ScreenOS Firewalls (NOT SRX)

Contributor
Abdallah

NAT-DST not working

Hi all, I am trying to configure NAT-DST on an SSG20.

I want to NAT HTTP traffic from the ADSL card to an internal server.

set policy id 3 from "Untrust" to "Trust"  "Any" "redirection" "HTTP" nat dst ip 1.1.1.1 permit
set policy id 3
set log session-init
exit

But when I try to open an HTTP session, I don't get any response (time out).

Abdallah

Super Contributor
Moerkholt

Re: NAT-DST not working

Hi Abdallah

Have you made a route statement that routes the IP of "redirection" into the Trust zone?

If you haven't made this route entry, the traffic will not hit the "nat dst ip 1.1.1.1".

Regards

Hans
JNCIS-FWV

If this worked for you then please flag my post as an "Accepted Solution" so others can benefit from it. A kudo would be nice if you think I earned it
Contributor
Abdallah

Re: NAT-DST not working

We have only one interface configured (in the Trust zone),

so we have a default route that routes all traffic from Trust to Untrust.

Super Contributor
Moerkholt

Re: NAT-DST not working

Hi

What I mean is: when you do policy NAT (nat dst) you have to make a route statement that routes the public IP (in your case the IP of the object you call "redirection") from Untrust to the Trust zone.

Let's say that the IP of "redirection" is 2.1.1.1 and your Trust interface is ethernet2/1; then you will have to make the following route:

set route 2.1.1.1/32 interface ethernet2/1

If this route is not in place, you will never get the NAT from 2.1.1.1 to 1.1.1.1 to work.

Regards

Hans
JNCIS-FWV

Contributor
Abdallah

Re: NAT-DST not working

The address of "redirection" is 1.1.1.1.

Super Contributor
Moerkholt

Re: NAT-DST not working

Hi

Then the problem is this line:

set policy id 3 from "Untrust" to "Trust"  "Any" "redirection" "HTTP" nat dst ip 1.1.1.1 permit

If the IP of the address object "redirection" is 1.1.1.1, then you cannot use the same IP as the nat dst.

As an example, if you have

Redirection = 1.1.1.1

and want to reach 192.168.1.10, then your policy has to be:

set policy id 3 from "Untrust" to "Trust"  "Any" "redirection" "HTTP" nat dst ip 192.168.1.10 permit

You still have to make a route statement; in this case it could look like this:

set route 1.1.1.1/32 interface ethernet2/1

Regards

Hans
JNCIS-FWV

Contributor
Abdallah

Re: NAT-DST not working

I always have the same problem.

What can I do?

Super Contributor
Moerkholt

Re: NAT-DST not working

Hi

I was thinking.

What is the IP address and subnet mask of your Untrust interface?

Regards

Hans
JNCIS-FWV

Super Contributor
Moerkholt

Re: NAT-DST not working

Hi

I came to think: which ScreenOS version are you running?

Regards

Hans
JNCIS-FWV

Distinguished Expert
echidov

Re: NAT-DST not working

Hi Abdallah,

If the public IP you are going to NAT is located in the IP space (primary or secondary) of the Untrust interface, the firewall has to reply to the ARP requests for this address with its MAC. My preferred method to ensure this is to configure a DIP pool with this single address. More on this: KB10174 (esp. Solution 3).

I'm assuming that you have already configured both routes as explained above.

Kind regards,

Edouard
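The pieces from the replies above (Hans's host route and corrected policy, Edouard's DIP pool for proxy ARP) assembled into one complete NAT-dst configuration, as an added example that is not part of the thread and not Juniper's own text. The addresses 1.1.1.1 and 192.168.1.10 and the Trust interface ethernet2/1 are the ones used in the thread; the Untrust interface name ethernet0/0 and its address 1.1.1.2/24 are assumptions, chosen so that 1.1.1.1 falls inside the Untrust interface's subnet and Edouard's proxy-ARP point applies (the thread never names the ADSL card's interface). Lines starting with # are annotations, not ScreenOS commands; drop them before pasting.

```screenos
# Added example, not the thread's own config. Assumed: Untrust interface
# ethernet0/0 at 1.1.1.2/24, Trust interface ethernet2/1, web server
# 192.168.1.10 in the Trust zone. "#" lines are annotations only.

# 1. The public address object. A policy's destination address comes from the
#    address book of the policy's "to" zone, so the pre-NAT address 1.1.1.1 is
#    defined in Trust even though it is a public IP. It must differ from the
#    server's IP, otherwise there is nothing to translate (Hans's point).
set address "Trust" "redirection" 1.1.1.1 255.255.255.255

# 2. Host route for the public IP pointing at the Trust interface. Without it
#    the lookup for 1.1.1.1 matches the default route back out the Untrust
#    side, the Untrust-to-Trust policy is never consulted and no nat dst
#    happens.
set route 1.1.1.1/32 interface ethernet2/1

# 3. The policy. "redirection" (1.1.1.1) is the destination as the client sees
#    it; nat dst ip is the real internal server, not the public address again.
set policy id 3 from "Untrust" to "Trust" "Any" "redirection" "HTTP" nat dst ip 192.168.1.10 permit
set policy id 3
set log session-init
exit

# 4. Proxy ARP (Edouard's point). 1.1.1.1 lies inside 1.1.1.0/24, the subnet
#    of ethernet0/0, so the upstream router ARPs for it. A DIP pool holding
#    only that address makes the firewall answer with its own MAC. Pool id 4
#    is arbitrary; skip this step if the public IP is routed to the firewall
#    rather than being in the interface's subnet.
set interface ethernet0/0 dip 4 1.1.1.1 1.1.1.1

# 5. Checks. The route lookup must resolve to ethernet2/1, and a flow trace of
#    a test request from outside shows at which step a packet is dropped.
get route ip 1.1.1.1
get policy id 3
clear dbuf
set ffilter dst-ip 1.1.1.1 dst-port 80
debug flow basic
# ... open http://1.1.1.1/ from a host on the Untrust side, then:
undebug all
get dbuf stream
```

Note that the policy's service and address objects, the route and the proxy-ARP answer are four independent conditions; the flow trace in step 5 is the quickest way to tell which one is missing, since a packet that never reaches the firewall (no ARP reply) leaves no trace at all, while one that matches the default route instead of the host route shows a route lookup to the Untrust interface and no policy hit.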
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.