SRX Services Gateway

Users cannot access mail server (which has a public IP) via the same PPPoE interface

10-08-2012 01:02 AM
I have a mail server in vlan200; vlan100 is the user VLAN.
Vlan200 and vlan100 access the Internet via the PPPoE interface pp0.0.
The mail server has a public IP (call it A.A.A.A), which my ISP routes to me.
I implemented static NAT on the SRX for the public IP A.A.A.A. Every packet sent to A.A.A.A is
translated to B.B.B.B (the local IP of the mail server).

Outside users, and users who use another PPPoE interface, can access the mail server.
But users who use the same interface pp0.0 cannot.

I've attached my network diagram. So what is the trouble with this setup?
Thanks!


Re: Users cannot access mail server (which has a public IP) via the same PPPoE interface

10-11-2012 10:49 PM

Hi,

How is your static NAT match condition configured currently? Does it include the user VLAN too?

If you have done a flow trace, that should help us understand the problem much better.

Regards,
Pradeep 2xJNCIE(SEC/ENT)

Re: Users cannot access mail server (which has a public IP) via the same PPPoE interface

10-14-2012 07:48 PM

Thank you for your reply. Here is my configuration. The user VLAN and the mail server use the same default route to the Internet.

I will do the flow trace and the update is coming soon!

super@BB6-RTN01# show security nat static
rule-set C42-static-mail {
    from zone untrust;
    rule rule1 {
        match {
            destination-address 121.89.40.105/32;
        }
        then {
            static-nat prefix 172.22.0.10/32;
        }
    }
}

super@BB6-RTN01# show routing-options static
route 172.16.0.0/12 discard;
route 0.0.0.0/0 {
    qualified-next-hop pp0.0 {
        metric 5;
    }
    qualified-next-hop pp0.4 {
        metric 10;
    }
}

super@BB6-RTN01# show security zones security-zone trust
tcp-rst;
interfaces {
    ae2.100;
    ae2.200;
}

super@BB6-RTN01# show security zones security-zone untrust
inactive: screen untrust-screen;
host-inbound-traffic {
    system-services {
        ping;
        ssh;
        telnet;
    }
}
interfaces {
    pp0.0;
    pp0.1;
    pp0.2;
    pp0.3;
    pp0.4;
}

super@BB6-RTN01# show interfaces pp0
unit 0 {
    ppp-options {
        pap {
            access-profile PPPoE;
            local-name ftthxxxx;
            local-password "$9$gu4GDjHqzn/5T/tp0cSYgoaGikqm"; ## SECRET-DATA
            passive;
        }
    }
    pppoe-options {
        underlying-interface ge-4/0/0.0;
        idle-timeout 0;
        auto-reconnect 10;
        client;
    }
    family inet {
        negotiate-address;
    }
}

super@BB6-RTN01# show security policies from-zone trust to-zone untrust
policy permit-all {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit;
    }
}

super@BB6-RTN01# show security policies from-zone untrust to-zone trust
policy static-mail {
    match {
        source-address any;
        destination-address server1;
        application any;
    }
    then {
        permit;
    }
}

super@BB6-RTN01# show security zones security-zone trust
tcp-rst;
address-book {
    address server1 172.22.0.10/32;
}

Solution
Accepted by topic author vietht
08-26-2015 01:27 AM

Re: Users cannot access mail server (which has a public IP) via the same PPPoE interface

10-15-2012 01:24 PM

Hi,

I guess you are using DNS to resolve your mail server name to its public IP address, not the private one. So a user on the same pp0 whose destination is 121.89.40.105 will use the default route to your ISP, which will send the traffic back again to your SRX on the same link; that's why the SRX drops the packet.

For any other PP interface, traffic is sent through pp0.4, for example, and comes back from your ISP on pp0.0, so the SRX forwards the traffic normally, as the packet is received on a different interface.

1- I suggest you add zone trust to the static NAT rule set, so it will be like from zone [ trust untrust ];

so static NAT will be performed on the SRX itself on the LAN side and the packet sent to the mail server directly instead of going to the ISP cloud and returning again to your box.

2- Another solution: if you are using a local DNS, add an entry on it for your mail server mapped to the private IP 172.22.0.10, so user traffic will go directly to your mail server without any NAT.

 

Mohamed Elhariry

JNCIE-M/T # 1059, CCNP & CCIP

Regards,
Mohamed Elhariry
2* JNCIE (SEC # 159, SP # 1059),JNCIP-ENT
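The fix from the reply above written out as a complete configuration fragment. This is an added example, not configuration taken from the thread: it keeps the thread's rule-set name, addresses and the server1 address-book entry, while the policy name permit-mail-from-lan and the narrowed application list are assumptions (the thread's own policies use application any).

```junos
security {
    nat {
        static {
            /* Applied from both zones: a vlan100 user sending to 121.89.40.105
               is translated as the packet enters on ae2.100, so it is routed
               to ae2.200 and never leaves through pp0.0. */
            rule-set C42-static-mail {
                from zone [ trust untrust ];
                rule rule1 {
                    match {
                        destination-address 121.89.40.105/32;
                    }
                    then {
                        static-nat prefix 172.22.0.10/32;
                    }
                }
            }
        }
    }
    policies {
        /* Users (ae2.100) and the server (ae2.200) share zone trust, so the
           translated flow is intra-zone and is denied unless a trust-to-trust
           policy permits it. Policy name and application list are assumed. */
        from-zone trust to-zone trust {
            policy permit-mail-from-lan {
                match {
                    source-address any;
                    destination-address server1;
                    application [ junos-smtp junos-pop3 junos-imap junos-http junos-https ];
                }
                then {
                    permit;
                }
            }
        }
    }
}
```

After `commit check` and commit, open a mailbox from a vlan100 host and confirm the translation with `show security nat static rule all` (the rule's translation hit counter increases) and `show security flow session destination-prefix 172.22.0.10`: the session should enter on ae2.100 and leave on ae2.200 with pp0.0 nowhere in the path. One caveat: this works cleanly here because the users and the server sit on different VLANs that the SRX routes between, so the server's replies pass back through the same session and are un-translated. If client and server were on the same subnet, the reply would go straight to the client and bypass the SRX, and the hairpinned flow would additionally need a source NAT rule so the server answers to the SRX.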

Re: Users cannot access mail server (which has a public IP) via the same PPPoE interface

10-23-2012 01:54 AM

Thank you, Mohamed!

I've just understood my trouble. It's exactly as you describe. My network has no local DNS, so choice 1 will be my solution.

I'm trying to fix it. Is this configuration enough?

 

 

super@BB6-RTN01# show security policies from-zone trust to-zone trust      
policy TC6-permit-mail {
    match {
        source-address 1.1.1.1/32;
        destination-address 172.22.0.10/32;
        application any;
    }
    then {
        permit;
    }
}
 
 
[edit security nat destination]
+     pool xxx {
+         address 1.1.1.1/32;
+     }
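Review bot: pool xxx maps the public address to 1.1.1.1/32, which is not the mail server; the host behind 121.89.40.105 is 172.22.0.10 (the static-nat prefix already in rule-set C42-static-mail), so if 1.1.1.1 is a placeholder the pool should read `address 172.22.0.10/32;`. The trust-to-trust policy above also matches `source-address 1.1.1.1/32`, which no vlan100 user has, so the translated flow would still be denied; the source there should be the user prefix (or any) and the destination 172.22.0.10/32.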
[edit security nat destination]
+     rule-set xx {
+         from zone trust;
+         rule r1 {
+             match {
+                 destination-address 121.89.40.105/32;
+             }
+             then {
+                 destination-nat pool xxx;
+             }
+         }
+     }
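Review bot: this rule set reimplements for zone trust what the existing static rule-set C42-static-mail already does for the same destination-address 121.89.40.105/32, leaving two translations of one public address to keep in sync. The simpler change is to apply the existing static rule set from zone trust as well (`from zone [ trust untrust ]`), which keeps the reverse translation for the server's own outbound traffic in the same place. If destination NAT is kept instead, it is evaluated only for packets entering from zone trust, so the untrust static rule set must stay.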

Re: Users cannot access mail server (which has a public IP) via the same PPPoE interface

10-23-2012 03:18 AM

Hi,

I think you need just one command:

# set security nat static rule-set C42-static-mail from zone trust

and you might need a policy from zone trust to zone trust to allow traffic within one zone if your users and your mail server are both in one zone (trust), or, if they are separate, for example a dmz zone, from trust to dmz.

 

Regards,

Mohamed
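The one-line fix above is easy to check for mechanically. The script below is an added example, not code from the thread or from Juniper: it parses a Junos configuration fragment (constructed here from the static NAT rule set and trust zone posted earlier in the thread) and reports every static NAT rule set that is not applied to traffic entering from a LAN zone. The definition of a LAN zone (any zone whose interfaces are not pp0.* PPPoE units) and the sample text are assumptions.

```python
"""Report Junos static NAT rule sets that are not applied to traffic entering
from a LAN zone, so internal hosts using a server's public address would be
routed to the ISP instead of being translated on the SRX.
Added example, not from the thread. Assumption: a zone with at least one
non-pp0.* interface is a LAN zone whose hosts may use the public address.
"""
import re

# Constructed sample: the original (broken) rule set plus the trust zone.
ORIGINAL_CONFIG = """
security {
    nat {
        static {
            rule-set C42-static-mail {
                from zone untrust;
                rule rule1 {
                    match {
                        destination-address 121.89.40.105/32;
                    }
                    then {
                        static-nat prefix 172.22.0.10/32;
                    }
                }
            }
        }
    }
    zones {
        security-zone trust {
            interfaces {
                ae2.100;
                ae2.200;
            }
        }
    }
}
"""
# The fix from the thread: apply the same rule set from both zones.
FIXED_CONFIG = ORIGINAL_CONFIG.replace("from zone untrust;", "from zone [ trust untrust ];")

def parse_junos(text):
    """Junos curly-brace text -> nested dicts: 'a b {' opens container 'a b',
    'a b;' becomes leaf 'a' -> 'b' (True if no value); '## ...' is dropped."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("##", 1)[0].strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line.endswith(";"):
            key, _, value = line[:-1].partition(" ")
            stack[-1][key] = value.strip() or True
        else:
            raise ValueError("unparsed line: %r" % raw)
    if len(stack) != 1:
        raise ValueError("unbalanced braces")
    return root

def zone_names(from_value):
    """'zone untrust' -> {'untrust'}; 'zone [ trust untrust ]' -> {'trust', 'untrust'}."""
    m = re.match(r"zone\s+(?:\[\s*(.*?)\s*\]|(\S+))$", str(from_value))
    return set((m.group(1) or m.group(2)).split()) if m else set()

def lan_zones(config):
    """Zones holding at least one non-PPPoE interface (the LAN-zone assumption above)."""
    zones = config.get("security", {}).get("zones", {})
    found = set()
    for key, body in zones.items():
        ifaces = body.get("interfaces", {}) if key.startswith("security-zone ") else {}
        if ifaces and not all(name.startswith("pp0.") for name in ifaces):
            found.add(key.split(" ", 1)[1])
    return found

def static_nat_gaps(config, lan):
    """(rule_set, public_prefix, missing_zones) for each static NAT rule whose
    rule set does not match packets entering from every LAN zone."""
    gaps = []
    static = config.get("security", {}).get("nat", {}).get("static", {})
    for key, body in static.items():
        if not key.startswith("rule-set "):
            continue
        missing = sorted(lan - zone_names(body.get("from", "")))
        for rkey, rule in body.items():
            if missing and rkey.startswith("rule "):
                gaps.append((key.split(" ", 1)[1], rule["match"]["destination-address"], missing))
    return gaps

def check(text):
    """Parse a config and list static NAT rules that LAN-originated traffic would bypass."""
    config = parse_junos(text)
    return static_nat_gaps(config, lan_zones(config))

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check(cfg) or "OK")
```

Run against the original rule set it reports C42-static-mail for 121.89.40.105/32 with zone trust missing; after the `from zone [ trust untrust ]` change it reports nothing. Feed it `show configuration security | display inheritance | no-more` output when checking a real box; rule sets that match on `from interface` or `from routing-instance` rather than a zone are flagged too, since the script cannot evaluate them.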

Re: Users cannot access mail server (which has a public IP) via the same PPPoE interface

10-24-2012 12:33 AM

Thank you, Mohamed

I had made a mistake with the static NAT.

I've already fixed it with static NAT and a policy.

Thank you very much for your precious help.

Regards,

vietht