SRX


routed subnet - newbie


  • 1.  routed subnet - newbie

    Posted 12-19-2013 13:20

    hi all,

    I'm totally stuck.

    I'm trying to configure an SRX210B but can't get it to work 😞

    Would anyone care to help the newbie?

    Normally I'd put the config here, but it's just one big pile of nothing, so the best would be to just start from scratch.

    details are as follows:

    public (connection) subnet: 79.110.203.160/30. My IP being .161, my default gateway .162

    my routed (DMZ) subnet is: 79.110.203.152/29

    my LAN subnet is: 192.168.1.0/24

    now, there are a few things.

    I can't use the connecting subnet for internet access, I have to SNAT my LAN traffic to any address from the DMZ

    I'd like to terminate the DMZ class on the router and use DNAT to pass traffic to some services in the LAN, i.e.:

    a) 79.110.203.153:2222 -> 192.168.1.254:22

    b) 79.110.203.153:443 -> 192.168.1.200:443

    c) 79.110.203.154:443 -> 192.168.1.201:443

    also, I'd like to be able to access the SRX from the internet via ssh on IP 79.110.203.153 and ping it from the internet.

    You'll probably point me to various Juniper KB articles, which I can assure you I already went through, but for some reason, couldn't make it work.

    For example something as simple as:

    set security zones security-zone untrust host-inbound-traffic system-services ping

    just doesn't work on 79.110.203.161/30 nor 79.110.203.153/29

    I'm probably terminating the DMZ subnet incorrectly, but I have no idea what I'm doing wrong 😞



  • 2.  RE: routed subnet - newbie

    Posted 12-20-2013 02:55

    Bit confusing, the 79.110.203.153 IP doesn't belong to either your public subnet or your DMZ subnet.

    Please clarify how this IP is reachable from the ISP.



  • 3.  RE: routed subnet - newbie

    Posted 12-20-2013 02:59

    sorry for the typo, of course it should be 79.110.203.152/29 instead of 62.110.....

    I corrected the original post.



  • 4.  RE: routed subnet - newbie

    Posted 12-20-2013 04:06

    Would need some more clarification on the setup.

    Is the connectivity something like this:

    LAN --------
                |_________ Untrust ========== ISP
                |
    DMZ --------

    And the ISP will be setting a route on his end for the routed subnet (79.110.203.152/29) pointing to .161, i.e. your device's untrust IP? If it's not correct then could you please explain in brief how the connectivity is.

    And regarding the ping not working on the .161 IP, is the connectivity in the other direction working fine, i.e. are you able to ping some IP on the internet while keeping .161 as the source IP?

    Regards

    Sarab



  • 5.  RE: routed subnet - newbie

    Posted 12-20-2013 04:26

    the connection scheme is exactly as you presented.

    79.110.203.162/30 (ISP) ----- 79.110.203.161/30 (SRX210) ------- 192.168.1.0/24 (LAN)
                                            \
                                             -- 79.110.203.152/29 (DMZ)

    the only thing is, that I won't have any real machines having DMZ IPs - I'd like the SRX to have all the DMZ IPs (or the whole subnet) and to have all connections D-NATed to LAN machines:

    to clarify it:

         (ISP)                  (SRX)                       (LAN)
                       |                        |
    79.110.203.162/30 -|- 79.110.203.161/30 ----|-- 192.168.1.0/24
                       |          |             |        /
                       |          v             |       /
                       |  DMZ 79.110.203.152/29 --dnat--
                       |                        |

    I'll check the PING from the SRX to the net in 3h and I'll get back to you with the result.

     



  • 6.  RE: routed subnet - newbie

    Posted 12-20-2013 14:15

    I checked PING - doesn't work from the SRX 😞

    show security zones security-zone untrust
    host-inbound-traffic {
        system-services {
            ping;
            ssh;
        }
    }
    interfaces {
        ge-0/0/0.0 {
            host-inbound-traffic {
                system-services {
                    https;
                    ssh;
                    ping;
                    traceroute;
                }
            }
        }
    }



  • 7.  RE: routed subnet - newbie

    Posted 12-20-2013 19:40

    Did you fix this?



  • 8.  RE: routed subnet - newbie

    Posted 12-20-2013 22:56

    I didn't 😞



  • 9.  RE: routed subnet - newbie

    Posted 12-20-2013 23:10

    I played with PING a little more. From the SRX I can ping my own 79.110.203.161 IP and the gateway (79.110.203.162) but nothing beyond it. I guess the ISP blocked it.

    It would probably work if my src IP were one of the DMZ IPs and not a connection-class IP. As I wrote before, I can access the internet only by S-NATting via a DMZ IP.



  • 10.  RE: routed subnet - newbie

    Posted 12-21-2013 01:00

    If that is the case, then the ISP definitely would have blocked something from your interface IP subnet.

    Just to test if everything works from your DMZ subnet, could you please configure a loopback interface, assign it to some zone, give it an IP from the DMZ subnet and then source the ping from this interface. If ping works then it will confirm that internet access is working fine from your DMZ pool.

    After that you can configure an IP pool with this DMZ subnet and use that in the source NAT config for the LAN subnet.



  • 11.  RE: routed subnet - newbie

    Posted 12-21-2013 01:32

    I was just working on it.

    Ping works from the lo0.0 (DMZ) iface.

    After S-NATting LAN traffic through 79.110.203.153/29 - internet access works too.

    After fiddling around trying different configurations, my config (I know it's messy) looks like this.

    Still I don't know a lot... i.e.:

    - how do I handle DMZ IPs - via proxy ARP on the WAN iface? or should I add those IP addresses to lo0.0?

    - do I have to do some special routing from ge-0/0/0 (connection subnet) to lo0.0 so D-NAT would work?

    - with the attached configuration pinging 79.110.203.153 from the internet doesn't work (still) - what am I missing?

    Attachment: mb-conf-1.txt (8 KB)


  • 12.  RE: routed subnet - newbie

    Posted 12-21-2013 03:04

    First of all, no need for proxy ARP in this case, because the ISP will be forwarding traffic for this network to your interface IP.

    You have assigned '79.110.203.153' to the loopback, for the IP pool used in source and destination NAT.
    For testing purposes remove this IP from the NAT config.

    And since the loopback is part of DMZ, configure a policy from untrust to dmz allowing ping.



  • 13.  RE: routed subnet - newbie

    Posted 12-21-2013 05:02

    I removed all NAT (config attached) and ping started to work!

    Now, obviously, I don't have internet access anymore (no S-NAT) but at least it's some progress 🙂

    So, now, how to enable SNAT and then DNAT so icmp would still work?

    Attachment(s)



  • 14.  RE: routed subnet - newbie

    Posted 12-21-2013 09:06

    ok, now the current status is that I have

    WAN to DMZ icmp working

    LAN to WAN via DMZ S-NAT working

    now I'm stuck on D-NAT

    I'm trying to dnat 79.110.203.153:443 -> 192.168.1.254:443

    it doesn't seem to work no matter what I try

    current config attached

    Attachment(s)



  • 15.  RE: routed subnet - newbie

    Posted 12-21-2013 22:06

    Ok, good progress.

    Now you have 6 IPs in your pool. Since .153 is assigned to the loopback, could you please try using .154 for destination NAT and .155 for the source NAT pool and see how it goes.

    Once you confirm the above I will guide you with the next action items...



  • 16.  RE: routed subnet - newbie

    Posted 12-22-2013 00:14

    ok,

    snat switched to .155

    dnat is on .154

    .153 is assigned to the iface.

    snat works

    dnat - doesn't

    current config attached

    Attachment(s)



  • 17.  RE: routed subnet - newbie

    Posted 12-22-2013 00:28

    A few things need to be corrected in the current config:

    1. You don't need a DMZ zone, because the subnet you got for NAT purposes can be used even without configuring a DMZ zone. And the loopback which I had suggested earlier was just to test the connectivity from your device to the internet.

    2. Since the interface to which the destination (192.168.1.254) is connected belongs to trust and the source will be coming from untrust, in the destination NAT config use source zone untrust and destination zone trust.

    3. Configure a policy from untrust to trust with source any and destination 192.168.1.254/32 and application 443.

    4. The proxy ARP config for 79.110.203.154/32 can be removed as it's not required.

    I hope this should make it work.

    Regards

    Sarab
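Added example (not the thread's own attached configuration, which the page does not reproduce): set-format Junos configuration putting Sarab's points 1-4 together with the pool split agreed above (.155 for source NAT, .154 for destination NAT, 192.168.1.254 behind it). The pool, rule-set, policy and address-book names are assumed; junos-https is the predefined tcp/443 application. No DMZ zone and no proxy ARP are configured, and the policy matches the real (post-NAT) address because destination NAT runs before policy lookup.

```junos
# Source NAT: LAN (trust) to the internet (untrust) leaves as 79.110.203.155
set security nat source pool dmz-snat-pool address 79.110.203.155/32
set security nat source rule-set lan-to-internet from zone trust
set security nat source rule-set lan-to-internet to zone untrust
set security nat source rule-set lan-to-internet rule lan-snat match source-address 192.168.1.0/24
set security nat source rule-set lan-to-internet rule lan-snat then source-nat pool dmz-snat-pool

# Destination NAT: 79.110.203.154:443 entering from untrust becomes 192.168.1.254:443.
# The rule-set is keyed on the ingress zone only; no DMZ zone and no proxy ARP are needed
# because the ISP already routes 79.110.203.152/29 to the untrust interface address .161
set security nat destination pool web-254 address 192.168.1.254/32 port 443
set security nat destination rule-set from-internet from zone untrust
set security nat destination rule-set from-internet rule web-443 match destination-address 79.110.203.154/32
set security nat destination rule-set from-internet rule web-443 match destination-port 443
set security nat destination rule-set from-internet rule web-443 then destination-nat pool web-254

# Security policy untrust -> trust: destination NAT is applied before the policy lookup,
# so the policy matches the translated server address, not the public one
set security zones security-zone trust address-book address web-254-host 192.168.1.254/32
set security policies from-zone untrust to-zone trust policy allow-web-443 match source-address any
set security policies from-zone untrust to-zone trust policy allow-web-443 match destination-address web-254-host
set security policies from-zone untrust to-zone trust policy allow-web-443 match application junos-https
set security policies from-zone untrust to-zone trust policy allow-web-443 then permit

# Verify from the SRX while a client on the internet connects to .154:443:
#   show security nat destination rule all
#   show security flow session destination-port 443
```

A session whose Out direction shows Pkts: 0 means the translation matched but the server's reply never came back through the SRX, which points at the trust side (policy or the server's route) rather than at the NAT rule.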



  • 18.  RE: routed subnet - newbie

    Posted 12-22-2013 00:37

    ok, it sounds perfectly logical - I'll do it in a minute...

    Question is, should I terminate the 79.110.203.152/29 subnet on the SRX at all? Or do I only use it in NAT and security policies?

    [edit]

    ok, done.

    As a result ping for 79.110.203.153 is obviously gone. Is it possible to get it back without assigning or proxy-ARPing the 79.110.203.152/29 subnet?

    [edit]

    current config attached

    Attachment: configuration-nodmz.txt (7 KB)


  • 19.  RE: routed subnet - newbie

    Posted 12-22-2013 02:00

    Are all the NAT configurations working as desired now?

    If you want to manage the device using 79.110.203.153 then you can configure the same loopback interface, assign it a /32 IP, i.e. 79.110.203.153/32, and manage it using ping, ssh, ssl, whichever is required.

    In case you don't want to use that subnet for management purposes then there is no need to configure any interface using that subnet, just use it in the NAT config.



  • 20.  RE: routed subnet - newbie

    Posted 12-22-2013 02:30

    it's getting closer and closer sarab 🙂

    but DNAT still doesn't work

    I noticed that I can't telnet 192.168.1.254 port 443 from the SRX via iface ge-0/0/1

    do I need some rule allowing the SRX to establish connections to the trust zone?

    another thing is, how do I configure the SRX so it would be able to connect to the internet? Currently it tries to go through ge-0/0/0 because that's where the default gateway is. But in order for the SRX to be able to go to the internet I have to SNAT it via the 79.110.203.153 IP too, am I right?



  • 21.  RE: routed subnet - newbie
    Best Answer

    Posted 12-22-2013 07:08

    Good to hear that we are almost there....

    Port 443 being secure might not respond to telnet, hence you may not be getting any response from the SRX.

    While you try to access this IP from outside, try checking the session on the SRX and whether it shows the correct translation

    get security flow session source-ip x.x.x.x <Your source IP on the internet from where you are trying this access>

    Regarding internet access from the SRX, is there any specific purpose for which you need internet access from the SRX?



  • 22.  RE: routed subnet - newbie

    Posted 12-22-2013 07:45

    show security flow session source-prefix 78.47.82.221
    Session ID: 7833, Policy name: wan-kairos/5, Timeout: 18, Valid
    In: 78.47.82.221/60723 --> 79.110.203.154/443;tcp, If: ge-0/0/0.0, Pkts: 2, Bytes: 120
    Out: 192.168.1.254/443 --> 78.47.82.221/60723;tcp, If: ge-0/0/1.0, Pkts: 0, Bytes: 0
    Total sessions: 1

    I'm not exactly sure how to interpret it... I can see 120 bytes went to the LAN, but none came back...

    I can of course access 192.168.1.254:443 from the LAN without any problems, so why can't the SRX?

    Am I missing some policy on the SRX?

    Regarding the SRX accessing the internet, I'd like it to act as a DNS forwarder, sync time with an NTP server, etc.

     



  • 23.  RE: routed subnet - newbie

    Posted 12-22-2013 10:33

    ok, we've got a success - DNAT works 🙂

    Thank you sarab for your help, I really appreciate it.

    there are some "features" still missing, like SRX internet access, accessing dnat'ed DMZ IPs from the LAN, but the most important things work 🙂

    Thank you again 🙂



  • 24.  RE: routed subnet - newbie

    Posted 12-22-2013 18:35

    Glad things are working fine on your side. 🙂

    For the SRX to access the internet, try configuring source NAT to this subnet and keep the source zone as junos-host.

    This will NAT all traffic originated from the SRX and thus allow internet access.
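Added example covering both Sarab's suggestion here (source NAT with junos-host as the source zone) and the /32 management loopback from post 19; it is not from the thread's attachments. It assumes lo0.0 sits in the untrust zone, .155 is the pool used for SRX-originated traffic, and the rule-set and pool names are made up. Junos evaluates source NAT rules in order, so the rule that keeps the management address untranslated is listed first.

```junos
# Management address on the routed subnet: lo0.0 holds 79.110.203.153/32 in the untrust zone,
# so ping/ssh to .153 are answered by the SRX itself with no DNAT, no DMZ zone and no proxy ARP.
# Limiting host-inbound-traffic to lo0.0 keeps ssh closed on the other untrust interfaces.
set interfaces lo0 unit 0 family inet address 79.110.203.153/32
set security zones security-zone untrust interfaces lo0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces lo0.0 host-inbound-traffic system-services ssh
set system services ssh

# Source NAT for traffic the SRX itself originates (DNS forwarding, NTP): junos-host is the
# zone of self-generated traffic. The first rule leaves the management address alone, the
# second translates everything else the box sends towards untrust to .155
set security nat source pool dmz-snat-pool address 79.110.203.155/32
set security nat source rule-set srx-self from zone junos-host
set security nat source rule-set srx-self to zone untrust
set security nat source rule-set srx-self rule keep-mgmt match source-address 79.110.203.153/32
set security nat source rule-set srx-self rule keep-mgmt then source-nat off
set security nat source rule-set srx-self rule self-out match source-address 0.0.0.0/0
set security nat source rule-set srx-self rule self-out then source-nat pool dmz-snat-pool

# Check from the SRX: a ping sourced from lo0 keeps .153, while a DNS or NTP query from the
# box shows up in the session table translated to .155
#   ping <internet address> source 79.110.203.153
#   show security flow session source-prefix 79.110.203.155/32
```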


  • 25.  RE: routed subnet - newbie

    Posted 12-23-2013 02:24

    sarab, src-nat for the srx box worked like a charm 🙂

    I'm still trying to make some stuff work though,

    Is it possible to go from LAN through DMZ, via D-NAT back to LAN?

    the case is:

    Being inside the LAN, I'm calling https://server.example.com. This hostname resolves to 79.110.203.154, so my traffic should go from the LAN, through my default gateway (192.168.1.1), then from LAN to DMZ, then should be DNATed back to the LAN to 192.168.1.254.

    But, for some reason it doesn't work. I have a rule: from trust to dmz - permit all. DNAT from dmz to LAN is already there - this should work, shouldn't it?

    current config attached

    Attachment(s)
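Sarab's reply to this post is not preserved on the page. What follows is an added example of the standard hairpin (NAT loopback) configuration for the case described, not the thread's own solution; it assumes the no-DMZ-zone layout from post 17 (LAN in trust, SRX LAN address 192.168.1.1, destination NAT pool for 192.168.1.254:443) and all names are made up. Three pieces are needed: a destination NAT rule-set that also matches traffic entering from trust, a trust-to-trust policy, and source NAT to the SRX's LAN address so the server's replies come back through the SRX instead of going straight to the client on the same subnet.

```junos
# Destination NAT rule-sets are selected by ingress zone, so the untrust rule-set never sees
# a LAN client that connects to the public address 79.110.203.154; add one for zone trust
set security nat destination pool web-254 address 192.168.1.254/32 port 443
set security nat destination rule-set from-lan from zone trust
set security nat destination rule-set from-lan rule web-443-hairpin match destination-address 79.110.203.154/32
set security nat destination rule-set from-lan rule web-443-hairpin match destination-port 443
set security nat destination rule-set from-lan rule web-443-hairpin then destination-nat pool web-254

# Source NAT trust -> trust to the SRX's own LAN interface address (192.168.1.1):
# client and server share 192.168.1.0/24, so without this the server would answer the
# client directly, the SRX would never see the return half of the session and the TCP
# handshake would fail. Source NAT runs after destination NAT, so the destination-address
# match below is the already-translated server address.
set security nat source rule-set lan-hairpin from zone trust
set security nat source rule-set lan-hairpin to zone trust
set security nat source rule-set lan-hairpin rule to-web-254 match source-address 192.168.1.0/24
set security nat source rule-set lan-hairpin rule to-web-254 match destination-address 192.168.1.254/32
set security nat source rule-set lan-hairpin rule to-web-254 then source-nat interface

# Intra-zone traffic still needs a policy; permit only the translated destination and port
set security zones security-zone trust address-book address web-254-host 192.168.1.254/32
set security policies from-zone trust to-zone trust policy lan-hairpin-web match source-address any
set security policies from-zone trust to-zone trust policy lan-hairpin-web match destination-address web-254-host
set security policies from-zone trust to-zone trust policy lan-hairpin-web match application junos-https
set security policies from-zone trust to-zone trust policy lan-hairpin-web then permit
```

The cost of the interface source NAT is that the server's logs show every LAN client as 192.168.1.1; if per-client visibility matters, split-horizon DNS (resolving the hostname to 192.168.1.254 inside the LAN) avoids the hairpin altogether.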



  • 26.  RE: routed subnet - newbie

     
    Posted 12-23-2013 04:04


  • 27.  RE: routed subnet - newbie

    Posted 12-23-2013 09:31

    thanks sarab, it worked perfectly 🙂