Juniper SRX-240: Configuring Single Address Translation

Tags: juniper, juniper-srx, nat, proxy-arp

Edit Feb 4: The issue remains relevant; any help appreciated.


Once again, I'm not a network engineer, so this must be a noob question.

Simple task: I have a server in my private network and I need to make it accessible from the public network.

After some googling I found this guide on the Juniper site (Configuring Static NAT for Single Address Translation). I did as the guide says, but I still can't access my server (ping fails).

Can someone point out where the error is in my configuration?

Also, should I be able to ping the translated IP (10.129.166.135) from the SRX CLI? I think it should work, but right now it doesn't.

Commands:

set security nat destination pool DestinationNatVideo address 192.168.3.100/32
set security nat destination rule-set RuleSetVideo from interface ge-0/0/0.0
set security nat destination rule-set RuleSetVideo rule r1 match destination-address 10.129.166.135/32
set security nat destination rule-set RuleSetVideo rule r1 then destination-nat pool DestinationNatVideo
set security address-book global address VideoReceiver 192.168.3.100/32
set security policies from-zone wan to-zone trust policy server-access match source-address any
set security policies from-zone wan to-zone trust policy server-access match destination-address VideoReceiver
set security policies from-zone wan to-zone trust policy server-access match application any
set security policies from-zone wan to-zone trust policy server-access then permit

Full config

version 11.2R4.3;
system {
    ports {
        console {
            log-out-on-disconnect;
            type vt100;
        }
    }
    name-server {
        10.128.1.22;
        10.128.1.23;
        8.8.8.8;
    }
    services {
        ssh {
            root-login allow;
        }
        telnet;
        xnm-clear-text;
        web-management {
            http {
                interface vlan.0;
            }
            https {
                system-generated-certificate;
                interface vlan.0;
            }
        }
        dhcp {
            pool 172.16.30.0/24 {
                address-range low 172.16.30.2 high 172.16.30.254;
                name-server {
                    10.128.1.22;
                    10.128.1.23;
                    8.8.8.8;
                }
                router {
                    172.16.30.1;
                }
            }
            pool 172.16.40.0/24 {
                address-range low 172.16.40.2 high 172.16.40.254;
                name-server {
                    10.128.1.22;
                    10.128.1.23;
                    8.8.8.8;
                }
                router {
                    172.16.40.1;
                }
            }
            pool 172.16.10.0/24 {
                address-range low 172.16.10.2 high 172.16.10.254;
                name-server {
                    10.128.1.22;
                    10.128.1.23;
                    8.8.8.8;
                }
                router {
                    172.16.10.1;
                }
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
interfaces {
    ge-0/0/0 {
        speed 100m;
        link-mode full-duplex;
        unit 0 {
            family ethernet-switching {
                vlan {
                    members wan;
                }
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ vlan-trust all ];
                }
                native-vlan-id 1;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ vlan-trust all ];
                }
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ vlan-trust all ];
                }
                native-vlan-id 10;
            }
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ vlan-trust all ];
                }
                native-vlan-id 10;
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/6 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/7 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/8 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/9 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/10 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/11 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/12 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/13 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/14 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/15 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    vlan {
        unit 0 {
            family inet;
        }
        unit 10 {
            family inet {
                address 172.16.10.1/24;
            }
        }
        unit 20 {
            family inet {
                address 172.16.20.1/24;
            }
        }
        unit 30 {
            family inet {
                address 172.16.30.1/24;
            }
        }
        unit 40 {
            family inet {
                address 172.16.40.1/24;
            }
        }
        unit 50 {
            family inet {
                address 172.16.50.1/24;
            }
        }
        unit 60 {
            family inet {
                address 192.168.3.1/24;
            }
        }
        unit 100 {
            family inet {
                address 10.129.166.132/25;
            }
        }
    }
}
snmp {
    client-list ss;
    community school-ro {
        authorization read-only;
        clients {
            10.143.255.2/32;
            10.143.255.6/32;
            10.143.255.10/32;
            10.143.255.14/32;
            10.143.255.42/32;
            10.136.7.5/32;
        }
    }
    trap-options;
    trap-group ESMA {
        categories {
            authentication;
            chassis;
            remote-operations;
            routing;
            startup;
            rmon-alarm;
            vrrp-events;
            configuration;
            services;
            chassis-cluster;
        }
        targets {
            10.143.255.2;
            10.143.255.6;
            10.143.255.10;
            10.143.255.14;
            10.143.255.42;
            10.136.7.5;
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 10.129.166.129;
    }
}
protocols {
    stp;
}
security {
    address-book {
        global {
            address VideoReceiver 192.168.3.100/32;
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set trust-to-wan {
                from zone trust;
                to zone wan;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            pool DestinationNatVideo {
                address 192.168.3.100/32;
            }
            rule-set RuleSetVideo {
                from interface ge-0/0/0.0;
                rule r1 {
                    match {
                        destination-address 10.129.166.135/32;
                    }
                    then {
                        destination-nat pool DestinationNatVideo;
                    }
                }
            }
        }
        proxy-arp {
            interface ge-0/0/0.0 {
                address {
                    10.129.166.135/32;
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone wan {
            policy internet {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone wan to-zone trust {
            policy server-access {
                match {
                    source-address any;
                    destination-address VideoReceiver;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
                vlan.10;
                vlan.30;
                vlan.40;
                vlan.60;
            }
        }
        security-zone untrust {
            screen untrust-screen;
        }
        security-zone wan {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.100;
            }
        }
    }
}
vlans {
    management {
        vlan-id 10;
        l3-interface vlan.10;
    }
    private-eth {
        vlan-id 20;
        l3-interface vlan.20;
    }
    private-wifi {
        vlan-id 40;
        l3-interface vlan.40;
    }
    public-eth {
        vlan-id 30;
        l3-interface vlan.30;
    }
    public-wifi {
        vlan-id 50;
        l3-interface vlan.50;
    }
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.60;
    }
    wan {
        vlan-id 100;
        l3-interface vlan.100;
    }
}

Best Answer

Do you need the server to also access the public network, or only to reply to requests from the public network? In the first case you use static NAT (bidirectional NAT); in the second you use destination NAT.

Regarding your ping tests: you're trying to ping an IP that, due to the proxy-arp config, is configured to respond only from the ge-0/0/0 interface. Maybe you could try to ping it like this: ping 10.129.166.135 source 10.129.166.132, but I'd recommend reconfiguring the "natted" IP to the server, since it will be easier to troubleshoot.

I also noticed that the vlan.60 interface is not configured in the trust zone, so, besides other issues, all the traffic to/from the vlan.60 subnet will be blocked and the NAT config won't be applied.

As a side note, I have no idea what type of public network you're connected to, but the host-inbound-traffic configuration on the wan security zone should be reduced to the absolute minimum or, if possible, removed, as this only controls the traffic to the firewall itself (for example, to allow an SSH connection or to ping the firewall from the public network).

Proposed solution with destination NAT + port-forward

This example/solution will use the address of the wan interface and map port 5000 to port 22 (SSH) of the internal address:

set security nat destination pool DestinationNatVideo address 192.168.3.100/32
set security nat destination pool DestinationNatVideo address port 22
set security nat destination rule-set RuleSetVideo from zone wan
set security nat destination rule-set RuleSetVideo rule r1 match destination-address 10.129.166.132/32
set security nat destination rule-set RuleSetVideo rule r1 match destination-port 5000
set security nat destination rule-set RuleSetVideo rule r1 then destination-nat pool DestinationNatVideo

You can also remove the line "set security nat destination pool DestinationNatVideo address port 22", and it should map port 5000 to all services of the internal IP (it's better to map one port per service instead of leaving everything open/connectable).

The version that's installed on your device is a bit old and maybe it doesn't support NAT very well (or just some parts of it), so YMMV.
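As an added illustration (my own code, not part of the question or the answer), a small Python audit over a configuration exported with "show configuration | display set" that checks the three points the answer walks through: an addressed L3 unit that sits in no security zone, a destination NAT rule-set keyed to an interface that carries no inet address instead of to the wan zone, and "host-inbound-traffic system-services all" on a zone. The sample lines are constructed from the question's config, trimmed to the statements the checks read.

```python
import re

# Constructed sample in "display set" form, trimmed from the question's config to
# the statements these checks read (not the poster's full configuration).
SAMPLE = """
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members wan
set interfaces vlan unit 20 family inet address 172.16.20.1/24
set interfaces vlan unit 60 family inet address 192.168.3.1/24
set interfaces vlan unit 100 family inet address 10.129.166.132/25
set security nat destination pool DestinationNatVideo address 192.168.3.100/32
set security nat destination rule-set RuleSetVideo from interface ge-0/0/0.0
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust interfaces vlan.60
set security zones security-zone wan host-inbound-traffic system-services all
set security zones security-zone wan interfaces vlan.100
"""

def _grab(lines, pattern):
    """Capture groups of every 'set' line matching the regex, in file order."""
    return [m.groups() for m in (re.match(pattern, l) for l in lines) if m]

def audit(config_text):
    """Return findings for the three points the answer raises; an empty list means none."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip().startswith("set ")]
    findings = []
    # Layer-3 units that carry an inet address, and every interface assigned to a zone.
    l3 = {f"{ifc}.{u}" for ifc, u in _grab(lines, r"set interfaces (\S+) unit (\d+) family inet address")}
    zoned = {i for (i,) in _grab(lines, r"set security zones security-zone \S+ interfaces (\S+)")}
    # 1. An addressed unit in no zone: the SRX drops its traffic and no NAT rule is consulted.
    for unit in sorted(l3 - zoned):
        findings.append(f"{unit} has an address but belongs to no security zone")
    # 2. A destination rule-set keyed to an interface without an inet address (here a
    #    layer-2 switch port) never sees the routed traffic; key it to the zone instead.
    for rs, ifc in _grab(lines, r"set security nat destination rule-set (\S+) from interface (\S+)"):
        if ifc not in l3:
            findings.append(f"rule-set {rs} matches from {ifc}, which carries no inet address")
    # 3. 'system-services all' lets any host in that zone reach every service on the firewall itself.
    for (zone,) in _grab(lines, r"set security zones security-zone (\S+) host-inbound-traffic system-services all"):
        findings.append(f"zone {zone} permits all system-services to the firewall itself")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```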