[j-nsp] SRX Static NAT - Not working in both directions

ashish verma ashish.scit at gmail.com
Sat Sep 8 18:43:57 EDT 2012 

are you using routing instance?


On Sat, Sep 8, 2012 at 11:01 AM, Patrick Dickey <dickeypjeep at yahoo.com>wrote:

> I'm a little confused here. Where does the 192.168.17.16 network reside?
>
> The static NAT will only NAT the 192.168.35.200 IP when its initiating
> traffic to the FROM zone in the static NAT configuration, not just
> generally.
> What does a flow from the 192.168.32.x/24 network look like when trying to
> get to the 192.168.35.200 (or 192.168.32.5). How about in the reverse?
>
> Patrick
>
> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net
> [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Oliver Garraux
> Sent: Friday, September 07, 2012 5:08 PM
> To: Brent Jones
> Cc: juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] SRX Static NAT - Not working in both directions
>
> Brent, Patrick,
>
> Thanks for the replies.
>
> When I change the rule-set to apply to traffic from the user zone, I'm
> seeing the same behavior.  The source address on traffic from the desktop
> (192.168.35.200) out to the rest of the network isn't being NAT'ed.  I also
> can't initiate connections to 192.168.32.5 from the rest of my network.
>
> I've also tried putting both the user and trust zones in the rule-set.
>  In that scenario, I can connect to 192.168.32.5 from outside, but the
> outgoing traffic from 192.168.35.200 still isn't NAT'ed.
>
> Thanks,
>
> Oliver
>
> -------------------------------------
>
> Oliver Garraux
> Check out my blog:  www.GetSimpliciti.com/blog Follow me on Twitter:
> twitter.com/olivergarraux
>
>
> On Fri, Sep 7, 2012 at 5:34 PM, Brent Jones <brent at brentrjones.com> wrote:
> > Try to apply the static NAT policy to zone 'user' and see how that goes.
> >
> > On Fri, Sep 7, 2012 at 12:22 PM, Oliver Garraux <oliver at g.garraux.net>
> wrote:
> >> Hey,
> >>
> >> I recently bought an SRX and have been trying the different NAT
> >> configuration options to become more familar with JunOS.
> >>
> >> Static NAT isn't operating quite as I'd expect from the documentation.
> >>  My understanding is that static NAT should be bidirectional, in that
> >> it should translate connections going in both directions.
> >>
> >> I'm using 192.168.32.0/24 on the interface connected to the rest of
> >> my network (ge-0/0/0.100), and 192.168.35.0/24 on vlan.200 on my SRX.
> >> ge-0/0/0.100 is in the "trust" zone, and vlan.200 is in the "user"
> >> zone.
> >>
> >> static {
> >>     rule-set user_to_trust {
> >>         from zone trust;
> >>         rule desktop1 {
> >>             match {
> >>                 destination-address 192.168.32.5/32;
> >>             }
> >>             then {
> >>                 static-nat prefix 192.168.35.200/32;
> >>             }
> >>         }
> >>     }
> >> }
> >> proxy-arp {
> >>     interface ge-0/0/0.100 {
> >>         address {
> >>             192.168.32.5/32;
> >>         }
> >>     }
> >> }
> >>
> >>
> >> I'm only seeing it translate connections coming in to the destination
> >> address (192.168.32.5).  The source address on connections initiated
> >> by the "static-nat" address (192.168.35.200 - the address on the
> >> desktop sitting behind my SRX) are not being translated to
> >> 192.168.32.5.  Am I misunderstanding how static NAT works?
> >>
> >> I've tried using an IP that is routed to the SRX (where no proxy-arp
> >> should have been required in that situation).  I also don't see the
> >> address being translated when I look at these flows in "show security
> >> flow session", so I don't think this is an issue with proxy-arp.  I'm
> >> permitting all traffic between the "user" and "trust" zones (in both
> >> directions) in my security policies.
> >>
> >> Here's one of the flow entries when I try to ping from 192.168.35.200
> >> to 192.168.17.16
> >>
> >> Session ID: 21626, Policy name: permit-all/5, Timeout: 16, Valid
> >>   In: 192.168.35.200/25622 --> 192.168.17.16/1280;icmp, If: vlan.200,
> >> Pkts: 1, Bytes: 60
> >>   Out: 192.168.17.16/1280 --> 192.168.35.200/25622;icmp, If:
> >> ge-0/0/0.100, Pkts: 0, Bytes: 0
> >>
> >> Any ideas?
> >>
> >> Thanks,
> >>
> >> Oliver
> >>
> >> -------------------------------------
> >>
> >> Oliver Garraux
> >> Check out my blog:  www.GetSimpliciti.com/blog Follow me on Twitter:
> >> twitter.com/olivergarraux
> >> _______________________________________________
> >> juniper-nsp mailing list juniper-nsp at puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/juniper-nsp
> >
> >
> >
> > --
> > Brent Jones
> > brent at brentrjones.com
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>

More information about the juniper-nsp mailing list