[j-nsp] SRX240 junos 10.3 nat missbehavior?

Stefan Fouant sfouant at shortestpathfirst.net
Mon May 2 12:17:22 EDT 2011


Hi Correa,

You stated your issue was that you have traffic arriving at the ge-0/0/0
interface (Untrust) but you do not see it being forwarded towards the
ge-0/0/3 interface (Trust).  Everything is perfect with your configuration,
except that you don’t have a NAT policy to translate traffic originating
from the Untrust side destined for the Trust side.  You have two options to
fix this:  You can replace your source-nat configuration with a static-nat
configuration which essentially creates bidirectional NAT, or you’ll need to
configure a destination-nat stanza in addition to your source-nat
configuration.

Please note, you can choose to use either Static NAT or Destination NAT in
this simple test, but which one you choose for production depends on a lot
of variables and the control you want over your NAT operations.   I advise
you take a look at Juniper’s documentation set to get a better understanding
of the differences between the two in order to choose the one which is most
appropriate for your situation.

You have the appropriate policies in place and your setup is very simple
from a routing perspective, so you shouldn’t have any problems there.
Simply configure the appropriate NAT policy to allow for inbound NAT
translation and you should be good to go.

Stefan Fouant, CISSP, JNCIEx2
www.shortestpathfirst.net
GPG Key ID: 0xB4C956EC
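[Editor's note: the two options Stefan describes, written out as Junos NAT stanzas. This is an added illustration, not configuration from either poster. It assumes the test device behind vlan.0 is 20.0.0.2, the only host visible in the ARP output quoted below, and it uses x.x.93.230/32 as a placeholder for a spare address out of the x.x.93.224/27 block for the static NAT variant. Only one of the two variants would be committed.]

```junos
/* Option A: destination NAT, added alongside the existing source-nat rule-set.
   Packets arriving on ge-0/0/0.0 addressed to the SRX's own untrust address
   are rewritten to the device on vlan.0. 20.0.0.2 is an assumption taken
   from the ARP output in the thread; the existing untrust-to-trust policy
   ("any any permit") is evaluated after translation, so it already matches. */
security {
    nat {
        destination {
            pool loop-device {
                address 20.0.0.2/32;
            }
            rule-set untrust-to-trust {
                from zone untrust;
                rule dnat-to-loop {
                    match {
                        destination-address x.x.93.227/32;
                    }
                    then {
                        destination-nat pool loop-device;
                    }
                }
            }
        }
    }
}

/* Option B: static NAT, a one-to-one mapping that translates in both
   directions, so 20.0.0.2 no longer depends on the source-nat rule-set.
   Static NAT is not bound to the interface's own address here; x.x.93.230/32
   is a placeholder for a spare address in the /27, and proxy-arp lets the SRX
   answer ARP for it on the untrust segment. */
security {
    nat {
        static {
            rule-set untrust-static {
                from zone untrust;
                rule loop-device-1to1 {
                    match {
                        destination-address x.x.93.230/32;
                    }
                    then {
                        static-nat prefix 20.0.0.2/32;
                    }
                }
            }
        }
        proxy-arp {
            interface ge-0/0/0.0 {
                address x.x.93.230/32;
            }
        }
    }
}
```

After commit, `show security nat destination rule all` (or `show security nat static rule all`) shows the translation hit counter, and `show security flow session destination-prefix 20.0.0.2` confirms sessions are being created towards the trust side. For anything beyond this test, the untrust-to-trust policy should match the translated host rather than `any`, since with NAT in place the policy is what decides how much of 20.0.0.0/24 is reachable from the outside.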

> -----Original Message-----
> From: Correa Adolfo [mailto:acorrea at mcmtelecom.com.mx]
> Sent: Monday, May 02, 2011 11:42 AM
> To: Stefan Fouant; juniper-nsp at puck.nether.net
> Subject: RE: [j-nsp] SRX240 junos 10.3 nat missbehavior? - [SPAM
> Header] - Character set not allowed
> 
> interfaces {
>     ge-0/0/0 {
>         unit 0 {
>             family inet {
>                 address x.x.93.227/27;
>             }
>         }
>     }
>     ge-0/0/2 {
>         unit 0 {
>             family ethernet-switching {
>                 port-mode access;
>                 vlan {
>                     members vlan-trust;
>                 }
>             }
>         }
>     }
>     ge-0/0/3 {
>         unit 0 {
>             family ethernet-switching {
>                 port-mode access;
>                 vlan {
>                     members vlan-trust;
>                 }
>             }
>         }
>     }
>     vlan {
>         unit 0 {
>             family inet {
>                 address 20.0.0.1/24;
>             }
>         }
>     }
> }
> routing-options {
>     static {
>         route 0.0.0.0/0 next-hop x.x.93.225;
>     }
> }
> security {
>     nat {
>         source {
>             address-persistent;
>             rule-set trust-to-untrust {
>                 from zone trust;
>                 to zone untrust;
>                 rule source-nat-rule {
>                     match {
>                         source-address 0.0.0.0/0;
>                     }
>                     then {
>                         source-nat {
>                             interface;
>                         }
>                     }
>                 }
>             }
>         }
>     }
>     screen {
>         ids-option untrust-screen {
>             icmp {
>                 ping-death;
>             }
>             ip {
>                 source-route-option;
>                 tear-drop;
>             }
>             tcp {
>                 syn-flood {
>                     alarm-threshold 1024;
>                     attack-threshold 200;
>                     source-threshold 1024;
>                     destination-threshold 2048;
>                     timeout 20;
>                 }
>                 land;
>             }
>         }
>     }
>     zones {
>         security-zone trust {
>             host-inbound-traffic {
>                 system-services {
>                     all;
>                 }
>                 protocols {
>                     all;
>                 }
>             }
>             interfaces {
>                 vlan.0 {
>                     host-inbound-traffic {
>                         system-services {
>                             all;
>                         }
>                     }
>                 }
>                 vlan.9 {
>                     host-inbound-traffic {
>                         system-services {
>                             all;
>                         }
>                     }
>                 }
>             }
>         }
>         security-zone untrust {
>             screen untrust-screen;
>             interfaces {
>                 ge-0/0/0.0 {
>                     host-inbound-traffic {
>                         system-services {
>                             dhcp;
>                             tftp;
>                             all;
>                         }
>                         protocols {
>                             all;
>                         }
>                     }
>                 }
>             }
>         }
>     }
>     policies {
>         from-zone trust to-zone untrust {
>             policy trust-to-untrust {
>                 match {
>                     source-address any;
>                     destination-address any;
>                     application any;
>                 }
>                 then {
>                     permit;
>                     count;
>                 }
>             }
>         }
>         from-zone untrust to-zone trust {
>             policy untrust1 {
>                 match {
>                     source-address any;
>                     destination-address any;
>                     application any;
>                 }
>                 then {
>                     permit;
>                     count;
>                 }
>             }
>         }
>     }
> }
> vlans {
>     vlan-trust {
>         vlan-id 3;
>         l3-interface vlan.0;
>     }
>     voz {
>         vlan-id 9;
>         l3-interface vlan.9;
>     }
> }
> 
> acorrea# run show route
> 
> inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
> + = Active Route, - = Last Active, * = Both
> 
> 0.0.0.0/0          *[Static/5] 00:08:42
>                     > to 200.52.93.225 via ge-0/0/0.0
> 20.0.0.0/24        *[Direct/0] 00:01:28
>                     > via vlan.0
> 20.0.0.1/32        *[Local/0] 00:09:00
>                       Local via vlan.0
> 192.168.9.1/32     *[Local/0] 00:09:00
>                       Reject
> x.x.93.224/27      *[Direct/0] 00:08:42
>                     > via ge-0/0/0.0
> x.x.93.227/32      *[Local/0] 00:08:51
>                       Local via ge-0/0/0.0
> 
> acorrea# run show arp
> MAC Address       Address         Name                      Interface   Flags
> 00:d0:dd:0e:30:0c 20.0.0.2        20.0.0.2                  vlan.0      none
> 00:04:96:15:8f:30 200.52.93.225   225.93.x.x.in-addr.arp    ge-0/0/0.0  none
> 00:d0:dd:0f:80:00 200.52.93.229   229.93.x.x.in-addr.arp    ge-0/0/0.0  none
> Total entries: 3
> 
> [edit]
> acorrea#
> 
> Interface: ge-0/0/3, Enabled, Link is Up
> Encapsulation: Ethernet, Speed: 1000mbps
> Traffic statistics:                                           Current delta
>   Input bytes:                   1364672 (1016000 bps)       [1327608]   // traffic is received from the source
>   Output bytes:                    41216 (0 bps)             [4608]      // no traffic forwarded to the vlan source
>   Input packets:                    1967 (127 pps)           [1395]
>   Output packets:                    644 (0 pps)             [72]
> 
> Interface: ge-0/0/0, Enabled, Link is Up
> Encapsulation: Ethernet, Speed: 1000mbps
> Traffic statistics:                                           Current delta
>   Input bytes:                   4809044 (965480 bps)        [247116]    // traffic received from the loopback
>   Output bytes:                  3452570 (977024 bps)        [246056]    // traffic sent to loopback
>   Input packets:                    8312 (126 pps)           [262]
>   Output packets:                   5720 (124 pps)           [253]
> 
> -----Original Message-----
> From: Stefan Fouant [mailto:sfouant at shortestpathfirst.net]
> Sent: viernes, 29 de abril de 2011 06:29 p.m.
> To: Correa Adolfo; juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] SRX240 junos 10.3 nat missbehavior? - [SPAM
> Header] - Character set not allowed
> 
> 
> 
> Show us the configs...
> 
> Stefan Fouant
> GPG Key ID: 0xB4C956EC
> 
> Sent from my HTC EVO.
> 
> ----- Reply message -----
> From: "Correa Adolfo" <acorrea at mcmtelecom.com.mx>
> Date: Fri, Apr 29, 2011 6:55 pm
> Subject: [j-nsp] SRX240 junos 10.3 nat missbehavior?
> To: "juniper-nsp at puck.nether.net" <juniper-nsp at puck.nether.net>
> 
> ge-0/0/0 is untrust, access to the internet
> 
> ge-0/0/3 and ge-0/0/2 trust, port mode access, vlan "x" id 3, l3 vlan.0
> 
> Source nat configured "source-nat interface"
> 
> Policies "Trust to untrust" and "untrust to trust" any any any permit
> 
> Device on ge-0/0/3 can ping device at ge-0/0/0
> 
> Laptop at ge-0/0/2 can surf the internet and shows correct ge-0/0/0 ip
> when consulted at whatsmyip
> 
> However, neither an L3 throughput test nor an RFC 2544 test can be done
> between the device at ge-0/0/3 (loop) and the device at ge-0/0/0 (source).
> 
> Monitoring interfaces I can see the traffic arriving at ge-0/0/0 but
> not being forwarded to ge-0/0/3; routes are correctly installed, as the
> ping and internet surfing show.
> 
> Any idea?
> 
