Junos OS

Hi people,

I am new to Junos. I want to work out a simple Junos-ES Nat setup, but it doesn' work like I want.

Can you please check my config, if there is a misktake I doesn't see.

Public-IP is 123.123.156.82/28

Public-Nat-IP should be 123.123.156.83/32

this IP should natted to 192.168.0.98/32

version 9.2R1.10;
system {
    host-name edge3;
    domain-name xxx.de;
    domain-search xxx.de;
    time-zone Europe/Berlin;
    arp {
        aging-timer 240;
    }
    location country-code de;
    root-authentication {
        encrypted-password  ## SECRET-DATA
        ssh-dsa ## SECRET-DATA
    }
    name-server {   
        192.168.0.35;
    }
    services {
        ssh {
            root-login allow;
            protocol-version v2;
            connection-limit 5;
            rate-limit 10;
        }
        web-management {
            http {
                interface [ ge-0/0/0.0 ge-0/0/1.0 ];
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any any;
            authorization info;
        }           
        file interactive-commands {
            interactive-commands any;
        }
    }
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        server 192.168.0.35;
    }
}
interfaces {
    ge-0/0/0 {
        description LAN-SW1;
        unit 0 {
            family inet {
                address 192.168.0.1/24;
            }
        }
    }
    ge-0/0/1 {      
        description UPLINK;
        unit 0 {
            family inet {
                address 123.123.156.82/28;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 127.0.0.1/32;
            }
        }
    }
}
snmp {
    community granat {
        authorization read-only;
        clients {
            192.168.0.35/32;
        }
    }
}                   
routing-options {
    static {
        route 0.0.0.0/0 next-hop 123.123.156.81;
    }
}
security {
    nat {
        interface ge-0/0/1.0 {
            static-nat 123.123.156.83/32 host 192.168.0.98/32;
        }
    }
    inactive: screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood;
                land;
            }
        }
    }
    zones {
        security-zone trust {
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            address-book {
                address www-untrust 123.123.156.83/32;
            }
            inactive: screen untrust-screen;
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        from-zone untrust to-zone trust {
            policy default-deny {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
        from-zone untrust to-zone junos-global {
            policy incoming {
                match {
                    source-address any;
                    destination-address static_nat_123.123.156.83_32;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        default-policy {
            deny-all;
        }
    }
}

ok I found a solution:

security {
    nat {
        interface ge-0/0/1.0 {
            allow-incoming;
            static-nat 91.90.156.83/32 host 192.168.0.98/32;
        }
}

The "allow-incoming" makes the thing working.

Is this the right point?

The allow-incoming statement shouldn't be required to get static NAT to work. I would suggest enabling flow traceoptions (with allow-incoming statement removed). An example of flow traceoptions is below:

[edit security flow]
lab@router# show
traceoptions {
    file size 4m world-readable;
    flag basic-datapath;
    packet-filter match-incoming {
        destination-prefix 1.1.1.1/32;
    }
}

The above example would capture any traffic with destination IP of 1.1.1.1 or in your case your public static NAT address. The output would write to security-trace log. This should tell us how the router is handling the traffic for your static NAT.

-Richard

 Hi Richard,

thank yor for your help.

Here we are - I activated the logging and this is the result.

Can you see what makes the trouble?

Oct  6 17:40:44 17:40:44.619817:CID-0:RT:<123.123.156.81/60196->123.123.156.83/80;6> matched filter match-incoming: <untrust/ge-0/0/1.0>
 
Oct  6 17:40:44 17:40:44.619838:CID-0:RT:packet [64] ipid = 37029, @4994af8e
 
Oct  6 17:40:44 17:40:44.619855:CID-0:RT: find flow: table 0x4b65e228, hash 141371(0x3ffff), sa 123.123.156.81, da 123.123.156.83, sp 60196, dp 80, proto 6, tok 12
 
Oct  6 17:40:44 17:40:44.619917:CID-0:RT:  flow_first_sanity_check: in <ge-0/0/1.0>, out <N/A>
 
Oct  6 17:40:44 17:40:44.619945:CID-0:RT:  flow_first_in_dst_nat: in <ge-0/0/1.0>, out <N/A>
 
Oct  6 17:40:44 17:40:44.619952:CID-0:RT:  flow_first_in_dst_nat: dst_adr 123.123.156.83, sp 60196, dp 80
 
Oct  6 17:40:44 17:40:44.619966:CID-0:RT:  chose interface ge-0/0/1.0 as incoming nat if.
 
Oct  6 17:40:44 17:40:44.619975:CID-0:RT:  flow_first_routing: Before route-lookup ifp: in <ge-0/0/1.0>, out <N/A>
                    
Oct  6 17:40:44 17:40:44.619982:CID-0:RT:flow_first_routing: call flow_route_lookup(): src_ip 123.123.156.81, x_dst_ip 192.168.0.98, ifp ge-0/0/1.0, sp 60196, dp 80, ip_proto 6, tos 0
 
Oct  6 17:40:44 17:40:44.619998:CID-0:RT:Doing DESTINATION addr route-lookup
 
Oct  6 17:40:44 17:40:44.620015:CID-0:RT:Doing SOURCE addr route-lookup
 
Oct  6 17:40:44 17:40:44.620023:CID-0:RT:  routed (x_dst_ip 192.168.0.98) from ge-0/0/1.0 (ge-0/0/1.0 in 0) to ge-0/0/0.0, Next-hop: 192.168.0.98
 
Oct  6 17:40:44 17:40:44.620062:CID-0:RT:  policy search from zone (untrust) 7-> zone (trust) 6
 
Oct  6 17:40:44 17:40:44.620090:CID-0:RT:   policy found 7
 
Oct  6 17:40:44 17:40:44.620099:CID-0:RT:No src xlate
 
Oct  6 17:40:44 17:40:44.620105:CID-0:RT:  choose interface ge-0/0/0.0 as outgoing phy if
 
Oct  6 17:40:44 17:40:44.620114:CID-0:RT:is_loop_pak: No loop: on ifp: ge-0/0/0.0, addr: 192.168.0.98, rtt_idx:0
 
Oct  6 17:40:44 17:40:44.620126:CID-0:RT: Using app_id from service lookup 6
 
Oct  6 17:40:44 17:40:44.620132:CID-0:RT:  session application type 6, name junos-http,  timeout 1800sec, alg 0
 
Oct  6 17:40:44 17:40:44.620141:CID-0:RT:1 application is not interested
 
Oct  6 17:40:44 17:40:44.620148:CID-0:RT:flow_first_service_lookup(): pak_ptr(0x4889e31c.0x4994ade0): set_av: 0.
 
Oct  6 17:40:44 17:40:44.620160:CID-0:RT:  service lookup identified service 0.
 
Oct  6 17:40:44 17:40:44.620168:CID-0:RT:  flow_first_final_check: in <ge-0/0/1.0>, out <ge-0/0/0.0>
 
Oct  6 17:40:44 17:40:44.620182:CID-0:RT:  existing vector list 49-59cb3eb8.
 
Oct  6 17:40:44 17:40:44.620192:CID-0:RT:  existing vector list 0-59c84fd0.
 
Oct  6 17:40:44 17:40:44.620201:CID-0:RT:  Session (id:13) created for first pak 49
 
Oct  6 17:40:44 17:40:44.620209:CID-0:RT:  flow_first_install_session======> 0x4c8a59a8
 
Oct  6 17:40:44 17:40:44.620218:CID-0:RT: nsp 0x4c8a59a8, nsp2 0x4c8a5a00
 
Oct  6 17:40:44 17:40:44.620233:CID-0:RT: 5 tuple sa 123.123.156.81, da 123.123.156.83, sp 60196, dp 80, proto 6
 
Oct  6 17:40:44 17:40:44.620247:CID-0:RT: set route old fto 0x59c5e3f0, new fto 0x59c5e3f0
 
Oct  6 17:40:44 17:40:44.620259:CID-0:RT: 5 tuple sa 192.168.0.98, da 123.123.156.81, sp 80, dp 60196, proto 6
 
Oct  6 17:40:44 17:40:44.620271:CID-0:RT: set route old fto 0x59c63130, new fto 0x59c63130
 
Oct  6 17:40:44 17:40:44.620298:CID-0:RT: flow fast tcp/udp session id 13
 
Oct  6 17:40:44 17:40:44.620307:CID-0:RT:  tcp proxy processing...
                    
Oct  6 17:40:44 17:40:44.620314:CID-0:RT:syn_received ret 0
 
Oct  6 17:40:44 17:40:44.620320:CID-0:RT:  tcp proxy processing returns 0...
 
Oct  6 17:40:44 17:40:44.620327:CID-0:RT:  tcp seq check.
 
Oct  6 17:40:44 17:40:44.620335:CID-0:RT:  post addr xlation: %i???->%i???.
 
Oct  6 17:40:44 17:40:44.620342:CID-0:RT:  post addr xlation: 123.123.156.81->192.168.0.98.
 
Oct  6 17:40:44 17:40:44.620355:CID-0:RT:mbuf 0x4994ade0, exit nh 0x40010
 
Oct  6 17:40:45 17:40:44.1382375:CID-0:RT:Using in_ifp from pfe_tag with index 0
 
Oct  6 17:40:45 17:40:44.1382386:CID-0:RT:Using vr id from pfe_tag with value= 0
 
Oct  6 17:40:45 17:40:44.1382392:CID-0:RT:Changing lpak->in_ifp from:.local..0 -> to:.local..0
 
Oct  6 17:40:45 17:40:44.1382400:CID-0:RT:Over-riding lpak->vsys with 0
 
Oct  6 17:40:45 17:40:45.559726:CID-0:RT:<123.123.156.81/60196->123.123.156.83/80;6> matched filter match-incoming: <untrust/ge-0/0/1.0>
 
Oct  6 17:40:45 17:40:45.559748:CID-0:RT:packet [64] ipid = 35312, @498f9b8e
 
Oct  6 17:40:45 17:40:45.559764:CID-0:RT: find flow: table 0x4b65e228, hash 141371(0x3ffff), sa 123.123.156.81, da 123.123.156.83, sp 60196, dp 80, proto 6, tok 12
 
Oct  6 17:40:45 17:40:45.559786:CID-0:RT: flow fast tcp/udp session id 13
 
Oct  6 17:40:45 17:40:45.559798:CID-0:RT:  tcp seq check.
 
Oct  6 17:40:45 17:40:45.559807:CID-0:RT:  post addr xlation: %i???->%i???.
 
Oct  6 17:40:45 17:40:45.559814:CID-0:RT:  post addr xlation: 123.123.156.81->192.168.0.98.
 
Oct  6 17:40:45 17:40:45.559826:CID-0:RT:mbuf 0x498f9a00, exit nh 0x40010
 
Oct  6 17:40:46 17:40:46.561277:CID-0:RT:<123.123.156.81/60196->123.123.156.83/80;6> matched filter match-incoming: <untrust/ge-0/0/1.0>
 
Oct  6 17:40:46 17:40:46.561297:CID-0:RT:packet [64] ipid = 53219, @498500ee
                    
Oct  6 17:40:46 17:40:46.561313:CID-0:RT: find flow: table 0x4b65e228, hash 141371(0x3ffff), sa 123.123.156.81, da 123.123.156.83, sp 60196, dp 80, proto 6, tok 12
 
Oct  6 17:40:46 17:40:46.561334:CID-0:RT: flow fast tcp/udp session id 13
 
Oct  6 17:40:46 17:40:46.561346:CID-0:RT:  tcp seq check.
 
Oct  6 17:40:46 17:40:46.561355:CID-0:RT:  post addr xlation: %i???->%i???.
 
Oct  6 17:40:46 17:40:46.561361:CID-0:RT:  post addr xlation: 123.123.156.81->192.168.0.98.
 
Oct  6 17:40:46 17:40:46.561374:CID-0:RT:mbuf 0x4984ff40, exit nh 0x40010
 
Oct  6 17:40:47 17:40:47.562334:CID-0:RT:<123.123.156.81/60196->123.123.156.83/80;6> matched filter match-incoming: <untrust/ge-0/0/1.0>
 
Oct  6 17:40:47 17:40:47.562353:CID-0:RT:packet [48] ipid = 45529, @498ad40e
 
Oct  6 17:40:47 17:40:47.562370:CID-0:RT: find flow: table 0x4b65e228, hash 141371(0x3ffff), sa 123.123.156.81, da 123.123.156.83, sp 60196, dp 80, proto 6, tok 12
 
Oct  6 17:40:47 17:40:47.562391:CID-0:RT: flow fast tcp/udp session id 13
 
Oct  6 17:40:47 17:40:47.562403:CID-0:RT:  tcp seq check.
 
Oct  6 17:40:47 17:40:47.562412:CID-0:RT:  post addr xlation: %i???->%i???.
 
Oct  6 17:40:47 17:40:47.562418:CID-0:RT:  post addr xlation: 123.123.156.81->192.168.0.98.
 
Oct  6 17:40:47 17:40:47.562431:CID-0:RT:mbuf 0x498ad280, exit nh 0x40010
 
Oct  6 17:40:48 17:40:48.563938:CID-0:RT:<123.123.156.81/60196->123.123.156.83/80;6> matched filter match-incoming: <untrust/ge-0/0/1.0>
 
Oct  6 17:40:48 17:40:48.563958:CID-0:RT:packet [48] ipid = 62189, @4989a22e
 
Oct  6 17:40:48 17:40:48.563974:CID-0:RT: find flow: table 0x4b65e228, hash 141371(0x3ffff), sa 123.123.156.81, da 123.123.156.83, sp 60196, dp 80, proto 6, tok 12
 
Oct  6 17:40:48 17:40:48.563995:CID-0:RT: flow fast tcp/udp session id 13
 
Oct  6 17:40:48 17:40:48.564007:CID-0:RT:  tcp seq check.
 
Oct  6 17:40:48 17:40:48.564016:CID-0:RT:  post addr xlation: %i???->%i???.
 
Oct  6 17:40:48 17:40:48.564022:CID-0:RT:  post addr xlation: 123.123.156.81->192.168.0.98.
 
Oct  6 17:40:48 17:40:48.564035:CID-0:RT:mbuf 0x4989a0a0, exit nh 0x40010
 
Oct  6 17:40:49 17:40:49.565510:CID-0:RT:<123.123.156.81/60196->123.123.156.83/80;6> matched filter match-incoming: <untrust/ge-0/0/1.0>
 
Oct  6 17:40:49 17:40:49.565530:CID-0:RT:packet [48] ipid = 53939, @498599ce
 
Oct  6 17:40:49 17:40:49.565546:CID-0:RT: find flow: table 0x4b65e228, hash 141371(0x3ffff), sa 123.123.156.81, da 123.123.156.83, sp 60196, dp 80, proto 6, tok 12
 
Oct  6 17:40:49 17:40:49.565568:CID-0:RT: flow fast tcp/udp session id 13
 
Oct  6 17:40:49 17:40:49.565579:CID-0:RT:  tcp seq check.
 
Oct  6 17:40:49 17:40:49.565588:CID-0:RT:  post addr xlation: %i???->%i???.
 
Oct  6 17:40:49 17:40:49.565595:CID-0:RT:  post addr xlation: 123.123.156.81->192.168.0.98.
                    
Oct  6 17:40:49 17:40:49.565607:CID-0:RT:mbuf 0x49859840, exit nh 0x40010
 
Oct  6 17:40:51 17:40:51.568174:CID-0:RT:<123.123.156.81/60196->123.123.156.83/80;6> matched filter match-incoming: <untrust/ge-0/0/1.0>
 
Oct  6 17:40:51 17:40:51.568194:CID-0:RT:packet [48] ipid = 15584, @498c05ee
 
Oct  6 17:40:51 17:40:51.568210:CID-0:RT: find flow: table 0x4b65e228, hash 141371(0x3ffff), sa 123.123.156.81, da 123.123.156.83, sp 60196, dp 80, proto 6, tok 12
 
Oct  6 17:40:51 17:40:51.568232:CID-0:RT: flow fast tcp/udp session id 13
 
Oct  6 17:40:51 17:40:51.568243:CID-0:RT:  tcp seq check.
 
Oct  6 17:40:51 17:40:51.568252:CID-0:RT:  post addr xlation: %i???->%i???.
 
Oct  6 17:40:51 17:40:51.568259:CID-0:RT:  post addr xlation: 123.123.156.81->192.168.0.98.
 
Oct  6 17:40:51 17:40:51.568271:CID-0:RT:mbuf 0x498c0460, exit nh 0x40010
 
Oct  6 17:40:55 17:40:55.573477:CID-0:RT:<123.123.156.81/60196->123.123.156.83/80;6> matched filter match-incoming: <untrust/ge-0/0/1.0>
 
Oct  6 17:40:55 17:40:55.573497:CID-0:RT:packet [48] ipid = 56491, @49123.123.
 
Oct  6 17:40:55 17:40:55.573514:CID-0:RT: find flow: table 0x4b65e228, hash 141371(0x3ffff), sa 123.123.156.81, da 123.123.156.83, sp 60196, dp 80, proto 6, tok 12
 
Oct  6 17:40:55 17:40:55.573536:CID-0:RT: flow fast tcp/udp session id 13
 
Oct  6 17:40:55 17:40:55.573548:CID-0:RT:  tcp seq check.
 
Oct  6 17:40:55 17:40:55.573556:CID-0:RT:  post addr xlation: %i???->%i???.
 
Oct  6 17:40:55 17:40:55.573563:CID-0:RT:  post addr xlation: 123.123.156.81->192.168.0.98.
 
Oct  6 17:40:55 17:40:55.573575:CID-0:RT:mbuf 0x4991d780, exit nh 0x40010

The output looks like traffic is being permitted properly and forwarded with correct address translations. I am curious of the reply from 192.168.0.98 back to 123.123.156.81 is seen. Can you also add another flow traceoption packet-filter to capture all traffic from source-prefix 192.168.0.98/32?

-Richard

Sorry for the inconvenience, the config is ok.

My client-setup was incorrect. I forgot to set the gateway-ip in the config of one client.

Everything is working - thanks 😉

Hi,

Just out of curiosity..where is the zone junos-global defined in config? Is it a default zone?