
Mailing List Archive: nsp: juniper

SRX destination-nat & ping



routehero at gmail

May 11, 2011, 7:45 AM

Post #1 of 6
SRX destination-nat & ping

Hello,

Is there a way of forwarding pings destined for a destination-nat address to
loopback, or, otherwise respond to them?

Thanks,
Scott
_______________________________________________
juniper-nsp mailing list juniper-nsp [at] puck
https://puck.nether.net/mailman/listinfo/juniper-nsp


routehero at gmail

Jul 11, 2011, 10:16 AM

Post #2 of 6
Re: SRX destination-nat & ping

Thought I would bump this back up.

Anyone have any success in getting a destination-nat on SRX respond to ICMP?
Any tricks to loopback to 127.0.0.1 or anything else? Don't really care
how, just would like it as an option.

Scott

On Wed, May 11, 2011 at 10:45 AM, Scott T. Cameron <routehero [at] gmail> wrote:

> Hello,
>
> Is there a way of forwarding pings destined for a destination-nat address
> to loopback, or, otherwise respond to them?
>
> Thanks,
> Scott
>


sfouant at shortestpathfirst

Jul 11, 2011, 3:10 PM

Post #3 of 6
Re: SRX destination-nat & ping

On 7/11/2011 1:16 PM, Scott T. Cameron wrote:
> Thought I would bump this back up.
>
> Anyone have any success in getting a destination-nat on SRX respond to ICMP?
> Any tricks to loopback to 127.0.0.1 or anything else? Don't really care
> how, just would like it as an option.
>
> Scott

Hey Scott,

Can you describe the setup in more detail? Usually NAT is designed to
translate traffic for hosts that are behind the firewall, so the host
should usually be the one to respond to ICMP. Are you talking about
doing destination-NAT to an address located on the SRX itself?

Stefan Fouant
JNCIE-ER #70, JNCIE-M #513, JNCI
Technical Trainer, Juniper Networks
http://www.shortestpathfirst.net
http://www.twitter.com/sfouant


routehero at gmail

Jul 11, 2011, 3:31 PM

Post #4 of 6
Re: SRX destination-nat & ping

>> Anyone have any success in getting a destination-nat on SRX respond to
>> ICMP?
>> Any tricks to loopback to 127.0.0.1 or anything else? Don't really care
>> how, just would like it as an option.
>>
>> Scott
>
> Hey Scott,
>
> Can you describe the setup in more detail? Usually NAT is designed to
> translate traffic for hosts that are behind the firewall, so the host should
> usually be the one to respond to ICMP. Are you talking about doing
> destination-NAT to an address located on the SRX itself?


With SRX static-nat, all traffic (all protocols) is forwarded to a specific
IP.

With SRX destination-nat, a specific protocol (tcp/udp, presumably) is
forwarded to a specific IP [and optionally port]

There does not appear to be an option in destination-nat to send ICMP to an
IP, so that it responds to, for example, ping.

Scott


sfouant at shortestpathfirst

Jul 11, 2011, 3:46 PM

Post #5 of 6
Re: SRX destination-nat & ping

On 7/11/2011 6:31 PM, Scott T. Cameron wrote:

> With SRX static-nat, all traffic (all protocols) is forwarded to a
> specific IP.
>
> With SRX destination-nat, a specific protocol (tcp/udp, presumably) is
> forwarded to a specific IP [and optionally port]
>
> There does not appear to be an option in destination-nat to send ICMP to
> an IP, so that it responds to, for example, ping.

Unless you are doing port translation, simply matching on
destination-address in your match statement and then specifying the
translated address in your then statement should do the trick. You may
need to enable proxy-arp in your environment if the ingress IP
(pre-translated) is a different address than the interface IP, but other
than that you shouldn't need to do anything fancy to enable ping traffic
to flow through...

Sorry I don't have access to a device at the moment to give you a
working config... can we see your configs in the meantime?

Stefan Fouant
JNCIE-ER #70, JNCIE-M #513, JNCI
Technical Trainer, Juniper Networks
http://www.shortestpathfirst.net
http://www.twitter.com/sfouant
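
The rule described in the reply above, written out as an added example; it is not part of the original thread and not a config from either poster. Zone names, the interface, the pool, rule and policy names, and the addresses (documentation ranges) are assumptions.

```junos
# Constructed example: zones, interface, names and addresses are assumptions.
# 203.0.113.10 = public (pre-translation) address, 192.168.1.10 = inside host.

# Destination NAT matching on destination-address only. There is no
# destination-port match and no port in the pool (no port translation),
# so ICMP echo sent to 203.0.113.10 is translated along with TCP/UDP.
set security nat destination pool inside-host-pool address 192.168.1.10/32
set security nat destination rule-set from-untrust from zone untrust
set security nat destination rule-set from-untrust rule r1 match destination-address 203.0.113.10/32
set security nat destination rule-set from-untrust rule r1 then destination-nat pool inside-host-pool

# Needed only when 203.0.113.10 is not the interface address itself:
# the SRX then answers ARP for it on the ingress interface.
set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.10/32

# Destination NAT is applied before policy lookup, so the policy matches the
# translated address. Permitting junos-icmp-ping (echo only) instead of all
# ICMP keeps what is exposed to the untrust zone narrow.
# Zone-attached address book shown here.
set security zones security-zone trust address-book address inside-host 192.168.1.10/32
set security policies from-zone untrust to-zone trust policy allow-ping match source-address any
set security policies from-zone untrust to-zone trust policy allow-ping match destination-address inside-host
set security policies from-zone untrust to-zone trust policy allow-ping match application junos-icmp-ping
set security policies from-zone untrust to-zone trust policy allow-ping then permit

# Checks after commit (operational mode):
#   show security nat destination rule all      translation hits increment per ping
#   show security flow session protocol icmp    session lists both addresses
```

With this in place the inside host, not the SRX, is what answers the ping.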


routehero at gmail

Jul 11, 2011, 5:03 PM

Post #6 of 6
Re: SRX destination-nat & ping

On Mon, Jul 11, 2011 at 6:46 PM, Stefan Fouant <
sfouant [at] shortestpathfirst> wrote:

> On 7/11/2011 6:31 PM, Scott T. Cameron wrote:
> Unless you are doing port translation, simply matching on
> destination-address in your match statement and then specifying the
> translated address in your then statement should do the trick. You may need
> to enable proxy-arp in your environment if the ingress IP (pre-translated)
> is a different address than the interface IP, but other than that you
> shouldn't need to do anything fancy to enable ping traffic to flow
> through...
>
> Sorry I don't have access to a device at the moment to give you a working
> config... can we see your configs in the meantime?


Thanks, this actually does work, and I am a bit surprised. It's very
counter-intuitive, but thank you nonetheless!

Scott
