SRX Services Gateway

Problem with destination NAT

09-20-2014 12:00 PM

Hi,

I don't understand why the SPC-1 rule doesn't work:

/* Destination-NAT pools hold the real (post-NAT) server addresses. */
pool RDP-HOST {
    address 10.16.138.44/32;
}
pool SPC-HOST {
    address 10.16.138.41/32;
}
/* Rules in a rule-set are evaluated top-down; the first match is used. */
rule-set NAT-RULE {
    from zone zone-500;
    rule RDP-1 {
        match {
            source-address [ 1.1.1.1/32 2.2.2.2/32 ];
            destination-address 9.9.9.9/32;
            destination-port 3389;
        }
        then {
            destination-nat pool RDP-HOST;
        }
    }
    rule SPC-1 {
        match {
            source-address [ 1.1.1.1/32 2.2.2.2/32 3.3.3.3/32 ];
            destination-address 9.9.9.9/32;
            destination-port 443;
        }
        then {
            destination-nat pool SPC-HOST;
        }
    }
}

I can connect to 9.9.9.9 by RDP but not by HTTPS.

Re: Problem with destination NAT

09-21-2014 05:54 AM

Do you have a matching security policy that permits the traffic?

 

The NAT rules only perform the address translation; you still need a security permit rule in place.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
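The ordering behind Steve's point is worth seeing in code: on the SRX the destination-NAT rule rewrites the destination address first, and the security policy is then looked up against the translated address (the traceoptions output later in the thread shows exactly that order: routed x_dst_ip 10.16.138.41, then policy search zone-500 -> zone-700). The Python model below is an added example, not code from the thread or from Juniper. It assumes the address-book entries RDP and SPC, which the post references by name only, resolve to the two pool addresses, and that the 10.16.138.0/24 subnet behind reth1.700 is zone-700; PUBLIC and WRONG_POLICIES are added purely to show what happens when a policy is written against the public address instead of the pool address. Only the standard library is used.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed address-book contents (the original post references RDP and SPC by name
# but does not show their values); PUBLIC is added to show the wrong way round.
ADDRESS_BOOK = {
    "any": ["0.0.0.0/0"],
    "RDP": ["10.16.138.44/32"],
    "SPC": ["10.16.138.41/32"],
    "PUBLIC": ["9.9.9.9/32"],
}


def in_any(ip: str, prefixes: List[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


@dataclass
class DnatRule:
    name: str
    src: List[str]
    dst: List[str]
    dport: Optional[int]   # None means any destination port
    pool: str              # translated destination address


@dataclass
class Policy:
    name: str
    from_zone: str
    to_zone: str
    src: str               # address-book name
    dst: str               # address-book name
    action: str


# Destination-NAT rules as posted in the thread, in configured order.
DNAT_RULES = [
    DnatRule("RDP-1", ["1.1.1.1/32", "2.2.2.2/32"], ["9.9.9.9/32"], 3389, "10.16.138.44"),
    DnatRule("SPC-1", ["1.1.1.1/32", "2.2.2.2/32", "3.3.3.3/32"], ["9.9.9.9/32"], 443, "10.16.138.41"),
]

# Security policies as posted (application any).
POLICIES = [
    Policy("RDP", "zone-500", "zone-700", "any", "RDP", "permit"),
    Policy("SPC", "zone-500", "zone-700", "any", "SPC", "permit"),
]

# A policy written against the public address instead of the pool address (for contrast).
WRONG_POLICIES = [Policy("SPC-public", "zone-500", "zone-700", "any", "PUBLIC", "permit")]


def zone_of(ip: str) -> str:
    """Assumed: the server subnet behind reth1.700 is zone-700, everything else is zone-500."""
    return "zone-700" if in_any(ip, ["10.16.138.0/24"]) else "zone-500"


def apply_dnat(src_ip: str, dst_ip: str, dport: int) -> Tuple[str, Optional[str]]:
    """Rules are evaluated top-down; the first match translates the destination."""
    for r in DNAT_RULES:
        if in_any(src_ip, r.src) and in_any(dst_ip, r.dst) and r.dport in (None, dport):
            return r.pool, r.name
    return dst_ip, None


def lookup_policy(policies, from_zone, to_zone, src_ip, dst_ip) -> Optional[Policy]:
    """First policy in the zone pair whose address-book entries contain both addresses."""
    for p in policies:
        if (p.from_zone, p.to_zone) == (from_zone, to_zone) \
                and in_any(src_ip, ADDRESS_BOOK[p.src]) and in_any(dst_ip, ADDRESS_BOOK[p.dst]):
            return p
    return None


def first_packet(src_ip, dst_ip, dport, policies=POLICIES, in_zone="zone-500"):
    """SRX first-packet order that matters here: destination NAT, then route/zone lookup
    on the translated address, then policy lookup on the translated address.
    Returns (nat rule hit, policy hit, verdict)."""
    xlated, rule = apply_dnat(src_ip, dst_ip, dport)
    pol = lookup_policy(policies, in_zone, zone_of(xlated), src_ip, xlated)
    if pol is None:
        return rule, None, "drop"   # no matching policy: default deny
    return rule, pol.name, pol.action


if __name__ == "__main__":
    print(first_packet("3.3.3.3", "9.9.9.9", 443))
    print(first_packet("3.3.3.3", "9.9.9.9", 443, policies=WRONG_POLICIES))
```

The second call is the case Steve is warning about: the NAT rule still fires, but because the policy names the pre-NAT address 9.9.9.9 rather than the pool address, the lookup on 10.16.138.41 finds nothing and the session is dropped even though "NAT is configured".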

Re: Problem with destination NAT

09-21-2014 07:36 AM

Yes, I have a policy.

Here it is:

from-zone zone-500 to-zone zone-700 {
    /* Policies are evaluated top-down; the first match is used. */
    policy RDP {
        match {
            source-address any;
            destination-address RDP;
            application any;
        }
        then {
            permit;
        }
    }
    policy SPC {
        match {
            source-address any;
            destination-address SPC;
            application any;
        }
        then {
            permit;
        }
    }
}

 

Here is part of the traceoptions output:

 

Sep 19 18:30:46 17:34:02.1150526:CID-01:FPC-02: PIC-00:THREAD_ID-13:RT: Doing DESTINATION addr route-lookup
Sep 19 18:30:46 17:34:02.1150557:CID-01:FPC-02: PIC-00:THREAD_ID-13:RT: routed (x_dst_ip 10.16.138.41) from zone-500 (reth2.500 in 2) to reth1.700, Next-hop: 10.16.138.41
Sep 19 18:30:46 17:34:02.1150596:CID-01:FPC-02: PIC-00:THREAD_ID-13:RT: policy search from zone zone-500-> zone zone-700 (0x110,0x9bcf01bb,0x1bb)
Sep 19 18:30:46 17:34:02.1150685:CID-01:FPC-02: PIC-00:THREAD_ID-13:RT: app 58, timeout 1800s, curr ageout 20s

Re: Problem with destination NAT

09-21-2014 10:51 AM

Hi,

The configuration looks good and the flow trace confirms that a session is getting created for 443 and the packet is correctly getting routed to the HTTPS server.

Check the following:

1. The server's default gateway (it should be pointing to the SRX, like the RDP device).
2. Are you able to access the HTTPS server from the internal PCs?

If the default gateway is correct, then share the following details:

1. show security flow session destination-port 443
2. Move the order of the NAT rules (first HTTPS and then RDP) and check whether HTTPS is working or not.

If HTTPS is working after moving the NAT rule, then it could be a Junos code issue.

Regards
rparthi

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too

Re: Problem with destination NAT

09-22-2014 04:24 AM

Hi,

The default gateway is correct and I can connect to the HTTPS server from the internal PCs.

I changed the order of the NAT rules (first HTTPS and then RDP) but still cannot connect to the HTTPS server =(

Output of show security flow session destination-port 443:

Flow Sessions on FPC0 PIC1:

Session ID: 10067670, Policy name: RDP/5, State: Active, Timeout: 16, Valid
In: 3.3.3.3/48164 --> 9.9.9.9/443;tcp, If: reth2.500, Pkts: 2, Bytes: 104
Out: 10.16.138.41/443 --> 3.3.3.3/48164;tcp, If: reth1.700, Pkts: 0, Bytes: 0
Total sessions: 3

Flow Sessions on FPC1 PIC0:
Total sessions: 0

Flow Sessions on FPC1 PIC1:

Session ID: 50065850, Policy name: RDP/5, State: Active, Timeout: 16, Valid
In: 3.3.3.3/48165 --> 9.9.9.9/443;tcp, If: reth2.500, Pkts: 2, Bytes: 104
Out: 10.16.138.41/443 --> 3.3.3.3/48165;tcp, If: reth1.700, Pkts: 0, Bytes: 0
Total sessions: 1

Flow Sessions on FPC2 PIC0:
Total sessions: 1

Flow Sessions on FPC2 PIC1:
Total sessions: 0

Re: Problem with destination NAT

09-22-2014 04:48 AM

Session ID: 50065850, Policy name: RDP/5, State: Active, Timeout: 16, Valid
In: 3.3.3.3/48165 --> 9.9.9.9/443;tcp, If: reth2.500, Pkts: 2, Bytes: 104
Out: 10.16.138.41/443 --> 3.3.3.3/48165;tcp, If: reth1.700, Pkts: 0, Bytes: 0
Total sessions: 1

Note that the packet count for the return traffic from the server to the client is zero.

As rparthi notes, this generally means you have a routing problem from the server back to the source IP address 3.3.3.3. That is why he is asking about your default gateway and the like.

Run a traceroute on the server to the source address 3.3.3.3 and see what network path this takes. I suspect this will die at a particular hop and you will find there is no route to your source address on this router.

 

 

Steve Puluka BSEET - Juniper Ambassador
Re: Problem with destination NAT

09-22-2014 05:14 AM

Hi,

From this output,

Out: 10.16.138.41/443 --> 3.3.3.3/48164;tcp, If: reth1.700, Pkts: 0, Bytes: 0 <<<<<<<

the reply packet count is 0. That means the SRX did not receive the reply packets from the HTTPS server.

Interestingly, from the following session:

In: 3.3.3.3/48164 --> 9.9.9.9/443;tcp, If: reth2.500, Pkts: 2, Bytes: 104 <<<<<<<<< count 2 >>>>

Check whether any asymmetric routing happens for this traffic.

Capture the packets on the server to see if the SYN request from 3.3.3.3 is reaching the server and whether the server is replying to it.

Regards
rparthi
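Both Steve's reply (04:48) and rparthi's reply above key on the same symptom in the flow-session listing: the In wing has forwarded the client's packets while the Out wing shows Pkts: 0, so the SRX translated and forwarded the SYN but never saw the server's reply. The script below is an added example, not code from the thread or from Juniper. It parses a show security flow session listing into structured records, picks out sessions whose reverse wing has counted nothing, and reports the translated destination (the Out-wing source address) and the egress interface, which is exactly the host and path to go and check. The sample text is constructed from the output posted above, with one healthy RDP session added for contrast.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the 'show security flow session' output in the thread.
# The third session (a working RDP connection with reply traffic) is added for contrast.
SAMPLE = """\
Flow Sessions on FPC0 PIC1:

Session ID: 10067670, Policy name: RDP/5, State: Active, Timeout: 16, Valid
In: 3.3.3.3/48164 --> 9.9.9.9/443;tcp, If: reth2.500, Pkts: 2, Bytes: 104
Out: 10.16.138.41/443 --> 3.3.3.3/48164;tcp, If: reth1.700, Pkts: 0, Bytes: 0
Total sessions: 1

Flow Sessions on FPC1 PIC1:

Session ID: 50065850, Policy name: RDP/5, State: Active, Timeout: 16, Valid
In: 3.3.3.3/48165 --> 9.9.9.9/443;tcp, If: reth2.500, Pkts: 2, Bytes: 104
Out: 10.16.138.41/443 --> 3.3.3.3/48165;tcp, If: reth1.700, Pkts: 0, Bytes: 0
Total sessions: 1

Flow Sessions on FPC2 PIC0:

Session ID: 50065851, Policy name: RDP/5, State: Active, Timeout: 1800, Valid
In: 1.1.1.1/50000 --> 9.9.9.9/3389;tcp, If: reth2.500, Pkts: 12, Bytes: 1500
Out: 10.16.138.44/3389 --> 1.1.1.1/50000;tcp, If: reth1.700, Pkts: 10, Bytes: 2200
Total sessions: 1
"""

SESSION_RE = re.compile(r"^Session ID: (\d+), Policy name: (\S+), State: (\w+), Timeout: (\d+)")
WING_RE = re.compile(
    r"^(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+), If: (\S+), Pkts: (\d+), Bytes: (\d+)"
)


@dataclass
class Wing:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    iface: str
    pkts: int
    nbytes: int


@dataclass
class Session:
    sid: int
    policy: str
    state: str
    timeout: int
    wings: Dict[str, Wing] = field(default_factory=dict)  # keyed "In" / "Out"


def parse_flow_sessions(text: str) -> List[Session]:
    """Turn the CLI listing into Session records; header and 'Total' lines are ignored."""
    sessions: List[Session] = []
    cur: Optional[Session] = None
    for line in text.splitlines():
        line = line.strip()
        m = SESSION_RE.match(line)
        if m:
            cur = Session(int(m.group(1)), m.group(2), m.group(3), int(m.group(4)))
            sessions.append(cur)
            continue
        m = WING_RE.match(line)
        if m and cur is not None:
            cur.wings[m.group(1)] = Wing(
                m.group(2), int(m.group(3)), m.group(4), int(m.group(5)),
                m.group(6), m.group(7), int(m.group(8)), int(m.group(9)),
            )
    return sessions


def dnat_target(s: Session) -> Optional[str]:
    """If destination NAT applied, the Out wing's source is the real server address."""
    i, o = s.wings["In"], s.wings["Out"]
    return o.src_ip if o.src_ip != i.dst_ip else None


def sessions_without_reply(sessions: List[Session]) -> List[Session]:
    """Client packets were forwarded but the SRX never saw a reply: the symptom in the thread."""
    return [
        s for s in sessions
        if "In" in s.wings and "Out" in s.wings
        and s.wings["In"].pkts > 0 and s.wings["Out"].pkts == 0
    ]


def report(text: str) -> List[Tuple[int, str, Optional[str], str]]:
    """(session id, original dst, translated dst, egress interface) for each dead session."""
    return [
        (s.sid, s.wings["In"].dst_ip, dnat_target(s), s.wings["Out"].iface)
        for s in sessions_without_reply(parse_flow_sessions(text))
    ]


if __name__ == "__main__":
    for sid, dst, real, egress in report(SAMPLE):
        print(f"session {sid}: {dst} -> {real or dst} via {egress}: no reply seen")
```

Feed it the real listing (for example, piped from the SRX over SSH) and every line it prints is a server and egress interface to capture on, which is the step rparthi asks for next.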
 

Re: Problem with destination NAT

09-22-2014 05:44 AM

This is the traceroute log:

tracert 3.3.3.3
traceroute to 3.3.3.3 (3.3.3.3), 30 hops max, 40 byte packets
1 (10.16.138.1) 0.596 ms 0.535 ms 0.533 ms
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *

I don't understand. Why does it happen?

Traceroute from the SRX:

traceroute 3.3.3.3
traceroute to 3.3.3.3 (3.3.3.3), 30 hops max, 40 byte packets
1 9.9.9.1 (9.9.9.1) 3.824 ms 8.802 ms 10.215 ms
2 y.y.y.y (y.y.y.y) 4.145 ms 3.554 ms 2.569 ms
3 z.z.z.z (z.z.z.z) 3.220 ms 2.931 ms 3.295 ms

There is a static route under routing-options on the SRX:

routing-options static route 0.0.0.0/0 next-hop 9.9.9.1

There is a security policy:

set security policies from-zone zone-700 to-zone zone-500 policy rule-700 match source-address any
set security policies from-zone zone-700 to-zone zone-500 policy rule-700 match destination-address any
set security policies from-zone zone-700 to-zone zone-500 policy rule-700 match application any
set security policies from-zone zone-700 to-zone zone-500 policy rule-700 then permit

Why?

 

 

Re: Problem with destination NAT

09-22-2014 05:55 AM

Hi,

Is the server (10.16.138.41) connected directly to the SRX network or is there any router in between?

Regards
rparthi
 

Re: Problem with destination NAT

09-22-2014 01:48 PM

No routers, only switches. 

Re: Problem with destination NAT

09-23-2014 02:56 PM

What device has this address, where your server traceroute stops?

10.16.138.1

I assume this is the default gateway for the server, correct?

Steve Puluka BSEET - Juniper Ambassador
Re: Problem with destination NAT

09-25-2014 02:20 AM

This is the address of the reth1.700 interface and it is the default gateway for the server.
It is the management network. I think I found where the problem was: interface fxp0 has address 10.16.138.40 and the routing table looks like:

show route best 10.16.138.0

inet.0: 19 destinations, 20 routes (19 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.16.138.0/24 *[Direct/0] 2w1d 02:28:34
                          > via fxp0.0
                          [Direct/0] 22:44:23
                          > via reth1.700

It is not right, is it?

Re: Problem with destination NAT

09-25-2014 04:02 AM

Hi Alex,

Yes, the routing table does not look correct.

10.16.138.0/24 *[Direct/0] 2w1d 02:28:34
                          > via fxp0.0
                          [Direct/0] 22:44:23
                          > via reth1.700

fxp0 and reth1.700 should not be in the same subnet.

So because of it, reply packets from the server are sent to the SRX via fxp0 instead of reth1.700.

2 options:

1. Disable fxp0 and test it.
2. Or change the network for the fxp0 interface.

or

3. Put reth1.700 in a custom routing instance.

Regards
rparthi
 

Re: Problem with destination NAT

09-27-2014 06:19 AM

I agree with rparthi, the overlapping routes are the root cause here.

You will need to have a look at the network design and determine which interface is the correct owner for this subnet, then make a change on the other interface.

Steve Puluka BSEET - Juniper Ambassador
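rparthi's and Steve's diagnosis above rests on one line of show route: the same prefix is a Direct route on two interfaces, and the routing engine has preferred the out-of-band management port fxp0.0 over the data-plane reth1.700. Beyond the broken return path, that is a hardening concern in its own right, because a data-plane zone then shares a broadcast domain with the management interface. The script below is an added example, not code from the thread or from Juniper. It parses a show route listing, flags any prefix that is directly connected on more than one interface, and reports which interface won and whether a management interface is involved. The route-table text is constructed from the output posted above, with a Local route and the static default added for illustration; the management-interface name fxp0.0 is the SRX default and is an assumption here.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample modelled on the 'show route' output in the thread; the Local
# route and the static default are added here for illustration.
ROUTE_TABLE = """\
inet.0: 19 destinations, 20 routes (19 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.16.138.0/24     *[Direct/0] 2w1d 02:28:34
                    > via fxp0.0
                    [Direct/0] 22:44:23
                    > via reth1.700
10.16.138.40/32    *[Local/0] 2w1d 02:28:34
                      Local via fxp0.0
0.0.0.0/0          *[Static/5] 1w0d 00:00:00
                    > to 9.9.9.1 via reth0.0
"""

PREFIX_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+/\d+)\s+(.*)$")
ENTRY_RE = re.compile(r"(\*?)\[(\w+)/(\d+)\]")
VIA_RE = re.compile(r"\bvia (\S+)")

# Out-of-band management interfaces; fxp0 is the SRX default, assumed here.
MGMT_IFACES = ("fxp0.0",)


@dataclass
class RouteEntry:
    prefix: str
    protocol: str
    preference: int
    active: bool          # marked '*' in the listing
    iface: str = ""


def parse_show_route(text: str) -> List[RouteEntry]:
    """Walk the listing: a prefix line opens a group, '[Proto/pref]' opens an entry,
    and the following 'via <ifl>' line binds the next hop to that entry."""
    entries: List[RouteEntry] = []
    prefix = None
    for raw in text.splitlines():
        m = PREFIX_RE.match(raw)
        if m:
            prefix, rest = m.group(1), m.group(2)
        else:
            rest = raw.strip()
        if prefix is None:
            continue  # table header lines before the first prefix
        e = ENTRY_RE.search(rest)
        if e:
            entries.append(RouteEntry(prefix, e.group(2), int(e.group(3)), e.group(1) == "*"))
            continue
        v = VIA_RE.search(rest)
        if v and entries and entries[-1].prefix == prefix and not entries[-1].iface:
            entries[-1].iface = v.group(1)
    return entries


def direct_interfaces(entries: List[RouteEntry]) -> Dict[str, List[Tuple[str, bool]]]:
    """prefix -> [(interface, active)] for Direct routes only."""
    out: Dict[str, List[Tuple[str, bool]]] = defaultdict(list)
    for e in entries:
        if e.protocol == "Direct":
            out[e.prefix].append((e.iface, e.active))
    return dict(out)


def overlapping_direct(entries: List[RouteEntry], mgmt_ifaces=MGMT_IFACES) -> Dict[str, dict]:
    """Prefixes that are directly connected on more than one interface. For each, report
    the interface the routing engine chose, the ones it did not, and whether a
    management interface is among them (the case in the thread)."""
    findings = {}
    for prefix, ifaces in direct_interfaces(entries).items():
        if len({i for i, _ in ifaces}) < 2:
            continue
        active = [i for i, a in ifaces if a]
        findings[prefix] = {
            "active": active[0] if active else None,
            "losers": [i for i, a in ifaces if not a],
            "management": any(i in mgmt_ifaces for i, _ in ifaces),
        }
    return findings


if __name__ == "__main__":
    for prefix, f in overlapping_direct(parse_show_route(ROUTE_TABLE)).items():
        flag = " (management interface involved)" if f["management"] else ""
        print(f"{prefix}: active via {f['active']}, also configured on {f['losers']}{flag}")
```

Run against the full show route output after any interface or routing-instance change; an empty result is the state Steve describes, with exactly one owner per subnet.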
Re: Problem with destination NAT

10-16-2014 03:22 AM

Hi! Sorry for the late answer, my account was blocked.

The problem was in the design of the network. I had made one AE interface on the switch, and some of the traffic from the switch fell onto the SRX cluster ports that were on the passive node.

Now I have made one more AE interface and everything is OK!