SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  srx240, 650 dnat issue

    Posted 08-22-2017 02:40

    Hi Juniper,

    I'm having a weird issue on some sites, but on a few it does work. We have 2 ISPs at each site; one has the default route, and the other has a backup default route with preference 25. We have to DNAT one IP from each public ISP to a local VPN server. The idea is to connect to either of those ISP lines and still be DNATed. The trick is that DNATed traffic actually works only on the ISP where the route is pointing. Here is an example config:

    set security nat destination pool dst_nat_vpn_pool address 10.10.10.10/32
    set security nat destination pool dst_nat_vpn_pool address port 443

    set security nat destination rule-set dst_nat_vpn from zone EXT
    set security nat destination rule-set dst_nat_vpn rule r1 match destination-address 1.1.1.5/32
    set security nat destination rule-set dst_nat_vpn rule r1 match destination-port 443
    set security nat destination rule-set dst_nat_vpn rule r1 match protocol tcp
    set security nat destination rule-set dst_nat_vpn rule r1 then destination-nat pool dst_nat_vpn_pool

    set security nat destination rule-set dst_nat_vpn rule r2 match destination-address 2.2.2.5/32
    set security nat destination rule-set dst_nat_vpn rule r2 match destination-port 443
    set security nat destination rule-set dst_nat_vpn rule r2 match protocol tcp
    set security nat destination rule-set dst_nat_vpn rule r2 then destination-nat pool dst_nat_vpn_pool

    set security nat proxy-arp interface reth0.0 address 1.1.1.5/32
    set security nat proxy-arp interface reth1.0 address 2.2.2.5/32

    set routing-options static route 0.0.0.0/0 next-hop 1.1.1.1
    set routing-options static route 0.0.0.0/0 qualified-next-hop 2.2.2.1 preference 25

    set interfaces reth0 unit 0 description isp1
    set interfaces reth0 unit 0 family inet address 1.1.1.2/24
    set interfaces reth1 unit 0 description isp2
    set interfaces reth1 unit 0 family inet address 2.2.2.2/24

    Policies are excluded, as they are fine. When I connect to 1.1.1.5, where the default route is, DNAT works and I have a connection, but when I connect to 2.2.2.5, the DNAT session does show up and the server receives the request, but the reply is never routed back correctly (the server sends it out, but it gets lost on the SRX). If I add a /32 route for my test connection to the 2nd ISP (2.2.2.1), then the connection works.

    I have the same setup in a few other places where this works, and I cannot figure out what mechanism is not letting it happen here.
    Thank you for your advice,



  • 2.  RE: srx240, 650 dnat issue

    Posted 08-22-2017 02:59

    Both your external interfaces are part of the same security zone, and in destination NAT you are specifying the zone, so in the reverse lookup the SRX is using reth0.0, which is part of the same zone.

    Please try the configuration below.

    set security nat destination rule-set dst_nat_vpn from zone EXT
    set security nat destination rule-set dst_nat_vpn from interface reth0.0
    set security nat destination rule-set dst_nat_vpn rule r1 match destination-address 1.1.1.5/32
    set security nat destination rule-set dst_nat_vpn rule r1 match destination-port 443
    set security nat destination rule-set dst_nat_vpn rule r1 match protocol tcp
    set security nat destination rule-set dst_nat_vpn rule r1 then destination-nat pool dst_nat_vpn_pool
    
    set security nat destination rule-set dst_nat_vpn_ISP2 from zone EXT
    set security nat destination rule-set dst_nat_vpn_ISP2 from interface reth1.0
    set security nat destination rule-set dst_nat_vpn_ISP2 rule r2 match destination-address 2.2.2.5/32
    set security nat destination rule-set dst_nat_vpn_ISP2 rule r2 match destination-port 443
    set security nat destination rule-set dst_nat_vpn_ISP2 rule r2 match protocol tcp
    set security nat destination rule-set dst_nat_vpn_ISP2 rule r2 then destination-nat pool dst_nat_vpn_pool

    -------------------------------------------------------------------------------------------------------------------------------------

    Please mark my solution accepted if it helped; kudos are appreciated too.



  • 3.  RE: srx240, 650 dnat issue

    Posted 08-22-2017 13:13

    Thanks,

    but I'm still bugged by the idea that on other branches it works with the same setup, with both ISP lines in the same zone and with the same DNAT config I wrote in the first post. It might be that those boxes are sitting on a rather old version, 12.1R7.9, while the new boxes are on the newest code.



  • 4.  RE: srx240, 650 dnat issue
    Best Answer

    Posted 09-08-2017 09:59

    Hello mikedruu,

    We have two scenarios here:

    • The packet is received on reth0.0. The SRX installs the reverse route based on the routing table, in this case the static route with preference 5. When the reply comes back and the SRX sees it, it sends the packet to next hop 1.1.1.1, so ISP1 uses the same path back without problems.
    • The packet is received on reth1.0. The SRX installs the reverse route based on the routing table, once more the static route with preference 5. When the reply comes back and the SRX sees it, it sends the packet to next hop 1.1.1.1. The issue here is that ISP1 would need to route the packet to ISP2 over a different path, and if the ISP does not support asymmetric routing, the packet is dropped along the way.

    It is not a problem that you have both interfaces in the same security zone; actually, this prevents the SRX from dropping the packet because of asymmetric routing.

    You can verify how your traffic is going out with security flow traceoptions, please see:

    set security flow traceoptions file flow-trace
    set security flow traceoptions flag basic-datapath
    set security flow traceoptions packet-filter MatchTraffic1 source-prefix A.B.C.D/X destination-prefix E.F.G.H/X
    set security flow traceoptions packet-filter MatchTraffic2 source-prefix E.F.G.H/X destination-prefix A.B.C.D/X
    show log flow-trace

    Remember to delete them with "delete security flow traceoptions".

    You can try to solve this issue with routing instances, so you can separate the routing tables and always use the same path:

    set routing-instances ISP1 instance-type virtual-router
    set routing-instances ISP1 interface reth1.0
    set routing-instances ISP1 routing-options static route 0.0.0.0/0 next-hop 2.2.2.1
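The routing-instance approach from the answer above, carried through to a complete set of commands as an added example (not configuration from the posts above or from Juniper). It reuses the question's addressing (reth1.0 = 2.2.2.2/24, ISP2 gateway 2.2.2.1, DNAT target 10.10.10.10:443, zone EXT) and names the virtual router ISP2; the internal subnet 10.10.10.0/24 is an assumption. The comment lines are for the reader and should be stripped before pasting into `load set terminal`.

```junos
# Added example, not from the original thread. Names and addresses follow the
# question; the internal subnet 10.10.10.0/24 is assumed.

# 1. Put reth1.0 in its own virtual router with its own default route. A session
#    that enters on reth1.0 now gets its reverse route from ISP2.inet.0, so the
#    reply leaves via 2.2.2.1 instead of inet.0's default via 1.1.1.1.
set routing-instances ISP2 instance-type virtual-router
set routing-instances ISP2 interface reth1.0
set routing-instances ISP2 routing-options static route 0.0.0.0/0 next-hop 2.2.2.1

# 2. The DNATed server sits in inet.0. Hand lookups for its subnet over to inet.0
#    so the forward direction of the session can reach it from ISP2.inet.0.
set routing-instances ISP2 routing-options static route 10.10.10.0/24 next-table inet.0

# 3. inet.0 keeps only the ISP1 default. The preference-25 backup via 2.2.2.1 must
#    be removed: reth1.0 is no longer in inet.0, so 2.2.2.1 is not reachable there.
delete routing-options static route 0.0.0.0/0 qualified-next-hop 2.2.2.1

# 4. DNAT and proxy-ARP are unchanged from the question. reth1.0 stays in zone EXT
#    (a zone may hold interfaces from several routing instances), and the rule-set
#    matches on zone plus destination address. Repeated here for the ISP2 side only
#    so that this block is self-contained.
set security nat destination pool dst_nat_vpn_pool address 10.10.10.10/32
set security nat destination pool dst_nat_vpn_pool address port 443
set security nat destination rule-set dst_nat_vpn from zone EXT
set security nat destination rule-set dst_nat_vpn rule r2 match destination-address 2.2.2.5/32
set security nat destination rule-set dst_nat_vpn rule r2 match destination-port 443
set security nat destination rule-set dst_nat_vpn rule r2 match protocol tcp
set security nat destination rule-set dst_nat_vpn rule r2 then destination-nat pool dst_nat_vpn_pool
set security nat proxy-arp interface reth1.0 address 2.2.2.5/32
```

To check it, `show route table ISP2.inet.0` should list 0.0.0.0/0 via 2.2.2.1 and 10.10.10.0/24 pointing to table inet.0. Then open a connection to 2.2.2.5:443 and look at `show security flow session destination-port 443`: before the change the reverse wing (the `Out:` line, 10.10.10.10 back to the client) shows `If: reth0.0`, which is exactly the asymmetric path the answer describes; after the change it shows `If: reth1.0`. Two caveats: the two routing tables must not point `next-table` at each other (Junos rejects that at commit), and this example only restores inbound symmetry. The outbound failover that the original qualified-next-hop gave you is not provided here; leaking the ISP2 default into inet.0 for that purpose needs rib-groups, which this example does not cover.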



  • 5.  RE: srx240, 650 dnat issue

    Posted 09-19-2017 13:07

    Hi carroyo,

    You are right. I finally got some time to play with this in the lab and understood that in the case I mentioned before, where this config works, I have 2 circuits from the same ISP instead of 2 separate ISPs, and I suppose both of my circuits are connected to the same ISP switch, which is stateless and/or doesn't care about asymmetry.

    I will have to play around to find the best way with separate routing instances 🙂

    Thanks for the input, cheers