SRX Services Gateway

Destination NAT, SRX240, please help

01-19-2010 11:53 AM

Guys, how does this config look?  Basically I'm wanting to NAT anything coming from my untrusted zone on ports 443 and 25 to a specific server in the trusted zone.  Here's the config:

destination {
    pool exchange-int {
        address 172.16.x.x/32 port 25;
    }
    pool Exchange-OWA {
        address 172.16.x.x/32 port 443;
    }
    rule-set exchange-rs {
        from interface reth1.0;
    }
    rule-set SMTP_TEST {
        from zone untrust;
        rule Exchange-SMTP {
            match {
                destination-address 1.1.1.1/32;
                destination-port 25;
            }
            then {
                destination-nat pool exchange-int;
            }
        }
    }

     rule-set OWA_TEST {
        from zone untrust;
        rule XCHANGE-OWA {
            match {
                destination-address 1.1.1.1/32;
                destination-port 443;
            }
            then {
                destination-nat pool Exchange-OWA;
            }
        }
    }
}

Here's my security policy from zone untrust to zone trust:


policy exchange-pol {
    match {
        source-address any;
        destination-address exchange-server;
        application junos-smtp;
    }
    then {
        permit;
        log {
            session-init;
        }
    }
}

policy exchange-owa {
    match {
        source-address any;
        destination-address exchange-server;
        application junos-https;
    }
    then {
        permit;
        log {
            session-init;
            session-close;
        }
        count;
    }
}

So I am getting NAT translation hits, but nothing happens.  Nothing is logged under my security policies... it's almost as if it's NATting and then never hitting my security policies at all!?!? Any help is appreciated, fellas (and gals!)

Thanks,

Re: Destination NAT, SRX240

01-19-2010 12:42 PM

So my reth1.0 interface is programmed as, say, 1.1.1.1/29.

When I try to configure proxy-arp I get this:

[edit security nat proxy-arp interface reth1.0]
  'address 1.1.1.1/32'
    Proxy ARP IP address range [1.1.1.1 1.1.1.1] overlaps with interface IP address range [1.1.1.1 1.1.1.1] defined on interface 'reth1.0'
error: configuration check-out failed

What's up with that?    I thought I followed the config doc exactly??

Re: Destination NAT, SRX240

01-19-2010 01:28 PM

You only use proxy-arp if the NAT address isn't in use elsewhere. Otherwise, the SRX already knows about the IP address and will ARP for it. See other posts on the forum for ARP (yes, I found them as well when hunting down why some NATs were not working -- too bad the documentation just has a single paragraph on proxy-arp at the end of the NAT section, but the recent app note on NAT is nice in showing how to use it).

Re: Destination NAT, SRX240

01-19-2010 01:41 PM

So I have no real need to turn on proxy-arp here because I have the NATted outside address (reth1.0) assigned to that interface?  If this is so... thanks for the prompt response.

Re: Destination NAT, SRX240

01-19-2010 02:11 PM

Yes, if the address is already in use (like reth1.0), there's no need to put in the proxy-arp command.
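Added example (not from the thread or from Juniper): a small Python model of the SRX first-path order this thread depends on, built from the config above with a constructed 172.16.0.10 standing in for the redacted 172.16.x.x and a constructed bad address-book entry. It shows that destination NAT runs before the policy lookup, so a policy whose address-book entry still names the public address would give exactly "NAT hits, no policy hits", and that proxy-arp is only needed for NAT addresses the interface does not already own.

```python
import ipaddress

# Constructed model of the thread's SRX240 setup. 172.16.0.10 stands in for the
# redacted 172.16.x.x server; 1.1.1.1/29 is the reth1.0 address given in the thread.
INTERFACE_ADDRS = {"reth1.0": ipaddress.ip_interface("1.1.1.1/29")}
DNAT_POOLS = {"exchange-int": ("172.16.0.10", 25), "Exchange-OWA": ("172.16.0.10", 443)}
# Destination NAT rules as (from-zone, destination-address, destination-port, pool)
DNAT_RULES = [
    ("untrust", "1.1.1.1", 25, "exchange-int"),
    ("untrust", "1.1.1.1", 443, "Exchange-OWA"),
]
# Security policies as (from-zone, to-zone, address-book name, port, action)
POLICIES = [
    ("untrust", "trust", "exchange-server", 25, "permit"),
    ("untrust", "trust", "exchange-server", 443, "permit"),
]
# Address book: the policy's "exchange-server" must resolve to the internal host
GOOD_BOOK = {"exchange-server": "172.16.0.10"}
BAD_BOOK = {"exchange-server": "1.1.1.1"}  # constructed misconfiguration

def apply_dnat(zone, dst, port):
    """Return the translated (dst, port); unchanged when no rule matches."""
    for rzone, rdst, rport, pool in DNAT_RULES:
        if (rzone, rdst, rport) == (zone, dst, port):
            return DNAT_POOLS[pool]
    return dst, port

def lookup_policy(from_zone, to_zone, dst, port, book):
    """Default deny unless a policy in the zone pair matches the post-NAT tuple."""
    for fz, tz, name, pport, action in POLICIES:
        if (fz, tz, book[name], pport) == (from_zone, to_zone, dst, port):
            return action
    return "deny"

def flow(zone, dst, port, book=GOOD_BOOK):
    """SRX first-path order: destination NAT runs before the policy lookup, so
    the policy sees the internal address, not the public one."""
    dst, port = apply_dnat(zone, dst, port)
    return dst, port, lookup_policy(zone, "trust", dst, port, book)

def needs_proxy_arp(nat_addr, ifname):
    """Proxy ARP is only needed when the NAT address is not already owned by the
    interface; commit rejects proxy-arp for an address the interface itself holds."""
    return ipaddress.ip_address(nat_addr) != INTERFACE_ADDRS[ifname].ip
```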