[j-nsp] NAT on SRX with routed IP range
Paul Stewart
paul at paulstewart.org
Sat Feb 7 14:27:10 EST 2015
That's been my experience .... proxy arp only on the external.
Paul
-----Original Message-----
From: juniper-nsp [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of
Jonathan Call
Sent: Friday, February 6, 2015 3:00 PM
To: Tyler Christiansen
Cc: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] NAT on SRX with routed IP range
I've been reading the Juniper documentation and confirmed that the proxy-arp
statement is only needed when the NAT IP falls within the subnet range of
the external IP address of the egress interface. It will automatically
proxy-arp for all else. It also doesn't matter if it is a source, a
destination or a static NAT.
In my case, the problem turned out to be a missing route on a third party
device preventing the traffic from even reaching the SRX.
Thanks!
Date: Wed, 4 Feb 2015 14:16:02 -0800
Subject: Re: [j-nsp] NAT on SRX with routed IP range
From: tyler at adap.tv
To: lordsith49 at hotmail.com
CC: juniper-nsp at puck.nether.net
Nope. It's been a while, but I just reviewed our configuration; we removed
proxy-arp at some point. Suppose it turns out proxy-arp wasn't needed.
We also have security policy configuration like this:
> show configuration security policies from-zone untrust to-zone trust
policy <name> {
    match {
        source-address <Allowed external address>;
        destination-address <internal RFC1918 IP>;
        application [ <list of ports/applications> ];
    }
    then {
        permit;
    }
}
If you want to make the NAT work for any outside source, you could just set
source-address to any.
On Wed, Feb 4, 2015 at 2:00 PM, Jonathan Call <lordsith49 at hotmail.com>
wrote:
I'm in the process of rewriting it all as a static NAT right now.
Are you applying any IP from routed block to your external interface?
Reading the rules of proxy-arp suggests that IP range needs to reside on the
external interface.
Thanks,
Jonathan
Date: Wed, 4 Feb 2015 13:52:00 -0800
Subject: Re: [j-nsp] NAT on SRX with routed IP range
From: tyler at adap.tv
To: lordsith49 at hotmail.com
CC: juniper-nsp at puck.nether.net
Ah, sorry, I misunderstood. We're using static NAT. Here's a short
example.
> show configuration security nat static rule-set static-NATs
from zone untrust;
rule <name> {
    match {
        destination-address <external routed destination>;
        destination-port <external port>;
    }
    then {
        static-nat {
            prefix {
                <real host>;
                mapped-port <real port>;
            }
        }
    }
}
On Wed, Feb 4, 2015 at 1:08 PM, Jonathan Call <lordsith49 at hotmail.com>
wrote:
I added a proxy-arp entry:
source {
    rule-set my-lab-internal {
        from zone lab-internal;
        to zone untrust;
        rule my-lab-inet {
            match {
                source-address 192.168.2.0/26;
            }
            then {
                source-nat {
                    interface;
                }
            }
        }
    }
}
destination {
    pool lab-plasma {
        address 192.168.2.2/32 port 8080;
    }
    rule-set lab-nats {
        from zone untrust;
        rule lab-plasma-1 {
            match {
                destination-address 4.5.32.16/32;
                destination-port 8080;
            }
            then {
                destination-nat pool lab-plasma;
            }
        }
    }
}
proxy-arp {
    interface reth0.0 {
        address {
            4.5.32.16/32;
        }
    }
}
The translation hit counter from 'show security nat destination rule all'
does not increment so I'm still not hitting the NAT rule. I have the
appropriate security policy rules between the untrust and lab-internal zones
to allow 8080 inbound and anything outbound.
Jonathan
Date: Wed, 4 Feb 2015 11:45:26 -0800
Subject: Re: [j-nsp] NAT on SRX with routed IP range
From: tyler at adap.tv
To: lordsith49 at hotmail.com
CC: juniper-nsp at puck.nether.net
We use routed ranges to NAT a few hosts. The key for us was configuring
proxy-arp on the untrust interface for the IPs.
On Wed, Feb 4, 2015 at 11:24 AM, Jonathan Call <lordsith49 at hotmail.com>
wrote:
I've seen plenty of examples of a static NAT where the SRX has a public IP
range on the untrusted interface. I have not found a good one for when the
SRX has an IP range routed to it.
SRX Public IP: 4.5.6.60/30
Routed IP range (via the public interface): 4.5.32.16/28
Trusted zone: 192.168.2.1/26
show configuration security nat (hopefully this will display properly)
source {
    rule-set my-lab-internal {
        from zone lab-internal;
        to zone untrust;
        rule my-lab-inet {
            match {
                source-address 192.168.2.0/26;
            }
            then {
                source-nat {
                    interface;
                }
            }
        }
    }
}
destination {
    pool lab-plasma {
        address 192.168.2.2/32 port 8080;
    }
    rule-set lab-nats {
        from zone untrust;
        rule lab-plasma-1 {
            match {
                destination-address 4.5.32.16/32;
                destination-port 8080;
            }
            then {
                destination-nat pool lab-plasma;
            }
        }
    }
}
The result of this configuration is that no NAT occurs. But if I change the
destination-address to the SRX's external IP (4.5.6.60) it works just fine.
Jonathan
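The rule Jonathan later confirms in this thread (proxy-arp is needed only when the NAT address falls inside the egress interface's subnet) applied to the addresses of this setup, as an added example that is not from the thread or from Juniper; the interface name reth0.0 and the addresses are the thread's, the helper names and the inventory layout are assumptions.

```python
# Added example (not from the thread): classifies each NAT address relative
# to the SRX egress interface, following the rule Jonathan confirmed, and
# emits the Junos proxy-arp stanza only for addresses that actually need it.
from ipaddress import ip_interface, ip_network

# Inventory constructed from the values posted in the thread.
EGRESS_IFACE = "reth0.0"
EGRESS_ADDR = ip_interface("4.5.6.60/30")     # SRX public IP on untrust
ROUTED_BLOCKS = [ip_network("4.5.32.16/28")]  # routed to the SRX by the upstream


def classify_nat_address(nat_addr, egress=EGRESS_ADDR, routed=ROUTED_BLOCKS):
    """Return how the upstream router will reach a NAT address.

    'proxy-arp'   : inside the egress interface's subnet, so the upstream
                    ARPs for it and the SRX must answer (proxy-arp needed).
    'routed'      : inside a block routed to the SRX; the upstream never ARPs
                    for the host address, so proxy-arp is not needed.
    'unreachable' : neither, so packets never arrive at the SRX (the
                    missing-route situation Jonathan hit upstream).
    """
    net = ip_network(nat_addr, strict=False)
    if net.subnet_of(egress.network):
        return "proxy-arp"
    if any(net.subnet_of(block) for block in routed):
        return "routed"
    return "unreachable"


def needs_proxy_arp(nat_addr, egress=EGRESS_ADDR):
    """True only when the NAT address is on-link with the egress interface."""
    return classify_nat_address(nat_addr, egress, []) == "proxy-arp"


def proxy_arp_stanza(nat_addrs, iface=EGRESS_IFACE, egress=EGRESS_ADDR):
    """Build the 'security nat proxy-arp' stanza for the addresses that need
    it; returns an empty string when none do (e.g. a purely routed block)."""
    wanted = [a for a in nat_addrs if needs_proxy_arp(a, egress)]
    if not wanted:
        return ""
    lines = ["proxy-arp {", f"    interface {iface} {{", "        address {"]
    lines += [f"            {a};" for a in wanted]
    lines += ["        }", "    }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for addr in ("4.5.32.16/32", "4.5.6.61/32", "4.5.33.1/32"):
        print(addr, "->", classify_nat_address(addr))
    print(proxy_arp_stanza(["4.5.32.16/32", "4.5.6.61/32"]) or "(no proxy-arp needed)")
```

For the thread's own NAT address 4.5.32.16/32 the checker reports "routed", which matches the later finding that the proxy-arp entry was unnecessary and the real fault was a missing route upstream.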
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp