SRX Services Gateway

Cannot contact own untrust subnet from internal zone

Tuesday

Hello,

I have an SRX340 and the problem that I cannot contact our own external subnet on the untrust interface.

I have attached a short screen for better explanation.

2020-03-24_17h08_05.png

I have a SOURCE NAT for each ZONE-X to UNTRUST.

From UNTRUST to ZONE-X, I have specific STATIC NAT rules.

So all traffic from the UNTRUST side can reach this STATIC NAT. This is working fine for me.

The problem for me is that I cannot reach the IP on the STATIC NAT from an internal zone (ZONE-X).

For example, I have a static NAT rule: 123.456.789.10 -> 192.168.4.10 (ZONE4)

Now a client from ZONE1 wants to contact the IP 123.456.789.10. He is not able to do that.

What I tried and found is something with hairpinning?!

Don't know if this is the solution for my problem?

I also tried and added ZONE1 as "FROM ZONE" to the STATIC NAT rule.

Is this right? But for that I also need to create a firewall rule from ZONE1 to ZONE4 for it to work.

Is this the best way?

I am coming from the old NetScreen days. On that platform I only needed to disable the source NAT from ZONE1 to UNTRUST and it worked for the own subnet. I also tried that, without success.

Hope somebody has an idea for that problem.

I hope that I do not need to create special rules for each STATIC NAT rule so that the internal zones can also reach it.

That makes it a little bit complex.

regards,

Frank


Re: Cannot contact own untrust subnet from internal zone

Wednesday

You will need to create both a policy and a destination nat rule from zone1 to zone4 for this internal nat communications.  The destination nat rules are all based on the final translated address not the original public ip address.  So once both the destination nat and policy are in place the communications will complete.

SRXnat.png

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Cannot contact own untrust subnet from internal zone

Wednesday

Hi lordlamer

You need to apply a Destination NAT from ZONE-X that translates 123.456.789.10 to 192.168.4.10 so users in ZONE-X can send traffic to 123.456.789.10 and end up accessing 192.168.4.10. Example for ZONE5:

set security nat destination pool [POOL] address 192.168.4.10/32

set security nat destination rule-set [RULE-SET] from zone ZONE5
set security nat destination rule-set [RULE-SET] rule [RULE] match destination-address 123.456.789.10
set security nat destination rule-set [RULE-SET] rule [RULE] then destination-nat pool [POOL]

Also, a security policy permitting this traffic between ZONE-X and ZONE4 is needed. The SRX will take care of the reverse traffic.

set security policies from-zone ZONE5 to-zone ZONE4 policy [POLICY] match source-address [SOURCE_ADDRESS_BOOK(192.168.5.0/24)]
set security policies from-zone ZONE5 to-zone ZONE4 policy [POLICY] match destination-address [DESTINATION_ADDRESS_BOOK (192.168.4.10/32)]
set security policies from-zone ZONE5 to-zone ZONE4 policy [POLICY] match application [APPLICATION]
set security policies from-zone ZONE5 to-zone ZONE4 policy [POLICY] then permit

Please mark my answer as the Solution if it applies.
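As an added illustration (not code from either reply or from Juniper), the following Python model shows why both replies ask for a destination NAT rule and a ZONE1-to-ZONE4 policy: the SRX applies destination NAT to the first packet before the route lookup, so the egress zone and the policy match are both decided on the translated address. Zones, routes and addresses are constructed for the example, and 203.0.113.10 stands in for the poster's placeholder 123.456.789.10.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses: 203.0.113.10 stands in for the poster's 123.456.789.10
PUBLIC_IP = ipaddress.ip_address("203.0.113.10")
SERVER_IP = ipaddress.ip_address("192.168.4.10")

# Constructed routing table: prefix -> zone of the egress interface
ROUTES = {
    ipaddress.ip_network("192.168.1.0/24"): "ZONE1",
    ipaddress.ip_network("192.168.4.0/24"): "ZONE4",
    ipaddress.ip_network("0.0.0.0/0"): "UNTRUST",
}

@dataclass
class DstNatRule:   # models "set security nat destination rule-set ... from zone X"
    from_zone: str
    match_dst: ipaddress.IPv4Address
    pool: ipaddress.IPv4Address

@dataclass
class Policy:       # models "set security policies from-zone A to-zone B ... then permit"
    from_zone: str
    to_zone: str
    dst: ipaddress.IPv4Network

def zone_for(ip):
    """Longest-prefix route lookup; returns the egress zone."""
    best = max((n for n in ROUTES if ip in n), key=lambda n: n.prefixlen)
    return ROUTES[best]

def first_packet(src_zone, dst_ip, dst_nat_rules, policies):
    """SRX first-packet order: destination NAT -> route lookup -> policy.
    The policy lookup sees the translated destination and the zone it routes to."""
    translated = dst_ip
    for rule in dst_nat_rules:
        if rule.from_zone == src_zone and rule.match_dst == dst_ip:
            translated = rule.pool
            break
    to_zone = zone_for(translated)
    permitted = any(p.from_zone == src_zone and p.to_zone == to_zone and translated in p.dst
                    for p in policies)
    return {"translated_dst": str(translated), "to_zone": to_zone, "permitted": permitted}

POLICIES = [Policy("ZONE1", "ZONE4", ipaddress.ip_network("192.168.4.10/32"))]
ZONE1_DNAT = [DstNatRule("ZONE1", PUBLIC_IP, SERVER_IP)]

if __name__ == "__main__":
    print("without dst NAT:", first_packet("ZONE1", PUBLIC_IP, [], POLICIES))
    print("with dst NAT:   ", first_packet("ZONE1", PUBLIC_IP, ZONE1_DNAT, POLICIES))
```

Without the ZONE1 destination NAT rule the packet routes toward UNTRUST and the ZONE1-to-ZONE4 policy never matches; with it, the packet is translated to 192.168.4.10, routed into ZONE4 and permitted.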