vSRX

SRX ARP-PROXY does not communicate with LAN network

05-27-2020 12:59 AM

I have a Juniper SRX 240 firewall. I have 7 public IPs, and I set them up as proxy-ARP and created destination NAT with those IP addresses. Everything is working fine. But the issue is that when I access these public IPs from outside the network, like another WAN network, everything works properly, but when I access those IP addresses from my LAN network, they can't be accessed. Please help me configure proxy-ARP so that the LAN network can access the public IPs available in the pool.

Re: SRX ARP-PROXY does not communicate with LAN network

05-27-2020 01:24 AM

Hi,

When you try to access the internal IP addresses using the public IP from your private network, you must translate the source address as well at the SRX; otherwise, the destination server replies back to the source using its private IP, which is not recognized by the source machine.

You can verify the session with the command "show security flow session source-prefix <src pvt add> destination-prefix <Public-IP for dest>".

https://kb.juniper.net/InfoCenter/index?page=content&id=KB21719

Hope this helps.

Thanks and Regards,

Pradeep Kumar M

|| If this solves your problem, please mark this post as "Accepted Solution" so we can help others too ||

Re: SRX ARP-PROXY does not communicate with LAN network

05-27-2020 01:26 AM

You can also refer to https://kb.juniper.net/InfoCenter/index?page=content&id=KB24639 - Hair Pin NAT.

Thanks and Regards,

Pradeep Kumar M

Re: SRX ARP-PROXY does not communicate with LAN network

05-27-2020 02:45 AM

I have destination NAT on those public IPs and those are working very well from outside, but the problem is that when I access the same IPs from the internal network (LAN), there is an error: site can't be reached.

Re: SRX ARP-PROXY does not communicate with LAN network

05-27-2020 04:50 AM

This doesn't seem to be an issue with destination NAT or ARP-Proxy. This must be about the return traffic from the actual destination to the source. The source initiates traffic to the public IP, whereas it gets the reply from the private IP (the actual destination IP), which the source is not aware of, and hence it is dropping the traffic.

You can check the traffic flow for this on the SRX using the command I previously provided. Please share the output here if you can. If what I mentioned is the cause, you might want to enable source NAT for this flow on the SRX.

The same scenario is mentioned in the KB - https://kb.juniper.net/InfoCenter/index?page=content&id=KB24639 . Please verify if it's the same scenario.

Thanks and Regards,

Pradeep Kumar M
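
The hairpin NAT approach suggested in the replies, sketched as Junos set commands. This is an added example, not configuration from the thread or from the linked KB articles. The zone name trust, the LAN 192.168.1.0/24, the server 192.168.1.10, the public IP 203.0.113.10 and every rule-set, pool, address and policy name are assumptions to be replaced with the real values.

```junos
# Constructed values (assumptions): zone trust, LAN 192.168.1.0/24,
# internal server 192.168.1.10, public IP 203.0.113.10.

# 1. Destination NAT for traffic that ENTERS from the LAN zone.
#    A rule-set written only "from zone untrust" never matches
#    packets arriving on the trust interface.
set security nat destination pool web-srv address 192.168.1.10/32
set security nat destination rule-set hairpin-dst from zone trust
set security nat destination rule-set hairpin-dst rule r1 match destination-address 203.0.113.10/32
set security nat destination rule-set hairpin-dst rule r1 then destination-nat pool web-srv

# 2. Source NAT for the same flow (trust -> trust). The server then
#    sees the SRX interface address as the source and sends its reply
#    back through the SRX instead of directly to the LAN client.
set security nat source rule-set hairpin-src from zone trust
set security nat source rule-set hairpin-src to zone trust
set security nat source rule-set hairpin-src rule r1 match source-address 192.168.1.0/24
set security nat source rule-set hairpin-src rule r1 then source-nat interface

# 3. Intra-zone policy. Policy lookup happens after destination NAT,
#    so it matches the server's private address. Permit only the
#    published services rather than "application any".
set security address-book global address web-srv 192.168.1.10/32
set security policies from-zone trust to-zone trust policy lan-to-web match source-address any
set security policies from-zone trust to-zone trust policy lan-to-web match destination-address web-srv
set security policies from-zone trust to-zone trust policy lan-to-web match application junos-http
set security policies from-zone trust to-zone trust policy lan-to-web match application junos-https
set security policies from-zone trust to-zone trust policy lan-to-web then permit

# 4. Verify from operational mode with the command given in the thread;
#    the session should show both translations:
#    show security flow session source-prefix 192.168.1.50 destination-prefix 203.0.113.10
```

Source NAT on this flow means the server logs the SRX interface address instead of the real LAN client for hairpinned connections, so keep session logging on the policy if per-client attribution matters.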
