SRX Services Gateway

NAT on multiple network interfaces on server removes internet!

01-21-2018 05:15 PM

So I just figured out what I have been running into for several days now.

I have a virtual server that I have 4 virtual network interfaces on.

Each of the virtual interfaces has an IP from the DHCP server on the Juniper SRX.

Everything works fine, routing is great on the VPS and I can reach the internet and all that.

NOW when I set up NAT so that I can map a public IP address to each of the private IP addresses of the virtual network interfaces on the VPS, then no more internet!!!

This is weird and I am just happy I was able to troubleshoot it to this point.

How did I know this?

Well, I noticed I have internet on the VPS with the 4 network interfaces until I enable NAT so that I can map a public IP to the private IP on each of the 4 network interfaces, and boom, no more internet. So I removed the NAT and then the internet came back instantly.

So my question is, what do I do here? How can I have NAT map public IPs to private IPs on a server with multiple interfaces and still have internet? And yes, the NAT works: I can telnet to the public IPs on the bound ports, but the VPS cannot get to the internet.

Will appreciate help on this. Will be forever grateful to anyone who can point me to what I need to do.


Re: NAT on multiple network interfaces on server removes internet!

01-22-2018 02:20 AM

To confirm that the session, NAT and policy you want are correctly applying, run this command on the SRX during an attempt to access the NAT and policy from the outside.

show security flow session source-prefix 1.1.1.1

This gives the key to reading how the NAT is working and what policy is being used.

https://kb.juniper.net/InfoCenter/index?page=content&id=KB21719

Once you verify you are doing the desired NAT and hitting the correct policy, follow these steps to gather data on the session.

If using destination NAT:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB21839

Bear in mind here that the private address of the server is not changed with destination NAT; you still need a source NAT rule somewhere for this to occur.

If using static NAT:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB21892

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: NAT on multiple network interfaces on server removes internet!

01-22-2018 03:33 AM

This one will be tough for me to troubleshoot as I am not great with Junos like that.

I can post my code here and you can see what I am doing wrong.

security {
    nat {
        source {
            rule-set nsw_srcnat {
                from zone [ Internal Internal2 ];
                to zone Internet;
                rule nsw-src-interface {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            inactive: rule-set dyn-vpn-ruleset {
                from zone Internet;
                to zone Internal;
                rule rule1 {
                    match {
                        source-address 10.5.0.0/16;
                    }
                    then {
                        source-nat {
                            pool {
                                dyn-pool;
                            }
                        }
                    }
                }
            }
        }
        static {
            rule-set ruleset1 {
                from zone Internet;
                rule rule1 {
                    match {
                        destination-address 145.10.5.100/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                10.5.1.7/32;
                            }
                        }
                    }
                }
                rule rule2 {
                    match {
                        destination-address 145.10.5.101/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                10.5.1.53/32;
                            }
                        }
                    }
                }
                rule rule3 {
                    match {
                        destination-address 145.10.5.102/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                10.5.1.64/32;
                            }
                        }
                    }
                }
                rule rule4 {
                    match {
                        destination-address 145.10.5.103/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                10.5.1.61/32;
                            }
                        }
                    }
                }
            }
        }
        proxy-arp {
            interface ge-0/0/0.0 {
                address {
                    145.10.5.100/32;
                    145.10.5.101/32;
                    145.10.5.102/32;
                    145.10.5.103/32;
                }
            }
        }
    }
    policies {
        from-zone Internet to-zone Internal {
            policy policy1 {
                match {
                    source-address any;
                    destination-address 10.5.1.7/32;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy policy2 {
                match {
                    source-address any;
                    destination-address 10.5.1.53/32;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy policy3 {
                match {
                    source-address any;
                    destination-address 10.5.1.64/32;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy policy4 {
                match {
                    source-address any;
                    destination-address 10.5.1.61/32;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy dyn-vpn-policy {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn dyn-vpn;
                        }
                    }
                }
            }
        }
        from-zone Internal to-zone Internet {
            policy All_Internal_Internet {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone Internal2 to-zone Internal {
            policy policy1 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone Internal to-zone Internal2 {
            policy policy1 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone Internet to-zone Internal2 {
            policy dyn-vpn-policy {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone Internal2 to-zone Internet {
            policy All_Internal2_Internet {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone Internal {
            address-book {
                address 10.5.1.7/32 10.5.1.7/32;
                address 10.5.1.53/32 10.5.1.53/32;
                address 10.5.1.64/32 10.5.1.64/32;
                address 10.5.1.61/32 10.5.1.61/32;
            }
            interfaces {
                vlan.1 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            dhcp;
                            http;
                            https;
                            ssh;
                            telnet;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone Internet {
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            https;
                            ssh;
                            ike;
                            ping;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone Internal2 {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.2;
            }
        }
    }
}


Re: NAT on multiple network interfaces on server removes internet!

01-23-2018 02:30 AM

This inactive rule is incorrect from zone to zone and is not necessary because static NAT takes care of both destination and source NAT. You can delete this.

rule-set dyn-vpn-ruleset

The static NAT rules look correct.

I assume that interface ge-0/0/0 has an IP address subnet that includes these proxy ARP ranges and is therefore correct.

interface ge-0/0/0.0 {
                address {
                    145.10.5.100

Policies are the correct zones and addresses. But policy uses address objects, so you will need to create address objects for each IP address. You can then use these directly in your policy or put them into an address set and create one policy with that address set instead.

  destination-address 10.5.1.7/32;

https://www.juniper.net/documentation/en_US/junos/topics/example/zone-address-book-configuring-cli.h...

 

You should also consider changing the any application into only those you really need to expose to the internet. And if they are different for each server, then keep them as separate policies with the minimum ports exposed.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: NAT on multiple network interfaces on server removes internet!

01-23-2018 04:04 PM

"But policy uses address objects so you will need to create address objects for each ip address. You can then use these directly in your policy or put them into an address set and create one policy with that address set instead.

  destination-address 10.5.1.7/32;

https://www.juniper.net/documentation/en_US/junos/topics/example/zone-address-book-configuring-cli.h..."

Yes, the interface ge-0/0/0 is a /27, so it includes the IPs for the proxy ARPs (by the way, I have ge-0/0/0 and not ge-0/0/0.0; is that OK, or do I need the 0.0 instead of just 0 at the end?)

interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 145.10.5.100/27;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan1;
                }
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan1;
                }
            }
        }
    }
}

Yes, from the above, I do not see how to set destination-address for my current configuration.

Do you mind providing an example from the code I posted that shows how and where the destination-address part should look? I use the CLI editor, so that way I can just edit and make changes for all the static NATs I have using the example template you provide.

I just want to map the addresses and open all ports; I will use the firewall on the OS to block ports.

Thanks a lot.

Will really appreciate it.


Re: NAT on multiple network interfaces on server removes internet!

01-24-2018 02:34 AM

I work via the cli with set commands and don't easily have a way to accurately reproduce that format.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
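As an added example, not from the thread or from Steve's replies, this is the set-command form of what the replies describe for the posted configuration: named address objects for the four private addresses, one address set, a single inbound policy that references the set, the static NAT and proxy ARP as posted, and deletion of the flagged source rule-set. The object and policy names (srv-1 through srv-4, vps-servers, vps-inbound) are assumed; the addresses are the ones from the posted configuration. Lines starting with # are explanatory and are not part of the set syntax.

```junos
# Address objects in the Internal zone address book (names assumed; the posted
# config names each object after its prefix, which also works).
set security zones security-zone Internal address-book address srv-1 10.5.1.7/32
set security zones security-zone Internal address-book address srv-2 10.5.1.53/32
set security zones security-zone Internal address-book address srv-3 10.5.1.64/32
set security zones security-zone Internal address-book address srv-4 10.5.1.61/32
# One address set grouping them, so a single policy covers all four servers.
set security zones security-zone Internal address-book address-set vps-servers address srv-1
set security zones security-zone Internal address-book address-set vps-servers address srv-2
set security zones security-zone Internal address-book address-set vps-servers address srv-3
set security zones security-zone Internal address-book address-set vps-servers address srv-4

# Static NAT as posted. It is bidirectional, so these hosts need no separate source NAT rule.
set security nat static rule-set ruleset1 from zone Internet
set security nat static rule-set ruleset1 rule rule1 match destination-address 145.10.5.100/32
set security nat static rule-set ruleset1 rule rule1 then static-nat prefix 10.5.1.7/32
set security nat static rule-set ruleset1 rule rule2 match destination-address 145.10.5.101/32
set security nat static rule-set ruleset1 rule rule2 then static-nat prefix 10.5.1.53/32
set security nat static rule-set ruleset1 rule rule3 match destination-address 145.10.5.102/32
set security nat static rule-set ruleset1 rule rule3 then static-nat prefix 10.5.1.64/32
set security nat static rule-set ruleset1 rule rule4 match destination-address 145.10.5.103/32
set security nat static rule-set ruleset1 rule rule4 then static-nat prefix 10.5.1.61/32
# Proxy ARP on the outside logical interface. ge-0/0/0.0 is unit 0 of ge-0/0/0,
# which is the form zones, NAT and proxy ARP reference; the range form is used here.
set security nat proxy-arp interface ge-0/0/0.0 address 145.10.5.100/32 to 145.10.5.103/32

# One inbound policy using the address set. The poster wants every port open; the
# reply recommends naming only the applications actually exposed instead of any.
set security policies from-zone Internet to-zone Internal policy vps-inbound match source-address any
set security policies from-zone Internet to-zone Internal policy vps-inbound match destination-address vps-servers
set security policies from-zone Internet to-zone Internal policy vps-inbound match application [ junos-ssh junos-http junos-https ]
set security policies from-zone Internet to-zone Internal policy vps-inbound then permit

# The inactive rule-set flagged in the reply is not needed with static NAT.
delete security nat source rule-set dyn-vpn-ruleset

# Checks after commit: which static rule translated and which policy the session hit.
#   run show security nat static rule all
#   run show security flow session destination-prefix 10.5.1.7
# Caveat to verify: the posted interface config puts 145.10.5.100/27 on ge-0/0/0.0,
# the same address rule1 maps to 10.5.1.7. The SRX's own interface address should
# not also be a static NAT destination; if the session output shows packets for
# 145.10.5.100 being translated to 10.5.1.7, move rule1 to a free address in the /27.
```

Set commands can be pasted into configuration mode with load set terminal; the policy order still matters, so keep dyn-vpn-policy after vps-inbound in the Internet to Internal context.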