SRX Services Gateway

BT infinity with multiple static IP on SRX220

09-23-2014 02:20 AM

I have an SRX220 with BT Infinity, with the block of static IPs (a /29, sold as 5 IPs as their provided router takes up one if used). I previously had this setup working with a single static IP on the SRX, but have now upgraded this to the /29.

BT do it in a fairly weird way; they give one IP via DHCP which is unrelated to the /29, then route that /29 there. I have the new DHCP IP working, but can't put any services on it as it will change on every reboot, so I need to get the /29 working.

I followed this thread as much as I can, but it still isn't working and I'm not sure - probably a problem with proxy-arp, but OP in that thread didn't explain what he did to make it work.

interfaces {
...
    lo0 {
...
        unit 2 {
            family inet {
                address 81.x.x.x/29;
            }
        }
    }

    pp0 {
        unit 0 {
            ppp-options {
                chap {
                    default-chap-secret blah;
                    local-name blah;
                    passive;
                }
            }
            pppoe-options {
                underlying-interface ge-0/0/0.0;
                idle-timeout 0;
                auto-reconnect 5;
                client;
            }
            no-keepalives;
            family inet {
                mtu 1492;
                negotiate-address;
            }
        }
    }
}
security {
    nat {
        static {
            rule-set bt {
                from interface pp0.0;
                rule 145 {                          
                    match {
                        destination-address 81.x.x.x/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                10.0.0.1/32;
                            }
                        }
                    }
                }
            }
        }
        proxy-arp {
            interface pp0.0 {
                address {
                    81.x.x.x/32;
                }
            }
        }
    }
}

I tried to add the whole /29 in one go, but then it complained with "Static NAT rule(1) error: host address doesn't have same mask as destination address." As I want to NAT different addresses to internal ones, I couldn't see any way around that other than adding all of the IPs separately, but that doesn't seem to work either.

Re: BT infinity with multiple static IP on SRX220

09-23-2014 02:59 AM

A couple of things:

- Get rid of the loopback address - there is no need for this with DNAT

- Do you have an associated security policy that allows traffic through? It will need to be source 0.0.0.0/0, destination 10.0.0.1/32

- The proxy-arp can be configured for the entire /29 in one statement

Hope this helps

Ben Dale
JNCIP-ENT, JNCIP-SP, JNCIP-DC, JNCIE-SEC #63
Juniper Ambassador
Follow me @labelswitcher
Re: BT infinity with multiple static IP on SRX220

09-23-2014 03:48 AM

I have a security policy that will allow traffic; removing or adding the lo0 interface doesn't seem to change anything, except that without it, I can't ping the public IPs from the SRX (and I can't from anywhere else in either case). I think maybe proxy-arp isn't configured correctly here.

interface pp0.0 {
    address {
        81.x.x.x/29;
    }
}

 

Re: BT infinity with multiple static IP on SRX220

09-23-2014 04:33 AM

That's pretty much all there is to proxy-ARP, and being that this is a PPPoE interface (i.e. point-to-point) I'm not sure that ARP is even going to get used here.

Can you show a censored version of your security policy, along with the interface-to-zone mappings of the pp0.0 interface and the interface that routes to 10.0.0.1?

Ben Dale
JNCIP-ENT, JNCIP-SP, JNCIP-DC, JNCIE-SEC #63
Juniper Ambassador
Follow me @labelswitcher
Re: BT infinity with multiple static IP on SRX220

09-23-2014 04:49 AM

In this case, 10.0.0.1 is the SRX; I am trying to get the additional IPs up before I then start NATing them to the right places internally.

Security policy:

policy ssh {
    match {
        source-address any-ipv4;
        destination-address ssh;
        application junos-ssh;
    }
    then {
        permit;
    }
}
policy webservices {
    match {
        source-address any;
        destination-address webservices;
        application [ junos-http junos-https ];
    }
    then {
        permit;
    }
}
policy ldap {
    match {
        source-address [ xxxxx ];
        destination-address xxxxx;
        application junos-ldap;
    }
    then {
        permit;
    }
}
policy mail {
    match {
        source-address any-ipv4;
        destination-address xxxxx;
        application junos-smtp;
    }
    then {
        permit;
    }
}
policy default-deny {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        deny;
    }
}

 

For zones, as I understand it, pp0.0 is implicitly in untrust, which hasn't been overridden anywhere.

Re: BT infinity with multiple static IP on SRX220

09-23-2014 04:57 AM

Okay, that's probably your issue - I don't think sending it to the loopback is going to work because it's an on-box interface - if you pass the NATted traffic through to an internal host though, you should be golden.

As for pp0.0 being implicitly in untrust, that's not a given unless it's in the config. All the same, try:

show interfaces pp0.0 | match Zone

from operational mode and confirm that.

Your security policies will need to be from untrust to the zone you put your internal host on.

Ben Dale
JNCIP-ENT, JNCIP-SP, JNCIP-DC, JNCIE-SEC #63
Juniper Ambassador
Follow me @labelswitcher
Re: BT infinity with multiple static IP on SRX220

09-23-2014 05:06 AM

It shows pp0.0 as being in untrust. As for the IPs, I still need to have them on the SRX itself as at least one needs to be made into the gateway for normal clients behind NAT as the DHCP IP changes. Would there be any easy way to configure them as secondary IPs on the pp0 interface instead while still having the main IP be obtained via DHCP? If I understand this correctly, making it another unit on pp0 wouldn't work as then it would expect to have another PPPoE session.

Re: BT infinity with multiple static IP on SRX220

09-29-2014 01:15 AM

I'm confused by your setup now.

Surely you would have your hosts with private IP addresses, then just NAT the public IPs through to the private ones?

That way, you don't need to change anything when the lease is renewed?

If you're NATting, there is no need to configure the addresses anywhere except proxy-arp (in some cases) and the NAT itself.

e.g.:

[BT]----untrust----[pp0.0][SRX][vlan.0]----trust---[host1]

pp0.0 - Address is dynamic

BT would route your static IPs towards the pp0.0 address

You would configure proxy-arp on pp0.0 for the /29

You would configure Destination NAT (or Static NAT) from zone Untrust and map through to host1 on 10.0.0.1, which you have in the trust zone on vlan.0 (or whatever you have on the trust side)

Is this correct, or am I missing something?

Ben Dale
JNCIP-ENT, JNCIP-SP, JNCIP-DC, JNCIE-SEC #63
Juniper Ambassador
Follow me @labelswitcher
Re: BT infinity with multiple static IP on SRX220

09-29-2014 05:15 AM

That sounds about right. pp0 comes up fine and gets a dynamic IP, which changes every time the modem is rebooted, and the static IP assignment gets routed there properly - I can reach external services with the assigned static IPs fine on the SRX (via ping/traceroute/telnet with the source and interface options), and can NAT them through to internal services behind the SRX on private IPs, but attempting to ping them from the WAN side doesn't work, even with proxy-arp set up for those IPs.

interfaces {
    ge-0/0/0 {
        mtu 1492;
        unit 0 {
            encapsulation ppp-over-ether;
        }
    }
...
    lo0 {
...
        unit 2 {
            family inet {
                address 81.x.x.x/32;
                address 81.x.x.x/32;
                address 81.x.x.x/32;
                address 81.x.x.x/32;
                address 81.x.x.x/32;
                address 81.x.x.x/32;
            }
        }
    }
    pp0 {
        unit 0 {
            ppp-options {
                chap {
                    default-chap-secret xxxxx;
                    local-name xxxxx;
                    passive;
                }
            }
            pppoe-options {
                underlying-interface ge-0/0/0.0;
                idle-timeout 0;
                auto-reconnect 5;
                client;
            }
            no-keepalives;
            family inet {
                mtu 1492;
                negotiate-address;
            }
        }
    }
}
security {
    nat {
        static {
            rule-set bt {
                from interface pp0.0;
                rule 146 {
                    match {
                        destination-address 81.x.x.146/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                10.0.7.149/32;
                            }
                        }
                    }
                }
                /* similar rules for other public IPs */
            }
        }
        destination {
            rule-set bt {
                from interface pp0.0;
                rule 146 {
                    match {
                        destination-address-name 81.x.x.146;
                    }
                    then {
                        destination-nat pool 10.0.7.149;
                    }
                }
            }
        }
    }
    policies {
        from-zone untrust to-zone trust {
            policy 146 {
                match {
                    source-address any-ipv4;
                    destination-address 81.x.x.146;
                    application [ junos-https junos-icmp-all ];
                }
                then {
                    permit;
                }
            }
        }
    }
}

I'm not sure why ping into these IPs still doesn't work, while I think I have source NAT right (changing from interface to pool with the correct IP), but have to wait until out of hours to apply that. As far as I can see, ICMP should be allowed, but it still isn't being forwarded properly.
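The design Ben sketches above (proxy-arp for the /29 on pp0.0, NAT from untrust through to an inside host, policy from untrust to trust), written out as one Junos configuration; this is an added example, not config from the thread. It reuses the thread's censored values (public 81.x.x.146, inside host 10.0.7.149) and assumes the /29 is 81.x.x.144/29 and that pp0.0 and vlan.0 are already in untrust and trust. Static NAT is used with /32 on both sides, which avoids the mask-length error from the first post, and, following Ben's first reply, the policy matches the inside address because the SRX evaluates policy after the destination has been translated.

```junos
security {
    nat {
        static {
            rule-set bt-inbound {
                from zone untrust;
                rule to-149 {
                    match {
                        destination-address 81.x.x.146/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                10.0.7.149/32;
                            }
                        }
                    }
                }
            }
        }
        proxy-arp {
            interface pp0.0 {
                address {
                    81.x.x.144/29;
                }
            }
        }
    }
    policies {
        from-zone untrust to-zone trust {
            /* policy lookup happens after NAT, so match the inside address */
            policy inbound-149 {
                match {
                    source-address any;
                    destination-address host-149;
                    application [ junos-https junos-icmp-all ];
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address host-149 10.0.7.149/32;
            }
        }
    }
}
```

Test from a host outside the SRX, since traffic the SRX originates itself never matches these NAT rules; `show security flow session destination-prefix 10.0.7.149` should then show the translated session. The proxy-arp stanza is kept because the thread's design includes it, although, as Ben notes, ARP may not be used at all on a point-to-point PPPoE link.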

Re: BT infinity with multiple static IP on SRX220

09-29-2014 03:45 PM

This is expected behaviour:

Your NAT policy (whether it be static or source) will not come into effect for traffic sourced from the box - the traffic is originating from the "Self" zone and a special interface called .local..0, neither of which will match your NAT rule.

If ping doesn't work to hosts mapped through, then enable it as part of the security policy.

Hope this clears things up

Ben Dale
JNCIP-ENT, JNCIP-SP, JNCIP-DC, JNCIE-SEC #63
Juniper Ambassador
Follow me @labelswitcher
Re: BT infinity with multiple static IP on SRX220

01-14-2015 05:29 PM

I have a similar situation with a different ISP. I have got NATting to work fine, but I am not able to get incoming connections to work from untrust to trust, e.g. I need to get a route-based IPsec VPN working as a hub on a static IP from the routed subnet.

Does anyone have a working example of this?