Routing

  • 1.  SRX300 - Latest Release - Multiple VRFs, Source NAT, Can't Access Anything External

    Posted 03-17-2017 18:00

    Source NAT is translating, but dropping everything attempting to access the outside. Two DHCP pools in their own VRF, each using a different public IP. Clients can connect, but can't get outside.

     

    Can't figure this out for the life of me. Please help!

     

    Security Section:

    alg {
        dns disable;
        ftp disable;
        h323 disable;
        mgcp disable;
        msrpc disable;
        sunrpc disable;
        rsh disable;
        rtsp disable;
        sccp disable;
        sip disable;
        sql disable;
        talk disable;
        tftp disable;
        pptp disable;
    }
    flow {
        inactive: traceoptions {
            file debugfile size 1m files 5;
            flag basic-datapath;
            packet-filter pf1 {
                protocol tcp;
                source-prefix 10.30.0.0/16;
            }
        }
    }
    nat {
        source {
            pool Vendors {
                routing-instance {          
                    Vendors_VRF;
                }
                address {
                    x.x.x.154/32;
                }
            }
            pool Guests {
                routing-instance {
                    Guests_VRF;
                }
                address {
                    x.x.x.158/32;
                }
            }
            rule-set vendors-nat {
                from zone vendor-internal;
                to zone vendor-external;
                rule vendor-source-nat {
                    match {
                        source-address 10.20.0.0/16;
                        application any;
                    }
                    then {
                        source-nat {
                            pool {
                                Vendors;
                            }
                        }
                    }                       
                }
            }
            rule-set guests-nat {
                from zone guests-internal;
                to zone guests-external;
                rule guest-source-nat {
                    match {
                        source-address 10.30.0.0/16;
                        application any;
                    }
                    then {
                        source-nat {
                            pool {
                                Guests;
                            }
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone vendor-internal to-zone vendor-external {
            policy vendor-external {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }                           
                then {
                    permit;
                }
            }
        }
        from-zone guests-internal to-zone guests-external {
            policy guest-external {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        default-policy {
            permit-all;
        }
    }
    zones {
        security-zone mgmt {
            interfaces {
                irb.803 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }                   
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone wireless {
            interfaces {
                irb.450 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone vendor-internal {
            interfaces {
                irb.453 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {         
                            all;
                        }
                    }
                }
            }
        }
        security-zone vendor-external {
            interfaces {
                irb.451 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone guests-internal {
            interfaces {
                irb.454 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;            
                        }
                    }
                }
            }
        }
        security-zone guests-external {
            interfaces {
                irb.452 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
    }
    

    Routing Instances:

    Guests_VRF {
        instance-type virtual-router;
        system {
            services {
                dhcp-local-server {
                    group guests-dhcp {
                        interface irb.454;
                    }
                }
            }
        }
        access {
            address-assignment {
                pool guestsWifi {
                    family inet {
                        network 10.30.0.0/16;
                        range guestWifi {   
                            low 10.30.0.1;
                            high 10.30.255.254;
                        }
                        dhcp-attributes {
                            name-server {
                                64.39.128.3;
                                64.39.128.4;
                            }
                            router {
                                10.30.1.1;
                            }
                        }
                        excluded-address 10.30.1.1;
                        excluded-address 10.30.255.254;
                    }
                }
            }
        }
        interface irb.452;
        interface irb.454;
        routing-options {
            static {
                route 10.30.0.0/16 next-hop x.x.x.157;
            }
        }
    }
    Vendors_VRF {
        instance-type virtual-router;
        system {                            
            services {
                dhcp-local-server {
                    group vendors-dhcp {
                        interface irb.453;
                    }
                }
            }
        }
        access {
            address-assignment {
                pool vendorWifi {
                    family inet {
                        network 10.20.0.0/16;
                        range vendorWifi {
                            low 10.20.0.1;
                            high 10.20.255.254;
                        }
                        dhcp-attributes {
                            name-server {
                                64.39.128.3;
                                64.39.128.4;
                            }
                            router {
                                10.20.1.1;
                            }
                        }
                        excluded-address 10.20.1.1;
                        excluded-address 10.20.255.254;
                    }                       
                }
            }
        }
        interface irb.451;
        interface irb.453;
        routing-options {
            static {
                route 10.20.0.0/16 next-hop x.x.x.153;
            }
        }
    }
    

    show security nat source rule all

    Total rules: 2
    Total referenced IPv4/IPv6 ip-prefixes: 2/0
    source NAT rule: vendor-source-nat      Rule-set: vendors-nat
      Rule-Id                    : 1
      Rule position              : 1
      From zone                  : vendor-internal
      To zone                    : vendor-external
      Match
        Source addresses         : 10.20.0.0       - 10.20.255.255
        Application              : configured
      Action                        : Vendors
        Persistent NAT type         : N/A              
        Persistent NAT mapping type : address-port-mapping 
        Inactivity timeout          : 0
        Max session number          : 0
      Translation hits           : 603436
        Successful sessions      : 592241
        Failed sessions          : 11195
      Number of sessions         : 2
    source NAT rule: guest-source-nat       Rule-set: guests-nat
      Rule-Id                    : 3
      Rule position              : 2
      From zone                  : guests-internal
      To zone                    : guests-external
      Match
        Source addresses         : 10.30.0.0       - 10.30.255.255
        Application              : configured
      Action                        : Guests
        Persistent NAT type         : N/A              
        Persistent NAT mapping type : address-port-mapping 
        Inactivity timeout          : 0
        Max session number          : 0
      Translation hits           : 2199
        Successful sessions      : 2199
        Failed sessions          : 0
      Number of sessions         : 13


  • 2.  RE: SRX300 - Latest Release - Multiple VRFs, Source NAT, Can't Access Anything External

    Posted 03-17-2017 18:09

    As for a network map:

     

    1. 4200
      1. SRX300 
        1. WLC
        2. 2200
          1. Wireless Mesh Network



  • 3.  RE: SRX300 - Latest Release - Multiple VRFs, Source NAT, Can't Access Anything External

     
    Posted 03-17-2017 19:26

    Hello,

     

    I see that Vendors come to the SRX300 on irb.453 and Guests come in on irb.454. On the same interfaces, address assignment also happens as per the configuration.

     

    Are irb.451 and irb.452 part of another VR or inet.0?

     

    Do you have route leaking properly configured between routing-instances for reverse direction flow?

     

    You can take 'security flow traceoptions' with a proper packet-filter (to match the traffic) to see where the packet is getting dropped.

     

    Regards,

     

    Rushi
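
    The traceoptions Rushi suggests, written out for the test traffic in this thread as an added example (it is not part of the original posts). It assumes a vendor client pinging 8.8.8.8; the 10.20.0.0/16 prefix, the file name debugfile, the table name Vendors_VRF.inet.0 and the pool address x.x.x.154 are taken from the configuration posted above, while the packet-filter names pf-fwd and pf-ret are my own. The first command is the check to do before tracing at all: the posted Vendors_VRF only carries a static route for its own 10.20.0.0/16, which is not a default route, so the VRF may simply have no path to the destination.

```junos
## Added example: scope the flow trace to the test traffic only.
## Assumes a vendor client pinging 8.8.8.8; prefixes come from the posted config.

## 0. Confirm the VRF actually has a route to the destination before tracing.
run show route 8.8.8.8 table Vendors_VRF.inet.0

## 1. Trace only the flows of interest, in both directions, not everything.
set security flow traceoptions file debugfile size 1m files 5
set security flow traceoptions flag basic-datapath
## forward direction: client -> 8.8.8.8
set security flow traceoptions packet-filter pf-fwd protocol icmp
set security flow traceoptions packet-filter pf-fwd source-prefix 10.20.0.0/16
set security flow traceoptions packet-filter pf-fwd destination-prefix 8.8.8.8/32
## return direction: 8.8.8.8 -> translated address (pool Vendors = x.x.x.154 as posted)
set security flow traceoptions packet-filter pf-ret protocol icmp
set security flow traceoptions packet-filter pf-ret source-prefix 8.8.8.8/32
set security flow traceoptions packet-filter pf-ret destination-prefix x.x.x.154/32
commit

## 2. Generate the ping from a client, then read the trace and the session table.
##    If the trace shows the packet leaving with a 10.20.x.x source, NAT did not apply;
##    if it shows "no route", step 0 is the problem; if pf-ret never matches, the
##    reply is not coming back to the pool address at all.
run show log debugfile
run show security flow session source-prefix 10.20.0.0/16
run show security nat source rule all

## 3. Remove the trace when finished; basic-datapath is expensive on an SRX300.
delete security flow traceoptions
commit
```

    Keep the packet-filter as tight as the test allows: basic-datapath logs every packet that matches, and an unfiltered trace on a box already carrying 600k translations (see the rule counters above) will fill the file and slow the data plane.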



  • 4.  RE: SRX300 - Latest Release - Multiple VRFs, Source NAT, Can't Access Anything External

    Posted 03-17-2017 19:59

    I've completely removed the virtual-routers from the equation to try and simplify this and figure it out as quickly as possible, but you were probably right about the route leaking back into inet.0.

     

    Here is security nat source, now:

     

     

    pool Vendors {
        address {
            x.x.x.154/32;
        }
    }
    pool Guests {
        address {
            x.x.x.158/32;
        }
    }
    rule-set nat-rules {
        from zone trust;
        to zone untrust;
        rule vendor-nat {
            match {
                source-address 10.20.0.0/16;
                application any;
            }
            then {
                source-nat {
                    pool {
                        Vendors;
                    }
                }
            }
        }
        rule guest-nat {
            match {
                source-address 10.30.0.0/16;
                application any;            
            }
            then {
                source-nat {
                    pool {
                        Guests;
                    }
                }
            }
        }
    }
    

    and the zones (I've been simplifying things): VLAN 450 is the APs and 803 is management

     

    security-zone trust {
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            irb.803;
            irb.450;
            irb.453;
            irb.454;
        }
    }
    security-zone untrust {
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            irb.451;
            irb.452;
        }
    }            

    Policy is basic from zone trust to zone untrust permit all.

     

    Showing translation hits with 'run show security nat source pool all' and 'run show security flow session nat'.

     

    Still can't ping externally.

     



  • 5.  RE: SRX300 - Latest Release - Multiple VRFs, Source NAT, Can't Access Anything External

     
    Posted 03-17-2017 20:24

    Hello,

     

    You can enable security flow traceoptions as per your test traffic and provide the output here.

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB21757&actp=METADATA

     

    Regards,

     

    Rushi



  • 6.  RE: SRX300 - Latest Release - Multiple VRFs, Source NAT, Can't Access Anything External
    Best Answer

    Posted 03-17-2017 21:27

    One of our senior engineers was finally able to get in touch with me. Turns out all we needed was:

     

    rule-set host-nat-vendor {
        from zone junos-host;
        to zone vendor-untrust;
        rule host-vendor {
            match {
                source-address 10.20.0.0/16;
            }
            then {
                source-nat {
                    interface;
                }
            }
        }
    }
    rule-set host-nat-guest {
        from zone junos-host;
        to zone guest-untrust;
        rule host-guest {
            match {
                source-address 10.30.0.0/16;
            }
            then {
                source-nat {
                    interface;
                }
            }
        }
    }
    

    Also, we moved everything back into VRFs.

     

    ping 8.8.8.8 source 10.20.1.1 routing-instance Vendors_vrf

     

    now works!

     

    I still don't fully understand why that worked. If anybody has an explanation, I would appreciate it, or I'll just pick his brain when he returns.

     

    Thanks for your help! Though I shouldn't speak too soon. They'll be needing those connections working tomorrow morning.
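
    The explanation asked for above, followed by an added example (mine, not from the thread). The test that "now works" is 'ping 8.8.8.8 source 10.20.1.1 routing-instance Vendors_VRF', which is traffic the SRX generates itself. The flow module places self-generated traffic in the junos-host zone, not in the zone of the interface that owns 10.20.1.1, so a rule-set with 'from zone vendor-internal' never matches it: the ping left with source 10.20.1.1 untranslated and the reply had nowhere to go. A rule-set with 'from zone junos-host' is the only way to source-NAT the box's own traffic, which is why adding it fixed the ping. Client traffic arriving on irb.453 is still in zone vendor-internal and still hits the original rule-set, so the working ping proves the VRF has a path out and the pool address is reachable, but it does not by itself prove client traffic is fixed; that has to be checked from a client and in the session table. The example below shows both rule-sets side by side using the zone, pool and interface names from the first post (the thread's later post renamed the external zones to vendor-untrust/guest-untrust), and then tightens two settings visible in the posted config: 'default-policy permit-all', and 'host-inbound-traffic ... all' on the Internet-facing zone, which together let anything reach the device's own services from outside. The rule-set name host-nat-vendor is from the thread; the choice of dhcp and ping as the only inside host-inbound services is an assumption.

```junos
## Added example (not from the thread). Zone, pool, interface and prefix names are
## from the first post; the host-inbound service list in step 4 is an assumption.

## 1. Client traffic enters on irb.453 in zone vendor-internal -> this rule-set matches.
set security nat source rule-set vendors-nat from zone vendor-internal
set security nat source rule-set vendors-nat to zone vendor-external
set security nat source rule-set vendors-nat rule vendor-source-nat match source-address 10.20.0.0/16
set security nat source rule-set vendors-nat rule vendor-source-nat then source-nat pool Vendors

## 2. The SRX's own traffic (ping ... source 10.20.1.1) is in zone junos-host and
##    never matches step 1; it needs its own rule-set. Interface NAT, as the thread
##    used, translates to the irb.451 address.
set security nat source rule-set host-nat-vendor from zone junos-host
set security nat source rule-set host-nat-vendor to zone vendor-external
set security nat source rule-set host-nat-vendor rule host-vendor match source-address 10.20.0.0/16
set security nat source rule-set host-nat-vendor rule host-vendor then source-nat interface
commit

## 3. Verify the two paths separately: the box's own ping, then a real client.
run ping 8.8.8.8 source 10.20.1.1 routing-instance Vendors_VRF count 3
run show security flow session source-prefix 10.20.1.1/32   # junos-host rule-set
run show security flow session source-prefix 10.20.0.0/16   # client rule-set, after a client pings

## 4. Hardening what the posted config leaves open.
##    weak:      default-policy permit-all  (every zone pair not covered by a policy is allowed,
##               including vendor-external -> vendor-internal)
##    corrected: deny-all; the explicit vendor-internal -> vendor-external policy still permits clients
delete security policies default-policy permit-all
set security policies default-policy deny-all
##    weak:      system-services all / protocols all on the Internet-facing irb.451
##    corrected: nothing inbound to the box from outside (re-add dhcp here only if the
##               WAN address is assigned by DHCP)
delete security zones security-zone vendor-external interfaces irb.451 host-inbound-traffic
##    inside: keep only what clients need from the SRX itself; dhcp is required for the
##    dhcp-local-server on irb.453 to answer them at all
delete security zones security-zone vendor-internal interfaces irb.453 host-inbound-traffic
set security zones security-zone vendor-internal interfaces irb.453 host-inbound-traffic system-services dhcp
set security zones security-zone vendor-internal interfaces irb.453 host-inbound-traffic system-services ping
commit
```

    The same pair of rule-sets and the same zone changes apply to the guest side (zone guests-internal/guests-external, pool Guests, irb.452/irb.454, 10.30.0.0/16). After step 4, anything that used to rely on the permit-all default, such as reaching irb.803 from another zone for management, needs an explicit policy or a host-inbound-traffic entry on the zone it arrives from.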