[j-nsp] SRX Static NAT - Not working in both directions

Patrick Dickey dickeypjeep at yahoo.com
Fri Sep 7 21:01:30 EDT 2012 

I'm a little confused here. Where does the 192.168.17.16 network reside?

The static NAT will only NAT the 192.168.35.200 IP when its initiating
traffic to the FROM zone in the static NAT configuration, not just
generally. 
What does a flow from the 192.168.32.x/24 network look like when trying to
get to the 192.168.35.200 (or 192.168.32.5). How about in the reverse? 

Patrick

-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net
[mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Oliver Garraux
Sent: Friday, September 07, 2012 5:08 PM
To: Brent Jones
Cc: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] SRX Static NAT - Not working in both directions

Brent, Patrick,

Thanks for the replies.

When I change the rule-set to apply to traffic from the user zone, I'm
seeing the same behavior.  The source address on traffic from the desktop
(192.168.35.200) out to the rest of the network isn't being NAT'ed.  I also
can't initiate connections to 192.168.32.5 from the rest of my network.

I've also tried putting both the user and trust zones in the rule-set.
 In that scenario, I can connect to 192.168.32.5 from outside, but the
outgoing traffic from 192.168.35.200 still isn't NAT'ed.

Thanks,

Oliver

-------------------------------------

Oliver Garraux
Check out my blog:  www.GetSimpliciti.com/blog Follow me on Twitter:
twitter.com/olivergarraux


On Fri, Sep 7, 2012 at 5:34 PM, Brent Jones <brent at brentrjones.com> wrote:
> Try to apply the static NAT policy to zone 'user' and see how that goes.
>
> On Fri, Sep 7, 2012 at 12:22 PM, Oliver Garraux <oliver at g.garraux.net>
wrote:
>> Hey,
>>
>> I recently bought an SRX and have been trying the different NAT 
>> configuration options to become more familar with JunOS.
>>
>> Static NAT isn't operating quite as I'd expect from the documentation.
>>  My understanding is that static NAT should be bidirectional, in that 
>> it should translate connections going in both directions.
>>
>> I'm using 192.168.32.0/24 on the interface connected to the rest of 
>> my network (ge-0/0/0.100), and 192.168.35.0/24 on vlan.200 on my SRX.
>> ge-0/0/0.100 is in the "trust" zone, and vlan.200 is in the "user"
>> zone.
>>
>> static {
>>     rule-set user_to_trust {
>>         from zone trust;
>>         rule desktop1 {
>>             match {
>>                 destination-address 192.168.32.5/32;
>>             }
>>             then {
>>                 static-nat prefix 192.168.35.200/32;
>>             }
>>         }
>>     }
>> }
>> proxy-arp {
>>     interface ge-0/0/0.100 {
>>         address {
>>             192.168.32.5/32;
>>         }
>>     }
>> }
>>
>>
>> I'm only seeing it translate connections coming in to the destination 
>> address (192.168.32.5).  The source address on connections initiated 
>> by the "static-nat" address (192.168.35.200 - the address on the 
>> desktop sitting behind my SRX) are not being translated to 
>> 192.168.32.5.  Am I misunderstanding how static NAT works?
>>
>> I've tried using an IP that is routed to the SRX (where no proxy-arp 
>> should have been required in that situation).  I also don't see the 
>> address being translated when I look at these flows in "show security 
>> flow session", so I don't think this is an issue with proxy-arp.  I'm 
>> permitting all traffic between the "user" and "trust" zones (in both
>> directions) in my security policies.
>>
>> Here's one of the flow entries when I try to ping from 192.168.35.200 
>> to 192.168.17.16
>>
>> Session ID: 21626, Policy name: permit-all/5, Timeout: 16, Valid
>>   In: 192.168.35.200/25622 --> 192.168.17.16/1280;icmp, If: vlan.200,
>> Pkts: 1, Bytes: 60
>>   Out: 192.168.17.16/1280 --> 192.168.35.200/25622;icmp, If:
>> ge-0/0/0.100, Pkts: 0, Bytes: 0
>>
>> Any ideas?
>>
>> Thanks,
>>
>> Oliver
>>
>> -------------------------------------
>>
>> Oliver Garraux
>> Check out my blog:  www.GetSimpliciti.com/blog Follow me on Twitter:  
>> twitter.com/olivergarraux 
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net 
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
>
>
> --
> Brent Jones
> brent at brentrjones.com
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

More information about the juniper-nsp mailing list