route to the untrust interface (inter-vlan routing)

    Posted 09-28-2011 18:04

    Thanks Kr!

     

    A very related question then... So if I wanted to do a MIP (ScreenOS for Mapped IP) from untrust into an email server would it be similar? For example, if my untrust interface IP was 210.10.13.206/29 and internal email server 192.168.1.32. Any SMTP connections made to 210.10.13.206 would be forwarded to 192.168.1.32 port 25.

     

    security {
      nat {
        source {
          rule-set default-source-NAT {
            from zone untrust;
            to zone trust; 
          }
    rule SMTP_TRAFFIC {
                match {
                    destination-address 210.10.13.206/32;
                    destination-port 25;
                }
                then {
                    destination-nat pool dst-nat-pool-192_168_1_32-25;
                }
            }
    } } }

    pool dst-nat-pool-192_168_1_32-25 {
            address 192.168.1.32/32 port 25;
    }



  • 6.  RE: getting traffic to route to the untrust interface (inter-vlan routing)

    Posted 09-29-2011 11:39

    @wbathurst wrote:

    Thanks Kr!

     

    A very related question then... So if I wanted to do a MIP (ScreenOS for Mapped IP) from untrust into an email server would it be similar? For example, if my untrust interface IP was 210.10.13.206/29 and internal email server 192.168.1.32. Any SMTP connections made to 210.10.13.206 would be forwarded to 192.168.1.32 port 25.


    ScreenOS MIP = Junos Static NAT

     

    ScreenOS VIP = Junos Destination NAT

     

    Those aren't 100% hard definitions, but they are the closest equivalents.  You can do some Destination NAT stuff with Static NAT, and vice-versa, but the basic concepts map similarly.

     

    With Static NAT, a public IP maps to an internal IP, a 1:1 correlation.  It's also bidirectional: incoming traffic is destination NATted to the private IP, and outgoing traffic is source NATted to the public IP.

     

    Destination NAT is more like a VIP -- you can break down your public IP by ports and map each port to different internal addresses.

     

    In the question you posed, since you're sharing the public IP of your untrust interface, you'd use destination NAT.

     

    The example code you gave won't work, because you're defining destination NAT rules in your static NAT configuration.  Be careful to watch where you are in the configuration.  You were close, however... just be sure to keep your source and destination NAT rules separate:

     

    security {
      nat {
        source {
          rule-set default-source-NAT {
            from zone trust;
            to zone untrust;
            rule match-all {
              match {
                source-address 0.0.0.0/0;
              }
              then {
                source-nat {
                  interface;
                }
              }
            }
          }
        }
        destination {
          pool dst-nat-pool-192_168_1_32-25 {
            address 192.168.1.32/32 port 25;
          }
          rule-set Incoming-SMTP {
            from zone untrust;
            rule SMTP_TRAFFIC {
              match {
                destination-address 210.10.13.206/32;
                destination-port 25;
              }
              then {
                destination-nat pool dst-nat-pool-192_168_1_32-25;
              }
            }
          }
        }
      }
    }
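The three replies above (posts 4 and 6 for the NAT snippets, post 1 for the original symptom) describe how an SRX decides what happens to a first packet: destination NAT is applied before the route lookup, the security policy is evaluated against the post-destination-NAT address, and source NAT is applied last. The following Python model is an added example written for this thread, not Junos code or anything from the poster; it reproduces that order over a constructed routing table built from the "show route" output and the 210.10.13.x addresses in post 5. It also shows one caveat a reader of post 4 should check: that rule-set says `from zone trust`, while the original poster's VLAN sits in a zone called `test` (see the `show security zones` output in post 1), so the rule-set must also cover `test` or the 10.0.23.x source leaves untranslated and replies never come back. Zone names, the policy list and the sample packets are constructed for the example; interface-based source NAT also rewrites the source port on the real device, which the model omits.

```python
"""Model of SRX first-packet processing order: dst NAT -> route -> policy -> src NAT.
Added example for the thread above; the rules and routes are constructed from the
posts, this is not Junos code."""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


# Constructed routing table mirroring the thread's "show route": (prefix, egress zone).
ROUTES = [
    ("0.0.0.0/0", "untrust"),
    ("10.0.23.0/24", "test"),
    ("192.168.1.0/24", "trust"),
    ("210.10.13.200/29", "untrust"),
]
UNTRUST_IP = "210.10.13.206"  # untrust interface address given in post 5

# Destination NAT rule-set from post 6: from untrust, 210.10.13.206:25 -> 192.168.1.32:25
DST_NAT = [{"from": "untrust", "dst": "210.10.13.206/32", "dport": 25, "pool": ("192.168.1.32", 25)}]

# Source NAT as written in post 4 (zone trust only) versus a version that also covers
# the poster's zone "test" (assumed fix, not from the thread).
SRC_NAT_POST4 = [{"from": "trust", "to": "untrust", "src": "0.0.0.0/0"}]
SRC_NAT_FIXED = [{"from": z, "to": "untrust", "src": "0.0.0.0/0"} for z in ("trust", "test")]

# Constructed policies: (from-zone, to-zone, destination prefix, port or None for any).
# The inbound SMTP policy names the post-dst-NAT address, as the SRX evaluates it.
POLICIES = [
    ("test", "untrust", "0.0.0.0/0", None),
    ("trust", "untrust", "0.0.0.0/0", None),
    ("untrust", "trust", "192.168.1.32/32", 25),
]


def in_net(addr: str, prefix: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)


def route_lookup(dst: str) -> str:
    """Longest-prefix match over ROUTES; returns the egress zone."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, zone in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, zone)
    return best[1]


def process(pkt: Packet, in_zone: str, src_nat: list) -> dict:
    """Walk one packet through the SRX first-packet order and report the outcome."""
    steps = []
    # 1. Destination NAT runs first, before the route lookup.
    for r in DST_NAT:
        if r["from"] == in_zone and in_net(pkt.dst, r["dst"]) and pkt.dport == r["dport"]:
            pkt = replace(pkt, dst=r["pool"][0], dport=r["pool"][1])
            steps.append("dst-nat")
            break
    # 2. Route lookup on the (possibly translated) destination picks the egress zone.
    out_zone = route_lookup(pkt.dst)
    # 3. Policy lookup uses the post-dst-NAT destination.
    permitted = any(
        fz == in_zone and tz == out_zone and in_net(pkt.dst, prefix)
        and (port is None or port == pkt.dport)
        for fz, tz, prefix, port in POLICIES
    )
    if not permitted:
        return {"action": "deny", "steps": steps, "out_zone": out_zone, "pkt": pkt}
    # 4. Source NAT is applied last; "interface" mode uses the egress interface address.
    for r in src_nat:
        if r["from"] == in_zone and r["to"] == out_zone and in_net(pkt.src, r["src"]):
            pkt = replace(pkt, src=UNTRUST_IP)
            steps.append("src-nat")
            break
    # 5. Post 4's diagnosis: a private source leaving towards the Internet gets no reply.
    leaks_private = out_zone == "untrust" and ipaddress.ip_address(pkt.src).is_private
    return {"action": "permit", "steps": steps, "out_zone": out_zone, "pkt": pkt,
            "reply_routable": not leaks_private}


if __name__ == "__main__":
    # The original symptom: 10.0.23.101 pinging 8.8.8.8 with post 4's rule-set as written.
    print(process(Packet("10.0.23.101", 40000, "8.8.8.8", 53), "test", SRC_NAT_POST4))
    # Same packet once zone "test" is covered by a source NAT rule-set.
    print(process(Packet("10.0.23.101", 40000, "8.8.8.8", 53), "test", SRC_NAT_FIXED))
    # Inbound SMTP from post 6's destination NAT example (203.0.113.9 is a constructed client).
    print(process(Packet("203.0.113.9", 50000, "210.10.13.206", 25), "untrust", SRC_NAT_FIXED))
```

Run it and compare the first two results: with the rule-set exactly as in post 4 the packet from zone `test` is permitted but leaves with its 10.0.23.101 source intact, which is the "can ping the gateway but not 8.8.8.8" behaviour of post 1; adding `test` to the source NAT rule-set produces the translated packet. The third call shows why the inbound policy has to reference 192.168.1.32 rather than the public address.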