GNS3 Juniper SRX Lab And CLI Commands - Part 2
Part-1 is here.
We will continue with our network diagram, just putting it here for reference.
In part-1 we created policies to allow traffic from the trusted to the untrusted zone without NAT. Let's do NAT and confirm it on the destination test router Outside-R as well.
We will start with Source NAT using the egress interface, then do it using a pool of IP addresses and also see a weird situation I came across.
Just jump to the config mode and then go to the nat hierarchy:
[edit]
admin@SRX1# edit security nat source rule-set IN-OUT
#IN-OUT is the rule-set name
[edit security nat source rule-set IN-OUT]
admin@SRX1# set from zone trust
[edit security nat source rule-set IN-OUT]
admin@SRX1# set to zone untrust
[edit security nat source rule-set IN-OUT]
admin@SRX1# edit rule IN-OUT
#the rule name can be the same or different; it comes under the rule-set
[edit security nat source rule-set IN-OUT rule IN-OUT] #now under "rule" not "rule-set"
admin@SRX1# set match source-address 192.168.3.0/24
[edit security nat source rule-set IN-OUT rule IN-OUT]
admin@SRX1# set match destination-address all
[edit security nat source rule-set IN-OUT rule IN-OUT]
admin@SRX1# set then source-nat interface
#the egress interface is chosen based on the "to zone" - we're using "untrust"
[edit security nat source rule-set IN-OUT rule IN-OUT]
admin@SRX1# commit check
configuration check succeeds

The same can be done as below; you can copy this by pasting it into Notepad, making your changes and then pasting it into the CLI:

[edit]
admin@SRX1# edit security nat source
[edit security nat source] #make sure you are here in the hierarchy
set rule-set IN-OUT from zone trust
set rule-set IN-OUT to zone untrust
set rule-set IN-OUT rule IN-OUT match source-address 192.168.3.0/24
set rule-set IN-OUT rule IN-OUT match destination-address 0.0.0.0/0
set rule-set IN-OUT rule IN-OUT then source-nat interface

Now go to the Inside-R router to confirm this.

Inside-R#ssh -l bob 192.168.2.2
Password:
Outside-R#who
Line User Host(s) Idle Location
* 99 vty 1 bob idle 00:00:00 192.168.2.1 #the egress interface IP
Interface User Mode Idle Peer Address

We see our incoming connection on the destination router. This is one reason why GNS3 is so much fun: it allows you instant confirmation of your config.
Source NAT Using A Pool
Now instead of using the egress interface we will NAT the source IP address using a pre-defined pool of addresses.
We just change the NAT rule above for this, but first create the pool.

[edit security nat] #in the security NAT hierarchy
admin@SRX1# set source pool IN-OUT-POOL address 192.168.2.50 to 192.168.2.100

Now go to the above NAT rule and just add the pool instead of the interface. It automatically replaces it in the config.

[edit security nat source]
admin@SRX1# edit rule-set IN-OUT
[edit security nat source rule-set IN-OUT]
admin@SRX1# edit rule IN-OUT
[edit security nat source rule-set IN-OUT rule IN-OUT]
admin@SRX1# set then source-nat pool IN-OUT-POOL
#using the pool instead of the interface in the last line
[edit security nat source rule-set IN-OUT rule IN-OUT]
admin@SRX1# commit
commit complete

Always, always remember to commit!
Doing the SSH test from Inside-R to the Outside-R again.
IT DOESN'T WORK!
Then I had to troubleshoot and found a post on the Juniper forums. It said proxy-arp is not required if the IP pool range is the same as the range of the egress interface, but a different NAT troubleshooting guide still recommends configuring proxy-arp for the pool, in our case 192.168.2.50 to 192.168.2.100.
As below.
[edit]
admin@SRX1# edit security nat proxy-arp
[edit security nat proxy-arp]
admin@SRX1# set interface ge-0/0/0 address 192.168.2.50 to 192.168.2.100 #our egress

And then testing again from the Inside-R:
Inside-R#ssh -l bob 192.168.2.2
Password:
Outside-R#who
Line User Host(s) Idle Location
* 99 vty 1 bob idle 00:00:00 192.168.2.62
Interface User Mode Idle Peer Address

And the weird situation I saw here, which I don't yet have a reason for, is that SSH worked but ping doesn't work!
Inside-R#ping 192.168.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

This only happens with source NAT using a pool and not when using the egress interface.
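As an added check that is not part of the post: a small Python helper that takes the post's lab values (egress interface at 192.168.2.1/24, pool 192.168.2.50 to 192.168.2.100), works out which pool addresses sit inside the egress subnet so that the SRX has to answer ARP for them, and emits the pool, rule and proxy-arp set commands. It assumes the logical-unit interface name ge-0/0/0.0 that Juniper's proxy-arp examples use (the post typed ge-0/0/0) and the rule the post's own test bore out: on-link pool addresses need proxy-arp, off-link ones need a route on the upstream router.

```python
# Added example, not from the post: work out whether a Junos source-NAT pool needs a
# proxy-arp entry on the egress interface and emit the matching set commands.
# Assumptions: the post's lab values (egress 192.168.2.1/24, pool 192.168.2.50-100),
# and the logical-unit interface name (ge-0/0/0.0) that Juniper's proxy-arp examples
# use, where the post typed ge-0/0/0.
import ipaddress


def check_pool(egress_if, egress_cidr, pool_first, pool_last):
    """Return set commands and warnings for one contiguous source-NAT pool."""
    iface = ipaddress.ip_interface(egress_cidr)
    net = iface.network
    first, last = ipaddress.ip_address(pool_first), ipaddress.ip_address(pool_last)
    if last < first:
        raise ValueError("pool range is reversed")
    addrs = [ipaddress.ip_address(n) for n in range(int(first), int(last) + 1)]

    warnings = []
    if iface.ip in addrs:
        warnings.append(f"pool includes the interface address {iface.ip}")
    for bad in (net.network_address, net.broadcast_address):
        if bad in addrs:
            warnings.append(f"pool includes the subnet address {bad}")

    # Pool addresses inside the egress subnet: Outside-R ARPs for them on the link,
    # so the SRX must answer (proxy-arp). A contiguous range intersected with one
    # subnet stays contiguous, so a single proxy-arp stanza covers it.
    on_link = [a for a in addrs if a in net]
    # Off-link pool addresses are never ARPed for here; the next-hop router needs
    # a route for them via the SRX instead.
    routed = [a for a in addrs if a not in net]

    cmds = [
        f"set security nat source pool IN-OUT-POOL address {first} to {last}",
        "set security nat source rule-set IN-OUT rule IN-OUT then source-nat pool IN-OUT-POOL",
    ]
    if on_link:
        cmds.append(f"set security nat proxy-arp interface {egress_if} "
                    f"address {on_link[0]} to {on_link[-1]}")
    if routed:
        warnings.append(f"{len(routed)} pool addresses ({routed[0]} to {routed[-1]}) "
                        "are off-link; the upstream router needs a route for them")
    return {"commands": cmds, "proxy_arp_needed": bool(on_link), "warnings": warnings}


if __name__ == "__main__":
    result = check_pool("ge-0/0/0.0", "192.168.2.1/24", "192.168.2.50", "192.168.2.100")
    print("\n".join(result["commands"]))
    for w in result["warnings"]:
        print("WARNING:", w)
```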
I will definitely get to this and update in the future. Do leave a comment if you have an answer.
This could very well be a GNS3 issue, because of the proxy-arp or something, and have nothing to do with anything else, but SSH still worked, so it's worth figuring out.
This is too long now and we will do destination NAT in a new post.