[j-nsp] SRX Config Question

ben b benboyd.lists at gmail.com
Tue Jun 22 14:18:04 EDT 2010


The policy looks good, but your NAT isn't translating. You have 0
translation hits. Your destination address is never changed to
192.169.1.214, which is why your policy is never invoked. Is 192.168.1.214
reachable from the SRX? I would say check previous NAT rules, but the
position of this one is 1.

-Ben


On Tue, Jun 22, 2010 at 1:00 PM, Brendan Mannella
<bmannella at teraswitch.com> wrote:

> Ok, I updated the address book from "." to "_".
>
> Below is the output of the commands. I haven't had a chance to retest with
> the updated address book to see if that does it; I will let you know. The
> NAT and policies look ok..
>
>
> root at srx210> show security nat static rule all
> Total static-nat rules: 58
>
> Static NAT rule: 51                   Rule-set: static
>   Rule-Id                    : 1
>   Rule position              : 1
>   From zone                  : untrust
>   Destination addresses      : 111.111.111.214 (external public ip)
>   Host addresses             : 192.168.1.214
>   Netmask                    : 255.255.255.255
>   Host routing-instance      : N/A
>   Translation hits           : 0
>
>
>
>
> root at srx210> show security policies detail
> Default policy: deny-all
> Policy: trust-to-untrust, action-type: permit, State: enabled, Index: 4
>   Sequence number: 1
>   From zone: trust, To zone: untrust
>   Source addresses:
>     any: 0.0.0.0/0
>   Destination addresses:
>     any: 0.0.0.0/0
>   Application: any
>     IP protocol: 0, ALG: 0, Inactivity timeout: 0
>       Source port range: [0-0]
>       Destination port range: [0-0]
>
>
> Policy: 240-214, action-type: permit, State: enabled, Index: 5
>   Sequence number: 1
>   From zone: untrust, To zone: trust
>   Source addresses:
>     any: 0.0.0.0/0
>   Destination addresses:
>     192_168_1_214: 192.168.1.214/32
>   Application: rdp
>     IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
>       Source port range: [0-0]
>       Destination port range: [3389-3389]
>   Application: junos-dns-udp
>     IP protocol: udp, ALG: dns, Inactivity timeout: 60
>       Source port range: [0-0]
>       Destination port range: [53-53]
>   Application: junos-ftp
>     IP protocol: tcp, ALG: ftp, Inactivity timeout: 1800
>       Source port range: [0-0]
>       Destination port range: [21-21]
>   Application: junos-http
>     IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
>       Source port range: [0-0]
>       Destination port range: [80-80]
>   Application: junos-https
>     IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
>       Source port range: [0-0]
>       Destination port range: [443-443]
>   Application: junos-ms-sql
>     IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
>       Source port range: [0-0]
>       Destination port range: [1433-1433]
>   Session log: at-create, at-close
>
>
>
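The diagnosis above rests on reading two pieces of CLI output together: the static NAT rule's hit counter and the policy whose destination is the translated host address. The script below is an added example, not code from the thread or from Juniper; it parses constructed samples modelled on the two quoted outputs (`show security nat static rule` and `show security policies detail`), correlates each NAT rule with the permit policies from the same zone that cover its host address, and reports why a policy can never match when the rule shows zero translation hits. The sample text, the key names derived from it, and the verdict labels are all assumptions of this example.

```python
import ipaddress
import re

# Constructed sample input, modelled on the two show commands quoted in the
# thread (static NAT rule with zero translation hits, and a permit policy whose
# destination is the NAT host address). Not real device output.
NAT_OUTPUT = """\
Total static-nat rules: 58

Static NAT rule: 51                   Rule-set: static
  Rule-Id                    : 1
  Rule position              : 1
  From zone                  : untrust
  Destination addresses      : 111.111.111.214 (external public ip)
  Host addresses             : 192.168.1.214
  Netmask                    : 255.255.255.255
  Host routing-instance      : N/A
  Translation hits           : 0
"""

POLICY_OUTPUT = """\
Default policy: deny-all
Policy: trust-to-untrust, action-type: permit, State: enabled, Index: 4
  From zone: trust, To zone: untrust
  Source addresses:
    any: 0.0.0.0/0
  Destination addresses:
    any: 0.0.0.0/0
  Application: any

Policy: 240-214, action-type: permit, State: enabled, Index: 5
  From zone: untrust, To zone: trust
  Source addresses:
    any: 0.0.0.0/0
  Destination addresses:
    192_168_1_214: 192.168.1.214/32
  Application: rdp
"""


def parse_static_nat(text):
    """Parse `show security nat static rule` output into one dict per rule."""
    rules, current = [], None
    for line in text.splitlines():
        m = re.match(r"^Static NAT rule:\s*(\S+)\s+Rule-set:\s*(\S+)", line)
        if m:
            current = {"rule": m.group(1), "rule_set": m.group(2)}
            rules.append(current)
            continue
        m = re.match(r"^\s+([A-Za-z][A-Za-z -]*?)\s*:\s*(.*)$", line)
        if m and current is not None:
            key = m.group(1).strip().lower().replace(" ", "_")
            value = m.group(2).split()
            # first token only, so a trailing annotation like "(external public ip)" is dropped
            current[key] = value[0] if value else ""
    return rules


def parse_policies(text):
    """Parse `show security policies detail` output: name, action, zones, address lists."""
    policies, current, section = [], None, None
    for line in text.splitlines():
        m = re.match(r"^Policy:\s*([^,]+),\s*action-type:\s*(\S+),\s*State:\s*(\S+)", line)
        if m:
            current = {"name": m.group(1).strip(), "action": m.group(2),
                       "state": m.group(3), "src": [], "dst": [], "apps": []}
            policies.append(current)
            section = None
            continue
        if current is None:
            continue
        m = re.match(r"^  From zone:\s*(\S+),\s*To zone:\s*(\S+)", line)
        if m:
            current["from_zone"], current["to_zone"] = m.group(1), m.group(2)
            continue
        if line.startswith("  Source addresses:"):
            section = "src"
            continue
        if line.startswith("  Destination addresses:"):
            section = "dst"
            continue
        m = re.match(r"^  Application:\s*(\S+)", line)
        if m:
            current["apps"].append(m.group(1))
            section = None
            continue
        m = re.match(r"^    (\S+):\s*(\S+)$", line)
        if m and section in ("src", "dst"):
            current[section].append((m.group(1), m.group(2)))  # (address-book name, prefix)
            continue
        if re.match(r"^  \S", line):
            section = None  # any other two-space key ends the address list


    return policies


def diagnose(nat_rules, policies):
    """For each static NAT rule, list permit policies from the same zone whose
    destination covers the host address, then explain the hit counter: if the
    destination is never rewritten, such a policy can never be matched."""
    report = []
    for rule in nat_rules:
        host = ipaddress.ip_address(rule["host_addresses"])
        permits = [p["name"] for p in policies
                   if p.get("from_zone") == rule["from_zone"] and p["action"] == "permit"
                   and any(host in ipaddress.ip_network(pfx, strict=False) for _, pfx in p["dst"])]
        hits = int(rule["translation_hits"])
        verdict = ("nat-not-translating" if hits == 0
                   else "translated-but-no-permit-policy" if not permits else "ok")
        report.append({"rule_set": rule["rule_set"], "position": rule["rule_position"],
                       "host": str(host), "hits": hits,
                       "permit_policies": permits, "verdict": verdict})
    return report


if __name__ == "__main__":
    for entry in diagnose(parse_static_nat(NAT_OUTPUT), parse_policies(POLICY_OUTPUT)):
        print(entry)
```

Run against the constructed samples it reports the thread's situation: the rule at position 1 has a matching permit policy (`240-214`) but zero hits, so the verdict is that translation itself is not happening and the policy is irrelevant until it does. Feed it real output from both commands and the same correlation separates "NAT never fires" from "NAT fires but nothing permits the translated flow".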

