Nat U-Turn - Netscreen N50

Hey Everyone,

I was wondering if anyone knows how to enable Nat U-turn on a Juniper Netscreen Firewall.

Pretty much I have a web server that is behind the firewall and accessible via Port Forwarding. It works from outside (http://www.abcxyz.com) and it works internally via the private address, but it does not work internally if you try to access the outside interface of the firewall (via the public IP) and U-Turn back in.

I know the solution to this can also be achieved via internal DNS hacking (Host File or internal DNS Server), but I believe there is also a way to do this via Dynamic Nat and specific firewall policies.

Thanks in advance.
Alspa Asked:

The--Captain Commented:
Here's an article I recently wrote on this very subject:

http://www.experts-exchange.com/articles/Networking/Misc/Perhaps-the-most-common-NAT-problem-AKA-why-can%27t-I-reach-my-server-on-its-external-IP-from-an-internal-IP.html

(Cool - I knew I didn't write that article for nothing)

You are looking to implement the SNAT solution, from what I'm hearing.  Do the references to SNAT in this document help: http://www.juniper.net/techpubs/hardware/dx/52_CLI_Reference_Guide.pdf ?

Cheers,
-Jon

0
 
The--Captain Commented:
BTW, is U-Turn a common name for this kind of problem?  

You're the first person I've heard use that nomenclature, but if it's a common term I will certainly add it to the article tags so that it can be found more easily in future searches.

Cheers,
-Jon
0
 
Qlemo (Developer) Commented:
I have exactly that configuration:

VIP for port forwarding, using HTTPS on  public and VIP side
Trust -> Untrust policy allowing for any to any address, HTTPS
Untrust -> Trust policy allowing for any to VIP, HTTPS

and it is no issue at all! But I have redefined the HTTPS management port of my NetScreen. I assume this is no DNS/NAT issue; instead it is a port collision with the management interface of the NetScreen. Though I get an error message if I try to define a VIP on port 80 on my Untrust interface ... ("... is for the management of the box").

You can try this (just for testing): create a new VIP service, let's say virtual port 8080, mapping to the web server and HTTP. Then define a policy Trust to Untrust, any-any, service 8080, and an Untrust -> Trust policy, any to VIP, service 8080. (The latter one is needed even for trying that from your LAN, as soon as you use the public IP.)
If I'm right, that should work immediately (of course you need to change your URL to http://www.abcxyz.com:8080). To have that working from outside, you would need to define a corresponding policy Untrust to Trust.

I have just tested creating an HTTP web service, as shown above with HTTPS, and that works, too. However, I had to define a VIP on another public IP different from my Untrust interface's own public IP, since that one reserves port 80 for management.


0
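Qlemo's recipe rendered as ScreenOS CLI, added here as an example and not taken from the thread or from Juniper documentation. The interface name ethernet3, the second public IP 203.0.113.10, the internal server 192.168.1.10 and the service name HTTP-8080 are assumed placeholders; lines starting with # are explanatory and are not ScreenOS syntax.

```screenos
# Custom service for the test port Qlemo suggests (assumed name HTTP-8080).
set service "HTTP-8080" protocol tcp src-port 0-65535 dst-port 8080-8080

# VIP on a public IP other than the Untrust interface's own address
# (Qlemo's note: the interface IP reserves port 80 for management).
# Form: set interface <if> vip <public-ip> <virtual-port> <service> <internal-ip>
set interface ethernet3 vip 203.0.113.10 8080 "HTTP-8080" 192.168.1.10

# Trust -> Untrust, any to any, service HTTP-8080: lets LAN hosts
# send the request to the public IP in the first place.
set policy from trust to untrust any any "HTTP-8080" permit

# Untrust -> Trust, any to the VIP, service HTTP-8080: required for the
# hairpinned ("U-turn") session from the LAN as well as for outside clients.
set policy from untrust to trust any "vip(203.0.113.10)" "HTTP-8080" permit

# If you later want port 80 on the interface IP itself, move the WebUI
# off port 80/443 first (assumed new ports), as Qlemo did for HTTPS.
set admin port 8000
set admin ssl port 8443
```

Tighten the Trust -> Untrust destination to the VIP address once the test works, rather than leaving it any-to-any.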
The--Captain Commented:
Qlemo - I would think if that were the case then the author would be pulling up the management interface for the Netscreen rather than getting an error when attempting to access the website via its external IP.  That being said, I can by no means rule out a strange condition caused by a port collision as you suggest ;-)

Cheers,
-Jon
0
 
Qlemo (Developer) Commented:
No, the management interface is NOT coming up, the port is nevertheless reserved. You have to do more, like allowing WebUI on Untrust, but that is not all, and I don't know. When I tried, I just got nothing. It is not that simple hence to disprove my assumption.
0
 
The--Captain Commented:
"It is not that simple hence to disprove my assumption."  

I agree completely, hence my comment "I can by no means rule out a strange condition caused by a port collision as you suggest"

Cheers,
-Jon
0
 
Alspa (Author) Commented:
Thanks guys.

The--Captain: Very nice article. Very informative.

Qlemo: Thanks for the rule info for the Netscreen.

The--Captain: The two terms I have heard that describe this are NAT U-Turn and Pinturning, but I think Pinturning refers more to VPN configs and VoIP, when you have multiple IP phones behind a firewall that talk to a VoIP switch outside the network and are behind a NAT device.

Thanks again guys.

0