[j-nsp] NAT on SRX with routed IP range

Bill Blackford bblackford at gmail.com
Sat Feb 7 16:39:54 EST 2015


Be aware that a proxy-arp setting will get installed as a static discard. If you're redistributing statics, this may be a concern. I solved this by adding a term early in my export policy rejecting this prefix.

Sent from my iPhone
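An added example of the export-policy term described above (not configuration from this thread): it assumes the discard route the proxy-arp stanza installs for the NAT address shows up as a static route, that the policy below is the one used to export statics, and it reuses the lab prefix 4.5.32.16/32 from later in the thread; the policy and term names are made up.

```junos
policy-options {
    /* Added example, not from the thread. Applied as the export policy
       wherever static routes are redistributed. Policy and term names
       are assumptions; the prefix is the lab NAT address from the thread. */
    policy-statement EXPORT-STATICS {
        /* Early term: reject the /32 discard route that the proxy-arp
           stanza installs for the NAT address, so it is never advertised. */
        term DROP-PROXY-ARP-DISCARD {
            from {
                protocol static;
                route-filter 4.5.32.16/32 exact;
            }
            then reject;
        }
        /* Later term: redistribute the remaining static routes as before. */
        term STATICS {
            from protocol static;
            then accept;
        }
    }
}
```

Check the discard entry with `show route 4.5.32.16/32` and, for a BGP export, confirm it is gone from `show route advertising-protocol bgp <neighbor>`.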

> On Feb 7, 2015, at 11:27, "Paul Stewart" <paul at paulstewart.org> wrote:
> 
> That's been my experience .... proxy arp only on the external.
> 
> Paul
> 
> 
> -----Original Message-----
> From: juniper-nsp [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of
> Jonathan Call
> Sent: Friday, February 6, 2015 3:00 PM
> To: Tyler Christiansen
> Cc: juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] NAT on SRX with routed IP range
> 
> I've been reading the Juniper documentation and confirmed that the proxy-arp
> statement is only needed when the  NAT IP falls within the subnet range of
> the external IP address of the egress interface. It will automatically
> proxy-arp for all else. It also doesn't matter if it is a source, a
> destination or a static NAT.
> In my case, the problem turned out to be a missing route on a third party
> device preventing the traffic from even reaching the SRX.
> Thanks!
> 
> Date: Wed, 4 Feb 2015 14:16:02 -0800
> Subject: Re: [j-nsp] NAT on SRX with routed IP range
> From: tyler at adap.tv
> To: lordsith49 at hotmail.com
> CC: juniper-nsp at puck.nether.net
> 
> Nope.  It's been a while, but I just reviewed our configuration, we removed
> proxy-arp at some point.  Suppose it turns out proxy-arp wasn't needed.
> We also have security policy configuration like this:
>> show configuration security policies from-zone untrust to-zone trust
> policy <name> {
>     match {
>         source-address <Allowed external address>;
>         destination-address <internal RFC1918 IP>;
>         application [ <list of ports/applications> ];
>     }
>     then {
>         permit;
>     }
> }
> If you want to make the NAT work for any outside source, you could just set
> source-address to any.
> 
> 
> On Wed, Feb 4, 2015 at 2:00 PM, Jonathan Call <lordsith49 at hotmail.com>
> wrote:
> I'm in the process of rewriting it all as a static NAT right now.
> 
> Are you applying any IP from routed block to your external interface?
> Reading the rules of proxy-arp suggests that IP range needs to reside on the
> external interface.
> 
> Thanks,
> 
> Jonathan
> 
> Date: Wed, 4 Feb 2015 13:52:00 -0800
> 
> Subject: Re: [j-nsp] NAT on SRX with routed IP range
> 
> From: tyler at adap.tv
> 
> To: lordsith49 at hotmail.com
> 
> CC: juniper-nsp at puck.nether.net
> 
> 
> 
> Ah, sorry, I misunderstood.  We're using static NAT.  Here's a short
> example.
> 
>> show configuration security nat static rule-set static-NATs
> from zone untrust;
> rule <name> {
>     match {
>         destination-address <external routed destination>;
>         destination-port <external port>;
>     }
>     then {
>         static-nat {
>             prefix {
>                 <real host>;
>                 mapped-port <real port>;
>             }
>         }
>     }
> }
> 
> On Wed, Feb 4, 2015 at 1:08 PM, Jonathan Call <lordsith49 at hotmail.com>
> wrote:
> 
> I added a proxy-arp entry:
> 
> source {
>     rule-set my-lab-internal {
>         from zone lab-internal;
>         to zone untrust;
>         rule my-lab-inet {
>             match {
>                 source-address 192.168.2.0/26;
>             }
>             then {
>                 source-nat {
>                     interface;
>                 }
>             }
>         }
>     }
> }
> destination {
>     pool lab-plasma {
>         address 192.168.2.2/32 port 8080;
>     }
>     rule-set lab-nats {
>         from zone untrust;
>         rule lab-plasma-1 {
>             match {
>                 destination-address 4.5.32.16/32;
>                 destination-port 8080;
>             }
>             then {
>                 destination-nat pool lab-plasma;
>             }
>         }
>     }
> }
> proxy-arp {
>     interface reth0.0 {
>         address {
>             4.5.32.16/32;
>         }
>     }
> }
> 
> The translation hit counter from 'show security nat destination rule all'
> does not increment so I'm still not hitting the NAT rule. I have the
> appropriate security policy rules between the untrust and lab-internal zones
> to allow 8080 inbound and anything outbound.
> 
> Jonathan
> 
> 
> 
> Date: Wed, 4 Feb 2015 11:45:26 -0800
> 
> Subject: Re: [j-nsp] NAT on SRX with routed IP range
> 
> From: tyler at adap.tv
> 
> To: lordsith49 at hotmail.com
> 
> CC: juniper-nsp at puck.nether.net
> 
> 
> 
> We use routed ranges to NAT a few hosts.  The key for us was configuring
> proxy-arp on the untrust interface for the IPs.
> 
> On Wed, Feb 4, 2015 at 11:24 AM, Jonathan Call <lordsith49 at hotmail.com>
> wrote:
> 
> I've seen plenty of examples of a static NAT where the SRX has a public IP
> range on the untrusted interface. I have not found a good one for when the
> SRX has an IP range routed to it.
> 
> 
> 
> SRX Public IP: 4.5.6.60/30
> Routed IP range (via the public interface): 4.5.32.16/28
> Trusted zone: 192.168.2.1/26
> 
> 
> 
> show configuration security nat (hopefully this will display properly)
> 
> 
> 
> source {
>     rule-set my-lab-internal {
>         from zone lab-internal;
>         to zone untrust;
>         rule my-lab-inet {
>             match {
>                 source-address 192.168.2.0/26;
>             }
>             then {
>                 source-nat {
>                     interface;
>                 }
>             }
>         }
>     }
> }
> destination {
>     pool lab-plasma {
>         address 192.168.2.2/32 port 8080;
>     }
>     rule-set lab-nats {
>         from zone untrust;
>         rule lab-plasma-1 {
>             match {
>                 destination-address 4.5.32.16/32;
>                 destination-port 8080;
>             }
>             then {
>                 destination-nat pool lab-plasma;
>             }
>         }
>     }
> }
> 
> 
> 
> The result of this configuration is that no NAT occurs. But if I change the
> destination-address to the SRX's external IP (4.5.6.60) it works just fine.
> 
> 
> 
> Jonathan
> 
> 
> 
> _______________________________________________
> 
> 
> 
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> 
> 
> 
> https://puck.nether.net/mailman/listinfo/juniper-nsp