
[SRX] SSH/Telnet is not working on external interface when Source NAT is enabled


Article ID: KB28124 KB Last Updated: 31 Jan 2014Version: 1.0
Summary:

This article describes how to resolve the SSH/Telnet access issue on the external interface of an SRX that occurs because of the source NAT configuration on the device.

Symptoms:

Users on the internal LAN cannot SSH or Telnet to the public IP address of the SRX's ISP-facing interface.

Scenario:

LAN-1 -------- SRX-100 -------- ISP


IP schema:
LAN-1: 172.27.199.0/24

SRX-100 LAN interface: 172.27.199.1/24
SRX-100 ISP side interface: 100.1.1.1/24

Note: The customer uses interface-based source NAT on the SRX for Internet-bound traffic.

Configuration:

---- <output omitted> ----
interfaces {
    fe-0/0/0 {
        unit 0 {
            family inet {
                address 100.1.1.1/24;
            }
        }
    }
    fe-0/0/2 {
        unit 0 {
            family inet {
                address 172.27.199.1/24;
            }
        }
    }
}

---- <output omitted> ----
security {
    nat {
        source {
            rule-set R1 {
                from zone trust;
                to zone untrust;
                rule r2 {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
---- <output omitted> ----

Cause:

When a LAN user tries to SSH or Telnet to the external interface of the SRX, the SRX applies source NAT to that traffic and creates a TCP session, as seen below:

root>show security flow session                              
Session ID: 611, Policy name: default-policy-00/2, Timeout: 18, Valid
  In: 172.27.199.2/59612 --> 100.1.1.1/22;tcp, If: fe-0/0/2.0, Pkts: 1, Bytes: 48
  Out: 100.1.1.1/22 --> 100.1.1.1/14552;tcp, If: .local..0, Pkts: 0, Bytes: 0
Total sessions: 1

root>show log jtac_trace

--------output omitted for brevity------

Oct 14 11:39:22 11:39:22.763548:CID-0:RT:  permitted by policy p1(4)
 
Oct 14 11:39:22 11:39:22.763548:CID-0:RT:flow_first_src_xlate:  nat_src_xlated: False, nat_src_xlate_failed: False
 
Oct 14 11:39:22 11:39:22.763548:CID-0:RT:flow_first_src_xlate: src nat returns status: 1, rule/pool id: 1/2, pst_nat: False.
                                      

Oct 14 11:39:22 11:39:22.763548:CID-0:RT:  dip id = 2/0, 172.27.199.2/60908->100.1.1.1/32599 protocol 6
 
Oct 14 11:39:22 11:39:22.763548:CID-0:RT:flow_first_get_out_ifp: IN!
 
Oct 14 11:39:22 11:39:22.763548:CID-0:RT:  choose interface fe-0/0/0.0 as outgoing phy if
 
Oct 14 11:39:22 11:39:22.763548:CID-0:RT:is_loop_pak: Found loop on ifp fe-0/0/0.0, addr: 100.1.1.1, rtt_idx: 0 addr_type:0x3.
 
Oct 14 11:39:22 11:39:22.763548:CID-0:RT:flow_first_loopback_check: Setting interface: fe-0/0/0.0 as loop ifp.

--------output omitted for brevity------
Oct 14 11:39:22 11:39:22.763548:CID-0:RT:  flow_first_install_session======> 0x4fcb8bd8
 
Oct 14 11:39:22 11:39:22.763548:CID-0:RT: nsp 0x4fcb8bd8, nsp2 0x4fcb8c58
 
Oct 14 11:39:22 11:39:22.763548:CID-0:RT:flow_xlate_pak
 
Oct 14 11:39:22 11:39:22.763548:CID-0:RT:Inner tcp hdr, TCP chksum is not needed
 
Oct 14 11:39:22 11:39:22.763548:CID-0:RT:  post addr xlation: 100.1.1.1->100.1.1.1.
 
Oct 14 11:39:22 11:39:22.763548:CID-0:RT:check self-traffic on fe-0/0/0.0, in_tunnel 0x0
 
Oct 14 11:39:22 11:39:22.763548:CID-0:RT:retcode: 0x1204
 
Oct 14 11:39:22 11:39:22.763548:CID-0:RT:pak_for_self : proto 6, dst port 22, action 0x4
 
Oct 14 11:39:22 11:39:22.763548:CID-0:RT:  flow_first_create_session
 
Oct 14 11:39:22 11:39:22.763548:CID-0:RT:  flow_first_in_dst_nat: in <fe-0/0/0.0>, out <N/A> dst_adr 100.1.1.1, sp 32599, dp 22
 
Oct 14 11:39:22 11:39:22.763548:CID-0:RT:  chose interface fe-0/0/0.0 as incoming nat if.
 
Oct 14 11:39:22 11:39:22.763548:CID-0:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 100.1.1.1(22)
 
Oct 14 11:39:22 11:39:22.763548:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 100.1.1.1, x_dst_ip 100.1.1.1, in ifp fe-0/0/0.0, out ifp N/A sp 32599, dp 22, ip_proto 6, tos 0                                       
Oct 14 11:39:22 11:39:22.763548:CID-0:RT:Doing DESTINATION addr route-lookup
 
Oct 14 11:39:22 11:39:22.763548:CID-0:RT:  routed (x_dst_ip 100.1.1.1) from untrust (fe-0/0/0.0 in 0) to .local..0, Next-hop: 100.1.1.1
 
Oct 14 11:39:22 11:39:22.763548:CID-0:RT:flow_first_policy_search: policy search from zone untrust-> zone junos-host (0x0,0x7f570016,0x16)
 
Oct 14 11:39:22 11:39:22.763548:CID-0:RT:  app 22, timeout 1800s, curr ageout 20s
 
Oct 14 11:39:22 11:39:22.763548:CID-0:RT:  permitted by policy self-traffic-policy(1)
 
Oct 14 11:39:22 11:39:22.763548:CID-0:RT:flow_first_src_xlate:  nat_src_xlated: False, nat_src_xlate_failed: False
 
Oct 14 11:39:22 11:39:22.763548:CID-0:RT:flow_first_src_xlate: src nat returns status: 0, rule/pool id: 0/0, pst_nat: False.
 
Oct 14 11:39:22 11:39:22.763548:CID-0:RT:  dip id = 0/0, 100.1.1.1/32599->100.1.1.1/32599 protocol 0
 
Oct 14 11:39:22 11:39:22.763548:CID-0:RT:flow_first_get_out_ifp: IN!
 
Oct 14 11:39:22 11:39:22.763548:CID-0:RT:  choose interface .local..0 as outgoing phy if

--------output omitted for brevity------
 
Oct 14 11:39:56 11:39:56.952895:CID-0:RT:  Got syn, 172.27.199.2(60908)->100.1.1.1(22), nspflag 0x1021, 0x30
 
Oct 14 11:39:56 11:39:56.952895:CID-0:RT:flow_xlate_pak
 
Oct 14 11:39:56 11:39:56.952895:CID-0:RT:  post addr xlation: 100.1.1.1->100.1.1.1.

Oct 14 11:39:56 11:39:56.952895:CID-0:RT: post addr xlation: 100.1.1.1->100.1.1.1.
Oct 14 11:39:56 11:39:56.952895:CID-0:RT: packet is for self, skip the frag vector
Oct 14 11:39:56 11:39:56.952895:CID-0:RT:mbuf 0x423cec00, exit nh 0xfffb0006
Oct 14 11:39:56 11:39:56.952895:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)

Because of source NAT, the destination address of the reverse session becomes 100.1.1.1/14552 (the SRX's own interface address with a translated port), so the return TCP packet never reaches the original source and is dropped at that point.

Solution:

Use a source NAT rule with `source-nat off` for traffic destined to the external interface address to resolve the issue, as in the following configuration.

---- <output omitted> ----
security {
    nat {
        source {
            rule-set R1 {
                from zone trust;
                to zone untrust;
                rule r1 {
                    match {
                        destination-address 100.1.1.1/32;
                    }
                    then {
                        source-nat {
                            off;
                        }
                    }
                }
                rule r2 {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
}

---- <output omitted> ----

With this configuration, when a LAN user opens Telnet or SSH to the SRX's external interface IP, the SRX does not apply source NAT to that client's traffic, and the SSH/Telnet session is created successfully, as shown in the following output.

root> show security flow session 
Session ID: 630, Policy name: default-policy-00/2, Timeout: 1794, Valid
  In: 172.27.199.2/56988 --> 100.1.1.1/22;tcp, If: fe-0/0/2.0, Pkts: 76, Bytes: 5944
  Out: 100.1.1.1/22 --> 172.27.199.2/56988;tcp, If: .local..0, Pkts: 124, Bytes: 13929
Total sessions: 1

root>show log jtac_trace

--------output omitted for brevity------

Oct 14 14:10:36 14:10:36.735499:CID-0:RT:flow_first_src_xlate:  nat_src_xlated: False, nat_src_xlate_failed: False
 
Oct 14 14:10:36 14:10:36.735499:CID-0:RT:flow_first_src_xlate: src nat returns status: 1, rule/pool id: 2/0, pst_nat: False.
 
Oct 14 14:10:36 14:10:36.735499:CID-0:RT:  dip id = 0/0, 172.27.199.2/53944->172.27.199.2/53944 protocol 0
Oct 14 14:10:36 14:10:36.735499:CID-0:RT:flow_first_get_out_ifp: IN!
 
Oct 14 14:10:36 14:10:36.735499:CID-0:RT:  choose interface fe-0/0/0.0 as outgoing phy if

--------output omitted for brevity------

Oct 14 14:10:36 14:10:36.735499:CID-0:RT:  flow_first_install_session======> 0x4fce7b88
 
Oct 14 14:10:36 14:10:36.735499:CID-0:RT: nsp 0x4fce7b88, nsp2 0x4fce7c08
 
Oct 14 14:10:36 14:10:36.735499:CID-0:RT:flow_xlate_pak
 
Oct 14 14:10:36 14:10:36.735499:CID-0:RT:  post addr xlation: 172.27.199.2->100.1.1.1.

--------output omitted for brevity------
Oct 14 14:10:37 14:10:36.739503:CID-0:RT:  .local..0:100.1.1.1/22->172.27.199.2/53944, tcp, flag 12 syn ack
 
Oct 14 14:10:37 14:10:36.739503:CID-0:RT: find flow: table 0x4cbec8f0, hash 6001(0xffff), sa 100.1.1.1, da 172.27.199.2, sp 22, dp 53944, proto 6, tok 2
                                        
Oct 14 14:10:37 14:10:36.739503:CID-0:RT:  flow got session.
 
Oct 14 14:10:37 14:10:36.739503:CID-0:RT:  flow session id 507
 
Oct 14 14:10:37 14:10:36.739503:CID-0:RT: vector bits 0x2 vector 0x4a5137a0
 
Oct 14 14:10:37 14:10:36.739503:CID-0:RT:  tcp flags 0x12, flag 0x12
 
Oct 14 14:10:37 14:10:36.739503:CID-0:RT:  Got syn_ack, 100.1.1.1(22)->172.27.199.2(53944), nspflag 0x1030, 0x1021
 
Oct 14 14:10:37 14:10:36.739503:CID-0:RT:mbuf 0x437d3980, exit nh 0xf0010
 
Oct 14 14:10:37 14:10:36.739503:CID-0:RT:flow_process_pkt_exception: Freeing lpak 3fded8a0 associated with mbuf 0x437d3980
 
Oct 14 14:10:37 14:10:36.739503:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
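To make the rule-order point concrete, here is an added Python model (not Juniper code and not part of the original article) of how the SRX picks the first matching source NAT rule in rule-set R1 and which In/Out session wings result, for the original rule-set, the corrected one, and the corrected rules in the wrong order. Addresses, ports and rule names are taken from the article's outputs; the class and function names are assumptions made for this illustration.

```python
import ipaddress
from dataclasses import dataclass

# Address of the SRX ISP-side interface (fe-0/0/0.0) from the article.
EXT_IF_ADDR = "100.1.1.1"


@dataclass
class SourceNatRule:
    """One 'rule' under 'security nat source rule-set R1' (simplified model)."""
    name: str
    source: str = "0.0.0.0/0"         # match source-address
    destination: str = "0.0.0.0/0"    # match destination-address (any if absent)
    action: str = "interface"         # then source-nat { interface | off }

    def matches(self, src_ip, dst_ip):
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.destination))


def first_matching_rule(rules, src_ip, dst_ip):
    """Rules in a Junos rule-set are evaluated top-down; the first match wins."""
    return next((r for r in rules if r.matches(src_ip, dst_ip)), None)


def build_session(rules, src_ip, src_port, dst_ip, dst_port, xlate_port):
    """Return the In/Out wings the SRX would install, like 'show security flow session'."""
    rule = first_matching_rule(rules, src_ip, dst_ip)
    if rule is not None and rule.action == "interface":
        nat_ip, nat_port = EXT_IF_ADDR, xlate_port      # hide client behind fe-0/0/0.0
    else:
        nat_ip, nat_port = src_ip, src_port             # no translation
    return {
        "rule": None if rule is None else rule.name,
        "in": f"{src_ip}/{src_port} --> {dst_ip}/{dst_port}",
        "out": f"{dst_ip}/{dst_port} --> {nat_ip}/{nat_port}",
        # Reply addressed to the SRX's own interface instead of the client: the loop from the Cause section.
        "reply_to_self": nat_ip == dst_ip == EXT_IF_ADDR,
    }


# Constructed inputs from the article's sessions: client 172.27.199.2, SSH to the
# external address; 14552 is the translated port seen in the failing session.
BROKEN = [SourceNatRule("r2")]
FIXED = [SourceNatRule("r1", destination="100.1.1.1/32", action="off"),
         SourceNatRule("r2")]
WRONG_ORDER = [SourceNatRule("r2"),
               SourceNatRule("r1", destination="100.1.1.1/32", action="off")]

if __name__ == "__main__":
    for label, rules in (("broken", BROKEN), ("fixed", FIXED), ("wrong order", WRONG_ORDER)):
        print(label, build_session(rules, "172.27.199.2", 59612, EXT_IF_ADDR, 22, 14552))
```

The wrong-order case shows the caveat: because r2 matches any source, placing the `off` rule after it leaves the hairpin broken exactly as before.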


