[KB17448] Show KB Properties
Summary:
When accessing a static IP from inside your network, it does not work without configuring settings to do so.
Problem or Goal:
The goal is to be able to access the Static NAT from inside your trusted network. By default you can access it inbound but not from inside.
Solution:
Topology:
Egress interface is on fe-2/0/0 which is in the untrust zone and the external address is 10.8.24.195.
Ingress is on ge-0/0/0 which is in the trust zone and the internal address is 10.3.1.135 which is the exchange server for ex.
10.8.24.195
|
\|/
fe-2/0/0
|
|NAT through the SRX or J-Series device
ge-0/0/0 is 10.3.1.1
|
inside the trust zone is the exchange server at 10.3.1.135
//即在內網輸入自己外網的地址,自動轉到自己內網的服務器上.在該案例上面,fe-2/0/0與ge-0/0/0可以理解爲都是trust,或者就爲案例中那樣
A node inside the network pointing at 10.8.24.195 has to go through the SRX or J-Series device to access the NAT pointing to 10.3.1.135. If the settings are not set on the SRX or J-Series device, the NAT will not work for internal users.
You must do the following:
1) edit security nat static
(create your source nat for interzone)
nat {
source {
rule-set out {
from zone trust;
to zone untrust;
rule-set trust_to_trust { <------create a source rule from zone to zone
from zone trust;
to zone trust;
rule exchange {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
(Create a static NAT under security NAT)
static { <---------create a static nat
rule-set inboundmail {
from interface [ ge-0/0/0.0 fe-0/0/2.0 ]; <-------add the external as well as the internal interface
rule exchange {
match {
destination-address 10.8.24.195/32;
}
then {
static-nat prefix 10.3.1.135/32;
}
}
}
}
(Remember to set your proxy arp)
proxy-arp {
interface fe-0/0/2.0 { <------add the proxy arp for the static nat that you created
address {
10.8.24.195/32;
}
}
}
}
(Create your policy for inbound NAT under security policy)
from-zone untrust to-zone trust { <-------here is your inbound policy
policy inbound {
match {
source-address any;
destination-address exchange;
application any;
}
then {
permit;
}
}
}
}
(Create a policy from trust to trust for internal zone) <--------create a intra zone policy
from-zone trust to-zone trust
policy inbound {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
---------------------------------------------------------------------------------------------------------------------------------------
eg.
admin# show | no-more
## Last changed: 2013-12-31 05:09:07 UTC
version 11.4R9.4;
system {
root-authentication {
encrypted-password "$1$kUz827d7$vI9W0bihpVzVvnNSaAN/80"; ## SECRET-DATA
}
login {
user admin {
uid 2000;
class super-user;
authentication {
encrypted-password "$1$5DzKGy3I$diogTOfyufxR5/9o37u8f."; ## SECRET-DATA
}
}
}
services {
ssh;
telnet;
web-management {
http {
interface [ vlan.0 ge-0/0/1.0 ge-0/0/2.0 ge-0/0/4.0 ];
}
https {
system-generated-certificate;
interface [ vlan.0 ge-0/0/4.0 ];
}
}
inactive: dhcp {
name-server {
61.128.128.68;
}
pool 10.10.2.0/24 {
address-range low 10.10.2.101 high 10.10.2.200;
router {
10.10.2.1;
}
}
pool 10.10.3.0/24 {
address-range low 10.10.3.101 high 10.10.3.200;
router {
10.10.3.1;
}
}
pool 10.10.5.0/24 {
address-range low 10.10.5.2 high 10.10.5.250;
router {
10.10.5.1;
}
}
pool 10.10.6.0/24 {
address-range low 10.10.6.101 high 10.10.6.200;
router {
10.10.6.1;
}
}
pool 10.10.7.0/24 {
address-range low 10.10.7.101 high 10.10.7.200;
router {
10.10.7.1;
}
}
pool 10.10.8.0/24 {
address-range low 10.10.8.101 high 10.10.8.200;
router {
10.10.8.1;
}
}
}
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
}
chassis {
alarm {
##
## Warning: configuration block ignored: unsupported platform (srx240b)
##
management-ethernet {
link-down ignore;
}
integrated-services {
failure ignore;
}
}
}
interfaces {
interface-range interfaces-trust {
member ge-0/0/5;
member ge-0/0/6;
member ge-0/0/7;
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
interface-range YiDong-Switch {
member ge-0/0/8;
member ge-0/0/9;
member ge-0/0/10;
member ge-0/0/11;
unit 0 {
family ethernet-switching {
vlan {
members vlan-YiDong;
}
}
}
}
ge-0/0/1 {
description DianXin;
unit 0 {
family inet {
address 10.200.0.254/24;
}
}
}
ge-0/0/2 {
description YiDong-XiXiaoQu;
unit 0 {
family inet {
address 192.168.15.254/24;
}
}
}
ge-0/0/4 {
description To-Neiwang;
unit 0 {
family inet {
filter {
output police10M;
}
address 10.10.0.254/24;
}
}
}
vlan {
unit 0 {
family inet;
}
unit 100 {
family inet {
address 172.16.1.1/24;
}
}
}
}
routing-options {
static {
route 192.168.0.0/16 next-hop 192.168.15.1;
route 0.0.0.0/0 {
next-hop 10.200.0.1;
preference 5;
}
route 10.10.0.0/16 next-hop 10.10.0.1;
route 10.10.10.0/24 next-hop 10.200.0.1;
}
}
policy-options {
prefix-list JX-SY {
10.10.2.0/25;
10.10.2.128/26;
10.10.2.192/27;
10.10.2.224/28;
}
prefix-list WaiWei {
10.10.4.0/25;
10.10.4.128/26;
10.10.4.192/27;
10.10.4.224/28;
}
prefix-list WuXian {
10.10.5.0/25;
10.10.5.128/26;
10.10.5.192/27;
10.10.5.224/28;
}
prefix-list 601 {
10.10.6.0/25;
10.10.6.128/26;
10.10.6.192/27;
10.10.6.224/28;
}
prefix-list 501 {
10.10.7.0/25;
10.10.7.128/26;
10.10.7.192/27;
10.10.7.224/28;
}
}
security {
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
source {
rule-set trust-to-untrust {
from zone trust;
to zone untrust;
rule source-nat-rule {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
rule-set trust_to_trust {
from zone trust;
to zone trust;
rule lubo-server {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
static {
rule-set NAT-Static {
from zone [ trust untrust ];
rule LuBoZhuJi {
match {
destination-address 10.200.0.2/32;
}
then {
static-nat {
prefix {
10.10.2.252/32;
}
}
}
}
rule LUBoPingCe {
match {
destination-address 10.200.0.3/32;
}
then {
static-nat {
prefix {
10.10.1.5/32;
}
}
}
}
}
}
proxy-arp {
interface ge-0/0/1.0 {
address {
10.200.0.2/32;
10.200.0.3/32;
}
}
}
}
policies {
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone untrust to-zone trust {
policy untrust-to-trust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone trust {
policy trust-to-trust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone untrust to-zone untrust {
policy untrust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
vlan.0;
ge-0/0/4.0 {
host-inbound-traffic {
system-services {
all;
}
}
}
}
}
security-zone untrust {
screen untrust-screen;
interfaces {
ge-0/0/1.0 {
host-inbound-traffic {
system-services {
all;
}
}
}
ge-0/0/2.0 {
host-inbound-traffic {
system-services {
all;
}
}
}
}
}
}
}
firewall {
family inet {
filter police10M {
term 1 {
from {
prefix-list {
501;
}
}
then policer 10M;
}
term 4 {
from {
prefix-list {
601;
}
}
then policer 10M;
}
term 20 {
then accept;
}
}
}
policer 10M {
if-exceeding {
bandwidth-limit 10m;
burst-size-limit 2m;
}
then discard;
}
}
vlans {
vlan-YiDong {
vlan-id 100;
}
vlan-trust {
vlan-id 3;
l3-interface vlan.0;
}
}