I'm trialling a vSRX installation in one of my Amazon VPCs.
I've followed the general vSRX setup guide and a few KBs to:
- Assign eth1 (public & private, untrust) and eth2 (private, trusted) to the instance
- Configure the interfaces on the appliance
- Create a virtual-router and add these interfaces; the next hop on the default route is the AWS router IP on eth1 (private).
- Create a destination NAT rule to translate port 3389 on the internal ge-0/0/0 IP to a Windows host
- Create a firewall rule to permit untrust to trust on port 3389
- Create a firewall rule to permit trust to untrust / any
I can't seem to get the NAT rule to work and have tried following a few articles to troubleshoot. Packet captures don't seem to be supported on the vSRX, and when I try to run one, J-Web breaks permanently.
**Note: I recently added source NAT to translate the private traffic from the trusted zone to the egress interface, in case the issue is with the return traffic from the Windows host - but still no success.
Any help would be appreciated - config below!
Thanks
version 20190319.203446_builder.r1013243;
#junos-config
/* AWS default group: ec2-user key-based login, SSH without passwords, NETCONF over SSH, HTTPS J-Web, fxp0 via DHCP */
groups {
aws-default {
system {
login {
user ec2-user {
full-name juniper-aws-ec2-user;
uid 100;
class super-user;
authentication {
ssh-rsa "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCKWxD6mxJv77QUoM+BuFHOEhCzFTluCn2UPWG0A+vAQI0NaiOYMujU/iYVxNLpDYfs7F4tR+osHdrfgW+z+jnDBsLuiVg38B87bkiyYL2GuPug0y2bCn4ZfU/y2SK9MpLGaok7F4v9Gjb+g1d5XkEzabUPc95IFj1AHsadCI72YX0Vi/SOcg/uswgMJGqELQIWPZz9IIraTyNPM+ca933BAsmPEwJ1oixmlO1+2VXazESyD2WGaT70ooGpsMfq6BBkHewyUcn5NiqbIRgWFDouYItig4LI7exwedr/b1Ptq07KmG9/D2e/FP0b47ZUQrt9ajVuLwGTkkdfq5eKhJuT JuniperKeyPair2019"; ## SECRET-DATA
}
}
}
root-authentication {
encrypted-password *disabled*; ## SECRET-DATA
}
services {
ssh {
no-passwords;
}
netconf {
ssh;
}
web-management {
https {
system-generated-certificate;
}
}
}
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
}
interfaces {
fxp0 {
unit 0 {
family inet {
dhcp;
}
}
}
}
}
}
apply-groups aws-default;
system {
login {
user **MyUser** {
uid 2002;
class super-user;
authentication {
encrypted-password "$6$7HnuZEex$psO9dbt.Ii89U0cwZRgkSH5B85eDjveOq6wkRRet5OxkBDNksnH24wx9m4FOp2R9nSaJG6u8A3AfoHTzm/Zx41"; ## SECRET-DATA
}
}
}
}
security {
nat {
/* Interface-based source NAT for all trust -> untrust traffic */
source {
rule-set SNAT_RuleSet {
from zone trust;
to zone untrust;
rule SNAT_Rule {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
destination {
/* NOTE(review): this pool is bound to routing-instance default, but ge-0/0/1.0 (172.16.5.0/24, where 172.16.5.10 sits) is a member of routing-instance aws below - confirm whether the pool should reference aws instead */
pool dnat-172_16_5_10m32 {
routing-instance {
default;
}
address 172.16.5.10/32 port 3389;
}
/* Not referenced by any destination NAT rule in this config */
pool dnat-172_16_4_6m32p3389 {
description "ge-0/0/0 port 3389";
address 172.16.4.6/32 port 3389;
}
/* Untrust-side DNAT: TCP/3389 from MyPublicIP to ge-0/0/0's own address (172.16.4.6) is translated to 172.16.5.10:3389 */
rule-set dst-nat {
from zone untrust;
rule rdprule {
match {
source-address **MyPublicIP**/32;
destination-address 172.16.4.6/32;
destination-port {
3389;
}
protocol tcp;
}
then {
destination-nat {
pool {
dnat-172_16_5_10m32;
}
}
}
}
}
}
}
policies {
from-zone untrust to-zone trust {
/* Matches the translated destination (WindowsDT = 172.16.5.10); source-address any is wider than the NAT rule's MyPublicIP/32 match, so the policy is not what limits who can reach RDP */
policy untrust-to-trust1 {
match {
source-address any;
destination-address WindowsDT;
application [ RDP-NAT junos-rdp ];
}
then {
permit;
}
}
}
from-zone trust to-zone untrust {
policy trust-to-untrust-all-allow {
description "Trust to Untrust - Allow All";
match {
source-address any;
destination-address any;
application any;
dynamic-application any;
}
then {
permit;
}
}
}
}
zones {
security-zone untrust {
address-book {
address MyPublicIP **MyPublicIP**/32;
}
/* NOTE(review): system-services all is open on the internet-facing zone; limiting this to the services actually needed there (for example ssh, https, ping) reduces the exposed management surface */
host-inbound-traffic {
system-services {
all;
}
}
interfaces {
ge-0/0/0.0;
}
}
security-zone trust {
address-book {
address WindowsDT 172.16.5.10/32;
}
host-inbound-traffic {
system-services {
all;
}
}
interfaces {
ge-0/0/1.0;
}
}
}
}
interfaces {
/* Untrust side: 172.16.4.6/28 on ge-0/0/0 is the address the DNAT rule matches as its destination */
ge-0/0/0 {
unit 0 {
family inet {
address 172.16.4.6/28;
}
}
}
/* Trust side: same /24 as the Windows host (172.16.5.10) */
ge-0/0/1 {
unit 0 {
family inet {
address 172.16.5.5/24;
}
}
}
}
/* Both data interfaces and the default route live in virtual-router aws; fxp0 is not a member */
routing-instances {
aws {
instance-type virtual-router;
interface ge-0/0/0.0;
interface ge-0/0/1.0;
routing-options {
static {
route 0.0.0.0/0 next-hop 172.16.4.1;
}
}
}
}
/* Custom TCP/3389 application; overlaps the predefined junos-rdp that the untrust-to-trust policy also references */
applications {
application RDP-NAT {
protocol tcp;
destination-port 3389;
}
}