SRX Services Gateway
Visitor
lookingspicy
Posts: 6
Registered: ‎03-19-2012

help needed on nat and Ae0 interface

1st Q: Interface ae0 is up on the SRX-B side but physically down on EX2200-B, although the physical ports (eth 0 and eth 1) are up and normal. Please tell me what to do. There is no problem on the switch.

2nd Q: Users behind SRX C and D should access servers behind SRX A and B with their real IPs (no NATed IPs allowed). How do I bypass NAT on the firewall, or how do I configure NAT to perform this task?

 

SRX240-B

chassis {
    aggregated-devices {
        ethernet {
            device-count 2;
        }
    }
}
interfaces {
    ge-0/0/0 {
        gigether-options {
            802.3ad ae0;
        }
    }
    ge-0/0/1 {
        gigether-options {
            802.3ad ae0;
        }
    }
    ge-1/0/0 {
        unit 0 {
            family inet {
                address 10.1.1.2/29 {
                    vrrp-group 2 {
                        virtual-address 10.1.1.3;
                    }
                }
            }
        }
    }
    ae0 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ 102 500 ];
                }
            }
        }
    }
    vlan {
        unit 102 {
            family inet {
                address 10.2.1.2/24 {
                    vrrp-group 1 {
                        virtual-address 10.2.1.3;
                        track {
                            interface ae0 {
                                priority-cost 10;
                            }
                        }
                    }
                }
            }
        }
        unit 500 {
            family inet {
                address 172.23.1.8/24;
            }
        }
    }
}
protocols {
    rstp;
}
security {
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }

    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ae0.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
}
vlans {
    Li-Servers {
        vlan-id 102;
        l3-interface vlan.102;
    }
    MGMT {
        vlan-id 500;
        l3-interface vlan.500;
    }
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;


Super Contributor
AdamLin
Posts: 167
Registered: ‎08-02-2010

Re: help needed on nat and Ae0 interface


Hi,

 

1st q: could you show your switch config? Otherwise there's a lengthy KB on this: http://kb.juniper.net/InfoCenter/index?page=content&id=KB19798&smlogin=true

2nd q: depending on your zones/NAT configuration (I can see your configuration is far from done, as there are no interfaces for untrust), you either just don't configure any NAT for that flow at all, or, if you just want a subnet or so to use their real address and the rest to use interface source NAT,

then it would look like your existing NAT rule-set with different from/to zones, with one top rule matching the subnet you don't want to NAT with action source-nat off, and then another rule below it matching source-address 0.0.0.0/0 with source-nat interface.

Then your clients from the specific subnet won't get NATed, but the rest will.

Example config:

 

rule-set untrust-to-trust {
    from zone untrust;
    to zone trust;
    rule no-nat-for-subnet {
        match {
            source-address 192.168.1.0/24;
        }
        then {
            source-nat {
                off;
            }
        }
    }
    rule nat-rest {
        match {
            source-address 0.0.0.0/0;
        }
        then {
            source-nat {
                interface;
            }
        }
    }
}

Regards,
Adam

(if my post helped solve your problem, mark it as accepted solution)
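The ordering point in the reply above, as an added example that is not part of the original thread: a small model of how an SRX walks a source NAT rule-set top to bottom and applies the first matching rule, using Adam's two rules. The egress interface address 10.2.1.2 (from the posted vlan.102 config) and the test client addresses are assumptions for illustration.

```python
"""Model of first-match source NAT rule evaluation within one SRX rule-set.
Constructed example; not Junos code. It shows why the 'source-nat off' rule
must sit above the catch-all 0.0.0.0/0 rule, which otherwise shadows it."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SourceNatRule:
    name: str
    source_address: str   # the match source-address prefix
    action: str           # "off" or "interface", the two actions on the page


# Adam's example rule-set untrust-to-trust, in the order he gave it
UNTRUST_TO_TRUST = [
    SourceNatRule("no-nat-for-subnet", "192.168.1.0/24", "off"),
    SourceNatRule("nat-rest", "0.0.0.0/0", "interface"),
]


def first_match(rules, src_ip):
    """Return (rule name, action) of the first rule whose source-address
    prefix contains src_ip, or None when nothing matches (no NAT applied).
    Rule-set selection by from/to zone happens before this and is not modelled."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if ip in ipaddress.ip_network(rule.source_address, strict=False):
            return rule.name, rule.action
    return None


def translated_source(rules, src_ip, egress_ip):
    """Source address a server behind the SRX sees for a flow from src_ip."""
    hit = first_match(rules, src_ip)
    if hit is None or hit[1] == "off":
        return src_ip        # real address preserved
    return egress_ip         # interface source NAT: egress interface address


if __name__ == "__main__":
    for ip in ("192.168.1.25", "10.9.9.9"):   # constructed client addresses
        print(ip, "->", translated_source(UNTRUST_TO_TRUST, ip, "10.2.1.2"))
    # Same two rules in the wrong order: the catch-all now hides the no-NAT rule
    shadowed = list(reversed(UNTRUST_TO_TRUST))
    print("reversed:", translated_source(shadowed, "192.168.1.25", "10.2.1.2"))
```

Running it shows the 192.168.1.0/24 client keeping its real address only while the off rule is listed first; with the rules reversed it is translated like everything else.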
Recognized Expert
ronf
Posts: 238
Registered: ‎04-04-2011

Re: help needed on nat and Ae0 interface

Also, from your SRX configuration, it does not appear that all of your interfaces are defined to be in a security zone. I would go ahead and put all of the logical interfaces into some zone so that policy and host-inbound-traffic rules can be properly applied.

Ron
JNCIE-SEC #127
Visitor
lookingspicy
Posts: 6
Registered: ‎03-19-2012

Re: help needed on nat and Ae0 interface

Thanks for the reply.

On the switch, LACP was configured active, and now I have configured the same on the firewall side and it is working fine.

To avoid NAT I configured it like that, but I need to configure the untrust zone, so for that I should use NAT (what I think). That's why I was asking. There are a total of 4 firewall pairs in our design: 3 for servers and one for users. And the servers will communicate with each other.


Trusted Expert
SSHSSH
Posts: 601
Registered: ‎11-21-2009

Re: help needed on nat and Ae0 interface


With LACP configuration, one side should be active and the other should be passive. Having both the same is not the correct setup.

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.