SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX 240 and source nat

    Posted 10-19-2011 23:18

    Hi, all.

     

    I have an SRX240 and some routed local networks (which are not directly attached to the SRX). So I have to do source NAT, but still no luck.

     

    Scheme:  LocalNet 10.17.17.0/24 ----  LOCALROUTER (10.1.1.2)---- (net 10.1.1.0/24) ---- (10.1.1.1)SRX240 ----(external net x.x.x.x/24)

     

    My config:

     

    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address x.x.x.2/24;
                }
            }
        }
        ge-0/0/14 {
            gigether-options {
                802.3ad ae0;
            }
        }
        ge-0/0/15 {
            gigether-options {
                802.3ad ae0;
            }
        }
        ae0 {
            description link-to-c4507R;
            aggregated-ether-options {
                lacp {
                    active;
                }
            }
            unit 0 {
                family ethernet-switching {
                    port-mode trunk;
                    vlan {
                        members [ vlan18-p2p ];
                    }
                }
            }
        }
        vlan {
            unit 18 {
                family inet {
                    address 10.1.1.1/24;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop x.x.x.1;
            route 10.17.17.0/24 next-hop 10.1.1.2;
        }
    }
    security {
        nat {
            source {
                rule-set TRUST-UNTRUST-NAT {
                    from zone trust;
                    to zone untrust;
                    rule NAT-RULE {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface; 
                            }
                        }
                    }
                }
            }
        }
        zones {
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    vlan.18; 
                }
            }
            security-zone untrust {
                host-inbound-traffic {
                    system-services {
                        ssh;
                    }
                }
                interfaces {
                    ge-0/0/0.0; 
                }
            }
        }
        policies {
            from-zone trust to-zone untrust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
    }
    vlans {
        vlan18-p2p {
            vlan-id 18;
            l3-interface vlan.18;
        }
    }
    
    

     

     

    So, when I try to ping some outside host, I see a record in the NAT table (for example):

     

    Session ID: 4555, Policy name: trust-to-untrust/6, Timeout: 58, Valid
      In: 10.17.17.23/62058 --> 8.8.8.8/53;udp, If: vlan.18, Pkts: 1, Bytes: 71
      Out: 8.8.8.8/53 --> x.x.x.2/51831;udp, If: ge-0/0/0.0, Pkts: 1, Bytes: 527

    I see that the request was sent from the host behind NAT and arrived at the outside destination host. The destination host answers the request, but "that answer" is not coming back. Why? What is wrong?

     

    Sorry for my bad English, and thanks for your answers.
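
As an added example (not code from the original post or from Juniper), a small Python parser for the "show security flow session" output quoted above that reports whether source NAT was applied and whether a reply packet was counted on the Out wing; the second sample session, an untranslated 10.1.1.1 source, is constructed here to show the failure mode discussed later in the thread. It assumes the Out wing's packet counter counts server-to-client packets, which is how the SRX session table presents the reverse direction.

```python
import ipaddress
import re
from collections import namedtuple
# First sample copied from the post above (x.x.x.2 is masked there); second is constructed, not from the page.
SESSION_OUTPUT = """\
Session ID: 4555, Policy name: trust-to-untrust/6, Timeout: 58, Valid
  In: 10.17.17.23/62058 --> 8.8.8.8/53;udp, If: vlan.18, Pkts: 1, Bytes: 71
  Out: 8.8.8.8/53 --> x.x.x.2/51831;udp, If: ge-0/0/0.0, Pkts: 1, Bytes: 527
"""
UNTRANSLATED_OUTPUT = """\
Session ID: 4600, Policy name: trust-to-untrust/6, Timeout: 2, Valid
  In: 10.1.1.1/3 --> 8.8.8.8/3;icmp, If: vlan.18, Pkts: 7, Bytes: 588
  Out: 8.8.8.8/3 --> 10.1.1.1/3;icmp, If: ge-0/0/0.0, Pkts: 0, Bytes: 0
"""

HEADER_RE = re.compile(r"Session ID: (\d+), Policy name: (\S+), Timeout: (\d+), (\w+)")
WING_RE = re.compile(r"(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+), If: (\S+), "
                     r"Pkts: (\d+), Bytes: (\d+)")
Wing = namedtuple("Wing", "src sport dst dport proto ifname pkts nbytes")

def parse_sessions(text):
    """Parse 'show security flow session' output into dicts holding 'in'/'out' wings."""
    sessions, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEADER_RE.match(line):
            cur = {"id": int(m[1]), "policy": m[2], "timeout": int(m[3]), "state": m[4]}
            sessions.append(cur)
        elif cur is not None and (m := WING_RE.match(line)):
            cur[m[1].lower()] = Wing(m[2], int(m[3]), m[4], int(m[5]), m[6], m[7], int(m[8]), int(m[9]))
    return sessions

def is_private(addr):
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:  # masked addresses such as x.x.x.2 cannot be classified
        return False

def diagnose(session):
    """What the session proves: was source NAT applied, and did a reply reach the SRX?"""
    i, o = session["in"], session["out"]
    nat_applied = o.dst != i.src  # reverse wing is addressed to the translated source
    reply_seen = o.pkts > 0       # Out-wing packets are server->client replies
    verdict = "no reply seen at the SRX; look at the untrust side"
    if reply_seen:
        verdict = f"reply from {o.src} reached the SRX and left via {i.ifname}; check the path to {i.src}"
    elif not nat_applied and is_private(i.src):
        verdict = f"source {i.src} was never translated; an internet host cannot route a reply to it"
    return {"nat_applied": nat_applied, "translated_to": o.dst if nat_applied else None,
            "reply_seen": reply_seen, "verdict": verdict}
```

For the quoted session the Out wing already shows one 527-byte packet from 8.8.8.8, so the SRX did receive and forward the reply and the loss is on the inside path.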



  • 2.  RE: SRX 240 and source nat

    Posted 10-20-2011 07:49

    It seems ok on the 240, so look at the internal router or receiving host!



  • 3.  RE: SRX 240 and source nat

    Posted 10-20-2011 22:18

    It's strange.

     

    I reset the configuration to default. Some changes:

     

    interfaces {
        interface-range interfaces-trust {
            member ge-0/0/1;
            member ge-0/0/2;
            member ge-0/0/3;
            member ge-0/0/4;
            member ge-0/0/5;
            member ge-0/0/6;
            member ge-0/0/7;
            member ge-0/0/8;
            member ge-0/0/9;
            member ge-0/0/10;
            member ge-0/0/11;
            member ge-0/0/12;
            member ge-0/0/13;
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address x.x.x.2/24;
                }
            }
        }
        ge-0/0/14 {
            gigether-options {
                802.3ad ae0;
            }
        }
        ge-0/0/15 {
            gigether-options {
                802.3ad ae0;
            }
        }
        ae0 {
            description link-to-c4507r;
            aggregated-ether-options {
                lacp {
                    active;
                }
            }
            unit 0 {
                family ethernet-switching {
                    port-mode trunk;
                    vlan {
                        members vlan18-p2p;
                    }
                }
            }
        }
        vlan {
            unit 0 {
                family inet {
                    address 192.168.1.1/24;
                }
            }
            unit 18 {
                family inet {
                    address 10.1.1.1/30;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop x.x.x.1;
        }
    }
    security {
        nat {
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
    
        zones {
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    vlan.0;
                    vlan.18;
                }
            }
            security-zone untrust {
                screen untrust-screen;
                host-inbound-traffic {
                    system-services {
                        ssh;
                    }
                }
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                                tftp;
                                ssh;
                            }
    
                        }
                    }
                }
            }
        }
    
        policies {
            from-zone trust to-zone untrust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone trust to-zone trust {
                policy default-permit {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
    }
    vlans {
        vlan-trust {
            vlan-id 3;
            l3-interface vlan.0;
        }
        vlan18-p2p {
            vlan-id 18;
            l3-interface vlan.18;
        }
    }

     

    I am trying to ping an outside host from the Juniper with different sources:

    root# run ping 8.8.8.8 source 192.168.1.1
    PING 8.8.8.8 (8.8.8.8): 56 data bytes
    64 bytes from 8.8.8.8: icmp_seq=0 ttl=53 time=205.625 ms
    64 bytes from 8.8.8.8: icmp_seq=1 ttl=53 time=147.717 ms
    64 bytes from 8.8.8.8: icmp_seq=2 ttl=53 time=245.566 ms
    ^C
    --- 8.8.8.8 ping statistics ---
    4 packets transmitted, 3 packets received, 25% packet loss
    round-trip min/avg/max/stddev = 147.717/199.636/245.566/40.171 ms

     

    and

     

    root# run ping 8.8.8.8 source 10.1.1.1
    PING 8.8.8.8 (8.8.8.8): 56 data bytes
    ^C
    --- 8.8.8.8 ping statistics ---
    7 packets transmitted, 0 packets received, 100% packet loss

     

    As you see, from source vlan.18 I cannot ping. Maybe the problem is in the aggregated interface?



  • 4.  RE: SRX 240 and source nat

    Posted 10-21-2011 00:35

    Hi

     

    Can you try a ping from LOCALROUTER (10.1.1.2) ?

    I think that local traffic just does not go through NAT, that's why a ping is lost.

     

    Also, do you have a [chassis aggregated-devices device-count] setting?



  • 5.  RE: SRX 240 and source nat

    Posted 10-21-2011 01:33

    >Can you try a ping from LOCALROUTER (10.1.1.2) ? 

     

    Yes, I can. The local router is pingable.

     

    > I think that local traffic just does not go through NAT, that's why a ping is lost.

     

    In my last message I tried to ping an outside host FROM THE JUNIPER DEVICE. I ran the command directly from the SRX, and the result left me stuck.

     

    When I run the command ping 8.8.8.8 source 192.168.1.1 (interface vlan.0 on the Juniper), all is fine; the host is pingable.

     

    When I run the command ping 8.8.8.8 source 10.1.1.1 (interface vlan.18 on the Juniper), there is no reply.

     

    I changed the configuration and removed the ae0 interface (interface ge-0/0/15 in trunk mode):

     


        ge-0/0/15 {
            unit 0 {
                family ethernet-switching {
                    port-mode trunk;
                    vlan {
                        members vlan18-p2p;
                    }
                }
            }
        }

     

    and still no luck: I CAN ping from source 192.168.1.1 and CANNOT ping from source 10.1.1.1.



  • 6.  RE: SRX 240 and source nat
    Best Answer

    Posted 10-21-2011 07:13

    Hi

    Regarding the local router, what I meant was: can you log in to it and ping
    hosts on the internet from it?

    But actually, it surprises me that you can ping 8.8.8.8 with source = 192.168.1.1
    because in this case NAT should not be applied (from my understanding -
    just because it is a locally generated traffic, it will not use your NAT
    rules and policies).

    Can you initiate a ping from 192.168.1.1 to 8.8.8.8 and show me a
    "show security flow session" output for these sessions (erase your public ip,
    if it will be there)?

    Also please can you post your full config, as it is now.