Hello,
I have an IPsec tunnel configured on a Juniper SRX240 on interface st0.2 with static NAT to an internal server in the same IP range. The VPN is up and I could ping the interface IP from the remote side; however, the NATted IP is not pingable. Your help is highly appreciated.
st0.2 is in the VPN zone with interface IP 10.232.146.17/29
Internal server IP 10.10.0.103 is NATted to 10.232.146.18
Remote IP: 10.38.21.235
Below is the security flow session output:
Session ID: 104580, Policy name: VPN_Server/16, Timeout: 52, Valid
In: 10.38.21.235/2245 --> 10.232.146.18/1;icmp, If: st0.2, Pkts: 1, Bytes: 60
Out: 10.10.0.103/1 --> 10.38.21.235/2245;icmp, If: ge-0/0/1.0, Pkts: 0, Bytes: 0
Session ID: 104652, Policy name: VPN_Server/16, Timeout: 46, Valid
In: 10.38.21.235/2240 --> 10.232.146.18/1;icmp, If: st0.2, Pkts: 1, Bytes: 60
Out: 10.10.0.103/1 --> 10.38.21.235/2240;icmp, If: ge-0/0/1.0, Pkts: 0, Bytes: 0
Session ID: 104692, Policy name: self-traffic-policy/1, Timeout: 2, Valid
In: 10.38.21.235/2253 --> 10.232.146.17/1;icmp, If: st0.2, Pkts: 1, Bytes: 60
Out: 10.232.146.17/1 --> 10.38.21.235/2253;icmp, If: .local..0, Pkts: 1, Bytes: 60
The trace log shows the following:
Dec 24 11:02:55 11:02:55.847083:CID-0:RT:<10.38.21.235/1866->10.232.146.18/1;1> matched filter f0:
192.168.56.50 ->172.20.123.2
Dec 24 11:02:55 11:02:55.847083:CID-0:RT:packet [60] ipid = 4790, @0x4368dac0
Dec 24 11:02:55 11:02:55.847083:CID-0:RT:---- flow_process_pkt: (thd 2): flow_ctxt type 1, common flag 0x0, mbuf 0x4368d880, rtbl_idx = 0
Dec 24 11:02:55 11:02:55.847083:CID-0:RT: in_ifp <VPN:st0.2>
Dec 24 11:02:55 11:02:55.847083:CID-0:RT:flow_process_pkt_exception: setting rtt in lpak to 0x6902ecc0
Dec 24 11:02:55 11:02:55.847083:CID-0:RT:pkt out of tunnel.Proceed normally
Dec 24 11:02:55 11:02:55.847083:CID-0:RT: st0.2:10.38.21.235->10.232.146.18, icmp, (8/0)
Dec 24 11:02:55 11:02:55.847083:CID-0:RT: find flow: table 0x59ab7460, hash 22810(0xffff), sa 10.38.21.235, da 10.232.146.18, sp 1866, dp 1, proto 1, tok 8
Dec 24 11:02:55 11:02:55.847083:CID-0:RT: no session found, start first path. in_tunnel - 0x5d53fd20, from_cp_flag - 0
Dec 24 11:02:55 11:02:55.847083:CID-0:RT: flow_first_create_session
Dec 24 11:02:55 11:02:55.847083:CID-0:RT: flow_first_in_dst_nat: in <st0.2>, out <N/A> dst_adr 10.232.146.18, sp 1866, dp 1
Dec 24 11:02:55 11:02:55.847083:CID-0:RT: chose interface st0.2 as incoming nat if.
Dec 24 11:02:55 11:02:55.847083:CID-0:RT:flow_first_rule_dst_xlate: packet 10.38.21.235->10.232.146.18 nsp2 0.0.0.0->10.10.0.103.
Dec 24 11:02:55 11:02:55.847083:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 10.38.21.235, x_dst_ip 10.10.0.103, in ifp st0.2, out ifp N/A sp 1866, dp 1, ip_proto 1, tos 0
Dec 24 11:02:55 11:02:55.847385:CID-0:RT:doing DESTINATION addr route-lookup
Dec 24 11:02:55 11:02:55.847385:CID-0:RT: routed (x_dst_ip 10.10.0.103) from VPN (st0.2 in 0) to ge-0/0/1.0, Next-hop: 10.10.0.103
Dec 24 11:02:55 11:02:55.847385:CID-0:RT:flow_first_policy_search: policy search from zone VPN-> zone Trust (0x114,0x74a0001,0x1)
Dec 24 11:02:55 11:02:55.847385:CID-0:RT:policy lkup: vsys 0 zone(8:VPN) -> zone(6:Trust) scope:0
Dec 24 11:02:55 11:02:55.847385:CID-0:RT: 10.38.21.235/2048 -> 10.10.0.103/17937 proto 1
Dec 24 11:02:55 11:02:55.847385:CID-0:RT: app 0, timeout 60s, curr ageout 60s
Dec 24 11:02:55 11:02:55.847385:CID-0:RT: permitted by policy VPN_Server(16)
Dec 24 11:02:55 11:02:55.847385:CID-0:RT: packet passed, Permitted by policy.
Dec 24 11:02:55 11:02:55.847385:CID-0:RT:flow_first_src_xlate: nat_src_xlated: False, nat_src_xlate_failed: False
Dec 24 11:02:55 11:02:55.847385:CID-0:RT:flow_first_src_xlate: src nat returns status: 0, rule/pool id: 0/0, pst_nat: False.
Dec 24 11:02:55 11:02:55.847385:CID-0:RT: dip id = 0/0, 10.38.21.235/1866->10.38.21.235/1866 protocol 0
Dec 24 11:02:55 11:02:55.847385:CID-0:RT: choose interface ge-0/0/1.0 as outgoing phy if
Dec 24 11:02:55 11:02:55.847385:CID-0:RT:is_loop_pak: No loop: on ifp: ge-0/0/1.0, addr: 10.10.0.103, rtt_idx:0
Dec 24 11:02:55 11:02:55.847385:CID-0:RT:-jsf : Alloc sess plugin info for session 34359960738
Dec 24 11:02:55 11:02:55.847385:CID-0:RT:[JSF]Normal interest check. regd plugins 19, enabled impl mask 0x0
Dec 24 11:02:55 11:02:55.847385:CID-0:RT:-jsf int check: plugin id 2, svc_req 0x0, impl mask 0x0. rc 4
Dec 24 11:02:55 11:02:55.847385:CID-0:RT:-jsf int check: plugin id 3, svc_req 0x0, impl mask 0x0. rc 4
Dec 24 11:02:55 11:02:55.847385:CID-0:RT:-jsf int check: plugin id 5, svc_req 0x0, impl mask 0x0. rc 4
Dec 24 11:02:55 11:02:55.847385:CID-0:RT:-jsf int check: plugin id 6, svc_req 0x0, impl mask 0x0. rc 4
Dec 24 11:02:55 11:02:55.847385:CID-0:RT:-jsf int check: plugin id 7, svc_req 0x0, impl mask 0x0. rc 4
Dec 24 11:02:55 11:02:55.847385:CID-0:RT:-jsf int check: plugin id 8, svc_req 0x0, impl mask 0x0. rc 4
Dec 24 11:02:55 11:02:55.847385:CID-0:RT:-jsf int check: plugin id 12, svc_req 0x0, impl mask 0x0. rc 4
Dec 24 11:02:55 11:02:55.847385:CID-0:RT:-jsf int check: plugin id 15, svc_req 0x0, impl mask 0x0. rc 4
Dec 24 11:02:55 11:02:55.847385:CID-0:RT:+++++++++++jsf_test_plugin_data_evh: 3
Dec 24 11:02:55 11:02:55.847385:CID-0:RT:-jsf int check: plugin id 16, svc_req 0x0, impl mask 0x0. rc 4
Dec 24 11:02:55 11:02:55.847385:CID-0:RT:-jsf int check: plugin id 22, svc_req 0x0, impl mask 0x0. rc 4
Dec 24 11:02:55 11:02:55.847385:CID-0:RT:-jsf int check: plugin id 23, svc_req 0x0, impl mask 0x0. rc 4
Dec 24 11:02:55 11:02:55.847385:CID-0:RT:-jsf int check: plugin id 26, svc_req 0x0, impl mask 0x0. rc 4
Dec 24 11:02:55 11:02:55.847385:CID-0:RT:-jsf int check: plugin id 27, svc_req 0x0, impl mask 0x0. rc 2
Dec 24 11:02:55 11:02:55.847886:CID-0:RT:-jsf int check: plugin id 28, svc_req 0x0, impl mask 0x0. rc 4
Dec 24 11:02:55 11:02:55.847886:CID-0:RT:[JSF]Plugins(0x0, count 0) enabled for session = 1, impli mask(0x8), post_nat cnt 222370 svc req(0x0)
Dec 24 11:02:55 11:02:55.847886:CID-0:RT:-jsf : no plugin interested for session 34359960738, free sess plugin info
Dec 24 11:02:55 11:02:55.847886:CID-0:RT:flow_first_service_lookup(): natp(0x635f3448): app_id, 0(0).
Dec 24 11:02:55 11:02:55.847886:CID-0:RT: service lookup identified service 0.
Dec 24 11:02:55 11:02:55.847886:CID-0:RT: flow_first_final_check: in <st0.2>, out <ge-0/0/1.0>
Dec 24 11:02:55 11:02:55.847886:CID-0:RT:flow_first_final_check: flow_set_xlate_vector.
Dec 24 11:02:55 11:02:55.847886:CID-0:RT:flow_first_complete_session, pak_ptr: 0x59404e38, nsp: 0x635f3448, in_tunnel: 0x5d53fd20
Dec 24 11:02:55 11:02:55.847886:CID-0:RT:construct v4 vector for nsp2
Dec 24 11:02:55 11:02:55.847886:CID-0:RT: existing vector list 0x1204-0x5264fd58.
Dec 24 11:02:55 11:02:55.847886:CID-0:RT: Session (id:222370) created for first pak 1204
Dec 24 11:02:55 11:02:55.847886:CID-0:RT: flow_first_install_session======> 0x635f3448
Dec 24 11:02:55 11:02:55.847886:CID-0:RT: nsp 0x635f3448, nsp2 0x635f34c8
Dec 24 11:02:55 11:02:55.847886:CID-0:RT: make_nsp_ready_no_resolve()
Dec 24 11:02:55 11:02:55.847886:CID-0:RT: route lookup: dest-ip 10.38.21.235 orig ifp st0.2 output_ifp st0.2 orig-zone 8 out-zone 8 vsd 0
Dec 24 11:02:55 11:02:55.847886:CID-0:RT: route to 10.38.21.235
Dec 24 11:02:55 11:02:55.847886:CID-0:RT:no need update ha
Dec 24 11:02:55 11:02:55.847886:CID-0:RT:Installing s2c NP session wing
Dec 24 11:02:55 11:02:55.847886:CID-0:RT: Error : get sess plugin info 0x635f3448
Dec 24 11:02:55 11:02:55.847886:CID-0:RT: Error : get sess plugin info 0x635f3448
Dec 24 11:02:55 11:02:55.848390:CID-0:RT: flow got session.
Dec 24 11:02:55 11:02:55.848390:CID-0:RT: flow session id 222370
Dec 24 11:02:55 11:02:55.848390:CID-0:RT: vector bits 0x1204 vector 0x5264fd58
Dec 24 11:02:55 11:02:55.848390:CID-0:RT:flow_xlate_pak
Dec 24 11:02:55 11:02:55.848390:CID-0:RT:flow_handle_icmp_xlate
Dec 24 11:02:55 11:02:55.848390:CID-0:RT:xlate_icmp_pak
Dec 24 11:02:55 11:02:55.848390:CID-0:RT: post addr xlation: 10.38.21.235->10.10.0.103.
Dec 24 11:02:55 11:02:55.848390:CID-0:RT: post addr xlation: 10.38.21.235->10.10.0.103.
Dec 24 11:02:55 11:02:55.848390:CID-0:RT:skip pre-frag: is_tunnel_if- 0, is_if_mtu_configured- 0
Dec 24 11:02:55 11:02:55.848390:CID-0:RT: encap vector
Dec 24 11:02:55 11:02:55.848390:CID-0:RT: no more encapping needed
Dec 24 11:02:55 11:02:55.848390:CID-0:RT:mbuf 0x4368d880, exit nh 0x210010
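As an added example (not the poster's code), a small Python parser for the `show security flow session` output quoted above. It flags the symptom the session table already reveals: the In wing on st0.2 has packets, the Out wing toward the NATted server on ge-0/0/1.0 has none, so the SRX finished first-path processing (policy permitted, destination NAT resolved to 10.10.0.103, route chosen) and the reply from the server never reached the SRX. The session lines are the ones from the post, embedded as constructed sample input.

```python
import re

# Constructed sample input: two sessions quoted from the post above, one toward
# the NATted address 10.232.146.18 and one toward the st0.2 address itself.
SAMPLE_SESSIONS = """\
Session ID: 104580, Policy name: VPN_Server/16, Timeout: 52, Valid
In: 10.38.21.235/2245 --> 10.232.146.18/1;icmp, If: st0.2, Pkts: 1, Bytes: 60
Out: 10.10.0.103/1 --> 10.38.21.235/2245;icmp, If: ge-0/0/1.0, Pkts: 0, Bytes: 0
Session ID: 104692, Policy name: self-traffic-policy/1, Timeout: 2, Valid
In: 10.38.21.235/2253 --> 10.232.146.17/1;icmp, If: st0.2, Pkts: 1, Bytes: 60
Out: 10.232.146.17/1 --> 10.38.21.235/2253;icmp, If: .local..0, Pkts: 1, Bytes: 60
"""

SESSION_RE = re.compile(r"^Session ID: (\d+), Policy name: (\S+),")
WING_RE = re.compile(r"^(In|Out): ([\d.]+)/\d+ --> ([\d.]+)/\d+;(\w+), If: (\S+), Pkts: (\d+)")


def parse_sessions(text):
    """Turn 'show security flow session' output into dicts with their In/Out wings."""
    sessions = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := SESSION_RE.match(line):
            sessions.append({"id": int(m[1]), "policy": m[2], "wings": {}})
        elif (w := WING_RE.match(line)) and sessions:
            sessions[-1]["wings"][w[1]] = {"src": w[2], "dst": w[3], "proto": w[4],
                                           "ifp": w[5], "pkts": int(w[6])}
    return sessions


def diagnose(session):
    """Dst NAT applied <=> In-dst != Out-src. In packets with zero Out packets means
    the SRX finished first-path (policy, route, NAT) but nothing came back."""
    inw, outw = session["wings"].get("In"), session["wings"].get("Out")
    if inw is None or outw is None:
        return {"id": session["id"], "verdict": "incomplete"}
    dst_nat = inw["dst"] != outw["src"]
    no_reply = inw["pkts"] > 0 and outw["pkts"] == 0
    verdict = "ok"
    if no_reply:
        verdict = (f"no reply from {outw['src']} on {outw['ifp']}: the SRX built the "
                   f"session under {session['policy']}, so check the server's route "
                   f"back to {outw['dst']} and its host firewall")
    return {"id": session["id"], "dst_nat": dst_nat,
            "nat_target": outw["src"] if dst_nat else None,
            "no_reply": no_reply, "verdict": verdict}


if __name__ == "__main__":
    for s in parse_sessions(SAMPLE_SESSIONS):
        print(diagnose(s))
```

Paste the live `show security flow session` output in place of the sample to run the same check on a box; a session whose Out wing stays at zero packets while the In wing grows is the one to chase on the server side.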