SRX Services Gateway

SRX NAT internal routing issue side effect.

‎05-23-2016 03:57 AM

A few weeks ago, I posted an issue whereby internal users in the trust zone couldn't access servers also in the trust zone that had static NAT set up in the untrust zone using the public URL or IP address. See original post below.

https://forums.juniper.net/t5/SRX-Services-Gateway/SRX-NAT-Routing-internal-issue/m-p/291379#M40794

I also have a DMZ where I have a few servers and will in time be transitioning as many servers as I can from the trust zone to the DMZ. However, our name servers for our domains are in the DMZ. Since doing the above, if I make a request to an internal resource from outside (so at home or Starbucks), the domain name is resolving to the internal IP address. I've checked the name servers and they are configured correctly; all DNS records are public IP addresses. Domain testing and nslookups confirm this.

Anyone got any ideas? I can provide config if needed.

Regards,

Aaron


Re: SRX NAT internal routing issue side effect.

‎05-23-2016 07:11 PM

Hello Aaron,

I have seen a similar case when using Static NAT, but once I changed to Destination NAT, it worked perfectly. It may be an issue with DNS and static NAT. Can you try changing this to destination NAT and see if you are getting the correct IP for the DNS?


Thanks,
Sam


Re: SRX NAT internal routing issue side effect.

‎05-27-2016 03:02 PM

Sounds like the DNS doctoring ALG may be active on the device and updating records automatically.

Try explicitly turning this off and test if the behaviour changes.

set security alg dns disable

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home