SRX Services Gateway

Simple Destination NAT not working

03-26-2013 06:07 PM

Dear Community,

I am trying to do a simple destination NAT but so far without success.

Maybe one of you has an idea why it is not working for us?

What we want to do is a simple destination NAT from one of our public IPs configured on the untrust zone to one of our hosts within a dedicated management zone.

Scenario on our SRX650 A/P cluster:

reth0.0 untrust interface with two public IPs:

root@mysrx650# show interfaces reth0
redundant-ether-options {
    redundancy-group 1;
}
unit 0 {
    family inet {
        address xx.xx.10.4/27;
        address xx.xx.10.5/27;
    }
}

reth2.0 management interface with yy.yy.0.1/16:

root@mysrx650# show interfaces reth2
vlan-tagging;
redundant-ether-options {
    redundancy-group 1;
}
unit 0 {
    vlan-id 222;
    family inet {
        address yy.yy.0.1/16;
    }
}

The host we want to reach from the public IP xx.xx.10.5/27 is yy.yy.0.110/16.

The destination NAT is configured like this:

root@mysrx650# show security nat destination
pool dst_yy_yy_0_110 {
    address yy.yy.0.110/32;
}
rule-set zone-untrust-in {
    from zone untrust;
    rule rule1 {
        match {
            source-address 0.0.0.0/0;
            destination-address xx.xx.10.5/32;
        }
        then {
            destination-nat pool dst_yy_yy_0_110;
        }
    }
}

root@mysrx650# show security nat destination pool dst_yy_yy_0_110
address yy.yy.0.110/32;

Of course the host is reachable, and a security policy (incl. address book entry) has also been configured:

root@mysrx650# show security policies from-zone untrust to-zone MGMT

policy specific-access {
    match {
        source-address any;
        destination-address specific_host_yy_yy_0_110_32;
        application any;
    }
    then {
        permit;
    }
}

What could be the problem? Why can we still not reach the host in the management zone from outside?

Thanks and regards,

Re: Simple Destination NAT not working

03-26-2013 10:33 PM

Hi IT-onBaseGmbH,

I'm able to get some amount of information from this post; however, it would be good if you drew a diagram with the IP details of each host, SRX device interface, etc. Including the details of traffic direction will help in good understanding and in looking at it further.

Thanks,

SHKM


Re: Simple Destination NAT not working

03-27-2013 03:49 AM

Hi,

On your interface remove the following:

unit 0 {
    family inet {
        address xx.xx.10.4/27;
        address xx.xx.10.5/27;  <---- Remove this
    }
}

and add this under "edit security nat":

proxy-arp {
    interface reth0.0 {
        address {
            xx.xx.10.5/32;
        }
    }
}

A "show route" command should now reveal a Receive route for xx.xx.10.5

MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]
____________________________________________________

[Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too]

Re: Simple Destination NAT not working

03-27-2013 04:23 AM

Hi,

Thank you for your reply.

I've done it, but for some reason it is still not working:

{primary:node1}[edit security nat]
root@mysrx650# show
destination {
    pool dst_yy_yy_0_110 {
        address yy.yy.0.110/32;
    }
    rule-set zone-untrust-in {
        from interface reth0.0;
        rule rule1 {
            match {
                source-address 0.0.0.0/0;
                destination-address xx.xx.10.5/32;
            }
            then {
                destination-nat pool dst_yy_yy_0_110;
            }
        }
    }
}
proxy-arp {
    interface reth0.0 {
        address {
            xx.xx.10.5/32;
        }
    }
}

The public IP subnet xx.xx.10.0/27 is used as a transfer net to a Brocade switch which is positioned before the SRX650. The Brocade switch before the SRX has xx.xx.10.1/27.

The SRX650 untrust interface (reth0.0) then has xx.xx.10.4/27.

And if I add the IP xx.xx.10.5/27 as a second public IP to the untrust interface, then at least I can reach the untrust interface from the SRX, but if I remove the IP from the untrust interface and work with proxy-arp, I cannot reach the untrust interface under this IP anymore, and also not the internal host which is defined in the destination NAT.

I've attached our config, maybe one can see it better there.

The setup of our SRX650 cluster is in general like this:

We have a transfer network from Brocade switches before the SRX (yy.yy.10.0/27) which transfers multiple public subnets to our trust side (which in fact is more like an untrust2 side, in order to have IDP + AV for these subnets).

Our trusted hosts are in a zone called MGMT.

From the transfer network yy.yy.10.0/27 the Brocade switches are using .1 / .2 and .3, and the SRX has .4 with an installed route under routing-options to .1, which is the next hop for the SRX.

Everything is working fine, including dynamic VPN, but for some reason only the destination NAT is not doing what it should...

Best regards

Solution accepted by topic author IT-onBaseGmbH, 08-26-2015 01:27 AM

Re: Simple Destination NAT not working

03-27-2013 09:01 AM

Issue has been solved.

Everything is working again as expected thanks to Juniper JTAC Support.

The problem was a policy used by dynamic VPN which was processed before the access policy used for the destination NAT. After changing the policy priority everything worked like a charm.

Thanks anyway to all.
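The thread ends with the cause (a dynamic VPN policy evaluated ahead of the destination NAT access policy) but not with the commands used to find it. The following Junos CLI sequence is an added example, not from the thread or from Juniper's documentation for this case; it uses the thread's own zone, pool, rule and policy names, while "dynvpn-policy" and "<client-ip>" are assumed placeholders for the dynamic VPN policy that matched first and for the outside test client.

```junos
## Added example: checks for the destination NAT in this thread, then the policy reorder.
## Assumed names: dynvpn-policy (the dynamic VPN policy that matched first), <client-ip>.

## 1. With the /32 owned only via proxy-arp, the SRX must still hold a Receive route for it;
##    if this is missing, no inbound packet to xx.xx.10.5 is even accepted.
show route xx.xx.10.5

## 2. Confirm the destination NAT rule actually translates test traffic
##    (the "Translation hits" counter of rule1 must increase).
show security nat destination rule rule1
show security nat destination pool dst_yy_yy_0_110

## 3. Policies are evaluated top-down, first match wins. Show the order, then ask the box
##    which policy a test flow hits. Note: destination-ip is the post-NAT address, because
##    destination NAT is applied before the policy lookup.
show security policies from-zone untrust to-zone MGMT
show security match-policies from-zone untrust to-zone MGMT source-ip <client-ip> destination-ip yy.yy.0.110 source-port 40000 destination-port 22 protocol tcp

## 4. If the dynamic VPN policy is returned instead of specific-access, move the
##    specific policy in front of it and commit.
configure
edit security policies from-zone untrust to-zone MGMT
insert policy specific-access before policy dynvpn-policy
top
commit check
commit and-quit

## 5. Verify on a live session: the outside client's session should now show
##    xx.xx.10.5 translated to yy.yy.0.110 and policy specific-access as the matched policy.
show security flow session destination-prefix yy.yy.0.110
```

The same sequence also covers the earlier replies: step 1 validates the proxy-arp change, and steps 3 and 4 are the policy-order check and fix from the accepted solution.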