SRX Services Gateway

Debugging/Static NAT

11-14-2014 03:37 AM

I am kind of new to working on Junos and am trying to configure a static NAT, which appears to be a lot different from configuring a MIP in ScreenOS. I am using the following config:

 

set security nat static rule-set rs1 from zone untrust
set security nat static rule-set rs1 rule r1 match destination-address 1.1.1.200/32
set security nat static rule-set rs1 rule r1 then static-nat prefix 192.168.1.200/32
set security nat proxy-arp interface ge-0/0/0.0 address 1.1.1.200/32
set security address-book global address server-1 192.168.1.200/32
set security policies from-zone trust to-zone untrust policy permit-all match source-address server-1
set security policies from-zone trust to-zone untrust policy permit-all match destination-address any
set security policies from-zone trust to-zone untrust policy permit-all match application any
set security policies from-zone trust to-zone untrust policy permit-all then permit
set security policies from-zone untrust to-zone trust policy server-access match source-address any
set security policies from-zone untrust to-zone trust policy server-access match destination-address server-1
set security policies from-zone untrust to-zone trust policy server-access match application any
set security policies from-zone untrust to-zone trust policy server-access then permit
 
It doesn't seem to be working for some reason. I can't see any traffic in any of the traffic logs that I have set up on the web interface, and I have tried using traceoptions for basic-datapath and all and still cannot see any traffic. Normally, if this were a ScreenOS device, I would do a flow debug and it would show me all of the traffic, even if the traffic was not crossing any zones. Is there any similar debug for Junos, or any better way of debugging NAT?
 
Thanks,
Mark
 
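The Junos counterpart to the ScreenOS flow debug asked about above, as an added example that is not part of the original thread or of anyone's posted configuration. It scopes the flow trace to the NAT'd address with a packet filter (an unfiltered basic-datapath trace on a busy box logs every flow and is easy to miss the relevant packets in), then uses the operational commands that confirm, in order, whether the static NAT rule was hit, whether a session was built, and which policy a given flow would match. Addresses, zone names, the rule-set name and the interface are taken from the posted configuration; the external test client 203.0.113.10, the trace file name nat-debug, the filter names and the port numbers are assumptions, and show security match-policies is assumed to be available on the release in use.

```junos
# Added example, not from the original post. Configuration mode first.
# Keep the trace small and targeted: the file rotates at 10 MB, three copies.
set security flow traceoptions file nat-debug size 10m files 3
set security flow traceoptions flag basic-datapath
# Inbound: packets arriving from untrust for the public (pre-NAT) address.
set security flow traceoptions packet-filter in-to-server destination-prefix 1.1.1.200/32
# Return: the server answers from its real address before it is re-translated.
set security flow traceoptions packet-filter from-server source-prefix 192.168.1.200/32
commit
exit

# Operational mode. Clear any stale session so the first-packet path
# (route lookup, NAT, policy) is exercised again and lands in the trace.
clear security flow session destination-prefix 1.1.1.200
# ... now send test traffic from the assumed client 203.0.113.10 to 1.1.1.200 ...

# 1. Did the static NAT rule match? "Translation hits" increments per new session.
show security nat static rule all

# 2. Was a session created, and does it show 1.1.1.200 -> 192.168.1.200?
show security flow session destination-prefix 1.1.1.200
show security flow session destination-prefix 192.168.1.200

# 3. Which policy does this flow hit? Static/destination NAT is applied before
#    policy lookup, so the policy must name the private address (server-1),
#    which is what the posted server-access policy does.
show security match-policies from-zone untrust to-zone trust source-ip 203.0.113.10 destination-ip 192.168.1.200 source-port 40000 destination-port 80 protocol tcp

# 4. The per-packet trace itself, filtered to the interesting lines.
show log nat-debug | match "1.1.1.200|192.168.1.200|route|policy|drop"

# 5. Remove the trace when done; flow traceoptions cost CPU on the data plane.
configure
deactivate security flow traceoptions
commit
exit
```

If the filtered trace stays empty while the test traffic is running, the packets are not reaching the flow module at all, which points upstream of the SRX (ARP for 1.1.1.200 not being answered on ge-0/0/0.0, or the provider not routing the address to that interface) rather than at the NAT or policy configuration.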
Solution
Accepted by topic author markbwyr1
08-26-2015 01:27 AM

Re: Debugging/Static NAT

11-14-2014 08:43 AM

Hello there,

Are You using routing-instances?

If yes please add

 

set security nat static rule-set rs1 rule r1 then static-nat prefix 192.168.1.200/32 routing-instance default

 - if Your private prefix is in the global table, or

 

set security nat static rule-set rs1 rule r1 then static-nat prefix 192.168.1.200/32 routing-instance <table-name>

 - if Your private prefix is in a named routing-instance.

Then please re-test and report back.

HTH

Thanks
Alex

_____________________________________________________________________

Please ask Your Juniper account team about Juniper Professional Services offerings.
Juniper PS can design, test & build the network/part of the network as per Your requirements

+++++++++++++++++++++++++++++++++++++++++++++

Accept as Solution = cool !
Accept as Solution+Kudo = You are a Star !

Re: Debugging/Static NAT

11-17-2014 01:35 AM

I gave it a go, but it would not commit the changes, I get the following error:

 

[edit security nat static rule-set test rule r1 then static-nat prefix routing-instance]
  'routing-instance master'
    Virtual router must be defined under [routing-instances]
[edit security nat static rule-set test rule r1 then static-nat prefix routing-instance]
  'routing-instance master'
    Routing-instance must be defined
error: commit failed: (statements constraint check failed)

 

This is the output from the show route instance command:

 

 show route instance
Instance             Type
         Primary RIB                                     Active/holddown/hidden
master               forwarding
         inet.0                                          17/0/0
         inet6.0                                         2/0/0

__juniper_private1__ forwarding
         __juniper_private1__.inet.0                     7/0/0

__juniper_private2__ forwarding
         __juniper_private2__.inet.0                     0/0/1

__master.anon__      forwarding

 

Is master not a routing instance? Sorry I am new to Junos.

 

Thanks,

Mark

 


Re: Debugging/Static NAT

11-17-2014 01:23 PM

Hello,

It has to be "routing-instance default" (for the GRT / Global Route Table) or a named Virtual Router instance:

http://www.juniper.net/techpubs/en_US/junos12.1/topics/reference/configuration-statement/security-ed...

HTH

Thanks

Alex
