Destination NAT, SRX240 problems

[How to run the NSM GUI under Mac OS X]

How to run the NSM GUI under Mac OS X
How to setup a route-based VPN on a NetScreen
How to make your PPTP VPN client work through a NetScreen/SSG
Setting up a dial-up VPN and NetScreen Remote
How the Global Zone Works (It's probably not what you think)
How to configure NetScreen/SSG devices to work with the built in Mac OS X VPN client
How to Configure Dial-up VPN with route-based tunnels, XAuth, and use IPSecuritas

[willroute4food]

Guys, how does this config look?  Basically wanting to nat anything coming from my untrusted zone on ports 443 and 25 to a specific server in the trusted zone.  Heres the config:

 


destination {
    pool exchange-int {
        address 172.16.x.x/32 port 25;
    }
    pool Exchange-OWA {
        address 172.16.x.x/32 port 443;
    }
    rule-set exchange-rs {
        from interface reth1.0;
    }
    rule-set SMTP_TEST {
        from zone untrust;
        rule Exchange-SMTP {
            match {
                destination-address 1.1.1.1/32;
                destination-port 25;
            }
            then {
                destination-nat pool exchange-int;
            }
        }
    }

     rule-set OWA_TEST {
        from zone untrust;
        rule XCHANGE-OWA {
            match {
                destination-address 1.1.1.1/32;
                destination-port 443;
            }
            then {
                destination-nat pool Exchange-OWA;
            }
        }
    }
}

 

 

Heres my security policy from zone untrust to zone trust

 

policy exchange-pol {
    match {
        source-address any;
        destination-address exchange-server;
        application junos-smtp;
    }
    then {
        permit;
        log {
            session-init;
        }
    }
}

policy exchange-owa {
    match {
        source-address any;
        destination-address exchange-server;
        application junos-https;
    }
    then {
        permit;
        log {
            session-init;
            session-close;
        }
        count;
    }
}

 

So I am getting NAT translation hits, but nothing happens.  Nothing is logged under my security policies...its almost as if its natting, and then never hitting my security policies at all!?!? Any help is appreciated fellas (and gals!)

 

So my reth1.0 inter is programmed as say 1.1.1.1/29

When I try to configure proxy-arp I get this:

[edit security nat proxy-arp interface reth1.0]
  'address 1.1.1.1/32'
    Proxy ARP IP address range [1.1.1.1 1.1.1.1] overlaps with interface IP address range [1.1.1.1 1.1.1.1] defined on interface 'reth1.0'
error: configuration check-out failed

Whats up with that?    I thought I followed the config doc exactly??

[jonas-itp]

Hi.

I will try to move your:
from interface reth1.0; (under "rule-set exchange-rs")

To;  rule-set SMTP_TEST
and; rule-set OWA_TEST

You can't make an proxy arp on an IP you allready are using.

Best regards
Jonas Ø. Pedersen

Juniper networks specialist
(Juniper - Master of systems Engineering Award 2010)
EX, SSG, SRX, UAC, and SA

www.itplaneten.dk / www.jnpr.dk

•      Forum/Home
•      Store
•      Articles
•        Tech Articles
•        Industry News
•        Site News
•      Knowledgebase
•        JUNOS/Routing
•        NS/ISG/SSG/NSM
•        SSL VPN
•      Downloads

Please consider donating if we've saved you time or money. It helps pay for the bandwidth, equipment, and hosting charges to keep this site running

Submit Article/KB - Do not submit questions here.

[Today]

• SRX-210H port-mirroring s... by ociz [Today at 02:14:13 PM]
• configs out of sync by ciscler [Today at 01:11:30 PM]
• Monitoring user bandwidth... by x0rerror [Today at 12:30:20 PM]
• NSRP active/passive with ... by junreaper [Today at 08:41:52 AM]
• Ladies’ fashionable shoes... by fivefingers8 [Yesterday at 06:54:36 PM]
• Routing Traffic From Cust... by fivefingers8 [Yesterday at 06:52:49 PM]
• Load balancing on J-serie... by fivefingers8 [Yesterday at 06:49:46 PM]
• Juniper SSG or other bran... by whoppi [Yesterday at 11:23:49 AM]
• NS25 and NS Remote - Want... by mbrown [Yesterday at 10:38:14 AM]
• Netscreen SSG Policy base... by thisisnuts999 [Yesterday at 07:01:01 AM]

Members

• Total Members: 22068
• Latest: vu.luu@flysfo.com

Stats

• Total Posts: 39593
• Total Topics: 10459
• Online Today: 72
• Online Ever: 393
• (August 06, 2008, 07:40:57 AM)

Users Online

Users: 1
Guests: 33
Total: 34

eagq