SRX Services Gateway

SRX DESTINATION NAT (PROXY ARP?)

‎03-27-2019 06:56 PM

THE INTERNET /28 & /32 ---------------(untrust public interface)SRX(ADMIN_DMZ)--------------INTERNAL_SERVER

 

I'm having an issue configuring destination NAT; if someone can give a hand it'd be greatly appreciated.

 

A public /28 and /32 needs to connect to our internal address of 10.132.6.128/32 on port 22 from a public address that is not an address of the untrust zone of the SRX. The address on ADMIN_DMZ is also a public address.

 

THE INTERNET /28 & /32 ----------(untrust public 72.x.x.x)SRX(65.x.x.x ADMIN_DMZ)---------INTERNAL_SERVER (10.132.6.128/32)

 

I get a few translation hits but they're all failed sessions. The policy from the untrust to ADMIN_DMZ has the correct source, destination and ports. I've also got proxy-arp, which I believe is needed after reading something on a few forums.

 

 

SRX# show security nat destination
pool dnat {
    address 10.132.6.128/32 port 22;
}
rule-set dst-nat {
    from zone untrust;
    rule rule1 {
        match {
            destination-address 65.x.x.x/32;
            destination-port {
                22;
            }
        }
        then {
            destination-nat {
                pool {
                    dnat;
                }
            }
        }
    }
}
SRX# show security policies from-zone untrust to-zone ADMIN_DMZ policy 63100
match {
    source-address [ auditor officeip ];
    destination-address auditor-rfc;
    application [ cp-40814 junos-ping junos-ssh ];
}
then {
    permit;
}

SRX# show security address-book | display set | match auditor
set security address-book global address auditor-1 65.x.x.x/32
set security address-book global address auditor-2 69.x.x.x/28
set security address-book global address-set auditor address auditor-1
set security address-book global address-set auditor address auditor-2

SRX# show security address-book | display set | match auditor-rfc
set security address-book global address auditor-rfc 10.132.6.128/32

 

SRX# run show security nat destination rule rule1
node0:
--------------------------------------------------------------------------
Destination NAT rule: rule1                  Rule-set: dst-nat
  Rule-Id                    : 1
  Rule position              : 1
  From zone                  : untrust
    Destination addresses    : 65.x.x.x   - 65.x.x.x
    Destination port         : 22              - 22
  Action                     : dnat
  Translation hits           : 11
    Successful sessions      : 0
    Failed sessions          : 11
  Number of sessions         : 0
SRX# show security nat proxy-arp
interface reth0.22 {
    address {
        65.x.x.x/32;
    }
}

Re: SRX DESTINATION NAT (PROXY ARP?)

‎03-27-2019 07:04 PM

Ideally you don't need proxy ARP here, as this segment (THE INTERNET /28 & /32 ---------------(untrust public interface)SRX) is not falling under the (65.x.x.x ADMIN_DMZ) subnet.

 

Are you able to access 65.x.x.x from the internet, like a ping or something? If so, can you share the "show security flow session destination-prefix 65.x.x.x" output? This will help us to confirm the traffic flow directions.

Thanks,
Suraj
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too

Re: SRX DESTINATION NAT (PROXY ARP?)

‎03-27-2019 09:37 PM

Hi there,

 

Proxy ARP is ONLY needed when you want to receive traffic for an IP which is not configured on the ingress interface but falls in the same subnet.

 

e.g. 

Let the interface address be 1.1.1.1/24 and you want to receive traffic for 1.1.1.10. In this case, we will need a proxy-arp so that next-hop devices can forward traffic to this interface.

 

But if you are trying to receive traffic for 2.2.2.10 on the interface 1.1.1.1/24, you would NOT need proxy-arp. Rather you will need some routing protocol to export this route to your next hop so that they can forward it to you.

 

Coming back to your issue, I think the sessions are NOT failing due to NAT. They are failing because of the reverse route lookup.

 

When the traffic arrives at your device on the untrust interface, it is trying to access 65.x.x.x/32, which is being translated to 10.132.6.128/32.

 

But when the SRX looks up the return route, it would find that the 65.x.x.x subnet belongs to the ADMIN_DMZ zone, but the traffic originally arrived on the untrust zone. This will cause the session to fail.

 

My potential solution would be to write a specific static route to 65.x.x.x/32 pointing towards the Internet gateway

 

OR

 

use a different IP from the subnet on the untrust interface.

 

Hopefully this will solve the problem.

 

Thanks!
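The rule in the reply above (proxy ARP only for an address that sits inside the ingress interface's subnet but is not configured on it; anything outside the subnet needs a route instead) can be checked mechanically before touching the box. The following is an added example, not code from the thread or from Juniper; it uses only Python's standard ipaddress module, and the interface name, addresses and next hop it feeds in are constructed placeholders (the thread's real addresses are masked as 65.x.x.x / 72.x.x.x).

```python
import ipaddress


def arp_requirement(interface_cidr: str, target_ip: str) -> str:
    """Classify how an interface can receive traffic for target_ip.

    Returns one of:
      "owned"     - target is the interface's own address; nothing extra needed
      "proxy-arp" - target is inside the interface subnet but not configured on
                    it, so the device must answer ARP for it (proxy-arp)
      "route"     - target is outside the subnet; proxy-arp does nothing here,
                    the next hop needs a route that points at this device
      "invalid"   - network or broadcast address of the subnet, never a host
    """
    iface = ipaddress.ip_interface(interface_cidr)
    target = ipaddress.ip_address(target_ip)
    if target == iface.ip:
        return "owned"
    if target in iface.network:
        # Edge case: first/last address of the prefix are not usable hosts
        # (a /31 or /32 has no separate broadcast, handled by the equality above).
        if target in (iface.network.network_address,
                      iface.network.broadcast_address):
            return "invalid"
        return "proxy-arp"
    return "route"


def junos_statements(interface_name: str, interface_cidr: str,
                     target_ip: str, upstream_next_hop: str) -> list[str]:
    """Return the Junos 'set' statement(s) implied by arp_requirement().

    The proxy-arp statement mirrors the 'show security nat proxy-arp' block
    posted in the thread; the static route mirrors the reply's first suggestion
    (a host route for the translated address towards the Internet gateway).
    upstream_next_hop is an assumed value supplied by the caller.
    """
    need = arp_requirement(interface_cidr, target_ip)
    if need == "proxy-arp":
        return [f"set security nat proxy-arp interface {interface_name} "
                f"address {target_ip}/32"]
    if need == "route":
        return [f"set routing-options static route {target_ip}/32 "
                f"next-hop {upstream_next_hop}"]
    # "owned" needs nothing; "invalid" must not be configured at all
    return []


if __name__ == "__main__":
    # Constructed topology: untrust interface in a /28, DNAT address outside it,
    # same shape as the thread's 72.x.x.x untrust / 65.x.x.x ADMIN_DMZ split.
    untrust_if = "reth0.22"           # interface name taken from the thread
    untrust_cidr = "198.51.100.1/28"  # constructed documentation address
    dnat_public = "203.0.113.10"      # constructed, stands in for 65.x.x.x
    gateway = "198.51.100.14"         # constructed upstream next hop
    print(arp_requirement(untrust_cidr, dnat_public))          # route
    for line in junos_statements(untrust_if, untrust_cidr, dnat_public, gateway):
        print(line)
```

Run it with the real untrust interface prefix and the translated address: "route" means the proxy-arp entry on reth0.22 is not what makes the DNAT address reachable, and "proxy-arp" means it is. The generated statements are meant to be compared against the running config, not pasted blindly.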

 

 


Re: SRX DESTINATION NAT (PROXY ARP?)

‎03-27-2019 09:46 PM

AFAIK, SRX will do a reverse route lookup for the source IP, which is from the internet and is reachable via the untrust zone only. So I believe it may not be related to a return route issue. But collecting traces can confirm this.

Thanks,
Suraj
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too