SRX Services Gateway

SRX NAT/Routing internal issue

‎05-05-2016 10:11 AM

So I am in the process of replacing my organisation's SSGs with SRXs. Mostly configured OK, all was working; however, I seem to be having some very strange routing issues, at least I think it's a routing problem.


I've created zones, assigned interfaces to zones, set up address books, set up static NAT for internal resources, set up policies and created proxy ARP entries for static NAT.


Externally everything works as it should: the user enters the URL, DNS resolves to the IP, it goes through NAT, policy, etc. All is fine. The user gets resource access.

Internally, users can get out to the internet and everything is fine until they try to access an internal resource using the external URL. For a few resources this is required.


Internally, if I ping an external IP, I get a reply from the firewall's internal interface, which is not the behaviour I would expect. I would expect the packet to be dropped, as the policy only allows HTTP and HTTPS requests. If it was allowed, I would expect the response from the server, not the firewall.

If I do an HTTP or HTTPS request to the same IP (or using the URL), I get nothing. I did a packet capture on the firewall: I see the incoming HTTP request but no reply, nothing after that.


The IP range for these particular servers is in the same zone as the LAN rather than the DMZ. I have wondered if that was the issue, but that is how they were configured on the SSG. Apart from that I can't see any problems. I'm going to reboot the firewall about midnight; hopefully that will resolve our problems. But it won't give me answers.


Another solution would be to set up our external DNS internally, pointing to internal IPs, but I would rather resolve this properly.


Thanks for all your help in advance. See config attached.





Accepted by topic author Aaron.Charles.Hall
‎05-12-2016 08:35 AM

Re: SRX NAT/Routing internal issue

‎05-05-2016 10:37 PM

Hi,


If I understand your description correctly, the following KB should help you.



Pradeep 2xJNCIE(SEC/ENT)