Thank you! I had two issues: one was that my interface ge-0/0/1.7 was in the wrong zone, and I also did:
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        ge-0/0/1.7;
    }
which now allows me to ping the interface, but not route out to the internet 😕
When I look at the traceoptions output, it seems it's not really trying to map to the public IP (I guess)?
May 22 01:49:25 01:49:25.936483:CID-0:RT: in_ifp <20:ge-0/0/1.7>
May 22 01:49:25 01:49:25.936483:CID-0:RT:setting rtt to:0x657cc050 based on VR ID:0 carried over in flow ctxt, proto 2(ipv4)
May 22 01:49:25 01:49:25.936483:CID-0:RT:flow_process_pkt_exception: setting rtt in lpak to 0x657cc050
May 22 01:49:25 01:49:25.936483:CID-0:RT: jsf reinj: ctxt flag 0 sess 614180704232 src pid 28 reinj flag 6
May 22 01:49:25 01:49:25.936483:CID-0:RT:host inq check inq_type 0x6
May 22 01:49:25 01:49:25.936483:CID-0:RT: flow session id 380904
May 22 01:49:25 01:49:25.936483:CID-0:RT:flow_xlate_pak
May 22 01:49:25 01:49:25.936483:CID-0:RT: post addr xlation: 10.20.0.181->8.8.8.8.
May 22 01:49:25 01:49:25.936483:CID-0:RT: post addr xlation: 10.20.0.181->8.8.8.8.
The weird part is that the post port xlation seems to start at 10.20.0.x and increment; I'm not sure what's happening:
May 22 01:57:24 01:57:23.944281:CID-0:RT:Doing DESTINATION addr route-lookup
May 22 01:57:24 01:57:23.944281:CID-0:RT:flow_ipv4_rt_lkup success 1.2.3.1, iifl 0x54, oifl 0x48
May 22 01:57:24 01:57:23.944281:CID-0:RT: routed (x_dst_ip 1.2.3.1) from 20 (ge-0/0/1.7 in 0) to ge-0/0/0.0, Next-hop: 1.2.3.1
May 22 01:57:24 01:57:23.944281:CID-0:RT:flow_first_policy_search: policy search from zone 20-> zone untrust (0x0,0x1d12d2,0x12d2)
May 22 01:57:24 01:57:23.944281:CID-0:RT:Policy lkup: vsys 0 zone(18:20) -> zone(8:untrust) scope:0
May 22 01:57:24 01:57:23.944281:CID-0:RT: 10.20.0.3/2048 -> 1.2.3.1/53036 proto 1
May 22 01:57:24 01:57:23.944281:CID-0:RT: app 0, timeout 60s, curr ageout 60s
May 22 01:57:24 01:57:23.944281:CID-0:RT: permitted by policy permit-all(8)
May 22 01:57:24 01:57:23.944281:CID-0:RT: packet passed, Permitted by policy.
May 22 01:57:24 01:57:23.944281:CID-0:RT:flow_first_src_xlate: nat_src_xlated: False, nat_src_xlate_failed: False
May 22 01:57:24 01:57:23.944281:CID-0:RT:flow_first_src_xlate: incoming src port is : 29.
May 22 01:57:24 01:57:23.944281:CID-0:RT:flow_first_src_xlate: src nat returns status: 1, rule/pool id: 2/4, pst_nat: False.
May 22 01:57:24 01:57:23.944281:CID-0:RT: dip id = 4/0, 10.20.0.3/29->10.20.0.29/24921 protocol 1
May 22 01:57:24 01:57:23.944281:CID-0:RT: choose interface ge-0/0/0.0(P2P) as outgoing phy if
May 22 01:57:24 01:57:23.944281:CID-0:RT:is_loop_pak: No loop: on ifp: ge-0/0/0.0, addr: 1.2.3.1, rtt_idx:0
May 22 01:57:24 01:57:23.944281:CID-0:RT:-jsf : Alloc sess plugin info for session 618475332531
May 22 01:57:24 01:57:23.944281:CID-0:RT:[JSF]Normal interest check. regd plugins 28, enabled impl mask 0x0
May 22 01:57:24 01:57:23.944281:CID-0:RT:+++++++++++jsf_test_plugin_data_evh: 3
May 22 01:57:24 01:57:23.944281:CID-0:RT:[JSF]Plugins(0x0, count 0) enabled for session = 618475332531, impli mask(0x0), post_nat cnt 0 svc req(0x0)
May 22 01:57:24 01:57:23.944281:CID-0:RT:-jsf : no plugin interested for session 618475332531, free sess plugin info
May 22 01:57:24 01:57:23.944281:CID-0:RT:[JSF]Releasing plugin info blocks
May 22 01:57:24 01:57:23.944281:CID-0:RT:flow_first_service_lookup(): natp(0x56e712f8): app_id, 0(0).
May 22 01:57:24 01:57:23.944281:CID-0:RT: service lookup identified service 0.
May 22 01:57:24 01:57:23.944281:CID-0:RT: flow_first_final_check: in <ge-0/0/1.7>, out <ge-0/0/0.0>
So here's my NAT setup:
    nat {
        source {
            pool src-nat-pool20 {
                address {
                    10.20.0.10/32 to 10.20.0.249/32;
                }
            }
            rule-set 20 {
                from zone 20;
                to zone untrust;
                rule 20rule {
                    match {
                        source-address 10.20.0.0/24;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            pool {
                                src-nat-pool20;
                            }
                        }
                    }
                }
            }
        }
        static {
            rule-set untrust-to-20 {
                from zone untrust;
                rule 20rule {
                    match {
                        destination-address 1.2.3.5/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                1.2.3.5/32;
                            }
                        }
                    }
                }
            }
        }
        proxy-arp {
            interface ge-0/0/0.0 {
                address {
                    1.2.3.2/32;
                    1.2.3.4/32;
                    1.2.3.5/32;
                }
            }
        }
    }
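As an added example (not code from the original post or from Juniper), the Python script below does mechanically what a reviewer would do by hand with the trace and config above: it parses the `dip id = ...` line the SRX flow trace prints when source NAT fires, expands the pool's `address A/32 to B/32` range, and flags a translated source that is still RFC 1918 space on an untrust egress or that is drawn from the same subnet the rule matches. The pool range, the matched subnet and the first trace line are the ones quoted in the post; the second trace line and all function names are constructed for the example.

```python
"""Sanity-check SRX source-NAT translations from flow traceoptions.

Added example, not code from the original post. It reads the
"dip id = ..." line that the SRX flow trace prints when source NAT
fires, compares the translated source address with the configured pool
and with the rule's matched source subnet, and flags translations that
leave the box with an RFC 1918 source on a public-facing egress.
"""
import ipaddress
import re

# Trace lines. The first is quoted from the post above; the second is a
# constructed line showing what a translation into a public pool looks like.
TRACE_LINES = [
    "May 22 01:57:24 01:57:23.944281:CID-0:RT: dip id = 4/0, "
    "10.20.0.3/29->10.20.0.29/24921 protocol 1",
    "May 22 02:10:00 02:10:00.000000:CID-0:RT: dip id = 5/0, "
    "10.20.0.3/30->1.2.3.4/30001 protocol 1",  # constructed
]

# Matches the translation part of a "dip id" trace line:
#   dip id = <pool>/<n>, <src>/<sport>-><xsrc>/<xport> protocol <proto>
DIP_RE = re.compile(
    r"dip id = (?P<pool>\d+)/\d+, "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})/(?P<sport>\d+)->"
    r"(?P<xsrc>\d{1,3}(?:\.\d{1,3}){3})/(?P<xport>\d+) protocol (?P<proto>\d+)"
)


def parse_src_xlate(line):
    """Return the source-NAT translation recorded in a trace line, or None."""
    m = DIP_RE.search(line)
    if m is None:
        return None
    return {
        "pool_id": int(m["pool"]),
        "src": ipaddress.ip_address(m["src"]),
        "sport": int(m["sport"]),
        "xsrc": ipaddress.ip_address(m["xsrc"]),
        "xport": int(m["xport"]),
        "proto": int(m["proto"]),
    }


def pool_networks(first, last):
    """Expand a Junos 'address A/32 to B/32' pool range into networks."""
    lo = ipaddress.ip_address(first.split("/")[0])
    hi = ipaddress.ip_address(last.split("/")[0])
    return list(ipaddress.summarize_address_range(lo, hi))


def pool_overlaps_match(pool_nets, match_subnet):
    """True if the pool hands out addresses from the subnet the rule matches."""
    matched = ipaddress.ip_network(match_subnet)
    return any(n.overlaps(matched) for n in pool_nets)


def check_translation(xl, pool_nets, egress_is_public=True):
    """Report problems with one parsed translation. Empty list means OK."""
    problems = []
    if not any(xl["xsrc"] in n for n in pool_nets):
        problems.append("translated source %s is outside the configured pool" % xl["xsrc"])
    if egress_is_public and xl["xsrc"].is_private:
        problems.append(
            "translated source %s is RFC 1918 space; nothing upstream can "
            "route a reply to it" % xl["xsrc"]
        )
    return problems


def audit(lines, pool_nets, match_subnet):
    """Run all checks; returns (config_problems, [(line, problems), ...])."""
    config_problems = []
    if pool_overlaps_match(pool_nets, match_subnet):
        config_problems.append(
            "pool overlaps the matched source subnet %s; the pool should hold "
            "addresses reachable from the egress side" % match_subnet
        )
    per_line = []
    for line in lines:
        xl = parse_src_xlate(line)
        if xl is not None:
            per_line.append((line, check_translation(xl, pool_nets)))
    return config_problems, per_line


if __name__ == "__main__":
    # Pool and matched subnet as configured in the post.
    pool = pool_networks("10.20.0.10/32", "10.20.0.249/32")
    cfg, per_line = audit(TRACE_LINES, pool, "10.20.0.0/24")
    for p in cfg:
        print("CONFIG:", p)
    for line, probs in per_line:
        print(line.split("RT:")[1].strip())
        for p in probs or ["ok"]:
            print("   ", p)
```

Run against the values from the post it reports the pool/subnet overlap once and flags the `10.20.0.3/29->10.20.0.29/24921` translation as private; the constructed second line only passes when the pool is changed to a public range such as `1.2.3.4/32 to 1.2.3.4/32`.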