vSRX

Creating a Static NAT on a vSRX hosted in AWS

12-14-2018 03:59 PM

I'm trying to configure static NAT for a webserver I've deployed to AWS. Currently, I'm unable to pass traffic to the machine. What am I doing wrong? I set the Proxy-arp up. I've got the secondary IP configured in AWS and pointed to ge-0/0/0 via the network interface ID. The elastic IP is also tied to the internal address 172.25.48.11. 


## Last changed: 2018-12-14 18:42:54 EST
version 18.3R1.9;
#junos-config
groups {
    aws-default {
        system {
            login {
                user ec2-user {
                    full-name juniper-aws-ec2-user;
                    uid 100;
                    class super-user;
                    authentication {
                        ssh-rsa "ssh-rsa }
                    }
                }
            }
            inactive: services {
                ssh {
                    no-passwords;
                }
                netconf {
                    ssh;
                }
                web-management {
                    https {
                        system-generated-certificate;
                    }
                }
            }
            license {
                autoupdate {
                    url https://ae1.juniper.net/junos/key_retrieval;
                }
            }
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        dhcp;
                    }
                }
            }
        }
    }
}
apply-groups aws-default;
system {
    login {
        user su {
            uid 2001;
            class super-user;
        }
    }
    host-name rtr-east2a-stage;
    time-zone America/Detroit;
    authentication-order [ password radius ];
    radius-options {
        password-protocol mschap-v2;
    }
    services {
        ssh;
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any info;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
}
security {
    nat {
        source {
            rule-set SNAT_RuleSet {
                from zone trust;
                to zone untrust;
                rule SNAT_Rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        static {
            rule-set srvw-test01 {
                from zone untrust;
                rule rule_for_srvw-test01 {
                    match {
                        destination-address 172.25.48.11/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                172.25.52.141/32;
                            }
                        }
                    }
                }
            }
        }
        proxy-arp {
            interface ge-0/0/0.0 {
                address {
                    172.25.48.11/32;
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy default_server_access {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy srvw-test01 {
                match {
                    source-address any;
                    destination-address srvw-web01;
                    application junos-icmp-ping;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone untrust {
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                        }
                    }
                }
            }
        }
        security-zone trust {
            address-book {
                address srvw-web01 172.25.52.141/32;
            }
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            https;
                            ssh;
                        }
                    }
                }
                lo0.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                        }
                    }
                }
            }
        }
        security-zone mgmt;
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 172.25.48.10/23;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 172.25.52.10/23;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 172.25.52.11/32;
            }
        }
    }
}
snmp {
    description rtr-east2a-vsrx;
    location Ohio;
    }
    }
    vacm {
        security-to-group {
            security-model usm {
                security-name sysop {
                    group readonly;
                }
            }
        }
        access {
            group readonly {
                default-context-prefix {
                    security-model usm {
                        security-level privacy {
                            read-view system;
                        }
                    }
                }
            }
        }
    }
    }
    engine-id {
        use-default-ip-address;
    }
    view system {
        oid 1.3.6.1.2 include;
    }
}
routing-instances {
    aws {
        instance-type virtual-router;
        interface ge-0/0/0.0;
        interface ge-0/0/1.0;
        interface lo0.0;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 172.25.48.1;
            }
        }
    }
}


8 replies

Re: Creating a Static NAT on a vSRX hosted in AWS

12-15-2018 04:15 AM

Hi,


I understand you are testing the connectivity using ping traffic only, as only ping is allowed in the security policy. Do you see sessions being created and "pkt" counts in both wings of the session?


> show security flow session destination-prefix 172.25.48.11


Thanks,

Vikas


Re: Creating a Static NAT on a vSRX hosted in AWS

12-15-2018 10:19 AM

That is correct, I am only testing ping connectivity at this point.


I am seeing sessions when I run that command, but no packets going outbound.


ec2-user@rtr-east2a-stage# ...ow session destination-prefix 172.25.48.11
Session ID: 211703, Policy name: srvw-test01/5, Timeout: 42, Valid
In: 12.36.12.150/32189 --> 172.25.48.11/1;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 60,
Out: 172.25.52.141/1 --> 12.36.12.150/32189;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 0, Bytes: 0,

Session ID: 211710, Policy name: srvw-test01/5, Timeout: 48, Valid
In: 12.36.12.150/20786 --> 172.25.48.11/1;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 60,
Out: 172.25.52.141/1 --> 12.36.12.150/20786;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 0, Bytes: 0,

Session ID: 211717, Policy name: srvw-test01/5, Timeout: 52, Valid
In: 12.36.12.150/19863 --> 172.25.48.11/1;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 60,
Out: 172.25.52.141/1 --> 12.36.12.150/19863;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 0, Bytes: 0,

Session ID: 211724, Policy name: srvw-test01/5, Timeout: 58, Valid
In: 12.36.12.150/3383 --> 172.25.48.11/1;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 60,
Out: 172.25.52.141/1 --> 12.36.12.150/3383;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 0, Bytes: 0,
Total sessions: 4


Re: Creating a Static NAT on a vSRX hosted in AWS

12-15-2018 10:26 PM

Hi,


From the session, incoming traffic, NAT & security policy are fine. "pkt" count is always zero in the return wing. Please check below:


1: Do you see the bidirectional ICMP traffic on the server 172.25.52.141? tcpdump/wireshark etc on the server may help.

2: What is the route on the vSRX to the IP 12.36.12.150? "show route" or "show route 12.36.12.150" may help.

3: You can also try FIREWALL FILTER on the ge-0/0/1.0 with log to see incoming traffic on the ge-0/0/1.0.


Thanks,

Vikas
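The symptom Vikas points at above (an "In" wing with packets but an "Out" wing stuck at Pkts: 0) can be checked mechanically. The following is an added example, not code from the thread or from Juniper: it parses the "show security flow session" text format shown earlier in the thread and reports sessions whose return wing never counted a packet. The sample output is constructed to mirror the posted format.

```python
import re

# Constructed sample modelled on the "show security flow session" output posted
# in the thread: one session per paragraph, with an "In:" wing and an "Out:" wing.
SAMPLE = """\
Session ID: 211703, Policy name: srvw-test01/5, Timeout: 42, Valid
In: 12.36.12.150/32189 --> 172.25.48.11/1;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 60,
Out: 172.25.52.141/1 --> 12.36.12.150/32189;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 0, Bytes: 0,

Session ID: 300001, Policy name: srvw-test01/5, Timeout: 60, Valid
In: 12.36.12.150/4000 --> 172.25.48.11/1;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 3, Bytes: 180,
Out: 172.25.52.141/1 --> 12.36.12.150/4000;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 3, Bytes: 180,
Total sessions: 2
"""

SESSION_RE = re.compile(r"Session ID: (\d+), Policy name: ([^,]+), Timeout: (\d+), (\w+)")
WING_RE = re.compile(
    r"^(In|Out): (\S+) --> (\S+);(\w+), Conn Tag: (\S+), If: (\S+), Pkts: (\d+), Bytes: (\d+),"
)


def parse_sessions(text):
    """Return a list of sessions; each has an 'In' and 'Out' wing with interface and counters."""
    sessions, cur = [], None
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            cur = {"id": int(m.group(1)), "policy": m.group(2),
                   "timeout": int(m.group(3)), "state": m.group(4), "wings": {}}
            sessions.append(cur)
            continue
        w = WING_RE.match(line)
        if w and cur is not None:
            cur["wings"][w.group(1)] = {
                "src": w.group(2), "dst": w.group(3), "proto": w.group(4),
                "iface": w.group(6), "pkts": int(w.group(7)), "bytes": int(w.group(8)),
            }
    return sessions


def one_way_sessions(sessions):
    """Sessions where the In wing carried packets but the Out wing never did:
    the reply path (server routing, host firewall, or an asymmetric route) is suspect."""
    return [s for s in sessions
            if s["wings"].get("In", {}).get("pkts", 0) > 0
            and s["wings"].get("Out", {}).get("pkts", 0) == 0]


if __name__ == "__main__":
    for s in one_way_sessions(parse_sessions(SAMPLE)):
        out = s["wings"]["Out"]
        print(f"session {s['id']}: no return packets from {out['src']} via {out['iface']}")
```

Pipe the real CLI output into parse_sessions() instead of SAMPLE to run it against a live box.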


Re: Creating a Static NAT on a vSRX hosted in AWS

12-16-2018 05:09 AM

Since the issue is with the return traffic from the server please check the following.


Confirm that iptables on the server is set to allow the ICMP traffic.


Confirm the default route on the server will return traffic back to the SRX.

If it is not possible to have the default route back to the SRX, add an untrust to trust source NAT to the SRX interface on the inbound traffic. This will remove the internet source and make sure the SRX is the return path for the traffic from the server.


Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Creating a Static NAT on a vSRX hosted in AWS

12-16-2018 10:15 PM


The webserver is a Windows 2012 server. I've confirmed that the Windows firewall is turned off. The default route in AWS for the subnet that this server is on is the ge-0/0/1 interface on the SRX.

Solution (accepted by topic author joshuamichaelsanders, 12-17-2018 08:52 AM)

Re: Creating a Static NAT on a vSRX hosted in AWS

12-17-2018 03:30 AM

Does the server have more than one interface?

What is the default route next hop in

route print


Can the server ping the SRX interface, and can the SRX ping the server interface?

This will verify the connectivity within the subnet.


Steve Puluka BSEET - Juniper Ambassador

Re: Creating a Static NAT on a vSRX hosted in AWS

12-17-2018 08:11 AM

Huh... I had verified outbound ping from this machine and source-natting was working. Now it's not. I also can't ping the ge-0/0/1 interface from the web server anymore. I'll have to jump back in and see what's going on.


Re: Creating a Static NAT on a vSRX hosted in AWS

12-17-2018 08:52 AM

Strange, I was toying with a loopback interface on the unit and it must have broken the routing path. I removed everything referencing that loopback and committed the change. Everything came up. Thanks for the help.