SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
Source Natting & Destination NAT

  • 1.  Source Natting & Destination NAT

    Posted 03-07-2012 13:52

    Friends,

     

    I have a strange question here; please bear with me if it sounds funny, but it is working live with a third-party firewall which is going to be replaced by the SRX.

     

    The third-party firewall is working with the policy below, and I want to do the same in the SRX:

     

    I have a server in my internal network, 192.168.1.1, which accepts only specific IPs as source addresses (192.168.10.1 to 192.168.10.100) on port 2445. The connection is initiated from the extranet with source IP address 172.16.10.0/24 to the destination virtual IP 192.168.100.1 on port 2445, which is then directed to the inside server 192.168.1.1 with a source IP address from the pool mentioned above.

     

    This means the third-party firewall is doing the destination NAT and the source NAT, both merged together into one flow to achieve the customer requirement.

     

    How do I achieve this in Juniper SRX?

     

    Tx



  • 2.  RE: Source Natting & Destination NAT

    Posted 03-07-2012 14:20

    Hi,

     

    I think you could accomplish this with some double NAT.

     

    1. Source NAT From 172.16.10.0/24 ---> Translate to 192.168.10.0/26 range or something in this range.

    2. Destination NAT from 192.168.10.0/26 ---> Translate to 192.168.100.1

    3. Proxy ARP on the interface exiting to the 192.168.100.1 server for the 172.16.10.0/24 range

     

    See the example on page 11 of the document below:

     

    http://kb.juniper.net/library/CUSTOMERSERVICE/technotes/Junos_NAT_Examples.pdf



  • 3.  RE: Source Natting & Destination NAT

    Posted 03-08-2012 11:11

    Hello Dear,

     

    The example shown in the above link I didn't understand; can you explain more on that example? The only thing I understood is the source NAT below, and I didn't understand the destination NAT!!!!

    From the source NAT:

    any source going to any destination from trust to untrust should go via the pool specified.

     

    But I have found something on the internet which matches my scenario; just confirm to me that I am on the right path and that my configs below are correct according to the details provided.

     

    EXTRANET SUBNETS (THE IPs WHICH ARE GOING TO ACCESS THE INSIDE SERVERS)
    172.16.10.0/24

    INSIDE SERVER REAL IP
    192.168.1.1/32

    SERVER ACCEPTS ONLY THIS SOURCE POOL BECAUSE OF A CONSTRAINT BY THE APPLICATION
    192.168.2.1 TO 192.168.2.254

    DESTINATION NAT VIRTUAL IP
    192.168.100.1

     

    source {
        pool intermediate-net {
            address {
                192.168.2.0/24;
            }
            port no-translation;
        }
        rule-set nat-example {
            from zone extranet;
            to zone internal;
            rule double-nat-source {
                match {
                    source-address 172.16.10.0/24;
                }
                then {
                    source-nat pool intermediate-net;
                }
            }
        }
    }
    destination {
        pool trust-net {
            address 192.168.1.1/32;
        }
        rule-set nat-example {
            from zone extranet;
            rule double-nat-dest {
                match {
                    destination-address 192.168.100.1/32;
                }
                then {
                    destination-nat pool trust-net;
                }
            }
        }
    }

     

     

     

    If the configs are not correct, please write a config for me according to the above details of the server IPs.

     



     

    THANKS



  • 4.  RE: Source Natting & Destination NAT

    Posted 03-09-2012 02:01

    Hopefully something like this below will work:

     

    EXTRANET SUBNETS (THE IPs WHICH ARE GOING TO ACCESS THE INSIDE SERVERS)
    172.16.10.0/24
    
    INSIDE SERVER REAL IP
    192.168.1.1/32
    
    SERVER ACCEPTS ONLY THIS SOURCE POOL BECAUSE OF A CONSTRAINT BY THE APPLICATION
    192.168.2.1 TO 192.168.2.254
    
    DESTINATION NAT VIRTUAL IP
    192.168.100.1
    
     
    
    source {
        pool intermediate-net {
            address {
                192.168.2.0/24;
            }
            port no-translation;
        }
        rule-set nat-example {
            from zone extranet;
            to zone internal;
            rule double-nat-source {
                match {
                    source-address 172.16.10.0/24;
                }
                then {
                    source-nat pool intermediate-net;
                }
            }
        }
    }
    destination {
        pool trust-net {
            address 192.168.1.1/32;
        }
        rule-set nat-example {
            from zone extranet;
            rule double-nat-dest {
                match {
                    destination-address 192.168.100.1/32;
                }
                then {
                    destination-nat pool trust-net;
                }
            }
        }
    }


  • 5.  RE: Source Natting & Destination NAT

    Posted 03-09-2012 05:43

    Thanks, dear,

     

    I will surely do the below and update the thread.

     

    • But I have a question: there is no matching keyword that calls the destination NAT from the source NAT. For example, in Cisco routers the route map calls access-list 110, so I am assuming the same with Juniper.

     

    access-list 110 permit ip any any

     

    route-map external permit 10

    match ip address 110

    set ip next-hop 192.168.X.X

     

    • How is NAT evaluated in the SRX? With Cisco it checks static first and then so on, so what is the procedure for evaluating NAT in the SRX when a packet arrives at the interface?
    • In Cisco I have the packet-tracer command to troubleshoot a packet which is failing to get into or exit the firewall; it shows me the steps where the packet is failing, for example in an access-list, in NAT, or because of routing. Is there any such command in Juniper, like Cisco's packet tracer?

     

    Thanks for your replies.



  • 6.  RE: Source Natting & Destination NAT

    Posted 03-12-2012 10:17

     

     

    The double NAT solution above doesn't work; how can I trace the packet to see at which step it is dropped????

     

    Can anybody answer the above questions for me?



  • 7.  RE: Source Natting & Destination NAT

    Posted 03-12-2012 12:36

    Hi,

     

    I have modified the config above as I feel it was slightly wrong. Destination and Static NAT happen before Source.

     

    All the monitoring and translation monitoring you can find here:

     

    "show security flow session match <network-prefix>" is best for viewing NAT, and also

     

    "show security nat <source/destination> all" (this will show you the translation hits)

     

    http://www.juniper.net/us/en/local/pdf/app-notes/3500151-en.pdf



  • 8.  RE: Source Natting & Destination NAT

    Posted 03-12-2012 15:49

    Thanks, dear,

     

    I will apply the configs and update the thread.

     

    But these are the same as what I have written in my previous mail, and I also wrote them with the help of the attached document before.

     

    Tx



  • 9.  RE: Source Natting & Destination NAT

    Posted 03-13-2012 08:33

    Hello,

     

    The above config worked properly, and here is the session info:

     

    Session ID: 152506, Policy name: ABCD-NAT/6, State: Active, Timeout: 1788, Valid

    In: 172.16.10.14/18498 --> 192.168.100.1/2445;tcp, If: reth2.254, Pkts: 4, Bytes: 164

    Out: 192.168.1.1/2445 --> 192.168.2.253/59488;tcp, If: reth0.0, Pkts: 2, Bytes: 84

     

    But can you explain to me the steps the SRX is doing to reach the inside server? The above config you wrote for me is strange to me, because how are the destination NAT and source NAT communicating with each other without any matching call between them?

     

    Can you explain to me step by step what happens when the packet enters and exits the SRX for the above NAT????



  • 10.  RE: Source Natting & Destination NAT

    Posted 03-13-2012 09:01

    The order of NAT processing: Static NAT --> Destination NAT --> Reverse Static NAT --> Source NAT


    • 172.16.10.0/24 attempts a connection to 192.168.100.1

     

    • We are matching on the destination address, so traffic is translated toward 192.168.1.1 by destination NAT

     

    • Next is source NAT, so we are matching on the source address, which is 172.16.10.0/24, and translating this source address to 192.168.2.0/24

     



  • 11.  RE: Source Natting & Destination NAT

    Posted 03-13-2012 12:46

    Dear

     

    In the mail you have written above, at the 2nd step the process completes because it matched the condition, so why is it jumping to the 3rd step, i.e. source NAT??????

     

    I have configured many destination NATs for many servers; does this mean that after matching the condition of each destination NAT it also looks for the source NAT?????

     

    Tx



  • 12.  RE: Source Natting & Destination NAT

    Posted 03-13-2012 15:26

    After destination NAT, source NAT will happen before a packet is permitted.

     

    In this document, figure 13 on page 18 shows you the NAT processing and what happens before a packet is permitted:

     

    http://www.juniper.net/us/en/local/pdf/app-notes/3500151-en.pdf



  • 13.  RE: Source Natting & Destination NAT

    Posted 03-15-2012 12:21

    Hello Dear,

     

    I hope I am coming to the final point with this mail. Just confirm or correct me on these answers.

     

    Static NAT:

    Packets enter from the external network to access the inside server:

     

    1. Static NAT available? YES: translate the destination address
    2. Check the inside server route
    3. Check the policy to permit or deny
    4. Check the reverse static NAT --------> what does this actually mean??????
    5. If YES, reverse static NAT
    6. Permit the packet

     

    • If reverse static NAT ----> NO
    • Source NAT ---- YES: this source NAT means the actual source address which is hitting the inside server (NATted IP) is then translated from the pool IP addresses
    • Permit the packet

     


     

    Destination NAT:

    Packets enter from the external network to access the inside server:


    1. Destination NAT available? YES: translate the destination address
    2. Check the inside server route
    3. Check the policy to permit or deny
    4. Check the reverse static NAT --------> what does this actually mean??????
    5. If YES, reverse static NAT
    6. Permit the packet
    • If reverse static NAT ----> NO
    • Source NAT ---- YES: this source NAT means the actual source address which is hitting the inside server (NATted IP) is then translated from the pool IP addresses. If suppose I create two different pools with the same matching source addresses, then from which pool will the source take an IP address..???
    • Permit the packet.

     

    TX

     

     



  • 14.  RE: Source Natting & Destination NAT

    Posted 03-15-2012 15:40

    Reverse Static NAT would be the return traffic originating from the trust to the untrust zone, for example. It takes precedence over source NAT rules during reverse mapping.

     

    You cannot configure 2 pools (in the same rule), so to speak, but if you add multiple IP ranges to a pool it will spread it out over both ranges.

     

    pool Pool1 {
        address {
            1.1.1.0/24;
            2.1.1.0/24;
        }
    }

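    The thread's question in posts 9 to 13 (why source NAT still runs after a destination NAT rule has matched) and the answer in post 14 (one pool, several ranges) can both be made concrete by stepping a first packet through the SRX NAT order that post 10 gives: static NAT, destination NAT, route lookup, policy lookup, reverse static NAT, source NAT. The Python below is an added illustration written for this page; it is not code from the thread, from Juniper, or from the SRX itself. The rule tables mirror the config posted in reply 4 plus the two-range `Pool1` from reply 14; the route table, the zone policy and the `pick_from_pool` allocator are assumptions made so the model runs offline, and the allocator is deliberately simplified rather than the SRX's own pool algorithm.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


# Constructed rule tables mirroring the config the thread converged on (reply 4),
# plus the two-range pool from reply 14. Not the SRX's internal data structures.
DEST_NAT_RULES = [  # (from-zone, match destination prefix, translate to)
    ("extranet", "192.168.100.1/32", "192.168.1.1"),
]
SRC_NAT_RULES = [  # (from-zone, to-zone, match source prefix, pool name)
    ("extranet", "internal", "172.16.10.0/24", "intermediate-net"),
]
POOLS = {
    "intermediate-net": ["192.168.2.0/24"],  # 'port no-translation' pool
    "Pool1": ["1.1.1.0/24", "2.1.1.0/24"],   # one pool, two address ranges
}
# Assumed route table (prefix -> egress zone) and zone policy; both are
# placeholders standing in for the SRX's route and policy lookups.
ROUTES = {"192.168.1.0/24": "internal", "172.16.10.0/24": "extranet"}
POLICY = {("extranet", "internal"): True}  # zone pair -> permitted?


def route_lookup(dst):
    """Longest-prefix match on the (already translated) destination; returns the egress zone or None."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, zone in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, zone)
    return best[1] if best else None


def pick_from_pool(pool_name, src):
    """Simplified allocator (an assumption, not the SRX algorithm): hash the
    source over every host of every range, so a multi-range pool is spread
    across all of its ranges, as reply 14 describes."""
    hosts = [h for prefix in POOLS[pool_name]
             for h in ipaddress.ip_network(prefix).hosts()]
    return str(hosts[int(ipaddress.ip_address(src)) % len(hosts)])


def process(pkt, in_zone):
    """Walk one first packet through the NAT order from reply 10 and return
    (translated packet, or None if the policy denies it; list of trace lines)."""
    trace = ["static NAT: no rule configured"]                 # step 1
    for zone, prefix, new_dst in DEST_NAT_RULES:              # step 2: matches on destination only
        if zone == in_zone and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(prefix):
            pkt = replace(pkt, dst=new_dst)
            trace.append(f"destination NAT: {prefix} -> {new_dst}")
            break
    else:
        trace.append("destination NAT: no match")
    out_zone = route_lookup(pkt.dst)                          # step 3: route on translated destination
    trace.append(f"route lookup: {pkt.dst} -> zone {out_zone}")
    if out_zone is None or not POLICY.get((in_zone, out_zone), False):
        trace.append("policy: deny")                          # step 4
        return None, trace
    trace.append(f"policy {in_zone} -> {out_zone}: permit")
    trace.append("reverse static NAT: no rule configured")    # step 5
    for fz, tz, prefix, pool in SRC_NAT_RULES:                # step 6: a separate match on the source
        if (fz, tz) == (in_zone, out_zone) and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(prefix):
            new_src = pick_from_pool(pool, pkt.src)
            pkt = replace(pkt, src=new_src)
            trace.append(f"source NAT: {prefix} -> pool {pool} ({new_src}), port kept")
            break
    else:
        trace.append("source NAT: no match")
    return pkt, trace


def session_wings(original, translated):
    """Format the two wings the way the session output in reply 9 lists them:
    In = the original 5-tuple, Out = the reply direction after translation."""
    wing_in = f"{original.src}/{original.sport} --> {original.dst}/{original.dport};{original.proto}"
    wing_out = f"{translated.dst}/{translated.dport} --> {translated.src}/{translated.sport};{translated.proto}"
    return wing_in, wing_out


if __name__ == "__main__":
    # Constructed first packet, the same 5-tuple as the session shown in reply 9.
    first = Packet("172.16.10.14", 18498, "192.168.100.1", 2445)
    result, steps = process(first, "extranet")
    print("\n".join(steps))
    print(*session_wings(first, result), sep="\n")
```

    The point the thread circles around shows up in the trace: the destination NAT rule and the source NAT rule never reference each other. Each is matched on its own field at its own step, so a packet from outside 172.16.10.0/24 to the virtual IP is still destination-translated but keeps its original source, and the source NAT pool is only consulted after route and policy lookup have passed.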

  • 15.  RE: Source Natting & Destination NAT

    Posted 03-15-2012 16:21

    Hello Dear,

     

    So according to your mail, what I understand is: suppose traffic is coming from outside to internal.

     

    destination NAT

    route lookup

    policy lookup

    no reverse NAT for the internal IP of the server --> this means no NAT for the server's private IP

    do source translation for the real IP which is hitting the destination IP from outside.

     

    If the above explanation is wrong, please give one best scenario to understand.

     

    SRX gateways are stateful, so why do they need reverse NAT unless traffic is initiated from outside?

     

    Thanks

     



  • 16.  RE: Source Natting & Destination NAT

    Posted 03-16-2012 02:17

    With Static NAT, traffic would originate from both outside and inside. An example of this would be a mail server. It is a direct one-to-one mapping between the mail server and the SRX. Both the internal and the remote host can initiate a connection.

     

    In your case you require /24 subnets to be translated, so Static NAT is not an option. Static NAT will always take precedence over other NAT.

     

     



  • 17.  RE: Source Natting & Destination NAT

    Posted 03-16-2012 02:51

    Hello Dear,

     

    Thanks for your patience and for bearing with me to make me understand; I also appreciate your replies.

     

    I am aware that static NAT is bidirectional but destination NAT is not, so for destination NAT reverse static NAT does not apply. So when traffic is hitting a destination-NATted IP with a source IP which matches the source NAT, then the source NAT will do the action; otherwise the destination NAT will act as normal by matching its own condition.

     

    If the above is not correct, please help me to understand, by explaining a simple example, why in my scenario source NAT is coming into the flow.

     

    Tx



  • 18.  RE: Source Natting & Destination NAT

    Posted 03-16-2012 04:19

    You are correct. With destination NAT there needs to be a source NAT rule for traffic initiating from inside (provided you wish the internal server/servers to be able to initiate traffic). Static NAT does not require this as it creates both source and destination NAT.

     

    This could be an interface-based source NAT rule such as the one below:

     

    Here the return traffic would go out on the IP of the external interface you have configured on the SRX. You could also configure a NAT pool if you have a range of external addressing.

     

    rule Current_LAN {
        match {
            source-address 192.168.1.0/24;
        }
        then {
            source-nat {
                interface;
            }
        }
    }

     



  • 19.  RE: Source Natting & Destination NAT

    Posted 03-16-2012 15:21

    Hello,

     

    What I have explained above is for the traffic going from outside to inside, because in my scenario the traffic is hitting from outside to inside, and while entering inside the source IPs are changed from the pool specified.

     

    But you are giving me the explanation of source NAT for the return packet. As far as I know, the SRX is a stateful firewall: when a packet comes in, it will definitely go out without any source NAT from inside if the traffic is initiated from the outside.

     

    BUT

    if the server is configured for destination NAT and the server itself wants to initiate a connection, then the server requires source NAT from inside to outside to reach the destination outside.

     

    Tx



  • 20.  RE: Source Natting & Destination NAT

    Posted 03-17-2012 01:32
    Sorry. If you only want traffic initiated from outside, destination NAT alone is fine. I was trying to give you the reverse of static NAT using source and destination NAT.

    What you said above is correct.


  • 21.  RE: Source Natting & Destination NAT
    Best Answer

    Posted 03-17-2012 12:41

    Hello

     

    So let's come to the point: after every destination NAT, if it is successful, it checks the source NAT. That means it checks the source NAT for the source address which is hitting the NATted IP (the one seen by the outside world) of the destination NAT, such as in my scenario, and if it matches the source NAT then the packet will be translated to the source NAT pool and sent to the server's real IP.

     

    THE ABOVE ALL IS HAPPENING IN MY SCENARIO.

     

    If the above explanation is wrong please correct me, and please bear with me to make me understand.



  • 22.  RE: Source Natting & Destination NAT

    Posted 03-18-2012 05:29

    Yes, that sums it all up!



  • 23.  RE: Source Natting & Destination NAT

    Posted 03-18-2012 13:19

    Hello,

     

    Thanks for your replies; I have accepted it as a solution. Is there any place I can give more points to you?



  • 24.  RE: Source Natting & Destination NAT

    Posted 03-19-2012 01:04

    I think you accepted your own comment as the solution!

     

    You can click the "kudo" button in my answer. That will give some extra credit to the topic. Thanks!



  • 25.  RE: Source Natting & Destination NAT

    Posted 03-19-2012 23:41

    Hello

     

    It was a mistake on my end that I clicked my post as the accepted solution instead of your post; that was a confirmation mail at the end. But I have clicked on most of the kudos for you, and you deserve the points.

     

     

     

    Thanks for the explanation and support.



  • 26.  RE: Source Natting & Destination NAT

    Posted 03-20-2012 03:05

    No problem. Thank you for the kudos!