Hi, newbie here! I'm having a little bit of trouble when I'm trying to configure NAT on a Juniper SRX. I have 1 public IP and 1 private IP (the description of the IPs is in the picture that I'm attaching). Please help me with how to config this NAT policy. Thank you very much.
SRX NAT Configuration in 2 IP and 2 Ports
Re: SRX NAT Configuration in 2 IP and 2 Ports
up
Re: SRX NAT Configuration in 2 IP and 2 Ports
https://kb.juniper.net/KB15758
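As an added worked example (not from the KB article or from anyone in this thread), the configuration below shows the pattern the question asks about: one public address, one internal host, two TCP ports forwarded with destination NAT. The public address 203.0.113.10, the internal host 192.168.1.10, the ports 80 and 443, the interface ge-0/0/0.0 and the zone names untrust/trust are all assumed values, not taken from the thread.

```junos
## Assumed values (not from the thread): public 203.0.113.10 reachable on ge-0/0/0.0 (zone untrust),
## internal server 192.168.1.10 (zone trust), ports tcp/80 and tcp/443.

## Destination NAT pools hold the real (post-translation) address and port of the internal host
set security nat destination pool srv-http address 192.168.1.10/32 port 80
set security nat destination pool srv-https address 192.168.1.10/32 port 443

## One rule set for traffic arriving from untrust; one rule per forwarded port
set security nat destination rule-set untrust-to-srv from zone untrust
set security nat destination rule-set untrust-to-srv rule dnat-http match destination-address 203.0.113.10/32
set security nat destination rule-set untrust-to-srv rule dnat-http match destination-port 80
set security nat destination rule-set untrust-to-srv rule dnat-http then destination-nat pool srv-http
set security nat destination rule-set untrust-to-srv rule dnat-https match destination-address 203.0.113.10/32
set security nat destination rule-set untrust-to-srv rule dnat-https match destination-port 443
set security nat destination rule-set untrust-to-srv rule dnat-https then destination-nat pool srv-https

## Proxy ARP is only needed when the public address is in the interface subnet but is NOT the
## interface's own address; without it upstream devices never learn the SRX's MAC for it
set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.10/32

## Destination NAT runs before the policy lookup, so the security policy must match the
## PRIVATE address, and it should be as narrow as possible (only the two applications)
set security address-book global address srv-192-168-1-10 192.168.1.10/32
set security policies from-zone untrust to-zone trust policy allow-web match source-address any
set security policies from-zone untrust to-zone trust policy allow-web match destination-address srv-192-168-1-10
set security policies from-zone untrust to-zone trust policy allow-web match application junos-http
set security policies from-zone untrust to-zone trust policy allow-web match application junos-https
set security policies from-zone untrust to-zone trust policy allow-web then permit
set security policies from-zone untrust to-zone trust policy allow-web then log session-init
```

After commit, "show security nat destination rule all" shows the hit counters per rule and "show security flow session destination-prefix 192.168.1.10" shows whether translated sessions are actually being created; a rule with hits but no sessions usually means the security policy, not the NAT rule, is dropping the traffic.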
Re: Is it SRX5k support icap feature?
Hello,
ICAP support is released on JUNOS 18.1:
https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-ssl-proxy.html
Re: SRX100 and Unifi AP - 2 subnets on 1 interface required
I'm referring to point 2 you mentioned:
2. Interfaces vlan.1 and vlan.4 have addresses within the same subnet. You probably don’t want this, and it may not commit. If it does, you might have some unexpected results.
Yes, I am aware they are on the same subnet, but that was stated in my original question. I want devices connected to vlan.4 to be able to communicate with the office network/servers on the 192.168.1.254/24 subnet.
In this case, should I keep these 2 VLANs on interface fe-0/0/7 (vlan.3 and vlan.4), or leave this interface in vlan.1 for untagged packets to be sent to my Unifi AP and then have only 1 VLAN on this interface for subnet 10.0.20.0/24 for Home wifi?
Re: SRX100 and Unifi AP - 2 subnets on 1 interface required
I just realised that I don't have to have Office vlan.4 on the same subnet as vlan.1 for them to be able to communicate. I can just create policies to allow traffic.
SSH to FXP0
I can't SSH to the fxp0 interface. Here is my configuration:
set groups node0 interfaces fxp0 unit 0 family inet address 10.0.0.1/24
set groups node0 system services ssh
set groups node1 system host-name SRX-secondary
set groups node1 interfaces fxp0 unit 0 family inet address 10.0.0.2/24
set groups node1 system services ssh
set apply-groups "${node}"
Ping is successful, but when I try to SSH, it seems like the connection doesn't establish.
Re: Is it SRX5k support icap feature?
I was only familiar with this older offering on ScreenOS which is icap AV only.
https://kb.juniper.net/InfoCenter/index?page=content&id=KB9414
Re: IPv6 static route not working
I think you have interface ge-0/0/9 misconfigured. It looks like this should be a routed link where you can access the next hop for your default IPv6 route:
set routing-options rib inet6.0 static route ::/0 next-hop 2610:20:900c:4003::4
But the routing table only has this as a /128. To reach the next hop this has to be at least a /127 to see the next hop:
2610:20:900c:4003::5/128 *[Direct/0] 56w6d 16:02:41
                         > via ge-0/0/9.0
                          [Local/0] 78w5d 21:40:01
                            Local via ge-0/0/9.0
Without the next hop reachable the route will not install.
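As an added illustration (not part of the reply above), this is a configuration consistent with the fix described: the interface address is widened so that the next hop ::4 and the local address ::5 share one /127, which is what lets the static route resolve. The addresses are the ones quoted in the thread; the unit number is assumed to be 0.

```junos
## ::4 and ::5 form an even/odd pair, so a /127 (RFC 6164 point-to-point prefix) contains both.
## With the earlier /128 only the local address was on-link and the next hop was unreachable.
set interfaces ge-0/0/9 unit 0 family inet6 address 2610:20:900c:4003::5/127

## Default route via the far end of the link (unchanged from the thread)
set routing-options rib inet6.0 static route ::/0 next-hop 2610:20:900c:4003::4
```

"show route 2610:20:900c:4003::4" should now return a Direct route via ge-0/0/9.0, and "show route protocol static table inet6.0" should list ::/0 as active. If the next hop genuinely is not on-link, the alternative is adding the "resolve" keyword to the static route so Junos performs a recursive lookup, but that hides the addressing mistake rather than fixing it.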
unable to ssh from outside
I am unable to SSH from outside, but internally I can log in to the SRX210 device.
ge-0/0/0 untrust
ge-0/0/1 trust
------------------------- Security Zones -------------------------------------
root@# show security zones
security-zone Internal {
address-book {
address addr_192_168_2_0_24 192.168.2.0/24;
}
host-inbound-traffic {
system-services {
all;
http;
https;
ssh;
ping;
}
}
interfaces {
ge-0/0/1.0 {
host-inbound-traffic {
system-services {
ping;
http;
ssh;
}
}
}
}
}
security-zone Internet {
screen untrust-screen;
host-inbound-traffic {
system-services {
ike;
}
}
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
ssh;
ping;
}
}
}
}
}
security-zone corp-vpn {
address-book {
address net-cfgr_192-168-5-0--24 192.168.5.0/24;
}
}
---------------------------------------------------------------------------------------------------------------------------------------------------
root@ochyd> show security zones
Security zone: Internal
Send reset for non-SYN session TCP packets: Off
Policy configurable: Yes
Interfaces bound: 1
Interfaces:
ge-0/0/1.0
Security zone: Internet
Send reset for non-SYN session TCP packets: Off
Policy configurable: Yes
Screen: untrust-screen
Interfaces bound: 1
Interfaces:
ge-0/0/0.0
Security zone: junos-host
Send reset for non-SYN session TCP packets: Off
Policy configurable: Yes
Interfaces bound: 0
Interfaces:
Re: SRX100 and Unifi AP - 2 subnets on 1 interface required
Ok, I addressed all your suggestions. Please see the config attached.
The problem I'm having now is that the DHCP service I created on vlan.3 is not distributing IP addresses to clients. Any idea why?
Also, I am unable to create another DHCP server on vlan.4. After running the command below to add DHCP on vlan.4, the DHCP pool is being added to vlan.3. Any idea why?
set system services dhcp pool 192.168.10.0/24 address-range low 192.168.10.10
set system services dhcp pool 192.168.10.0/24 address-range high 192.168.10.199
set system services dhcp pool 192.168.10.0/24 router 192.168.10.1
set system services dhcp propagate-settings vlan.3
I then tried having two DHCP pools on the fe-0/0/7 interface, but that didn't work either.
Another problem: even after assigning a static IP address in the 10.0.20.0/24 subnet to my laptop, I was unable to connect to the internet, so I think there is some problem with the NAT policies.
Any problem with the config, or should I look elsewhere (switch/WAP) for problems?
Re: SRX100 and Unifi AP - 2 subnets on 1 interface required
I'm not sure I understand the reasoning for both "vlan1" and "Home", if they need to be on the same subnet, why not use a single VLAN/zone?
I haven't used the "old" method for configuring DHCP in a while, the "new style" DHCP config would look something like this:
set system services dhcp-local-server group DHCP interface vlan.20
set system services dhcp-local-server group DHCP interface vlan.22
set access address-assignment pool Home family inet network 192.168.20.0/24
set access address-assignment pool Home family inet range RANGE-20 low 192.168.20.1
set access address-assignment pool Home family inet range RANGE-20 high 192.168.20.199
set access address-assignment pool Home family inet dhcp-attributes server-identifier 192.168.20.254
set access address-assignment pool Home family inet dhcp-attributes domain-name home.com
set access address-assignment pool Home family inet dhcp-attributes name-server 192.168.20.223
set access address-assignment pool Home family inet dhcp-attributes router 192.168.20.254
set access address-assignment pool Lab family inet network 172.22.0.0/24
set access address-assignment pool Lab family inet range RANGE-172-22-0 low 172.22.0.50
set access address-assignment pool Lab family inet range RANGE-172-22-0 high 172.22.0.99
set access address-assignment pool Lab family inet dhcp-attributes server-identifier 172.22.0.254
set access address-assignment pool Lab family inet dhcp-attributes domain-name lab.com
set access address-assignment pool Lab family inet dhcp-attributes name-server 208.67.222.222
set access address-assignment pool Lab family inet dhcp-attributes name-server 208.67.220.220
set access address-assignment pool Lab family inet dhcp-attributes router 172.22.0.254
As for your NAT config, you've done it a little different than I normally would...
set security nat source rule-set Home_to_untrust from zone Home
set security nat source rule-set Home_to_untrust to zone untrust
set security nat source rule-set Home_to_untrust rule src-nat-Home match source-address 0.0.0.0/0
set security nat source rule-set Home_to_untrust rule src-nat-Home then source-nat interface
set security nat source rule-set Lab_to_untrust from zone Lab
set security nat source rule-set Lab_to_untrust to zone untrust
set security nat source rule-set Lab_to_untrust rule src-nat-Lab match source-address 0.0.0.0/0
set security nat source rule-set Lab_to_untrust rule src-nat-Lab then source-nat interface
Re: IPv6 static route not working
So changing the configuration for ge-0/0/9 from /128 to /127 did it. Once that was committed, the static route showed up.
This change makes a lot of sense when thinking about the subnets, but not knowing IPv6 very well I definitely missed it, though I didn't set it up in the first place.
Thanks for the assist spuluka.
Re: IPv6 static route not working
Glad you have it working now.
Re: unable to ssh from outside
So far the config looks good. Are you doing any destination nat port forwarding that might be interfering with the ip access to the SRX interface address?
Re: SSH to FXP0
Do you have SSH enabled under system > services?
Re: SRX NAT Configuration in 2 IP and 2 Ports
see pages 8 and following here for more detail
https://kb.juniper.net/library/CUSTOMERSERVICE/technotes/Junos_NAT_Examples.pdf
Re: SSH to FXP0
What's the error you get? Are you trying from a subnet different from 10.0.0.0/24? If it's a different subnet, then there is the possibility of asymmetric routing. Please share "show route a.b.c.d" - a.b.c.d is your source IP from where the telnet is originated.
Re: unable to ssh from outside
root@> show security nat source pool all
Total pools: 0
root@> show security nat destination pool all
Total destination-nat pools: 0
----------------------------------------------------------------------------------------
root@> show security nat destination summary
Total pools: 0
Total rules: 0
root@> show security nat source summary
Total port number usage for port translation pool: 0
Maximum port number for port translation pool: 67108864
Total pools: 0
Total rules: 1
Rule name Rule set From To Action
nsw-src-interface nsw_srcnat Internal Internet interface
Re: unable to ssh from outside
Hi,
Please add the command below:
set system services ssh
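As an added example for the "unable to ssh from outside" thread (not posted by anyone above), the configuration below combines the two things the replies point at, the SSH daemon itself and the zone/interface host-inbound-traffic, with the restrictions a practitioner would want before exposing management on an untrust interface: a loopback filter that only admits SSH from a management prefix, no root login, and connection limits. The management prefix 198.51.100.0/24, the user name "admin" and the key string are assumed placeholders; the zone name Internet and interface ge-0/0/0.0 are the ones in the poster's config.

```junos
## 1. The SSH daemon must be enabled globally; host-inbound-traffic alone does nothing
set system services ssh
set system services ssh protocol-version v2
set system services ssh root-login deny
set system services ssh connection-limit 5
set system services ssh rate-limit 3

## Non-root admin user with key authentication (replace the placeholder with a real public key)
set system login user admin class super-user
set system login user admin authentication ssh-rsa "ssh-rsa AAAA-PLACEHOLDER-PUBLIC-KEY"

## 2. Allow SSH to reach the RE on the untrust interface (as in the thread's zone config)
set security zones security-zone Internet interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh

## 3. Loopback filter: traffic to the SRX's own addresses passes through lo0, so this
##    restricts who may reach tcp/22 regardless of which zone it arrives on.
##    Assumed management prefix 198.51.100.0/24 (not from the thread).
set firewall family inet filter protect-re term mgmt-ssh from source-address 198.51.100.0/24
set firewall family inet filter protect-re term mgmt-ssh from protocol tcp
set firewall family inet filter protect-re term mgmt-ssh from destination-port ssh
set firewall family inet filter protect-re term mgmt-ssh then accept
set firewall family inet filter protect-re term drop-other-ssh from protocol tcp
set firewall family inet filter protect-re term drop-other-ssh from destination-port ssh
set firewall family inet filter protect-re term drop-other-ssh then log
set firewall family inet filter protect-re term drop-other-ssh then discard
set firewall family inet filter protect-re term allow-rest then accept
set interfaces lo0 unit 0 family inet filter input protect-re
```

"show system services" confirms the daemon is on, "show security zones Internet" confirms ssh under host-inbound-traffic for ge-0/0/0.0, and "show firewall log" shows any dropped SSH attempts from outside the management prefix. Commit with "commit confirmed" when changing the lo0 filter remotely, so that a mistake in the filter rolls back instead of locking you out.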