Destination NAT, SRX240 problems



  • Guys, how does this config look?  Basically wanting to NAT anything coming from my untrusted zone on ports 443 and 25 to a specific server in the trusted zone.  Here's the config:

    destination {
        pool exchange-int {
            address 172.16.x.x/32 port 25;
        }
        pool Exchange-OWA {
            address 172.16.x.x/32 port 443;
        }
        rule-set exchange-rs {
            from interface reth1.0;
        }
        rule-set SMTP_TEST {
            from zone untrust;
            rule Exchange-SMTP {
                match {
                    destination-address 1.1.1.1/32;
                    destination-port 25;
                }
                then {
                    destination-nat pool exchange-int;
                }
            }
        }

        rule-set OWA_TEST {
            from zone untrust;
            rule XCHANGE-OWA {
                match {
                    destination-address 1.1.1.1/32;
                    destination-port 443;
                }
                then {
                    destination-nat pool Exchange-OWA;
                }
            }
        }
    }

    Here's my security policy from zone untrust to zone trust:

    policy exchange-pol {
        match {
            source-address any;
            destination-address exchange-server;
            application junos-smtp;
        }
        then {
            permit;
            log {
                session-init;
            }
        }
    }

    policy exchange-owa {
        match {
            source-address any;
            destination-address exchange-server;
            application junos-https;
        }
        then {
            permit;
            log {
                session-init;
                session-close;
            }
            count;
        }
    }

    So I am getting NAT translation hits, but nothing happens.  Nothing is logged under my security policies... it's almost as if it's NATting, and then never hitting my security policies at all!?!? Any help is appreciated fellas (and gals!)

    So my reth1.0 interface is programmed as, say, 1.1.1.1/29.

    When I try to configure proxy-arp I get this:

    [edit security nat proxy-arp interface reth1.0]
      'address 1.1.1.1/32'
        Proxy ARP IP address range [1.1.1.1 1.1.1.1] overlaps with interface IP address range [1.1.1.1 1.1.1.1] defined on interface 'reth1.0'
    error: configuration check-out failed

    What's up with that?  I thought I followed the config doc exactly??



  • Hi.

    I would try to move your:
    from interface reth1.0; (under "rule-set exchange-rs")

    to: rule-set SMTP_TEST
    and: rule-set OWA_TEST

    You can't make a proxy ARP entry for an IP you are already using.

    Best regards
    Jonas Ø. Pedersen

    Juniper networks specialist
    (Juniper - Master of systems Engineering Award 2010)
    EX, SSG, SRX, UAC, and SA

    www.itplaneten.dk / www.jnpr.dk
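An added example, not the configuration from either post above: the same two-port destination NAT laid out the way I would write it on an SRX, in set format. It keeps both rules in one rule-set, writes the security policy against the translated internal address (destination NAT is applied before the policy lookup on the SRX, so a policy whose destination-address resolves to the public IP will never match), and reserves proxy-arp for a public address that is not already configured on reth1.0. The zone names untrust/trust, the pool and address-book names, the /29 on reth1.0 and the second public address 1.1.1.2 are assumptions; 172.16.x.x is left as the placeholder the poster used.

```junos
## Added example config, not the original poster's; addresses and names are assumed.

## Destination pools: one per translated port
set security nat destination pool exchange-int address 172.16.x.x/32 port 25
set security nat destination pool Exchange-OWA address 172.16.x.x/32 port 443

## One rule-set keyed on the untrust zone, holding both rules
set security nat destination rule-set exchange-rs from zone untrust
set security nat destination rule-set exchange-rs rule Exchange-SMTP match destination-address 1.1.1.1/32
set security nat destination rule-set exchange-rs rule Exchange-SMTP match destination-port 25
set security nat destination rule-set exchange-rs rule Exchange-SMTP then destination-nat pool exchange-int
set security nat destination rule-set exchange-rs rule XCHANGE-OWA match destination-address 1.1.1.1/32
set security nat destination rule-set exchange-rs rule XCHANGE-OWA match destination-port 443
set security nat destination rule-set exchange-rs rule XCHANGE-OWA then destination-nat pool Exchange-OWA

## The policy is evaluated after destination NAT, so the address-book entry
## it matches on must be the internal (post-NAT) address, in the trust zone
set security zones security-zone trust address-book address exchange-server 172.16.x.x/32

set security policies from-zone untrust to-zone trust policy exchange-pol match source-address any
set security policies from-zone untrust to-zone trust policy exchange-pol match destination-address exchange-server
set security policies from-zone untrust to-zone trust policy exchange-pol match application junos-smtp
set security policies from-zone untrust to-zone trust policy exchange-pol then permit
set security policies from-zone untrust to-zone trust policy exchange-pol then log session-init

set security policies from-zone untrust to-zone trust policy exchange-owa match source-address any
set security policies from-zone untrust to-zone trust policy exchange-owa match destination-address exchange-server
set security policies from-zone untrust to-zone trust policy exchange-owa match application junos-https
set security policies from-zone untrust to-zone trust policy exchange-owa then permit
set security policies from-zone untrust to-zone trust policy exchange-owa then log session-init
set security policies from-zone untrust to-zone trust policy exchange-owa then log session-close
set security policies from-zone untrust to-zone trust policy exchange-owa then count

## Proxy-ARP is only for addresses inside reth1.0's subnet that are NOT assigned
## to the interface. 1.1.1.1 is the interface's own address, so the SRX already
## answers ARP for it and a proxy-arp entry is rejected (the overlap error above).
## A second public address in the /29, assumed here as 1.1.1.2, would need one:
set security nat proxy-arp interface reth1.0 address 1.1.1.2/32

## Verification, operational mode: NAT rule hits, the live sessions with their
## translated destination, and policy hit counts
## show security nat destination rule all
## show security flow session destination-port 25
## show security flow session destination-port 443
## show security policies hit-count
```

If the NAT rule counters climb but the policy hit-count stays at zero, compare the session's translated destination in `show security flow session` with what the policy's address-book entry resolves to; the two must be the same internal address.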

