Hi Correa,

You stated your issue was that you have traffic arriving at the ge-0/0/0 interface (Untrust) but you do not see it being forwarded towards the ge-0/0/3 interface (Trust). Everything is perfect with your configuration, except that you don't have a NAT policy to translate traffic originating from the Untrust side destined for the Trust side. You have two options to fix this: you can replace your source-nat configuration with a static-nat configuration, which essentially creates bidirectional NAT, or you'll need to configure a destination-nat stanza in addition to your source-nat configuration.
Please note, you can choose to use either Static NAT or Destination NAT in this simple test, but which one you choose for production depends on a lot of variables and the control you want over your NAT operations. I advise you take a look at Juniper's documentation set to get a better understanding of the differences between the two in order to choose the one which is most appropriate for your situation. You have the appropriate policies in place and your setup is very simple from a routing perspective, so you shouldn't have any problems there. Simply configure the appropriate NAT policy to allow for inbound NAT translation and you should be good to go.

Stefan Fouant, CISSP, JNCIEx2
www.shortestpathfirst.net
GPG Key ID: 0xB4C956EC

> -----Original Message-----
> From: Correa Adolfo [mailto:[email protected]]
> Sent: Monday, May 02, 2011 11:42 AM
> To: Stefan Fouant; [email protected]
> Subject: RE: [j-nsp] SRX240 junos 10.3 nat missbehavior? - [SPAM
> Header] - Character set not allowed
>
> > interfaces {
> >     ge-0/0/0 {
> >         unit 0 {
> >             family inet {
> >                 address x.x.93.227/27;
> >             }
> >         }
> >     }
> >     ge-0/0/2 {
> >         unit 0 {
> >             family ethernet-switching {
> >                 port-mode access;
> >                 vlan {
> >                     members vlan-trust;
> >                 }
> >             }
> >         }
> >     }
> >     ge-0/0/3 {
> >         unit 0 {
> >             family ethernet-switching {
> >                 port-mode access;
> >                 vlan {
> >                     members vlan-trust;
> >                 }
> >             }
> >         }
> >     }
> >     vlan {
> >         unit 0 {
> >             family inet {
> >                 address 20.0.0.1/24;
> >             }
> >         }
> >     }
> > }
> > routing-options {
> >     static {
> >         route 0.0.0.0/0 next-hop x.x.93.225;
> >     }
> > }
> > security {
> >     nat {
> >         source {
> >             address-persistent;
> >             rule-set trust-to-untrust {
> >                 from zone trust;
> >                 to zone untrust;
> >                 rule source-nat-rule {
> >                     match {
> >                         source-address 0.0.0.0/0;
> >                     }
> >                     then {
> >                         source-nat {
> >                             interface;
> >                         }
> >                     }
> >                 }
> >             }
> >         }
> >     }
> >     screen {
> >         ids-option untrust-screen {
> >             icmp {
> >                 ping-death;
> >             }
> >             ip {
> >                 source-route-option;
> >                 tear-drop;
> >             }
> >             tcp {
> >                 syn-flood {
> >                     alarm-threshold 1024;
> >                     attack-threshold 200;
> >                     source-threshold 1024;
> >                     destination-threshold 2048;
> >                     timeout 20;
> >                 }
> >                 land;
> >             }
> >         }
> >     }
> >     zones {
> >         security-zone trust {
> >             host-inbound-traffic {
> >                 system-services {
> >                     all;
> >                 }
> >                 protocols {
> >                     all;
> >                 }
> >             }
> >             interfaces {
> >                 vlan.0 {
> >                     host-inbound-traffic {
> >                         system-services {
> >                             all;
> >                         }
> >                     }
> >                 }
> >                 vlan.9 {
> >                     host-inbound-traffic {
> >                         system-services {
> >                             all;
> >                         }
> >                     }
> >                 }
> >             }
> >         }
> >         security-zone untrust {
> >             screen untrust-screen;
> >             interfaces {
> >                 ge-0/0/0.0 {
> >                     host-inbound-traffic {
> >                         system-services {
> >                             dhcp;
> >                             tftp;
> >                             all;
> >                         }
> >                         protocols {
> >                             all;
> >                         }
> >                     }
> >                 }
> >             }
> >         }
> >     }
> >     policies {
> >         from-zone trust to-zone untrust {
> >             policy trust-to-untrust {
> >                 match {
> >                     source-address any;
> >                     destination-address any;
> >                     application any;
> >                 }
> >                 then {
> >                     permit;
> >                     count;
> >                 }
> >             }
> >         }
> >         from-zone untrust to-zone trust {
> >             policy untrust1 {
> >                 match {
> >                     source-address any;
> >                     destination-address any;
> >                     application any;
> >                 }
> >                 then {
> >                     permit;
> >                     count;
> >                 }
> >             }
> >         }
> >     }
> > }
> > vlans {
> >     vlan-trust {
> >         vlan-id 3;
> >         l3-interface vlan.0;
> >     }
> >     voz {
> >         vlan-id 9;
> >         l3-interface vlan.9;
> >     }
> > }
> >
> > acorrea# run show route
> >
> > inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
> > + = Active Route, - = Last Active, * = Both
> >
> > 0.0.0.0/0          *[Static/5] 00:08:42
> >                     > to 200.52.93.225 via ge-0/0/0.0
> > 20.0.0.0/24        *[Direct/0] 00:01:28
> >                     > via vlan.0
> > 20.0.0.1/32        *[Local/0] 00:09:00
> >                       Local via vlan.0
> > 192.168.9.1/32     *[Local/0] 00:09:00
> >                       Reject
> > x.x.93.224/27      *[Direct/0] 00:08:42
> >                     > via ge-0/0/0.0
> > x.x.93.227/32      *[Local/0] 00:08:51
> >                       Local via ge-0/0/0.0
> >
> > acorrea# run show arp
> > MAC Address        Address          Name                     Interface    Flags
> > 00:d0:dd:0e:30:0c  20.0.0.2         20.0.0.2                 vlan.0       none
> > 00:04:96:15:8f:30  200.52.93.225    225.93.x.x.in-addr.arp   ge-0/0/0.0   none
> > 00:d0:dd:0f:80:00  200.52.93.229    229.93.x.x.in-addr.arp   ge-0/0/0.0   none
> > Total entries: 3
> >
> > [edit]
> > acorrea#
> >
> > Interface: ge-0/0/3, Enabled, Link is Up
> > Encapsulation: Ethernet, Speed: 1000mbps
> > Traffic statistics:                              Current        delta
> >   Input bytes:          1364672 (1016000 bps)   [1327608]   //traffic is received from the source
> >   Output bytes:           41216 (0 bps)            [4608]   // no traffic forwarded to the vlan source
> >   Input packets:           1967 (127 pps)          [1395]
> >   Output packets:           644 (0 pps)              [72]
> >
> > Interface: ge-0/0/0, Enabled, Link is Up
> > Encapsulation: Ethernet, Speed: 1000mbps
> > Traffic statistics:                              Current        delta
> >   Input bytes:          4809044 (965480 bps)     [247116]   //traffic received from the loopback
> >   Output bytes:         3452570 (977024 bps)     [246056]   //traffic sent to loopback
> >   Input packets:           8312 (126 pps)           [262]
> >   Output packets:          5720 (124 pps)           [253]
>
> -----Original Message-----
> From: Stefan Fouant [mailto:[email protected]]
> Sent: Friday, April 29, 2011 06:29 p.m.
> To: Correa Adolfo; [email protected]
> Subject: Re: [j-nsp] SRX240 junos 10.3 nat missbehavior? - [SPAM
> Header] - Character set not allowed
>
> Show us the configs...
>
> Stefan Fouant
> GPG Key ID: 0xB4C956EC
>
> Sent from my HTC EVO.
>
> ----- Reply message -----
> From: "Correa Adolfo" <[email protected]>
> Date: Fri, Apr 29, 2011 6:55 pm
> Subject: [j-nsp] SRX240 junos 10.3 nat missbehavior?
> To: "[email protected]" <[email protected]>
>
> ge-0/0/0 is untrust, access to the internet
>
> ge-0/0/3 and ge-0/0/2 trust, port mode access, vlan "x" id 3, l3 vlan.0
>
> Source nat configured "source-nat interface"
>
> Policies "Trust to untrust" and "untrust to trust" any any any permit
>
> Device on ge-0/0/3 can ping device at ge-0/0/0
> Laptop at ge-0/0/2 can surf the internet and shows the correct ge-0/0/0 IP
> when checked at whatsmyip
>
> However, neither an L3 throughput test nor an RFC 2544 test can be done between
> the device at ge-0/0/3 (loop) and the device at ge-0/0/0 (source).
>
> Monitoring the interfaces I can see the traffic arriving at ge-0/0/0 but
> not being forwarded to ge-0/0/3; routes are correctly installed, as the
> ping and internet surfing show.
>
> Any idea?
>
> _______________________________________________
> juniper-nsp mailing list [email protected]
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
> MCM Telecom <http://www.mcmtelecom.com.mx>
> Find us on Facebook <http://www.facebook.com/pages/MCM-Telecom/268611905815?ref=ts>
> Follow us on Twitter <http://twitter.com/mcmtelecom>

_______________________________________________
juniper-nsp mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp
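The static NAT option Stefan describes, written out for the posted setup as an added example (this is not configuration from the thread or from Juniper; it is built on the posted config and keeps its x.x redaction). It assumes that x.x.93.230 is an unused address in the x.x.93.224/27 subnet on ge-0/0/0 and that the RFC 2544 loop device is the 20.0.0.2 host seen in the ARP table on vlan.0; the rule-set and rule names are arbitrary. The stanza is meant to be merged on top of the existing security hierarchy; the existing source NAT rule-set stays in place for the laptop on ge-0/0/2.

```junos
/* Added example: static NAT so that the untrust-side source can reach the
   loop device (20.0.0.2, behind vlan.0) at x.x.93.230. The public address
   is an assumption: any free address in x.x.93.224/27 other than the
   interface address .227 works. Merge with 'load merge' on top of the
   posted configuration. */
security {
    nat {
        static {
            rule-set untrust-to-trust {
                from zone untrust;
                rule loop-device {
                    match {
                        destination-address x.x.93.230/32;
                    }
                    then {
                        static-nat prefix 20.0.0.2/32;
                    }
                }
            }
        }
        /* The SRX only owns .227 on ge-0/0/0. Without proxy ARP for .230
           the upstream router (.225) never resolves the translated address
           and the inbound test traffic never reaches the box. */
        proxy-arp {
            interface ge-0/0/0.0 {
                address {
                    x.x.93.230/32;
                }
            }
        }
    }
}
```

Two things to keep in mind when testing. First, the source on the ge-0/0/0 side must target x.x.93.230, not 20.0.0.2; the untrust-to-trust policy is evaluated against the translated (real) destination 20.0.0.2, which the existing any/any permit already covers. Second, static NAT is bidirectional and takes precedence over the source NAT rule for the matched host, so 20.0.0.2's own outbound traffic now leaves as x.x.93.230 while the laptop on ge-0/0/2 keeps using the interface address. If that side effect is unwanted, the destination NAT option (a pool under `security nat destination` plus a rule-set `from zone untrust`) translates only the inbound flow and leaves outbound traffic under the interface source NAT. Check hit counts with `show security nat static rule all` and confirm the sessions with `show security flow session destination-prefix 20.0.0.2` while the test is running.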

