SRX Services Gateway

SRX 550 - NAT

‎03-28-2019 01:10 PM

Hi!


I am trying to configure a static NAT for my secondary assigned IPs (200.200.200.64/27), which were routed to my primary IP (200.200.200.44) by my ISP.

The outbound is working but the inbound is not. I feel I must be missing something obvious but I think I opened up everything via policies and on the zones. Any help would be appreciated!

Relevant configuration sections:

    nat {
        static {
            rule-set mgmt {
                from zone Internet;
                rule mgmt {
                    match {
                        destination-address-name 200.200.200.66;
                    }
                    then {
                        static-nat {
                            prefix {
                                10.20.10.66/32;
                            }
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone Internet to-zone Trust {
            policy ALL {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
        }
        from-zone Trust to-zone Internet {
            policy All_Trust_Internet {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        default-policy {
            deny-all;
        }
    }
    zones {
        security-zone Trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.1 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone Internet {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 200.200.200.44/29;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members vlan1;
                }
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members vlan1;
                }
            }
        }
    }

    vlan {
        unit 1 {
            family inet {
                address 10.20.10.1/24;
            }
        }

    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 200.200.200.41;
        route 10.20.10.0/24 next-hop 10.20.10.1;
    }
}

vlans {
    vlan1 {
        vlan-id 3;
        l3-interface vlan.1;
    }
    
}
7 REPLIES

Re: SRX 550 - NAT

‎03-28-2019 01:27 PM

Do you have an address book entry named 200.200.200.66? If not, I would suggest using 'destination-address 200.200.200.66/32' instead of destination-address-name, which looks for entries in the address book.


user@fw# ... rule-set wan cso match destination-?
Possible completions:
> destination-address  Destination address
> destination-address-name  Address from address book

--
Best regards,

Jonas Hauge Klingenberg
Juniper Ambassador & Technology Architect, SEC DATACOM A/S (Denmark)

Re: SRX 550 - NAT

‎03-28-2019 01:38 PM

Hello, thanks for answering. I did actually have the address in the address book, but I changed it anyway, and it looks like this now:


    static {
        rule-set mgmt {
            from zone Internet;
            rule mgmt {
                match {
                    destination-address 200.200.200.66/32;
                }
                then {
                    static-nat {
                        prefix {
                            10.20.10.6/32;
                        }
                    }
                }
            }
        }
    }

Unfortunately, still not working.


Re: SRX 550 - NAT

‎03-28-2019 01:50 PM

Could you please share the output from 'show security nat static rule all'?


And can you confirm that you can access the internal host on the relevant port/service? Maybe just confirm that ping is working from the SRX to 10.20.10.6.

--
Best regards,

Jonas Hauge Klingenberg
Juniper Ambassador & Technology Architect, SEC DATACOM A/S (Denmark)

Re: SRX 550 - NAT

‎03-28-2019 01:57 PM

Here it is:

Total static-nat rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 2/0
Static NAT rule: mgmt                   Rule-set: mgmt
  Rule-Id                    : 1
  Rule position              : 1
  From zone                  : Internet
  Destination addresses      : 200.200.200.66
  Host addresses             : 10.20.10.6
  Netmask                    : 32
  Host routing-instance      : N/A
  Translation hits           : 1292
    Successful sessions      : 85
    Failed sessions          : 1207
  Number of sessions         : 1

Ping works from the SRX to 10.20.10.6

And 10.20.10.6 is fully accessible when connected to the dynamic VPN configured on the SRX.
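The rule output above already says a lot: 1292 translation hits but 1207 failed sessions, so the static NAT match and translation are working and the session is being killed at a later first-path step. As an added example (not part of the original thread, not Juniper code), here is a small Python check that parses the output of 'show security nat static rule all' as posted and flags rules with that pattern. The sample text is the poster's own output; the 50% threshold is an assumption.

```python
"""Sanity check over 'show security nat static rule all' output.

Added example (not from the original thread): parses the rule block the
poster shared and flags rules whose sessions are mostly failing, which
points past the NAT rule itself to the later first-path steps (route and
policy lookup). Field labels are the ones Junos prints in that command.
"""
import re

# Constructed sample: the rule output posted in the thread.
SAMPLE_OUTPUT = """\
Total static-nat rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 2/0
Static NAT rule: mgmt                   Rule-set: mgmt
  Rule-Id                    : 1
  Rule position              : 1
  From zone                  : Internet
  Destination addresses      : 200.200.200.66
  Host addresses             : 10.20.10.6
  Netmask                    : 32
  Host routing-instance      : N/A
  Translation hits           : 1292
    Successful sessions      : 85
    Failed sessions          : 1207
  Number of sessions         : 1
"""

RULE_HDR = re.compile(r"^Static NAT rule:\s+(\S+)\s+Rule-set:\s+(\S+)")
# Indented "Label : value" lines; the lazy label stops at the first colon.
FIELD = re.compile(r"^\s+([A-Za-z][A-Za-z0-9 /-]*?)\s*:\s*(.*)$")


def parse_static_nat_rules(text):
    """Return one dict per rule, keyed by the labels Junos prints."""
    rules, current = [], None
    for line in text.splitlines():
        m = RULE_HDR.match(line)
        if m:
            current = {"rule": m.group(1), "rule-set": m.group(2)}
            rules.append(current)
            continue
        m = FIELD.match(line)
        if m and current is not None:
            current[m.group(1).strip()] = m.group(2).strip()
    return rules


def failure_ratio(rule):
    """Share of sessions that hit the rule but were never established."""
    ok = int(rule.get("Successful sessions", 0))
    failed = int(rule.get("Failed sessions", 0))
    total = ok + failed
    return failed / total if total else 0.0


def assess(text, threshold=0.5):
    """Return (rule, destination, host, ratio, verdict) per rule.

    A high ratio with non-zero translation hits means the match and the
    translation work; the session is dropped afterwards, so the next stop
    is flow traceoptions, not the NAT rule. The threshold is an assumption.
    """
    results = []
    for r in parse_static_nat_rules(text):
        ratio = round(failure_ratio(r), 3)
        hits = int(r.get("Translation hits", 0))
        if hits and ratio > threshold:
            verdict = "rule matches but sessions fail after NAT: trace the flow (route/policy)"
        else:
            verdict = "ok"
        results.append((r["rule"], r.get("Destination addresses"),
                        r.get("Host addresses"), ratio, verdict))
    return results


if __name__ == "__main__":
    for row in assess(SAMPLE_OUTPUT):
        print(row)
```

Run it against a pasted copy of the command output; for the rule in this thread it reports a 0.934 failure ratio and sends you to flow traceoptions, which is exactly where the thread goes next.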


Re: SRX 550 - NAT

‎03-28-2019 04:44 PM

Try enabling packet tracing to see where in the packet processing steps the inbound packets are being dropped. Try something like this: 


set security flow traceoptions file TEST
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter TEST destination-prefix 200.200.200.0/24


Yasmin Lara - Juniper Ambassador #QuadE - JNCIE-SP, JNCIE-ENT, JNCIE-DC, JNCIE-SEC
JNCIS-CLOUD, JNCDS-DC, JNCIA-DevOps

Re: SRX 550 - NAT

‎03-28-2019 04:55 PM

Also, why do you have this static route? 

route 10.20.10.0/24 next-hop 10.20.10.1;

You should have a direct route for 10.20.10.0/24 via vlan.1 with a better preference, so it shouldn't matter, but I was curious.

Yasmin Lara - Juniper Ambassador #QuadE - JNCIE-SP, JNCIE-ENT, JNCIE-DC, JNCIE-SEC
JNCIS-CLOUD, JNCDS-DC, JNCIA-DevOps

Re: SRX 550 - NAT

‎03-28-2019 07:45 PM

Yasmin!! Thanks to your suggestion I was able to see the error:

Mar 28 21:32:03 21:32:03.122183:CID-0:RT: app 0, timeout 60s, curr ageout 60s

Mar 28 21:32:03 21:32:03.122183:CID-0:RT:flow_first_policy_search: VPN firstpath permit check failed

Mar 28 21:32:03 21:32:03.122183:CID-0:RT: packet dropped, VPN firstpath permit check failed.


After doing some research, the VPN seemed to be the culprit. Once I deleted the dynamic VPN, the inbound traffic started working.

I think I have to do a route based VPN instead but that will be tomorrow's hurdle.


Regarding your other question about the static route, I thought I needed it. I have removed it.

Thank you so much for your advice!
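The trace lines in the last post show the general pattern for reading a basic-datapath trace: the flow_* function named just before a "packet dropped" line tells you which first-path step failed, and the text after "packet dropped," is the reason. As an added example (not part of the thread, not Juniper tooling), the Python below pulls those pairs out of a trace file and tallies them. The three thread lines are used as sample input; the fourth and fifth sample lines (a policy-deny drop) and the HINTS text are constructed by the editor and reflect the editor's reading of those messages, not Junos documentation.

```python
"""Pull drop reasons out of SRX flow traceoptions output.

Added example (not from the original thread). It reads the
'basic-datapath' trace lines, remembers the last flow_* function named
before each 'packet dropped' line, and tallies (stage, reason) pairs so
the failing first-path step is visible at a glance. The HINTS text is the
editor's reading of those messages, not Junos documentation.
"""
import re
from collections import Counter

TRACE_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<usec>\d{2}:\d{2}:\d{2}\.\d+):CID-(?P<cid>\d+):RT:\s*(?P<msg>.*)$"
)
# "flow_first_policy_search: ..." style lines name the processing step.
STAGE = re.compile(r"^(?P<func>[a-z_][a-z0-9_]*):\s*(?P<detail>.*)$")
DROP = re.compile(r"^packet dropped,\s*(?P<reason>.*?)\.?$")

# Editor's interpretation of common reasons (assumption, not vendor text).
HINTS = {
    "VPN firstpath permit check failed":
        "matched policy carries a tunnel action (policy-based VPN) and the "
        "packet did not arrive through that tunnel; check policy order/match",
    "denied by policy":
        "no permit policy matched the post-NAT destination; check from/to "
        "zones and the translated address in the policy match",
}

# Constructed sample: the three lines posted in the thread, plus one
# constructed policy-deny drop (timestamp and detail invented) so the tally
# has mixed input to work on.
SAMPLE_TRACE = """\
Mar 28 21:32:03 21:32:03.122183:CID-0:RT: app 0, timeout 60s, curr ageout 60s
Mar 28 21:32:03 21:32:03.122183:CID-0:RT:flow_first_policy_search: VPN firstpath permit check failed
Mar 28 21:32:03 21:32:03.122183:CID-0:RT: packet dropped, VPN firstpath permit check failed.
Mar 28 21:40:11 21:40:11.004512:CID-0:RT:flow_first_policy_search: policy search from zone Internet-> zone Trust
Mar 28 21:40:11 21:40:11.004512:CID-0:RT: packet dropped, denied by policy
"""


def parse_drops(text):
    """Return a list of {ts, cid, stage, reason, hint} for each dropped packet."""
    drops, last_stage = [], None
    for raw in text.splitlines():
        m = TRACE_LINE.match(raw)
        if not m:
            continue  # not a flow trace line (file header, wrapped text, ...)
        msg = m.group("msg")
        s = STAGE.match(msg)
        if s:
            last_stage = s.group("func")
        d = DROP.match(msg)
        if d:
            reason = d.group("reason")
            drops.append({
                "ts": m.group("ts"),
                "cid": m.group("cid"),
                "stage": last_stage,
                "reason": reason,
                "hint": HINTS.get(reason, "unknown reason; read the preceding lines"),
            })
    return drops


def drop_summary(text):
    """Count drops per (stage, reason) pair."""
    return Counter((d["stage"], d["reason"]) for d in parse_drops(text))


if __name__ == "__main__":
    for (stage, reason), n in drop_summary(SAMPLE_TRACE).most_common():
        print(f"{n:4d}  {stage}: {reason}")
```

Feed it the trace file from 'show log TEST' (or the file named in your traceoptions stanza); with a destination-prefix packet-filter in place as suggested above, the tally is usually one or two entries and the stage name tells you whether to look at routing, NAT or policy. Remember to delete the traceoptions once done, since they cost CPU on the data plane.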