[j-nsp] SRX Static NAT - Not working in both directions

Oliver Garraux oliver at g.garraux.net
Mon Sep 10 02:47:48 EDT 2012


Hey,

I wasn't using a routing instance.  I had previously removed all of
the other NAT rule-sets.

Something was interfering with the static NAT config though.  I
removed all of my security configuration, along with some extraneous
other parts of the config that weren't needed for what I'm trying to
do here, reconfigured the zones, security policies, and static NAT,
and everything works as expected now.  Not sure exactly what was
causing the strange behavior before.

Thanks for your help everyone,

Oliver

-------------------------------------

Oliver Garraux
Check out my blog:  www.GetSimpliciti.com/blog
Follow me on Twitter:  twitter.com/olivergarraux


On Sat, Sep 8, 2012 at 6:43 PM, ashish verma <ashish.scit at gmail.com> wrote:
> are you using routing instance?
>
>
> On Sat, Sep 8, 2012 at 11:01 AM, Patrick Dickey <dickeypjeep at yahoo.com>
> wrote:
>>
>> I'm a little confused here. Where does the 192.168.17.16 network reside?
>>
>> The static NAT will only NAT the 192.168.35.200 IP when it's initiating
>> traffic to the FROM zone in the static NAT configuration, not just
>> generally.
>> What does a flow from the 192.168.32.x/24 network look like when trying to
>> get to the 192.168.35.200 (or 192.168.32.5)? How about in the reverse?
>>
>> Patrick
>>
>> -----Original Message-----
>> From: juniper-nsp-bounces at puck.nether.net
>> [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Oliver Garraux
>> Sent: Friday, September 07, 2012 5:08 PM
>> To: Brent Jones
>> Cc: juniper-nsp at puck.nether.net
>> Subject: Re: [j-nsp] SRX Static NAT - Not working in both directions
>>
>> Brent, Patrick,
>>
>> Thanks for the replies.
>>
>> When I change the rule-set to apply to traffic from the user zone, I'm
>> seeing the same behavior.  The source address on traffic from the desktop
>> (192.168.35.200) out to the rest of the network isn't being NAT'ed.  I
>> also
>> can't initiate connections to 192.168.32.5 from the rest of my network.
>>
>> I've also tried putting both the user and trust zones in the rule-set.
>>  In that scenario, I can connect to 192.168.32.5 from outside, but the
>> outgoing traffic from 192.168.35.200 still isn't NAT'ed.
>>
>> Thanks,
>>
>> Oliver
>>
>> -------------------------------------
>>
>> Oliver Garraux
>> Check out my blog:  www.GetSimpliciti.com/blog
>> Follow me on Twitter:  twitter.com/olivergarraux
>>
>>
>> On Fri, Sep 7, 2012 at 5:34 PM, Brent Jones <brent at brentrjones.com> wrote:
>> > Try to apply the static NAT policy to zone 'user' and see how that goes.
>> >
>> > On Fri, Sep 7, 2012 at 12:22 PM, Oliver Garraux <oliver at g.garraux.net>
>> wrote:
>> >> Hey,
>> >>
>> >> I recently bought an SRX and have been trying the different NAT
>> >> configuration options to become more familiar with JunOS.
>> >>
>> >> Static NAT isn't operating quite as I'd expect from the documentation.
>> >>  My understanding is that static NAT should be bidirectional, in that
>> >> it should translate connections going in both directions.
>> >>
>> >> I'm using 192.168.32.0/24 on the interface connected to the rest of
>> >> my network (ge-0/0/0.100), and 192.168.35.0/24 on vlan.200 on my SRX.
>> >> ge-0/0/0.100 is in the "trust" zone, and vlan.200 is in the "user"
>> >> zone.
>> >>
>> >> static {
>> >>     rule-set user_to_trust {
>> >>         from zone trust;
>> >>         rule desktop1 {
>> >>             match {
>> >>                 destination-address 192.168.32.5/32;
>> >>             }
>> >>             then {
>> >>                 static-nat prefix 192.168.35.200/32;
>> >>             }
>> >>         }
>> >>     }
>> >> }
>> >> proxy-arp {
>> >>     interface ge-0/0/0.100 {
>> >>         address {
>> >>             192.168.32.5/32;
>> >>         }
>> >>     }
>> >> }
>> >>
>> >>
>> >> I'm only seeing it translate connections coming in to the destination
>> >> address (192.168.32.5).  The source address on connections initiated
>> >> by the "static-nat" address (192.168.35.200 - the address on the
>> >> desktop sitting behind my SRX) are not being translated to
>> >> 192.168.32.5.  Am I misunderstanding how static NAT works?
>> >>
>> >> I've tried using an IP that is routed to the SRX (where no proxy-arp
>> >> should have been required in that situation).  I also don't see the
>> >> address being translated when I look at these flows in "show security
>> >> flow session", so I don't think this is an issue with proxy-arp.  I'm
>> >> permitting all traffic between the "user" and "trust" zones (in both
>> >> directions) in my security policies.
>> >>
>> >> Here's one of the flow entries when I try to ping from 192.168.35.200
>> >> to 192.168.17.16
>> >>
>> >> Session ID: 21626, Policy name: permit-all/5, Timeout: 16, Valid
>> >>   In: 192.168.35.200/25622 --> 192.168.17.16/1280;icmp, If: vlan.200,
>> >> Pkts: 1, Bytes: 60
>> >>   Out: 192.168.17.16/1280 --> 192.168.35.200/25622;icmp, If:
>> >> ge-0/0/0.100, Pkts: 0, Bytes: 0
>> >>
>> >> Any ideas?
>> >>
>> >> Thanks,
>> >>
>> >> Oliver
>> >>
>> >> -------------------------------------
>> >>
>> >> Oliver Garraux
>> >> Check out my blog:  www.GetSimpliciti.com/blog
>> >> Follow me on Twitter:  twitter.com/olivergarraux
>> >> _______________________________________________
>> >> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> >> https://puck.nether.net/mailman/listinfo/juniper-nsp
>> >
>> >
>> >
>> > --
>> > Brent Jones
>> > brent at brentrjones.com
>
>


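A small Python model of the direction rule Patrick describes in the quoted thread, added here as an illustration; it is not code from the thread or from Junos, and the "forward matches on ingress zone, reverse matches on egress zone" logic is a simplifying assumption about how the rule-set's from-zone is applied.

```python
# Added example (not from the thread): a simplified model of how an SRX
# static NAT rule-set with a single "from zone" is matched, following
# Patrick's explanation. Assumption: forward traffic entering from that
# zone for the matched destination is destination-translated; a session
# initiated by the translated host is source-translated only when it is
# heading *to* that same "from" zone.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class StaticNatRule:
    from_zone: str    # the rule-set's "from zone" stanza
    match_dst: str    # destination-address, e.g. "192.168.32.5/32"
    nat_prefix: str   # static-nat prefix, e.g. "192.168.35.200/32"


# Addresses from the thread: 192.168.32.5 (trust side) is mapped to the
# desktop 192.168.35.200 behind vlan.200 in the "user" zone.
RULE = StaticNatRule("trust", "192.168.32.5/32", "192.168.35.200/32")


def apply_static_nat(rule, in_zone, out_zone, src, dst):
    """Return the (src, dst) pair after static NAT for one new session.

    in_zone/out_zone are the ingress and egress security zones of the
    session's first packet; src/dst are dotted-quad strings.
    """
    match_net = ip_network(rule.match_dst)
    nat_net = ip_network(rule.nat_prefix)
    # Forward direction: traffic arriving from the rule-set's zone for the
    # matched destination gets its destination rewritten to the NAT prefix
    # (offset-preserving, so the model also works for prefixes wider than /32).
    if in_zone == rule.from_zone and ip_address(dst) in match_net:
        off = int(ip_address(dst)) - int(match_net.network_address)
        return src, str(nat_net.network_address + off)
    # Reverse direction: a session initiated by the translated host is
    # source-rewritten, but only when it egresses towards the "from" zone.
    if out_zone == rule.from_zone and ip_address(src) in nat_net:
        off = int(ip_address(src)) - int(nat_net.network_address)
        return str(match_net.network_address + off), dst
    # Anything else (e.g. the desktop talking to a zone other than trust)
    # is left untranslated.
    return src, dst
```

Running the model with the thread's addresses shows the trust-to-192.168.32.5 session landing on 192.168.35.200 and a session from the desktop towards the trust zone leaving with source 192.168.32.5, while a session from the desktop towards some other zone is untouched.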