SRX Services Gateway

New Destination NAT Rules stay inactive

‎07-12-2018 04:47 PM

Hi Guys,

I just joined this company with multiple sites; the 2 offices have Juniper SRX110 and the rest have Netcomm routers. Coming from a Cisco background, I'm just learning Junos on a per-request basis on our network. We recently had an issue with our phone system (between the main office (JuniperSRX110-1) and a remote branch (NetcommNVF4-1)), and as our VoIP provider requested, I've added ports to be opened in the NAT destination rules. The problem is, all the NAT rules I've created stay inactive after committing them. I replicated the config from what's on the other office (SRX110-2), which has no issue with another site (NVF4-2), but still no luck with this. Please share your expertise on this issue. Configs below.

####################################################

nat {
    source {
        rule-set trust-to-untrust {
            from zone trust;
            to zone untrust;
            rule source-nat-rule {
                match {
                    source-address 0.0.0.0/0;
                }
                then {
                    source-nat {
                        interface;
                    }
                }
            }
        }
    }
    destination {
        pool pbx {
            address 10.190.1.20/32;
        }
        pool voip_http {
            address 10.190.1.22/32 port 80;
        }
        pool voip {
            routing-instance {
                default;
            }
            address 10.190.1.22/32;
        }
        pool pbx-http {
            address 10.190.1.20/32 port 80;
        }
        rule-set dst-nat {
            from zone untrust;
            rule voip-http {
                match {
                    destination-address 0.0.0.0/0;
                    destination-port {
                        13024;
                    }
                    protocol tcp;
                }
                then {
                    destination-nat {
                        pool {
                            voip_http;
                        }
                    }
                }
            }
            rule pbx-1720 {
                match {
                    destination-address 0.0.0.0/0;
                    destination-port {
                        1720;
                    }
                }
                then {
                    destination-nat {
                        pool {
                            pbx;
                        }
                    }
                }
            }
            rule pbx-5060 {
                match {
                    destination-address 0.0.0.0/0;
                    destination-port {
                        5060;
                    }
                }
                then {
                    destination-nat {
                        pool {
                            pbx;
                        }
                    }
                }
            }
            rule pbx-5588 {
                match {
                    destination-address 0.0.0.0/0;
                    destination-port {
                        5588;
                    }
                }
                then {
                    destination-nat {
                        pool {
                            pbx;
                        }
                    }
                }
            }
            inactive: rule pbx-6254 {
                match {
                    destination-address 0.0.0.0/0;
                    destination-port {
                        6254;
                    }
                }
                then {
                    destination-nat {
                        pool {
                            pbx;
                        }
                    }
                }
            }
            inactive: rule pbx-7000 {
                match {
                    destination-address 0.0.0.0/0;
                    destination-port {
                        7000 to 7015;
                    }
                }
                then {
                    destination-nat {
                        pool {
                            pbx;
                        }
                    }
                }
            }
            inactive: rule pbx-7100 {
                match {
                    destination-address 0.0.0.0/0;
                    destination-port {
                        7100 to 7115;
                    }
                }
                then {
                    destination-nat {
                        pool {
                            pbx;
                        }
                    }
                }
            }
            inactive: rule pbx-7300 {
                match {
                    destination-address 0.0.0.0/0;
                    destination-port {
                        7300 to 7315;
                    }
                }
                then {
                    destination-nat {
                        pool {
                            pbx;
                        }
                    }
                }
            }
            inactive: rule voip-9000 {
                match {
                    destination-address 0.0.0.0/0;
                    destination-port {
                        9000 to 9015;
                    }
                }
                then {
                    destination-nat {
                        pool {
                            voip;
                        }
                    }
                }
            }
            inactive: rule voip-9100 {
                match {
                    destination-address 0.0.0.0/0;
                    destination-port {
                        9100 to 9115;
                    }
                }
                then {
                    destination-nat {
                        pool {
                            voip;
                        }
                    }
                }
            }
            inactive: rule voip-9300 {
                match {
                    destination-address 0.0.0.0/0;
                    destination-port {
                        9300 to 9315;
                    }
                }
                then {
                    destination-nat {
                        pool {
                            voip;
                        }
                    }
                }
            }
            rule pbx-http {
                match {
                    destination-address 0.0.0.0/0;
                    destination-port {
                        13023;
                    }
                }
                then {
                    destination-nat {
                        pool {
                            pbx-http;
                        }
                    }
                }
            }
            rule pbx-all {
                match {
                    destination-address 0.0.0.0/0;
                    destination-port {
                        6000 to 9315;
                    }
                    protocol udp;
                }
                then {
                    destination-nat {
                        pool {
                            voip;
                        }
                    }
                }
            }
            rule pbx-7000-all {
                match {
                    destination-address 0.0.0.0/0;
                    destination-port {
                        7000 to 7315;
                    }
                }
                then {
                    destination-nat {
                        pool {
                            pbx;
                        }
                    }
                }
            }
        }
    }
}

###########################################################################################

root@> show security nat destination summary
Total pools: 4
Pool name       Address                      Routing     Port   Total
                Range                        Instance           Address
pbx             10.190.1.20 - 10.190.1.20                0      1
voip_http       10.190.1.22 - 10.190.1.22                80     1
voip            10.190.1.22 - 10.190.1.22    default     0      1
pbx-http        10.190.1.20 - 10.190.1.20                80     1

Total rules: 7
Rule name       Rule set    From       Action
voip-http       dst-nat     untrust    voip_http
pbx-1720        dst-nat     untrust    pbx
pbx-5060        dst-nat     untrust    pbx
pbx-5588        dst-nat     untrust    pbx
pbx-http        dst-nat     untrust    pbx-http
pbx-all         dst-nat     untrust    voip
pbx-7000-all    dst-nat     untrust    pbx

 

##########################################################

These rules are not showing on the NAT Destination Table 

voip-9300

voip-9100

pbx-7300

pbx-7100

pbx-7000

pbx-6254

Thanks in advance.

MudK

 


Re: New Destination NAT Rules stay inactive

‎07-12-2018 04:58 PM

What happens if you try to activate the rules?

activate security nat destination rule-set dst-nat rule pbx-6254

activate security nat destination rule-set dst-nat rule pbx-7000

activate security nat destination rule-set dst-nat rule pbx-7100

activate security nat destination rule-set dst-nat rule pbx-7300

activate security nat destination rule-set dst-nat rule voip-9000

activate security nat destination rule-set dst-nat rule voip-9100

activate security nat destination rule-set dst-nat rule voip-9300

commit
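
An added example, not part of the original thread: a small Python helper that walks a curly-brace Junos configuration like the one posted above, finds every statement tagged "inactive:" and builds the matching activate command. The sample config is constructed, and the "security" prefix is an assumption, because the posted excerpt starts at "nat".

```python
# Constructed sample in the same shape as the posted config (trimmed).
SAMPLE = """\
nat {
    destination {
        rule-set dst-nat {
            from zone untrust;
            rule pbx-5588 {
                match {
                    destination-address 0.0.0.0/0;
                }
            }
            inactive: rule pbx-6254 {
                match {
                    destination-address 0.0.0.0/0;
                }
            }
            inactive: rule voip-9000 {
                match {
                    destination-address 0.0.0.0/0;
                }
            }
        }
    }
}
"""

def find_inactive(config, prefix=("security",)):
    """Return the full hierarchy path of every statement tagged 'inactive:'."""
    stack, found = [list(prefix)], []   # one list of words per open block
    for raw in config.splitlines():
        line = raw.strip()
        inactive = line.startswith("inactive:")
        if inactive:
            line = line[len("inactive:"):].strip()
        words = line.rstrip("{;").split()
        if line == "}":
            stack.pop()                 # leave the current block
        elif inactive and words:
            found.append([w for level in stack for w in level] + words)
        if words and line.endswith("{"):
            stack.append(words)         # enter a new block
    return found

def activate_commands(config, prefix=("security",)):
    """Build one configuration-mode 'activate' command per inactive statement."""
    return ["activate " + " ".join(p) for p in find_inactive(config, prefix)]

print("\n".join(activate_commands(SAMPLE)))
```

The helper assumes one statement per line, as in "show configuration" output, and does not handle braces inside quoted strings.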

 

Solution
Accepted by topic author anghang
‎07-12-2018 05:45 PM

Re: New Destination NAT Rules stay inactive

‎07-12-2018 05:45 PM

Thank you, you're the man!! Solved, it's working now. Thanks again.
