
Source NAT in SRX

Hi, 

I have an SRX1500 with S/W version 15.x. Recently I got a new request which I am not sure whether I can do in my SRX. So, I am sharing it here to see if any of you can give me an idea whether it is possible or not, and if possible, how to do it.

 

Here is the request. The Source will be source NATed to two different IPs. The Destination IP will be one, but with two different service ports. When the Source tries to access the 1st Destination port, it will use the 1st NAT (Source NAT) IP, and when the Source tries to access the 2nd Destination port, it will use the 2nd NAT (Source NAT) IP.

 

Appreciate your help.

 

Thanks,

Adnan


Re: Source NAT in SRX

Hi Shahid,

 

This is doable without any major issue. Example config and validation below. Hope this helps you accomplish your task.

 

Summary:

When accessing 10.10.10.10 from the trust zone, it is destination NATed towards 1.2.3.4 and source NATed behind 11.11.11.11 if the destination port is 1111, and source NATed behind 22.22.22.22 if the destination port is 2222.

 

config:

jonasj@vsrx-outside# show security nat destination
pool dst-pool1 {
    address 1.2.3.4/32;
}
rule-set test {
    from zone trust;
    rule dst1 {
        match {
            destination-address 10.10.10.10/32;
        }
        then {
            destination-nat {
                pool {
                    dst-pool1;
                }
            }
        }
    }
}

jonasj@vsrx-outside# show security nat source
pool srcip1 {
    address {
        11.11.11.11/32;
    }
}
pool srcip2 {
    address {
        22.22.22.22/32;
    }
}
rule-set test {
    from zone trust;
    to zone untrust;
    rule src1 {
        match {
            destination-address 1.2.3.4/32;
            destination-port {
                1111;
            }
        }
        then {
            source-nat {
                pool {
                    srcip1;
                }
            }
        }
    }
    rule src2 {
        match {
            destination-address 1.2.3.4/32;
            destination-port {
                2222;
            }
        }
        then {
            source-nat {
                pool {
                    srcip2;
                }
            }
        }
    }
}

Validation when trying to telnet to 10.10.10.10:1111 or 10.10.10.10:2222 from the trust zone:

jonasj@vsrx-outside# ...show security flow session destination-port 1111
Session ID: 81159, Policy name: permitall/5, Timeout: 20, Valid
  In: 172.30.105.5/54062 --> 10.10.10.10/1111;tcp, Conn Tag: 0x0, If: ge-0/0/1.105, Pkts: 1, Bytes: 52,
  Out: 1.2.3.4/1111 --> 11.11.11.11/13551;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 0, Bytes: 0,
Total sessions: 1

[edit]
jonasj@vsrx-outside# run show security flow session destination-port 2222
Session ID: 81163, Policy name: permitall/5, Timeout: 16, Valid
  In: 172.30.105.5/54063 --> 10.10.10.10/2222;tcp, Conn Tag: 0x0, If: ge-0/0/1.105, Pkts: 2, Bytes: 104,
  Out: 1.2.3.4/2222 --> 22.22.22.22/27942;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 0, Bytes: 0,
Total sessions: 1
--
Best regards,

Jonas Hauge Jensen
Systems Engineer, SEC Datacom A/S (Denmark)
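The two flow-session captures in the reply above are the evidence that the port-based source NAT selection works: in each session the In wing shows the client's original packet (pre-NAT destination 10.10.10.10), and the Out wing is the reverse flow, so its source is the post-destination-NAT server address (1.2.3.4, unchanged port) and its destination is the translated client address (11.11.11.11 or 22.22.22.22, with a translated source port). The script below is an added example, not code from the original post or from Juniper: it parses `show security flow session` output in that format and checks that every session reaching a given original destination port was translated to the expected destination and source NAT address. The sample output is constructed from the two captures in the post, with the two sessions merged into one listing, and the expected mapping (`EXPECTED`) is the one described in the reply.

```python
import re

# Constructed sample output, modelled on the two captures in the post above
# (the two sessions are merged into one listing; not taken from a live device).
SAMPLE_SESSIONS = """\
Session ID: 81159, Policy name: permitall/5, Timeout: 20, Valid
  In: 172.30.105.5/54062 --> 10.10.10.10/1111;tcp, Conn Tag: 0x0, If: ge-0/0/1.105, Pkts: 1, Bytes: 52,
  Out: 1.2.3.4/1111 --> 11.11.11.11/13551;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 0, Bytes: 0,
Session ID: 81163, Policy name: permitall/5, Timeout: 16, Valid
  In: 172.30.105.5/54063 --> 10.10.10.10/2222;tcp, Conn Tag: 0x0, If: ge-0/0/1.105, Pkts: 2, Bytes: 104,
  Out: 1.2.3.4/2222 --> 22.22.22.22/27942;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 0, Bytes: 0,
Total sessions: 2
"""

# Expected result per original destination port, taken from the reply's summary:
# original dport -> (post-destination-NAT address, source NAT address)
EXPECTED = {
    1111: ("1.2.3.4", "11.11.11.11"),
    2222: ("1.2.3.4", "22.22.22.22"),
}

SESSION_RE = re.compile(r"^Session ID:\s+(?P<id>\d+),")
WING_RE = re.compile(
    r"^\s*(?P<dir>In|Out):\s+(?P<src>[\d.]+)/(?P<sport>\d+)\s+-->\s+"
    r"(?P<dst>[\d.]+)/(?P<dport>\d+);(?P<proto>\w+)"
)


def parse_sessions(text):
    """Parse flow-session output into [{'id', 'in': wing, 'out': wing}, ...].

    A wing is {'src', 'sport', 'dst', 'dport', 'proto'}; lines that are not a
    session header or a wing (policy, counters, 'Total sessions') are ignored.
    """
    sessions = []
    current = None
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            current = {"id": int(m.group("id")), "in": None, "out": None}
            sessions.append(current)
            continue
        m = WING_RE.match(line)
        if m and current is not None:
            wing = {k: m.group(k) for k in ("src", "dst", "proto")}
            wing["sport"] = int(m.group("sport"))
            wing["dport"] = int(m.group("dport"))
            current[m.group("dir").lower()] = wing
    return sessions


def check_nat(sessions, expected):
    """Compare each session's observed NAT result against `expected`.

    In wing  : client -> original destination, exactly as the client sent it.
    Out wing : the reverse flow, so out.src is the real (post-DNAT) server
               address and out.dst is the source-NATed client address; the
               server port must equal the original destination port, because
               the destination NAT on the page translates the address only.
    Returns a list of (session_id, original_dport, ok, detail) tuples.
    """
    results = []
    for s in sessions:
        i, o = s["in"], s["out"]
        if i is None or o is None:
            results.append((s["id"], None, False, "missing In or Out wing"))
            continue
        want = expected.get(i["dport"])
        if want is None:
            results.append((s["id"], i["dport"], False, "no expectation for this port"))
            continue
        real_dst, snat_addr = o["src"], o["dst"]
        ok = (real_dst, snat_addr) == want and o["sport"] == i["dport"]
        detail = f"dst {real_dst}:{o['sport']} via snat {snat_addr}:{o['dport']}"
        results.append((s["id"], i["dport"], ok, detail))
    return results


if __name__ == "__main__":
    for sid, dport, ok, detail in check_nat(parse_sessions(SAMPLE_SESSIONS), EXPECTED):
        print(f"session {sid} port {dport}: {'OK ' if ok else 'BAD'} {detail}")
```

Running it on the constructed sample reports both sessions as OK; swapping the second session's translated address to 11.11.11.11 makes it flag session 81163, which is the failure you would see if the source NAT rules were reordered or the destination-port match were dropped from `src1`. One check the script cannot do for you: if 11.11.11.11 and 22.22.22.22 sit in the egress interface's subnet but are not the interface's own address, the SRX also needs `proxy-arp` entries for them under `security nat` on ge-0/0/0.0, or the upstream router will never resolve the return traffic.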