SRX Services Gateway

Persistent NAT brick wall

‎02-21-2015 06:21 PM

I'm hitting a brick wall trying to get persistent NAT working between an SRX210 11.4R10.3

EX3300 connected to ge-0/0/1 on the SRX, with fe-0/0/2 connected to a Linux host:

 (EX 5.5.5.1) - (5.5.5.2 SRX 10.1.207.254) - (10.1.207.100 Linux)

Normal networking is fine; I can ssh and wget the EX interface from the Linux host, and it creates the entry in the persistent NAT table:

root@WarehouseA> show security nat source persistent-nat-table all
     Internal                        Reflective                  Source     Type             Left_time/  Curr_Sess_Num/  Source
 In_IP          In_Port I_Proto Ref_IP          Ref_Port R_Proto NAT Pool                    Conf_time   Max_Sess_Num    NAT Rule
10.1.207.100    *       *      5.5.5.3         *         *        p-nat      any-remote-host   268/300      0/30          1

 

Problem is, when I try to connect from the EX to the Linux box on the reflexive address 5.5.5.3, it doesn't reverse the NAT.

Feb 22 02:00:54 02:00:54.077394:CID-0:RT:<5.5.5.1/55719->5.5.5.3/22;6> matched filter in:
Feb 22 02:00:54 02:00:54.077394:CID-0:RT:packet [64] ipid = 36760, @423dcb1e
Feb 22 02:00:54 02:00:54.077394:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 14, common flag 0x0, mbuf 0x423dc900, rtbl_idx = 0
Feb 22 02:00:54 02:00:54.077394:CID-0:RT: flow process pak fast ifl 71 in_ifp ge-0/0/1.0
Feb 22 02:00:54 02:00:54.077394:CID-0:RT:  ge-0/0/1.0:5.5.5.1/55719->5.5.5.3/22, tcp, flag 2 syn
Feb 22 02:00:54 02:00:54.077394:CID-0:RT: find flow: table 0x489229c8, hash 50616(0xffff), sa 5.5.5.1, da 5.5.5.3, sp 55719, dp 22, proto 6, tok 6
Feb 22 02:00:54 02:00:54.077394:CID-0:RT:  no session found, start first path. in_tunnel - 0, from_cp_flag - 0
Feb 22 02:00:54 02:00:54.077394:CID-0:RT:  flow_first_create_session
Feb 22 02:00:54 02:00:54.077394:CID-0:RT:  flow_first_in_dst_nat: in <ge-0/0/1.0>, out <N/A> dst_adr 5.5.5.3, sp 55719, dp 22
Feb 22 02:00:54 02:00:54.077394:CID-0:RT:  chose interface ge-0/0/1.0 as incoming nat if.
Feb 22 02:00:54 02:00:54.077394:CID-0:RT:persistent-nat outgoing policy search from zone TRUST-> zone UNTRUST
Feb 22 02:00:54 02:00:54.077394:CID-0:RT:Policy lkup: vsys 0 zone(7:TRUST) -> zone(6:UNTRUST) scope:0
Feb 22 02:00:54 02:00:54.077394:CID-0:RT:             10.1.207.100/0 -> 5.5.5.1/65535 proto 6
Feb 22 02:00:54 02:00:54.077394:CID-0:RT:Policy lkup: vsys 0 zone(5:Unknown) -> zone(5:Unknown) scope:0
Feb 22 02:00:54 02:00:54.077394:CID-0:RT:             10.1.207.100/0 -> 5.5.5.1/65535 proto 6
Feb 22 02:00:54 02:00:54.077394:CID-0:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 5.5.5.3(22)
Feb 22 02:00:54 02:00:54.077394:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 5.5.5.1, x_dst_ip 5.5.5.3, in ifp ge-0/0/1.0, out ifp N/A sp 55719, dp 22, ip_proto 6, tos 0
Feb 22 02:00:54 02:00:54.077394:CID-0:RT:Doing DESTINATION addr route-lookup
Feb 22 02:00:54 02:00:54.077394:CID-0:RT:  packet dropped, no route to dest
Feb 22 02:00:54 02:00:54.077394:CID-0:RT:flow_first_routing: DEST route-lookup failed, dropping pkt and not creating session nh: 0
Feb 22 02:00:54 02:00:54.077394:CID-0:RT:  flow find session returns error.
Feb 22 02:00:54 02:00:54.077394:CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)

Here are the relevant config sections:

root@WarehouseA> show configuration interfaces

ge-0/0/1 {
    unit 0 {
        family inet {
            address 5.5.5.2/24;
        }
    }
}
fe-0/0/2 {
    unit 0 {
        family inet {
            address 10.1.207.254/24;
        }
    }
}

root@WarehouseA> show configuration security
flow {
    traceoptions {
        file flow-debug world-readable;
        flag basic-datapath;
        packet-filter ping {
            protocol icmp;
        }
        packet-filter in {
            destination-prefix 5.5.5.3/32;
        }
        packet-filter out {
            destination-prefix 5.5.5.1/32;
        }
    }
}
nat {
    source {
        pool p-nat {
            address {
                5.5.5.3/32;
                5.5.5.4/32;
            }
            port no-translation;
        }
        rule-set internet {
            from zone TRUST;
            to zone UNTRUST;
            rule 1 {
                match {
                    source-address 10.1.207.0/24;
                    destination-address 0.0.0.0/0;
                }
                then {
                    source-nat {
                        pool {
                            p-nat;
                            persistent-nat {
                                permit any-remote-host;
                                address-mapping;
                            }
                        }
                    }
                }
            }
        }
    }
    proxy-arp {
        interface ge-0/0/1.0 {
            address {
                5.5.5.3/32;
                5.5.5.4/32;
            }
        }
    }
}
policies {
    from-zone TRUST to-zone UNTRUST {
        policy trust-to-untrust-internet {
            match {
                source-address warehouse-server;
                destination-address any;
                application [ junos-http junos-https junos-ftp junos-ssh junos-ping ];
            }
            then {
                permit;
                log {
                    session-close;
                }
            }
        }
    }
    policy-rematch;
}
zones {
    security-zone UNTRUST {
        host-inbound-traffic {
            system-services {
                ike;
                ntp;
            }
        }
        interfaces {
            ge-0/0/1.0;
        }
    }
    security-zone TRUST {
        interfaces {
            fe-0/0/2.0;
        }
    }
}

All the routes are there:

0.0.0.0/0          *[Static/5] 1w0d 09:49:00
                    > to 5.5.5.1 via ge-0/0/1.0
5.5.5.0/24         *[Direct/0] 1w0d 09:49:00
                    > via ge-0/0/1.0
5.5.5.2/32         *[Local/0] 1w0d 09:49:04
                      Local via ge-0/0/1.0
5.5.5.3/32         *[Static/1] 05:39:10
                      Discard
5.5.5.4/32         *[Static/1] 00:51:06
                      Discard
10.1.207.0/24      *[Direct/0] 1w0d 09:49:01
                    > via fe-0/0/2.0
10.1.207.254/32    *[Local/0] 1w0d 09:49:04
                      Local via fe-0/0/2.0

I've checked the examples at these pages:

http://forums.juniper.net/t5/SRX-Services-Gateway/SRX-persistent-NAT/td-p/141471
http://www.blackhole-networks.com/SRXNAT/snat_persist.html
http://blog.inetsix.net/2014/05/junos-cone-nat-srx/

Any ideas?

Re: Persistent NAT brick wall

‎02-22-2015 02:00 AM

This will work only if there is/was a session going out from the Linux host with source port 22.

Persistent NAT will only open the source port used by the source.

e.g.

If you have the following connection from the Linux host to some IP address outside:

PRE-NAT  10.1.207.100/61111 -> 1.1.1.1/22
POST-NAT 5.5.5.3/54444 -> 1.1.1.1/22

In that case the following connection is allowed with 'any-host':

*/*(any/any) -> 5.5.5.3/54444

With target-host:

1.1.1.1/*(any port) -> 5.5.5.3/54444

With target-host-port:

1.1.1.1/22 -> 5.5.5.3/54444

I hope this helps...

regards,
Avd
JNCIE-SEC #320

Please Mark My Solution Accepted if you think it helped!

Re: Persistent NAT brick wall

‎02-22-2015 02:14 AM

Your response is correct but...

with this option added

address-mapping;

it should open up the connection on any port as shown in the linked pages.

Re: Persistent NAT brick wall

‎02-22-2015 03:46 AM

It was the inside->out security policy matching the source port of my outside connections coming in.

To test target-host, I tried curl --local-port 2000 from Linux to the EX to generate the entry with reflexive port 2000, and opened apache on port 2000, and that worked doing telnet from the EX to port 2000. I had to open the policy as I only had SSH previously.

I then found any-host started working, and the only difference was changing the application match to any.
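Added example, not configuration from the original post or from Juniper: the TRUST-to-UNTRUST policy and source NAT rule as the last reply's finding leaves them, with the caveat a practitioner should weigh before copying it. Zone names, the warehouse-server address-book entry and the p-nat pool are taken from the thread; narrowing the NAT rule to the single host and switching permit to target-host are assumptions about what the poster actually needs, not something the thread tested (the thread tested any-remote-host with application any).

```junos
/* Added example, not configuration from the original post. Zone names, the
   warehouse-server address-book entry and the p-nat pool come from the thread;
   the /32 match and permit target-host are this example's assumptions. */
security {
    policies {
        from-zone TRUST to-zone UNTRUST {
            /* As posted, the application list limited this policy to traffic whose
               destination port is 22/80/443/21 (plus ICMP). Inbound persistent-NAT
               traffic toward 5.5.5.3 is evaluated against this TRUST -> UNTRUST policy
               with the tuple reversed (the "persistent-nat outgoing policy search"
               line in the trace shows 10.1.207.100 -> 5.5.5.1), so an inbound
               connection whose ports do not fit one of those applications never
               gets a session. The thread's fix is application any. */
            policy trust-to-untrust-internet {
                match {
                    source-address warehouse-server;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
        }
    }
    nat {
        source {
            pool p-nat {
                address {
                    5.5.5.3/32;
                    5.5.5.4/32;
                }
                /* address-mapping requires the pool to leave ports untranslated */
                port no-translation;
            }
            rule-set internet {
                from zone TRUST;
                to zone UNTRUST;
                rule 1 {
                    match {
                        /* assumption: only the one host needs a cone mapping, so do not
                           hand the whole /24 a full-cone binding */
                        source-address 10.1.207.100/32;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            pool {
                                p-nat;
                                persistent-nat {
                                    /* any-remote-host + address-mapping + application any
                                       is full-cone NAT: once 10.1.207.100 has a single
                                       binding, any Internet host can reach any port on it
                                       via 5.5.5.3 until the binding ages out. target-host
                                       keeps address-mapping (all ports) but only admits
                                       hosts the Linux box has itself connected to; it is
                                       not valid with target-host-port. */
                                    permit target-host;
                                    address-mapping;
                                    inactivity-timeout 300;
                                }
                            }
                        }
                    }
                }
            }
        }
    }
}
```

Two checks after commit: `show security nat source persistent-nat-table all` should still show the binding for 10.1.207.100 (the Type column changes to target-host if that variant is used), and `show security flow session destination-prefix 5.5.5.3` should show the inbound session from the EX once it connects. When the reverse policy search fails, the SRX falls through to a plain route lookup for 5.5.5.3, which hits the Discard route the pool installs; that is why the trace above ends in "no route to dest" rather than a policy deny, and why the route table looked correct the whole time.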