Nat U-Turn - Netscreen N50

Hey Everyone,

I was wondering if anyone knows how to enable Nat U-turn on a Juniper Netscreen Firewall.

Pretty much I have a web server that is behind the firewall and accessible via Port Forwarding. It works from outside http://www.abcxyz.com and it works internally via the private address, but it does not work internally if you try to access the outside interface of the firewall (via Public IP) and try to U-Turn back in.

I know the solution to this can also be achieved via internal DNS hacking (Host File or internal DNS Server), but I believe there is also a way to do this via Dynamic Nat and specific firewall policies.

Thanks in advance.
Alspa asked:

The--Captain commented:
Here's an article I recently wrote on this very subject:

http://www.experts-exchange.com/articles/Networking/Misc/Perhaps-the-most-common-NAT-problem-AKA-why-can%27t-I-reach-my-server-on-its-external-IP-from-an-internal-IP.html

(Cool - I knew I didn't write that article for nothing)

You are looking to implement the SNAT solution, from what I'm hearing.  Do the references to SNAT in this document help: http://www.juniper.net/techpubs/hardware/dx/52_CLI_Reference_Guide.pdf ?

Cheers,
-Jon

The--Captain commented:
BTW, is U-Turn a common name for this kind of problem?  

You're the first person I've heard use that nomenclature, but if it's a common term I will certainly add it to the article tags so that it can be found more easily in future searches.

Cheers,
-Jon
Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
I have exactly that configuration:

VIP for port forwarding, using HTTPS on  public and VIP side
Trust -> Untrust policy allowing for any to any address, HTTPS
Untrust -> Trust policy allowing for any to VIP, HTTPS

and it is no issue at all! But I have redefined the HTTPS management port of my NetScreen. I assume this is no DNS/NAT issue; instead it is a port collision with the management interface of the NetScreen. Though I get an error message if I try to define a VIP on port 80 on my Untrust interface ... ("... is for the management of the box").

You can try (just for testing) to create a new VIP service, let's say virtual port 8080, mapping to the web server and HTTP. Then define a policy Trust to Untrust, any-any, service 8080, and an Untrust -> Trust, any to VIP, service 8080. (The latter one is needed even for trying that from your LAN, as soon as you use the public IP.)
If I'm right that should work immediately (of course you need to change your URL to http://www.abcxyz.com:8080). To have that working from outside, you would need to define a corresponding policy Untrust to Trust.

I have just tested creating an HTTP web service, as shown above with HTTPS, and that works, too. However, I had to define a VIP on another public IP different from my Untrust interface's own public IP, since that one reserves port 80 for management.


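As an added example (not part of Qlemo's post and not taken from Juniper documentation), here is how the test setup he describes could be expressed in ScreenOS CLI: a VIP on the Untrust interface with a non-management virtual port, the two policies, and the alternative of putting a port-80 VIP on a spare public IP. The interface name ethernet3, the public addresses 203.0.113.10/203.0.113.11 and the server address 192.168.1.10 are constructed placeholders. The policies below reference the service named in the VIP entry (HTTP) rather than a custom port-8080 service; that is an assumption about how the VIP policy lookup works, so confirm against the CLI reference for your ScreenOS release.

```screenos
## Added example: VIP port forwarding that LAN clients can also reach via the public IP.
## Constructed placeholders:
##   ethernet3     = Untrust interface, own IP 203.0.113.10
##   203.0.113.11  = spare public IP on the same subnet
##   192.168.1.10  = internal web server, listening on TCP 80

## 1. VIP on the interface's own IP. Virtual port 8080 avoids the port-80
##    collision with WebUI management; the HTTP service sets the real server port.
set interface ethernet3 vip interface-ip 8080 HTTP 192.168.1.10

## 2. Policies. The Untrust -> Trust policy to the VIP is required even for
##    LAN clients, because they address the public IP; the Trust -> Untrust
##    policy lets the LAN reach the public address at all.
set policy from trust to untrust any any HTTP permit
set policy from untrust to trust any "VIP(ethernet3)" HTTP permit

## 3. Alternative for plain port 80: bind the VIP to a second public IP so it
##    does not compete with the management port on the interface IP.
set interface ethernet3 vip 203.0.113.11 80 HTTP 192.168.1.10
set policy from untrust to trust any "VIP(203.0.113.11)" HTTP permit

## Test from the LAN with http://203.0.113.10:8080/ (or http://203.0.113.11/),
## then narrow "any" on the Untrust -> Trust policy once it works.
```

The address objects `VIP(ethernet3)` and `VIP(203.0.113.11)` are created by the firewall when the VIP is defined, so they are not declared separately. Leaving the source as `any` on the Untrust -> Trust policy is what makes the server reachable from both the Internet and the LAN via the public IP; tightening it later is a matter of replacing `any` with the address groups you actually want.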

The--Captain commented:
Qlemo - I would think if that were the case then the author would be pulling up the management interface for the Netscreen rather than getting an error when attempting to access the website via its external IP.  That being said, I can by no means rule out a strange condition caused by a port collision as you suggest ;-)

Cheers,
-Jon
Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
No, the management interface is NOT coming up, the port is nevertheless reserved. You have to do more, like allowing WebUI on Untrust, but that is not all, and I don't know. When I tried, I just got nothing. It is not that simple hence to disprove my assumption.
The--Captain commented:
"It is not that simple hence to disprove my assumption."  

I agree completely, hence my comment "I can by no means rule out a strange condition caused by a port collision as you suggest"

Cheers,
-Jon
Alspa (author) commented:
Thanks guys.

The--Captain: Very nice article. Very informative.

Qlemo: Thanks for rule info for the Netscreen.

The--Captain: The two terms I have heard that describe this are NAT U-Turn and Pinturning, but I think Pinturning refers more to VPN configs and VoIP, when you have multiple IP phones behind a firewall that talk to a VoIP switch outside the network and are behind a NAT device.

Thanks again guys.
