Juniper SRX NATting for Windows NLB IP

Hi. I have set up a pair of Windows 2012 R2 NLB servers for Exchange CAS/HUB servers.
The NLB IP was tested and works in the LAN segment. I configured a static ARP MAC entry on my Juniper SRX firewall, and from the firewall console I am able to reach the NLB IP via a PING test.

I have configured static NAT to the NLB IP, and when I try to access the NATed NLB IP from the internet, it just fails. At first I suspected that my NAT rules were configured wrongly, so I configured another NAT rule pointing at the NLB server's real IP, and that just works when I browse the public IP from the internet.

My SRX is running 12.1X46-D35.1, BIOS 2.6. Is there anything else that I should look into?
hell_angelEngineerAsked:

gheistCommented:
Because the static NLB IP is a private IP address and cannot be reached from the internet.
0
hell_angelEngineerAuthor Commented:
I have configured STATIC NAT with a public IP, so I should be able to reach the NLB IP with the public IP from the Internet.
0
gheistCommented:
You need to complement static NAT with a port list that you let pass between zones.
0

dpk_walCommented:
You can configure static NAT or destination NAT.

Assumption:
1. The public IP on the SRX interface is used to reach the NLB from the internet [if you have a different public IP, we can use static NAT or destination NAT]; the IP is 1.1.1.200
2. NLB internal IP: 192.168.1.200; port 80
3. ### comments are added for clarity; you can ignore them and not include them as part of the config
4. The SRX security zone facing the internet is named: untrust
5. The SRX security zone facing the internal network is named: trust
6. This example uses destination NAT


### configure NAT pool
### Junos takes the port on the same line as the pool address, not as a separate "address port" statement
set security nat destination pool dst-nat-pool-1 address 192.168.1.200/32 port 80
### if you want different internal machines to receive traffic on different ports from internet
### then configure port command above with relevant port number

set security nat destination rule-set rs1 from zone untrust
set security nat destination rule-set rs1 rule r1 match destination-address 1.1.1.200/32
set security nat destination rule-set rs1 rule r1 match destination-port 80
set security nat destination rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-1

#set security nat proxy-arp interface ge-0/0/0.0 address 1.1.1.200/32
### remove the leading # if you are using a different IP than the SRX interface IP, as long as that
### IP is in the same subnet as the interface IP

### you can configure address book as global or under security-zone trust
set security address-book global address NLB-srv-1 192.168.1.200/32

### finally the security policy to permit the traffic
set security policies from-zone untrust to-zone trust policy NLB-in match source-address any
### set to specific source address if applicable, also create address-book before using

set security policies from-zone untrust to-zone trust policy NLB-in match destination-address NLB-srv-1
set security policies from-zone untrust to-zone trust policy NLB-in match application any
### set specific application to make the policy more secure or leave at ANY
set security policies from-zone untrust to-zone trust policy NLB-in then permit

Please implement and update.

Thank you!
0
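The asker is using static NAT rather than the destination NAT shown above, so here is the static NAT form of the same setup as an added example (this is not dpk_wal's config and not Juniper documentation). It assumes a second public IP 1.1.1.201/32 in the same subnet as the untrust interface ge-0/0/0.0, a trust interface ge-0/0/1.0 addressed 192.168.1.1/24, the NLB cluster IP 192.168.1.200 from the answer above, and hypothetical rule-set, policy and address-book names; the cluster MAC in the static ARP line is a constructed placeholder.

```junos
### Added example: static NAT for the NLB cluster IP (assumptions listed in the lead-in)

### 1. Static NAT is a bidirectional 1:1 mapping of every port; the NAT itself carries no
###    port list, so exposure is limited only by the security policy in step 3
set security nat static rule-set nlb-static-rs from zone untrust
set security nat static rule-set nlb-static-rs rule nlb-static-r1 match destination-address 1.1.1.201/32
set security nat static rule-set nlb-static-rs rule nlb-static-r1 then static-nat prefix 192.168.1.200/32

### 2. Proxy ARP is needed because 1.1.1.201 is not configured on the interface itself;
###    without it the upstream router never gets an ARP reply for the public IP
set security nat proxy-arp interface ge-0/0/0.0 address 1.1.1.201/32

### 3. Address-book entry and a policy restricted to the services the cluster actually serves
###    (junos-http / junos-https are predefined Junos applications; the answer above uses port 80)
set security address-book global address NLB-srv-1 192.168.1.200/32
set security policies from-zone untrust to-zone trust policy NLB-in match source-address any
set security policies from-zone untrust to-zone trust policy NLB-in match destination-address NLB-srv-1
set security policies from-zone untrust to-zone trust policy NLB-in match application [ junos-http junos-https ]
set security policies from-zone untrust to-zone trust policy NLB-in then permit

### 4. Static ARP for the cluster IP on the trust interface (the step the asker already did).
###    The MAC below is a constructed placeholder in the NLB multicast-mode style
###    (03:bf followed by the cluster IP in hex); use the cluster MAC shown in NLB Manager.
set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24 arp 192.168.1.200 mac 03:bf:c0:a8:01:c8

commit check
commit

### Verification from operational mode, after one test connection from outside:
show security nat static rule all
show arp interface ge-0/0/1.0
show security flow session destination-prefix 192.168.1.200
show security policies hit-count
```

The session output is the useful check for the symptom in the question: if `show security flow session` lists sessions whose destination was translated to 192.168.1.200 but the reverse-direction packet counter stays at zero, the NAT rule and policy are doing their job and the reply is being lost between the firewall and the cluster (ARP entry, NLB cluster mode, or the hosts' default gateway), which matches the observation that the same rule works against a node's real IP.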

hell_angelEngineerAuthor Commented:
n/a
0
Deepak MuralidharanCommented:
Is this issue resolved ?
0
Question has a verified solution.