SRX Services Gateway

SRX320 filter base forwarding with Nat on routing instance issue

‎11-28-2018 08:28 AM

Dear all,
I need help configuring an SRX320 (15.1X49-D150) for filter-based forwarding with NAT on a routing instance.

I have ISP1 via pp0.0 and ISP2 via ge-0/0/1 (131.1.1.201), which is connected to an ADSL modem (131.1.1.200).
All port forwarding on the ADSL modem goes to ge-0/0/1 of the SRX.

I need the IP address 10.78.1.250 in the Trust zone (ge-0/0/2) to use ISP2 directly.
Things go well with the commands below, in addition to the needed policy and source NAT from Trust to ISP2 for 10.78.1.250 using the egress interface.

set interfaces ge-0/0/2 unit 0 family inet filter input webFilter
set firewall family inet filter webFilter term 1 from source-address 10.78.1.250/32
set firewall family inet filter webFilter term 1 then routing-instance webtraffic
set firewall family inet filter webFilter term 2 then accept
set routing-instances webtraffic instance-type forwarding
set routing-instances webtraffic routing-options static route 0.0.0.0/0 next-hop 131.1.1.200
set routing-options interface-routes rib-group inet FBF-rib
set routing-options rib-groups FBF-rib import-rib inet.0
set routing-options rib-groups FBF-rib import-rib webtraffic.inet.0

The above makes the IP address 10.78.1.250 successfully use only ISP2.
Now I need NAT (port forwarding) from the Internet to this IP address (10.78.1.250).
I configured static NAT and also destination NAT from the ISP2 zone or interface (ge-0/0/1), matching the destination IP of ge-0/0/1 (131.1.1.201) and translating it to the internal prefix (10.78.1.250).

It doesn't work.
How can I make NAT work as explained above?


Re: SRX320 filter base forwarding with Nat on routing instance issue

‎11-28-2018 09:07 AM

Hi,

Please share your NAT configuration which is not working.

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: SRX320 filter base forwarding with Nat on routing instance issue

‎11-30-2018 05:01 PM

Hi, and thanks for your reply.

Please find below the explained scenario:

All Trust users go to the Internet via ISP1 (pp0.0), except one IP (10.78.1.250) which must go via ISP2 (ge-0/0/1, connected to the ADSL modem).

This is done successfully using filter-based forwarding as below, with instance-type forwarding.

set interfaces ge-0/0/2 unit 0 family inet filter input webFilter                      (ge-0/0/2=10.78.1.1=Trust)
set firewall family inet filter webFilter term 1 from source-address 10.78.1.250/32
set firewall family inet filter webFilter term 1 then routing-instance webtraffic
set firewall family inet filter webFilter term 2 then accept
set routing-instances webtraffic instance-type forwarding
set routing-instances webtraffic routing-options static route 0.0.0.0/0 next-hop 131.1.1.200 (adsl modem)
set routing-options static route 0.0.0.0/0 next-hop pp0.0
set routing-options interface-routes rib-group inet FBF-rib
set routing-options rib-groups FBF-rib import-rib inet.0
set routing-options rib-groups FBF-rib import-rib webtraffic.inet.0
set security nat source rule-set FB from zone Trust
set security nat source rule-set FB to zone ISP2
set security nat source rule-set FB rule R1 match source-address 10.78.1.250/32
set security nat source rule-set FB rule R1 match destination-address 0.0.0.0/0
set security nat source rule-set FB rule R1 then source-nat interface

The same IP (10.78.1.250) is configured with static NAT to allow traffic to it from ISP2.

Traffic comes to the ADSL modem --> NAT to SRX ge-0/0/1 (ISP2 zone). Static NAT is configured from the ISP2 zone, matching the destination IP of ge-0/0/1 (131.1.1.201) and translating it to the internal prefix (10.78.1.250).

What needs to be modified to make the static NAT work, as the configuration below doesn't work? (The needed security policies are configured too; omitted here.)

set security nat static rule-set FB1 from zone ISP2
set security nat static rule-set FB1 rule ru1 match destination-address 131.1.1.201/32 (srx-ge-0/0/1port)
set security nat static rule-set FB1 rule ru1 match destination-port 134
set security nat static rule-set FB1 rule ru1 then static-nat prefix 10.78.1.250/32
set security nat static rule-set FB1 rule ru1 then static-nat prefix mapped-port 134

I also tried configuring the routing instance type as virtual-router, and doing the static NAT from the routing instance instead of the ISP2 zone, but to no avail.

Can the instance-type be configured as virtual-router, with the ISP2 port (ge-0/0/1) and the static NAT added to it, without adding the Trust interface (ge-0/0/2)?

Thanks and regards,

Re: SRX320 filter base forwarding with Nat on routing instance issue

‎12-01-2018 04:51 AM

I see that the address used for the server is not the same as the interface address but is in the same subnet.

131.1.1.201 -- NAT address

131.1.1.20 -- interface address

Is proxy ARP enabled for the NAT address on the SRX interface?

This is needed for this situation.

If it is already on, when you make the connection attempt, can you look at the session table at the same time to see which policy and NAT action is taken by the SRX? Use the public source address your inbound connection attempt is coming from to see how the SRX matches the traffic.

show security flow session source-prefix x.x.x.x


Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: SRX320 filter base forwarding with Nat on routing instance issue

‎12-01-2018 05:11 AM

Hi Puluka,

Thanks for your reply. I don't see in my post that there is an IP address 131.1.1.20.

However, the NAT address and the interface IP address of ge-0/0/1 are the same: 131.1.1.201. So I am not using proxy ARP.

Is there any other suggestion to solve my issue?

Regards,

Re: SRX320 filter base forwarding with Nat on routing instance issue

‎12-01-2018 09:55 AM

If the NAT address is the same as the interface address, then proxy ARP is not needed.

Please do run the session viewer to see what policy your inbound connection attempts are hitting. This will also show the NAT rules that are engaged. If they are hitting the incorrect policy or NAT rule, we will see which one and can look at the policy details and ordering to adjust and move policies to have the desired effect.

If no session is created, then the policies are not correct, so we will need to see the whole policy stack to determine why.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: SRX320 filter base forwarding with Nat on routing instance issue

‎12-03-2018 05:34 AM

Hi,

Your configuration looks good and the static NAT should work. Are you sure that the traffic is hitting the SRX?

Please enable flow traceoptions and initiate traffic to see where the packet is getting dropped.

1. Enable flow trace:

set security flow traceoptions file FLOW.log size 10m
set security flow traceoptions flag packet-drops
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter p1 source-prefix <ip address of the outside PC from where traffic is initiated>
set security flow traceoptions packet-filter p2 destination-prefix <ip address of the outside PC from where traffic is initiated>
commit

2. Initiate traffic from outside (ISP2).

3. Remove flow traceoptions:

delete security flow traceoptions

4. Analyze FLOW.log or share it with us:

show log FLOW.log | match "p[12]|permit|drop|policy"

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
Solution (accepted by topic author motheri)

Re: SRX320 filter base forwarding with Nat on routing instance issue

‎12-03-2018 06:08 AM

Hi,

It works after adding the routing instance to the static NAT and also adding the routing instance to the interface connected to ISP2.