SRX Services Gateway

Zone_Communication

05-20-2019 12:11 PM

Hi All ,

 

I have some challenges with the setup below; kindly provide your valuable inputs to get going with the same.

 

Zone Name - Untrust: Eth0/0

Zone Name - Trust: Eth0/3, with the following configured as sub-interfaces:

            Vlan 100 - 192.168.1.1/24, and I have a device on the LAN, i.e. 192.168.1.254/24, on the Core Switch

            Vlan 105 - 192.168.2.1/24

Zone Name - Connector: Eth0/5 on SSG5

           ip: 192.168.3.1/24 on SSG5 and

           ip: 192.168.3.2/24 on the router connecting to SSG5 on Eth0/5

           and on the router LAN I have a device with ip 192.168.4.254/24

 

Goal: reachability between 192.168.1.254 and 192.168.4.254, but via 192.168.2.1, i.e. when I try to reach 192.168.4.254 from 192.168.1.254 it should arrive as 192.168.2.2, and when 192.168.4.254 tries to reach 192.168.2.2 it should then be NATed to 192.168.1.254.

In short, NAT should translate 192.168.1.254 to 192.168.2.2 for outgoing traffic and 192.168.2.2 to 192.168.1.254 for incoming traffic.

 

Regards

Ziad

Re: Zone_Communication

05-20-2019 05:00 PM
Hello All ,

Any suggestions

Regards
Ziad
Re: Zone_Communication

05-20-2019 05:11 PM

Hi shaan129,

 

Based on your explanation, and understanding you are using an SSG firewall, what you need to configure is a MIP (static NAT):

 

https://kb.juniper.net/InfoCenter/index?page=content&id=KB10923&actp=METADATA

 

You could follow that article, just need to see it in the following way: 

 

  • The internal host mentioned in that article (192.168.1.100) will be 192.168.1.254 in your scenario.
  • The public interface and address mentioned in that article (eth0/0 and 1.1.1.250) will be interface eth0/5 and address 192.168.2.2 in your scenario.
  • Zone Untrust in the above article will be your Connector zone.
  • Don't forget you will need a security policy between zones Trust and Connector and vice versa to allow these communications, as shown in that article as well.

Please let me know if you have further questions.

 

Re: Zone_Communication

05-20-2019 05:28 PM

MIP (Static NAT) configuration will be similar to the following one:

 

 MIP Rule:

set interface "ethernet0/5" mip 192.168.2.2 host 192.168.1.254 netmask 255.255.255.255 vr "[Virtual_Router]"

 

Security-policy for allowing connections from 192.168.4.254 to 192.168.2.2 (eventually 192.168.1.254):

set policy from "Connector" to "Trust" "Any" "MIP(192.168.2.2)" "Any" permit

 

Security-policy for allowing connections from 192.168.1.254 to 192.168.4.254:

set policy from "Trust" to "Connector" "Any" "Any" "Any" permit

 

Don't forget the SSG has to have a route to reach 192.168.4.0/24, and that the remote router connected to eth0/5 also has to have a route to reach the 192.168.2.0/24 subnet.

 

I hope this helps you, please mark the post as Resolved if it applies.
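As an added illustration (not posted by anyone in this thread), the following Python model walks a new session through the route lookup, the policy match and the MIP translation that the rule and two policies above describe, so the expected addresses in each direction can be checked offline. The interface names, zones and routes are assumed from the thread's description; the helper names are mine.

```python
import ipaddress

# Interface -> zone and the routes described in the thread (constructed).
ZONE_OF_IFACE = {"ethernet0/3.100": "Trust", "ethernet0/3.105": "Trust",
                 "ethernet0/5": "Connector", "ethernet0/0": "Untrust"}
ROUTES = [("192.168.1.0/24", "ethernet0/3.100"), ("192.168.2.0/24", "ethernet0/3.105"),
          ("192.168.3.0/24", "ethernet0/5"), ("192.168.4.0/24", "ethernet0/5")]
# set interface "ethernet0/5" mip 192.168.2.2 host 192.168.1.254 netmask 255.255.255.255
MIPS = {"192.168.2.2": ("192.168.1.254", "ethernet0/5")}
# set policy from <zone> to <zone> <src> <dst> ... permit (service field omitted here)
POLICIES = [("Connector", "Trust", "Any", "MIP(192.168.2.2)"),
            ("Trust", "Connector", "Any", "Any")]

def route_lookup(ip):
    """Egress interface by longest-prefix match, or None if unroutable."""
    addr = ipaddress.ip_address(ip)
    hits = [r for r in ROUTES if addr in ipaddress.ip_network(r[0])]
    if not hits:
        return None
    return max(hits, key=lambda r: ipaddress.ip_network(r[0]).prefixlen)[1]

def session(src, dst):
    """Model a new session: returns (permitted, src_after_nat, dst_after_nat)."""
    in_iface = route_lookup(src)            # ingress zone via reverse route lookup
    # Inbound MIP: a packet addressed to the MIP is re-addressed to the host, and
    # the policy lookup matches the MIP object in its destination field.
    host, _ = MIPS.get(dst, (dst, None))
    policy_dst = f"MIP({dst})" if dst in MIPS else dst
    out_iface = route_lookup(host)
    if in_iface is None or out_iface is None:
        return (False, src, dst)            # no route: dropped before policy
    from_zone, to_zone = ZONE_OF_IFACE[in_iface], ZONE_OF_IFACE[out_iface]
    permitted = any(fz == from_zone and tz == to_zone and s == "Any"
                    and d in ("Any", policy_dst) for fz, tz, s, d in POLICIES)
    if not permitted:
        return (False, src, dst)
    # Outbound MIP: the host's own traffic leaving on the MIP interface gets the
    # MIP address as its source (the reverse side of the same static mapping).
    new_src = src
    for mip, (h, iface) in MIPS.items():
        if src == h and out_iface == iface:
            new_src = mip
    return (True, new_src, host)
```

Note that with only these two policies, traffic from 192.168.4.254 aimed directly at the real address 192.168.1.254 is not permitted, because the Connector-to-Trust policy only matches the MIP object.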

 

 

Re: Zone_Communication

05-21-2019 02:05 AM

Hi , 

 

The routes are in place on both ends, on the end router and also on the SSG5. The only thing that is not happening is communication between 192.168.4.254 and 192.168.2.2 (actually 192.168.1.254), and between 192.168.1.254 (actually 192.168.2.2) and 192.168.4.254.

 

The issue seems to be with NATing on the SSG5.

 

Attaching an image for better understanding.

 

Regards

shaan129

Re: Zone_Communication

05-21-2019 09:25 AM

Hi Shaan,

 

"""from 192.168.1.254 it should reach 192.168.4.254 as 192.168.2.2 and when 192.168.4.254 tries to reach 192.168.2.2 it should then NAT to 192.168.1.254 """


I understand you want source NAT when initiating the traffic from 192.168.1.254 it should reach 192.168.4.254 , AND destination NAT when 192.168.4.254 tries to reach 192.168.2.2 .


If you apply MIP on eth0/5 of ConnectorSSG then source NAT will not trigger correctly . Try applying the appropriate MIP on UntrustSSG(Eth0/0)


1: set interface "ethernet0/0" mip 192.168.2.2 host 192.168.1.254 netmask 255.255.255.255

2: Call MIP in appropriate security policy.

 

Thanks,

Vikas

 

 

Re: Zone_Communication

05-21-2019 11:44 PM

Can you share the configuration on your SSG?

 

What happens if you try to ping between the real IP addresses, 192.168.4.254 and 192.168.1.254? Does it work (assuming you have the routes configured as well)? I'm just trying to isolate any other issues in between.

 

I can see that you have IP address 192.168.2.1 configured on the SSG's eth0/3 interface. Unless you are using it for a different purpose, it is not necessary for these communications. Can you delete it?

 

 

Re: Zone_Communication

05-28-2019 02:50 AM

If you generate traffic from 192.168.4.254 to 192.168.1.254,

 

then on the SSG confirm the session with NAT is created:

 

get session src-ip 192.168.4.254 dst-ip 192.168.1.254

 

If the session exists with the correct NAT, confirm the session on the SRX is seen with the further NAT change there:

 

show security flow session source-prefix 192.168.2.2 destination-prefix 192.168.4.254

 

If this also exists then the NAT portion is working on both sides and the issue may be routing.

 

If one of these sessions is not created:

The issue will be either a missing policy to permit the traffic or an incorrect NAT rule on that device.

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home