SRX Services Gateway

Local to public ip mapping in srx300

‎01-21-2019 04:04 AM

I have OpenVPN in my LAN and want to map that machine to a public IP. I have tried static/destination NAT. I am able to connect to my internal LAN via OpenVPN using the public IP, but I can't SSH to any machine in the LAN; I can only ping the internal LAN from outside.

My static NAT:

root@rt# show security nat static

rule-set rs1 {
    from zone Internet;
    rule r1 {
        match {
            destination-address 10.2.3.4/32;
        }
        then {
            static-nat {
                prefix {
                    192.168.50.21/32;
                }
            }
        }
    }
}

[edit]

root@rx# show security nat proxy-arp

interface ge-0/0/0.0 {
    address {
        10.2.3.4/32;
    }
}

[edit]

root@srx# show security policies from-zone Internet to-zone Internal

policy All_Internal_Internet {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit;
    }
}
policy permit-all {
    match {
        source-address ov-server;
        destination-address any;
        application any;
    }
    then {
        permit;
    }
}
root@srx# show security policies from-zone Internet to-zone Internal
policy ov-access {
    match {
        source-address any;
        destination-address ov-server;
        application any;
    }
    then {
        permit;
    }
}

[edit]


Re: Local to public ip mapping in srx300

‎01-22-2019 11:13 PM

Hi, ssswp

I am trying to better understand your scenario.

You have established a VPN across the SRX (not terminated on the SRX) to connect from the internet to the LAN behind the SRX. Is this correct?

What's the SSL terminating device inside the LAN?

The host you are able to ping is located on the LAN and is accessible via the VPN that was established across the SRX?


Pura Vida from Costa Rica - Mark as Resolved if it applies.
Kudos are appreciated too!

Re: Local to public ip mapping in srx300

‎01-23-2019 02:37 AM

Since you are terminating a VPN behind the SRX, the security policies you show above are likely not the ones you want. The from-zone of the traffic will be the address pool you have on your OpenVPN server for the clients, and the to-zone will be the internal resources you want the connection to access.

The path from untrust to internal will only be the encrypted tunnel itself, from the remote client to the OpenVPN server.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Local to public ip mapping in srx300

‎02-06-2019 10:33 PM

Hi,

If you're able to ping, then probably you need to reduce the TCP MSS or check whether a security policy is denying SSH traffic.
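The following set-format configuration is an added example, not posted by anyone in the thread, that ties together the advice above: publish only the OpenVPN port on the public address instead of "application any", match the inbound policy on the private address (static NAT is applied before the policy lookup, so the policy sees 192.168.50.21, not 10.2.3.4), give the SRX a route back to the OpenVPN client pool so LAN hosts' SSH replies to VPN clients are forwarded rather than dropped, and clamp the TCP MSS as the last reply suggests. The client pool 10.8.0.0/24, the application name, the MSS value of 1350 and the test source address 203.0.113.5 are assumptions; the public address, private address, interface and zone names are the ones from the original post.

```junos
## Added example (not from the thread). Assumed: client pool 10.8.0.0/24,
## MSS 1350, application name openvpn-udp, test source 203.0.113.5.

## 1. Expose only the OpenVPN service, not every port, on the public address
set applications application openvpn-udp protocol udp destination-port 1194

## 2. Address objects for the policies (private addresses; NAT happens first)
set security zones security-zone Internal address-book address ov-server  192.168.50.21/32
set security zones security-zone Internal address-book address ov-clients 10.8.0.0/24

## 3. Static NAT 10.2.3.4 <-> 192.168.50.21, with proxy-ARP so the SRX answers
##    for 10.2.3.4 on the Internet interface (needed when 10.2.3.4 is in the
##    interface's subnet but is not the interface address)
set security nat static rule-set rs1 from zone Internet
set security nat static rule-set rs1 rule r1 match destination-address 10.2.3.4/32
set security nat static rule-set rs1 rule r1 then static-nat prefix 192.168.50.21/32
set security nat proxy-arp interface ge-0/0/0.0 address 10.2.3.4/32

## 4. Inbound policy: only the tunnel port reaches the OpenVPN server.
##    Static NAT runs before policy lookup, so match the private address.
set security policies from-zone Internet to-zone Internal policy ov-access match source-address any
set security policies from-zone Internet to-zone Internal policy ov-access match destination-address ov-server
set security policies from-zone Internet to-zone Internal policy ov-access match application openvpn-udp
set security policies from-zone Internet to-zone Internal policy ov-access then permit

## 5. Return path for decrypted client traffic. LAN hosts send replies for
##    10.8.0.x to their default gateway (the SRX), so the SRX needs a route
##    for the assumed client pool pointing back at the OpenVPN server, and an
##    intra-zone policy for that hairpin, since the SRX denies unmatched
##    traffic even inside a zone.
set routing-options static route 10.8.0.0/24 next-hop 192.168.50.21
set security policies from-zone Internal to-zone Internal policy lan-to-vpn-clients match source-address any
set security policies from-zone Internal to-zone Internal policy lan-to-vpn-clients match destination-address ov-clients
set security policies from-zone Internal to-zone Internal policy lan-to-vpn-clients match application any
set security policies from-zone Internal to-zone Internal policy lan-to-vpn-clients then permit

## 6. Clamp the TCP MSS for traffic crossing the SRX so that SSH packets that
##    then get OpenVPN encapsulation do not exceed the path MTU (assumed value)
set security flow tcp-mss all-tcp mss 1350

## Checks after commit (operational mode)
## Confirm the static NAT rule is installed and being hit:
##   show security nat static rule all
## Confirm which policy an inbound tunnel setup would match, using the
## post-NAT private destination address (assumed source 203.0.113.5):
##   show security match-policies from-zone Internet to-zone Internal source-ip 203.0.113.5 destination-ip 192.168.50.21 source-port 40000 destination-port 1194 protocol udp
## Watch for SSH flows to the LAN from the client pool and their policy:
##   show security flow session source-prefix 10.8.0.0/24 protocol tcp
##   show security policies hit-count
```

The "match-policies" check is the quickest way to find out whether a policy, rather than MTU, is what blocks SSH: if the reported policy is a deny (or the default deny-all), fix the policy; if it permits and only small-packet protocols such as ping get through, the MSS clamp in step 6 is the next thing to try.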