Re: SRX VPN tunnel with NAT to the Internet
I can ping the 172.17.1.1 from the 172.16.12.x network. I can ping 172.17.1.2, which is connected to ge-0/0/2, from this SRX. I cannot ping 172.17.1.2 from the 172.16.12.x network.
Re: SRX VPN tunnel with NAT to the Internet
Ok. Can you ping 172.17.1.1 from a host on the 172.17.1.0/24 network? From the same host on the 172.17.1.0/24 network, can you do tracert to, say, www.google.com? Take a look at the following article...
Re: SRX VPN tunnel with NAT to the Internet
I can ping from 172.17.1.0/24 to 172.17.1.1. I cannot trace beyond 172.17.1.1.
Re: SRX VPN tunnel with NAT to the Internet
Look on the bright side: your policies are correct, and NAT is correct. Is there any chance you can capture the traffic on 172.17.1.3 so we can see if you're getting the return traffic properly?
Re: SRX VPN tunnel with NAT to the Internet
Also, which model SRX and software version are you running?
Traffic hair-pinning with static NAT
Hi, guys, I have a not-so-standard request from our application team, please refer to the following topology: HostA (192.168.0.1/24), HostB (192.168.0.2/24) -----> (SRX trusted interface...
Re: Traffic hair-pinning with static NAT
You said "not yet" in there, so I'm guessing this would be "temporary" ... I'm not sure if the SRX will do it, but you could hack the setup by assigning 1.2.3.1 and 1.2.3.2 as secondary IPs on Host A...
Re: Can SRX series work with Shrew Soft VPN client?
The issue has NOT been resolved. It's been with Juniper support for 2 weeks. We've been trying to pinpoint when the issue started, we think it was in the Summer, when Juniper advised a firmware upgrade...
Re: Traffic hair-pinning with static NAT
Thanks, that hack won't work for us, hosts are actually ephemeral (one reason why split DNS implementation is not trivial), the NAT entries on SRX are configured programmatically.
Re: Traffic hair-pinning with static NAT
Well, in that case, why not D-NAT + S-NAT from the trusted zone to the trusted zone... Also, this: http://66.129.228.18/techpubs/en_US/junos15.1x49-d60/topics/concept/nat-hairpinning-overview.html
Using SNMP to monitor SPU; what are MIBS
Hello, I enabled SNMP on my SRX100H2. Using this I can monitor interface bandwidth. I would also like to monitor SPU, but that appears to not be available (per snmpwalk). Is it possible for SNMP to...
Re: Traffic hair-pinning with static NAT
Take a look at these articles and see if anyone address your...
Re: RT_ALT_WRN_CFG_NEED: MSRPC ALG detected packet; needs extra policy
Sounds good to me. So in your case you simply disable this ALG to prevent unintended behavior.
Re: Upgrading from 12.1X44-D40 to 12.1X46-D60 fails
I had this idea too. I took the snapshot from an SRX 240 (because snapshots from branch devices should work with each other). While the install package is the same there are differences in the...
Re: Using SNMP to monitor SPU; what are MIBS
To find the OID of particular parameters you want to monitor on the SPU you can search the Juniper MIB explorer for those you don't see in a walk. https://contentapps.juniper.net/mib-explorer/ You...
Re: Traffic hair-pinning with static NAT
As I understand your scenario, you will need to convert off of static nat and start using the combination of destination and source nat in order to accomplish the hairpin. You should be able to do that...
Re: Lots of tunnels ok but ONE route-based VPN tunnel to Cisco ASA passes...
Below is a snip from the kmd debug log for the VPN in question. All the other IPsec VPNs are fine and work well. Dec 10 16:39:40 [198.XXX.XXX.XXX <-> 189.XXX.XXX.XXX]...
Re: Traffic hair-pinning with static NAT
Hello, Can you give me relevant configuration of the existing NAT on the device for Host A & Host B? I think there is a way to achieve this. Regards, Rushi
Re: Traffic hair-pinning with static NAT
Hello, Logically speaking, this should work with configuration below: Part 1) Add a context of zone trust (in addition to untrust) for the static NAT. root# show security nat static rule-set test {...