SRX Services Gateway

Cant connect Static NAT from inside from other zones

3 weeks ago

hi,

 

I have configured a static NAT on our SRX and mapped one of the public IPs to an internal IP in the zone LAN.
On the SRX there are several zones configured, and I can't reach that static NAT public IP.

Zones are configured on one physical interface, ge-0/0/0. Each zone is set up on a different VLAN.

 

Zones:

security-zone GROSSE  ge-0/0/0.6

security-zone DEMO  ge-0/0/0.4

security-zone LAN ge-0/0/0.5

security-zone DMZ-QSC ge-0/0/0.2

 

 

Interfaces:

ge-0/0/0 {
    vlan-tagging;
    unit 2 {
        vlan-id 2;
        family inet {
            address xxx.xxx.xxx.210/28;
        }
    }
    unit 5 {
        description LAN;
        vlan-id 5;
        family inet {
            address 192.168.1.254/24;
        }
    }
    unit 6 {
        description GROSSE;
        vlan-id 6;
        family inet {
            address 192.168.31.254/24;
        }
    }
}

 

 

show security nat static:
rule-set STATIC-3CX {
    from zone untrust;
    rule rule-static-3CX {
        match {
            destination-address xxx.xxx.xxx.212/32;
        }
        then {
            static-nat {
                prefix {
                    192.168.1.200/32;
                }
            }
        }
    }
}

 

I have tried this https://kb.juniper.net/InfoCenter/index?page=content&id=KB17448&cat=SRX_5800_1&actp=LIST

but it still does not work from other zones.

 

waiting for some hints.

regards

ed


Re: Cant connect Static NAT from inside from other zones

3 weeks ago

Hi Emeiler,

 

Can you please modify the static NAT context like the one specified below?

 

user@host# set security nat static rule-set STATIC-3CX from routing-instance default

user@host# commit

 

The above is just an assumption as I don't understand your question. Are you trying to access the Public IP address from the Internal zones (Multiple VLANs) and it needs to be translated using Static NAT to Private IP address? Is that your requirement?

 

Let me know the behavior.



Thanks,
π00bm@$t€®.

Re: Cant connect Static NAT from inside from other zones

3 weeks ago

Hi,

- Can you validate that I am understanding your topology well? Here is a picture of what I understand:

STATIC NAT QUESTION.png

- Can you provide the missing info, and the configuration of your security policies. 

- Also, can you tell me what is working and what is not?  What I understand is that from the untrust zone you can reach the server, but not from the other zones? 

- Do you have any other NAT rules? 

 

Regards,

 

Yasmin Lara - Juniper Ambassador #QuadE - JNCIE-SP, JNCIE-ENT, JNCIE-DC, JNCIE-SEC
JNCIS-CLOUD, JNCDS-DC, JNCIA-DevOps

Re: Cant connect Static NAT from inside from other zones

3 weeks ago

Hello Yasmin,

 

thank you for your reply.

 

Here are the missing data.

 

1. Zone Demo 192.168.11.0/24

 

2. Physical interface: ge-0/0/5, Enabled, Physical link is Up

Logical interface ge-0/0/5.0 (Index 85) (SNMP ifIndex 529)
Flags: Up SNMP-Traps 0x0 Encapsulation: PPP-over-Ethernet
PPPoE:

ip 83.xxx.xxx.204

 

3. Zone Untrust is untrust

 

If you need more info please let me know

 

regards

 

ed


Re: Cant connect Static NAT from inside from other zones

3 weeks ago

Hi,

 

thank you for your reply.

 

We have different internal zones. PCs from all zones need to access the static public IP to be able to use the VoIP.

Now only PCs from LAN (192.168.1.0/24) can access this static NAT IP because the mapped address is assigned to the internal IP (192.168.1.200/32) from the LAN zone.

 

I will try your suggestion and let you know.

 

regards

 

ed

 


Re: Cant connect Static NAT from inside from other zones

3 weeks ago

Hi noobmaster,

 

the modification did not work out.

the problem still exists.

 

regards

Ed


Re: Cant connect Static NAT from inside from other zones

3 weeks ago

Can you tell me if you have any other NAT rules, and what your policies look like? 

Yasmin Lara - Juniper Ambassador #QuadE - JNCIE-SP, JNCIE-ENT, JNCIE-DC, JNCIE-SEC
JNCIS-CLOUD, JNCDS-DC, JNCIA-DevOps

Re: Cant connect Static NAT from inside from other zones

3 weeks ago

Also, when devices on the other zones try to reach the server, are they using DA = 192.168.1.200 or DA = xxx.xxx.xxx.212? (I think I might know what's going on).

 

The best way to figure out problems with traffic flow in SRX is to use the packet trace (traceoption flag basic-datapath). That shows you the packet processing step by step (source NAT, policies, routing, and so on) and tells you where the process is failing.  I'll send you an example of how to do that later. 

 

 

Yasmin Lara - Juniper Ambassador #QuadE - JNCIE-SP, JNCIE-ENT, JNCIE-DC, JNCIE-SEC
JNCIS-CLOUD, JNCDS-DC, JNCIA-DevOps

Re: Cant connect Static NAT from inside from other zones

3 weeks ago

Hi. 

 

here is the secure nat:

 

I have added, as a quick and dirty solution, a security policy between GROSSE and LAN, which allows the PCs from zone GROSSE to reach the mapped IP 192.168.1.200.

 

But this is just a solution until we know how to setup the correct way.

 

regards

 

ed

 

root@SRX300# show security nat


source {
    rule-set trust-to-untrust {
        from zone trust;
        to zone untrust;
        rule source-nat-rule {
            match {
                source-address 0.0.0.0/0;
            }
            then {
                source-nat {
                    interface;
                }
            }
        }
    }
    rule-set NAT-RULESET {
        from zone [ DEMO DMZX GROSSE HOME LAN NAT ];
        to zone untrust;
        rule NAT-RULESET-RULE {
            match {
                source-address 0.0.0.0/0;
                destination-address 0.0.0.0/0;
            }
            then {
                source-nat {
                    interface;
                }
            }
        }
    }
    rule-set trust-to-trust {
        from zone trust;
        to zone trust;
        rule rule-trust {
            match {
                source-address 0.0.0.0/0;
            }
            then {
                source-nat {
                    interface;
                }
            }
        }
    }
}
destination {
    pool EXCHANGE {
        address 192.168.1.212/32 port 25;
    }
    pool EXCHANGE-HTTPS {
        address 192.168.1.212/32 port 443;
    }
    pool VTIGER {
        address 192.168.10.120/32 port 80;
    }
    pool GROSSE_RDP {
        address 192.168.31.242/32 port 3389;
    }
    pool VTIGER_SSH {
        address 192.168.10.120/32 port 60122;
    }
    pool dst-pool-GROSSE-mail {
        address 192.168.31.242/32 port 3389;
    }
    pool dst-pool-3CX {
        address 192.168.1.200/32;
    }
    rule-set EXCHANE {
        from zone untrust;
        rule SMTP {
            match {
                source-address 0.0.0.0/0;
                destination-address 83.xxx.xxx.204/32;
                destination-port {
                    25;
                }
            }
            then {
                destination-nat {
                    pool {
                        EXCHANGE;
                    }
                }
            }
        }
        rule HTTPS {
            match {
                source-address 0.0.0.0/0;
                destination-address 83.xxx.xxx.204/32;
                destination-port {
                    443;
                }
            }
            then {
                destination-nat {
                    pool {
                        EXCHANGE-HTTPS;
                    }
                }
            }
        }
        rule HTTP {
            match {
                source-address 0.0.0.0/0;
                destination-address 83.xxx.xxx.204/32;
                destination-port {
                    80;
                }
            }
            then {
                destination-nat {
                    pool {
                        VTIGER;
                    }
                }
            }
        }
        rule GROSSE_RDP {
            match {
                source-address 0.0.0.0/0;
                destination-address 83.xxx.xxx.204/32;
                destination-port {
                    3389;
                }
            }
            then {
                destination-nat {
                    pool {
                        GROSSE_RDP;
                    }
                }
            }
        }
        rule VTIGER_SSH {
            match {
                source-address 0.0.0.0/0;
                destination-address 83.xxx.xxx.204/32;
                destination-port {
                    60122;
                }
            }
            then {
                destination-nat {
                    pool {
                        VTIGER_SSH;
                    }
                }
            }
        }
        rule dst-rule-GROSSE-mail {
            match {
                source-address 0.0.0.0/0;
                destination-address xxx.xxx.xxx.211/32;
                destination-port {
                    3389;
                    443;
                    25;
                }
            }
            then {
                destination-nat {
                    pool {
                        dst-pool-GROSSE-mail;
                    }
                }
            }
        }
        rule dst-rule-3CS {
            match {
                source-address 0.0.0.0/0;
                destination-address xxx.xxx.xxx.213/32;
                destination-port {
                    5001;
                    5060;
                    5061;
                    5090;
                    9000 to 10999;
                }
            }
            then {
                destination-nat {
                    pool {
                        dst-pool-3CX;
                    }
                }
            }
        }
    }
    rule-set dst-ruleset-LAN {
        from zone LAN;
        rule dst-rule-LAN-rdp {
            match {
                source-address 0.0.0.0/0;
                destination-address 192.168.31.241/32;
                destination-port {
                    3389;
                }
            }
            then {
                destination-nat {
                    off;
                }
            }
        }
    }
}
static {
    rule-set STATIC-3CX {
        from zone untrust;
        rule rule-static-3CX {
            match {
                destination-address xxx.xxx.xxx.212/32;
            }
            then {
                static-nat {
                    prefix {
                        192.168.1.200/32;
                    }
                }
            }
        }
    }
    rule-set inbound {
        from interface [ ge-0/0/0.5 ge-0/0/0.6 ge-0/0/0.9 ge-0/0/5.0 ];
        rule rule-inbound {
            match {
                destination-address xxx.xxx.xxx.212/32;
            }
            then {
                static-nat {
                    prefix {
                        192.168.1.200/32;
                    }
                }
            }
        }
    }
}


Re: Cant connect Static NAT from inside from other zones

3 weeks ago

I can reach the public xxx.xxx.xxx.212 or the internal IP (192.168.1.200) only from LAN (192.168.1.0/24).

From all other zones I can't reach the public xxx.xxx.xxx.212 or the internal IP (192.168.1.200).


Re: Cant connect Static NAT from inside from other zones

3 weeks ago

Here is the log file:

____________________

 

 

Aug 26 00:56:33 00:56:32.839174:CID-0:RT:jsf sess close notify

Aug 26 00:56:33 00:56:32.839174:CID-0:RT:flow_ipv4_del_flow: sess 12144, in hash 32

Aug 26 00:56:33 00:56:32.839174:CID-0:RT:jsf sess close notify

Aug 26 00:56:33 00:56:32.839174:CID-0:RT:flow_ipv4_del_flow: sess 14227, in hash 32

Aug 26 00:56:33 00:56:32.839174:CID-0:RT:jsf sess close notify

Aug 26 00:56:33 00:56:32.839174:CID-0:RT:flow_ipv4_del_flow: sess 12536, in hash 32

Aug 26 00:56:39 00:56:39.347189:CID-0:RT:<192.168.9.27/61939->192.168.1.200/5001;6,0x0> matched filter pf1:

Aug 26 00:56:39 00:56:39.347189:CID-0:RT:packet [64] ipid = 0, @0x43dce6a4

Aug 26 00:56:39 00:56:39.347189:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 15, common flag 0x0, mbuf 0x43dce480, rtbl_idx = 0

Aug 26 00:56:39 00:56:39.347189:CID-0:RT: flow process pak fast ifl 81 in_ifp ge-0/0/0.9

Aug 26 00:56:39 00:56:39.347189:CID-0:RT: ge-0/0/0.9:192.168.9.27/61939->192.168.1.200/5001, tcp, flag c2 syn

Aug 26 00:56:39 00:56:39.347189:CID-0:RT: find flow: table 0x523a0ca8, hash 54988(0xffff), sa 192.168.9.27, da 192.168.1.200, sp 61939, dp 5001, proto 6, tok 14, conn-tag 0x00000000

Aug 26 00:56:39 00:56:39.347189:CID-0:RT: no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0

Aug 26 00:56:39 00:56:39.347189:CID-0:RT: flow_first_create_session

Aug 26 00:56:39 00:56:39.347189:CID-0:RT:Save init hash spu id 0 to nsp and nsp2!

Aug 26 00:56:39 00:56:39.347189:CID-0:RT:First path alloc and instl pending session, natp=0x557b52d8, id=14597

Aug 26 00:56:39 00:56:39.347189:CID-0:RT: flow_first_in_dst_nat: in <ge-0/0/0.9>, out <N/A> dst_adr 192.168.1.200, sp 61939, dp 5001

Aug 26 00:56:39 00:56:39.347189:CID-0:RT: chose interface ge-0/0/0.9 as incoming nat if.

Aug 26 00:56:39 00:56:39.347189:CID-0:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 192.168.1.200(5001)

Aug 26 00:56:39 00:56:39.347189:CID-0:RT:[JSF] Do ingress interest check. regd ingress plugins(1)

Aug 26 00:56:39 00:56:39.347189:CID-0:RT:[JSF][0]plugins(0x0) enabled for session = 90194327813 implicit mask(0x0), service request(0x0)

Aug 26 00:56:39 00:56:39.347189:CID-0:RT:-jsf : no plugin ingress interested for session 90194327813
Aug 26 00:56:39 00:56:39.347189:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 192.168.9.27, x_dst_ip 192.168.1.200, in ifp ge-0/0/0.9, out ifp N/A sp 61939, dp 5001, ip_proto 6, tos 0

Aug 26 00:56:39 00:56:39.347189:CID-0:RT:Doing DESTINATION addr route-lookup

Aug 26 00:56:39 00:56:39.347189:CID-0:RT:flow_ipv4_rt_lkup success 192.168.1.200, iifl 0x51, oifl 0x4d

Aug 26 00:56:39 00:56:39.347189:CID-0:RT: routed (x_dst_ip 192.168.1.200) from HOME (ge-0/0/0.9 in 0) to ge-0/0/0.5, Next-hop: 192.168.1.200

Aug 26 00:56:39 00:56:39.347189:CID-0:RT:flow_first_policy_search: policy search from zone HOME-> zone LAN (0x0,0xf1f31389,0x1389)

Aug 26 00:56:39 00:56:39.347189:CID-0:RT:Policy lkup: vsys 0 zone(14:HOME) -> zone(8:LAN) scope:0

Aug 26 00:56:39 00:56:39.347189:CID-0:RT: 192.168.9.27/61939 -> 192.168.1.200/5001 proto 6

Aug 26 00:56:39 00:56:39.347189:CID-0:RT:Policy lkup: vsys 0 zone(5:global) -> zone(5:global) scope:0

Aug 26 00:56:39 00:56:39.347189:CID-0:RT: 192.168.9.27/61939 -> 192.168.1.200/5001 proto 6

Aug 26 00:56:39 00:56:39.347189:CID-0:RT: app 33, timeout 1800s, curr ageout 20s

Aug 26 00:56:39 00:56:39.347189:CID-0:RT: packet dropped, denied by policy

Aug 26 00:56:39 00:56:39.347189:CID-0:RT: denied by policy default-policy-logical-system-00(2), dropping pkt

Aug 26 00:56:39 00:56:39.347189:CID-0:RT: packet dropped, policy deny.

Aug 26 00:56:39 00:56:39.347189:CID-0:RT:flow_initiate_first_path: first pak no session

Aug 26 00:56:39 00:56:39.347189:CID-0:RT: flow find session returns error.

Aug 26 00:56:39 00:56:39.347189:CID-0:RT:flow_proc_rc: -1.

Aug 26 00:56:39 00:56:39.347189:CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)


Aug 26 00:56:40 00:56:40.350725:CID-0:RT:<192.168.9.27/61939->192.168.1.200/5001;6,0x0> matched filter pf1:

Aug 26 00:56:40 00:56:40.350725:CID-0:RT:packet [64] ipid = 0, @0x43dc5ea4

Aug 26 00:56:40 00:56:40.350725:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 15, common flag 0x0, mbuf 0x43dc5c80, rtbl_idx = 0

Aug 26 00:56:40 00:56:40.350725:CID-0:RT: flow process pak fast ifl 81 in_ifp ge-0/0/0.9

Aug 26 00:56:40 00:56:40.350725:CID-0:RT: ge-0/0/0.9:192.168.9.27/61939->192.168.1.200/5001, tcp, flag 2 syn

Aug 26 00:56:40 00:56:40.350725:CID-0:RT: find flow: table 0x523a0ca8, hash 54988(0xffff), sa 192.168.9.27, da 192.168.1.200, sp 61939, dp 5001, proto 6, tok 14, conn-tag 0x00000000

Aug 26 00:56:40 00:56:40.350725:CID-0:RT: no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0

Aug 26 00:56:40 00:56:40.350725:CID-0:RT: flow_first_create_session

Aug 26 00:56:40 00:56:40.350725:CID-0:RT:flow_first_create_session: Found invalid sess. Start first path

Aug 26 00:56:40 00:56:40.350725:CID-0:RT:Save init hash spu id 0 to nsp and nsp2!

Aug 26 00:56:40 00:56:40.350725:CID-0:RT:First path alloc and instl pending session, natp=0x55756fa8, id=13855

Aug 26 00:56:40 00:56:40.350725:CID-0:RT: flow_first_in_dst_nat: in <ge-0/0/0.9>, out <N/A> dst_adr 192.168.1.200, sp 61939, dp 5001

Aug 26 00:56:40 00:56:40.350725:CID-0:RT: chose interface ge-0/0/0.9 as incoming nat if.

Aug 26 00:56:40 00:56:40.350725:CID-0:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 192.168.1.200(5001)

Aug 26 00:56:40 00:56:40.350725:CID-0:RT:[JSF] Do ingress interest check. regd ingress plugins(1)

Aug 26 00:56:40 00:56:40.350725:CID-0:RT:[JSF][0]plugins(0x0) enabled for session = 90194327071 implicit mask(0x0), service request(0x0)

Aug 26 00:56:40 00:56:40.350725:CID-0:RT:-jsf : no plugin ingress interested for session 90194327071
Aug 26 00:56:40 00:56:40.350725:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 192.168.9.27, x_dst_ip 192.168.1.200, in ifp ge-0/0/0.9, out ifp N/A sp 61939, dp 5001, ip_proto 6, tos 0

Aug 26 00:56:40 00:56:40.350725:CID-0:RT:Doing DESTINATION addr route-lookup

Aug 26 00:56:40 00:56:40.350725:CID-0:RT:flow_ipv4_rt_lkup success 192.168.1.200, iifl 0x51, oifl 0x4d

Aug 26 00:56:40 00:56:40.350725:CID-0:RT: routed (x_dst_ip 192.168.1.200) from HOME (ge-0/0/0.9 in 0) to ge-0/0/0.5, Next-hop: 192.168.1.200

Aug 26 00:56:40 00:56:40.350725:CID-0:RT:flow_first_policy_search: policy search from zone HOME-> zone LAN (0x0,0xf1f31389,0x1389)

Aug 26 00:56:40 00:56:40.350725:CID-0:RT:Policy lkup: vsys 0 zone(14:HOME) -> zone(8:LAN) scope:0

Aug 26 00:56:40 00:56:40.350725:CID-0:RT: 192.168.9.27/61939 -> 192.168.1.200/5001 proto 6

Aug 26 00:56:40 00:56:40.350725:CID-0:RT:Policy lkup: vsys 0 zone(5:global) -> zone(5:global) scope:0

Aug 26 00:56:40 00:56:40.350725:CID-0:RT: 192.168.9.27/61939 -> 192.168.1.200/5001 proto 6

Aug 26 00:56:40 00:56:40.350725:CID-0:RT: app 33, timeout 1800s, curr ageout 20s

Aug 26 00:56:40 00:56:40.350725:CID-0:RT: packet dropped, denied by policy

Aug 26 00:56:40 00:56:40.350725:CID-0:RT: denied by policy default-policy-logical-system-00(2), dropping pkt

Aug 26 00:56:40 00:56:40.350725:CID-0:RT: packet dropped, policy deny.

Aug 26 00:56:40 00:56:40.350725:CID-0:RT:flow_initiate_first_path: first pak no session

Aug 26 00:56:40 00:56:40.350725:CID-0:RT: flow find session returns error.

Aug 26 00:56:40 00:56:40.350725:CID-0:RT:flow_proc_rc: -1.

Aug 26 00:56:40 00:56:40.350725:CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)


Re: Cant connect Static NAT from inside from other zones

3 weeks ago

The log is showing that the default-policy is denying the traffic.

 

That means the traffic is NOT matching the policy that is supposed to allow it.  Make sure that your policy matches on the correct source and destination address and port number (pre or post translation). 

 

NAT STEPS.png

Yasmin Lara - Juniper Ambassador #QuadE - JNCIE-SP, JNCIE-ENT, JNCIE-DC, JNCIE-SEC
JNCIS-CLOUD, JNCDS-DC, JNCIA-DevOps
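
As an added illustration (not code from the thread or from Juniper), this Python script condenses a basic-datapath trace like the one posted above into one record per packet: ingress interface, destination-NAT result, the zone pair used for the policy lookup, and the denying policy. The embedded sample lines are copied from the posted trace; the `DST xlate` spelling handled alongside `DST no-xlate` is an assumption, since only the no-xlate form appears in this thread.

```python
import re

# Excerpt of the basic-datapath trace posted in this thread (one dropped packet).
SAMPLE_TRACE = """\
Aug 26 00:56:39 00:56:39.347189:CID-0:RT: ge-0/0/0.9:192.168.9.27/61939->192.168.1.200/5001, tcp, flag c2 syn
Aug 26 00:56:39 00:56:39.347189:CID-0:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 192.168.1.200(5001)
Aug 26 00:56:39 00:56:39.347189:CID-0:RT:flow_first_policy_search: policy search from zone HOME-> zone LAN (0x0,0xf1f31389,0x1389)
Aug 26 00:56:39 00:56:39.347189:CID-0:RT: denied by policy default-policy-logical-system-00(2), dropping pkt
Aug 26 00:56:39 00:56:39.347189:CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)
"""

# "<ifl>:<src>/<sport>-><dst>/<dport>, <proto>" line logged for each packet.
FLOW = re.compile(r"([a-z]+-\d+/\d+/\d+\.\d+):([\d.]+)/(\d+)->([\d.]+)/(\d+), (\w+)")
# "DST no-xlate" is the form seen in the thread; "DST xlate" is an assumed spelling.
XLATE = re.compile(r"DST (no-xlate|xlate): \S+ to ([\d.]+)\((\d+)\)")
ZONES = re.compile(r"policy search from zone (\S+?)\s*-> zone (\S+)")
DENY = re.compile(r"denied by policy (.+?)\(\d+\)")
END = "flow_process_pkt rc"  # last trace line written for a packet


def parse_trace(text):
    """Return one dict per traced packet with the fields needed for triage."""
    packets, cur = [], {}
    for line in text.splitlines():
        if m := FLOW.search(line):
            cur.update(in_ifp=m[1], src=m[2], dst=m[4], dport=int(m[5]), proto=m[6])
        elif m := XLATE.search(line):
            cur.update(dst_nat=(m[1] == "xlate"), post_nat_dst=m[2])
        elif m := ZONES.search(line):
            cur.update(from_zone=m[1], to_zone=m[2])
        elif m := DENY.search(line):
            cur["denied_by"] = m[1]
        elif END in line and cur:
            packets.append(cur)
            cur = {}
    if cur:  # trace cut off before the closing line
        packets.append(cur)
    return packets


def diagnose(pkt):
    """Describe a policy drop using the address the policy lookup actually saw."""
    if "denied_by" not in pkt:
        return "no policy deny recorded"
    nat = "destination NAT applied" if pkt.get("dst_nat") else "no destination NAT applied"
    return (f"{pkt.get('from_zone', '?')}->{pkt.get('to_zone', '?')} denied by "
            f"{pkt['denied_by']} ({nat}); the policy lookup saw destination "
            f"{pkt.get('post_nat_dst', pkt.get('dst', '?'))}")


if __name__ == "__main__":
    for p in parse_trace(SAMPLE_TRACE):
        print(diagnose(p))
```
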

Re: Cant connect Static NAT from inside from other zones

3 weeks ago

Hi emeiler,

 

Your NAT is configured correctly, except for the traffic coming from LAN (I will explain later).

 

rule-set inbound {
    from interface [ ge-0/0/0.6 ge-0/0/0.9 ge-0/0/5.0 ];
    rule rule-inbound {
        match {
            destination-address xxx.xxx.xxx.212/32;
        }
        then {
            static-nat {
                prefix {
                    192.168.1.200/32;
                }
            }
        }
    }
}

 

With the above configuration traffic destined to xxx.xxx.xxx.212 and being received via interfaces ge-0/0/0.6 ge-0/0/0.9 ge-0/0/5.0 will be sent to 192.168.1.200. However your security-policies might be dropping the post translated traffic. At least it is the case with the traces that you uploaded:

 

Aug 26 00:56:40 00:56:40.350725:CID-0:RT:flow_first_policy_search: policy search from zone HOME-> zone LAN (0x0,0xf1f31389,0x1389)

Aug 26 00:56:40 00:56:40.350725:CID-0:RT: 192.168.9.27/61939 -> 192.168.1.200/5001 proto 6

Aug 26 00:56:40 00:56:40.350725:CID-0:RT: app 33, timeout 1800s, curr ageout 20s

Aug 26 00:56:40 00:56:40.350725:CID-0:RT: packet dropped, denied by policy

 

However, in these traces traffic is destined to 192.168.1.200 and not to the public IP. 

 

For the traffic to work properly please make sure you have a security-policy permitting the post natted traffic. For example, from zone GROSSE to zone LAN:

 

set security policies from-zone GROSSE to-zone LAN policy PERMIT match source-address GROSSE_SUBNET destination-address xxx.xxx.xxx.212 application any

 

Try that and get the traces for this communication to confirm if there is any other problem.

 


Re: Cant connect Static NAT from inside from other zones

3 weeks ago

And your solution might actually be what you need. Here is what I think might be your problem and how it is typically solved. 

Picture5.png

Picture6.png

Regards,

Yasmin Lara - Juniper Ambassador #QuadE - JNCIE-SP, JNCIE-ENT, JNCIE-DC, JNCIE-SEC
JNCIS-CLOUD, JNCDS-DC, JNCIA-DevOps

Re: Cant connect Static NAT from inside from other zones

3 weeks ago

Many thanks for your help.

You have sent me the security policy. What will be the difference if I would make the destination address to the local IP?

set security policies from-zone GROSSE to-zone LAN policy PERMIT match source-address GROSSE_SUBNET destination-address 192.168.1.200 application any

I did it this way and it is working.

 

regards

 

e

Solution
Accepted by topic author emeiler
3 weeks ago

Re: Cant connect Static NAT from inside from other zones

3 weeks ago
Sorry, actually you needed to specify the internal address as "destination-address". Destination NAT occurs before the security-policy processing; hence, if your PC sends packets to the public IP, you need to make sure your policy has the internal IP as "destination-address", because by the time the packet is evaluated against the security-policy it will already have the internal address (post NAT).

I'm glad it worked

Re: Cant connect Static NAT from inside from other zones

3 weeks ago

thank you for your help