wrote: Can you configure IP 172.20.15.172 on the lo0.0 interface and check if you can ping any address on the WAN with src 172.20.15.172?
I tried to configure a loopback interface as suggested:
set interfaces lo0 unit 0 description "Loopback for testing NAT issue using 172.20.15.x as NAT pool"
set interfaces lo0 unit 0 family inet address 172.20.15.172/24
I then initiated a ping to the outside:
root@GreatGazoo> ping verbose inet 23.216.159.40 source 172.20.15.172 record-route no-resolve
PING 23.216.159.40 (23.216.159.40): 56 data bytes
While monitoring the WAN facing interface (ge-0/0/0):
root@GreatGazoo> monitor traffic interface ge-0/0/0 no-resolve matching "src 172.20.15.172"
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is OFF.
Listening on ge-0/0/0, capture size 96 bytes
19:56:55.594415 Out IP truncated-ip - 64 bytes missing! 172.20.15.172 > 23.216.159.40: [|icmp]
19:56:56.597524 Out IP truncated-ip - 64 bytes missing! 172.20.15.172 > 23.216.159.40: [|icmp]
19:56:57.599450 Out IP truncated-ip - 64 bytes missing! 172.20.15.172 > 23.216.159.40: [|icmp]
19:56:58.603074 Out IP truncated-ip - 64 bytes missing! 172.20.15.172 > 23.216.159.40: [|icmp]
19:56:59.604790 Out IP truncated-ip - 64 bytes missing! 172.20.15.172 > 23.216.159.40: [|icmp]
19:57:00.606073 Out IP truncated-ip - 64 bytes missing! 172.20.15.172 > 23.216.159.40: [|icmp]
19:57:01.607512 Out IP truncated-ip - 64 bytes missing! 172.20.15.172 > 23.216.159.40: [|icmp]
19:57:02.609225 Out IP truncated-ip - 64 bytes missing! 172.20.15.172 > 23.216.159.40: [|icmp]
19:57:03.610746 Out IP truncated-ip - 64 bytes missing! 172.20.15.172 > 23.216.159.40: [|icmp]
19:57:04.616081 Out IP truncated-ip - 64 bytes missing! 172.20.15.172 > 23.216.159.40: [|icmp]
Clearly the echo request was getting out of the interface (or at least to the point where monitor traffic saw it), but there appears to be no attempt at a reply. I'm guessing I may have something else that isn't set up properly? There should not be any firewall filters in between, as there are only input filters on ge-0/0/0, and I did not see any deny messages.
I don't have any routing instances set up, but maybe I need to add a security policy to allow the 172.20.15.x out? Since I'm pinging from an inside interface (lo0) that isn't included in any zone, could that be why it appears not to leave?
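The checks a practitioner would run on this setup before changing anything, followed by the one configuration line the last question points at. This is an added example, not part of the original post or of any reply to it; the zone name `trust` is an assumption and must be replaced with whichever zone the inside interfaces actually belong to. The `truncated-ip - 64 bytes missing!` text in the capture above is a tcpdump snaplen artifact (the capture size is 96 bytes and the record-route option enlarges the IP header), not evidence of a damaged packet, so the capture below raises the size and also matches the return direction.

```junos
## 1. Capture both directions with a snaplen large enough for the full packet,
##    so a reply (if one ever arrives on ge-0/0/0) is visible and nothing is reported truncated.
monitor traffic interface ge-0/0/0 no-resolve size 1500 matching "icmp and (src 172.20.15.172 or dst 172.20.15.172)"

## 2. Did the flow module create a session for the probe? A session with only the
##    "In" wing populated means the request left but no reply was ever matched to it;
##    no session at all means the packet was never handled by flow.
show security flow session source-prefix 172.20.15.172 destination-prefix 23.216.159.40

## 3. Which zone (if any) is lo0.0 in, and is the 172.20.15.x range really a NAT pool here?
show security zones
show interfaces lo0.0 terse
show security nat source pool all
show security nat source rule all

## 4. If lo0.0 is in no zone, assign it to the inside zone (zone name "trust" is assumed here).
set security zones security-zone trust interfaces lo0.0
commit check
```

Two caveats. Putting lo0.0 into a zone only tells the flow module which zone the interface belongs to; it does not create a route on the upstream side. A ping sourced from 172.20.15.172 can only be answered if the provider routes 172.20.15.0/24 back toward ge-0/0/0, which is what the original request was meant to test, so an empty reply column in the capture and a session with no reply wing are consistent with the upstream simply having no return route for that prefix. Run the checks in steps 1 to 3 first; they separate "the packet never entered flow" from "the packet left and nothing came back" without changing the device.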