SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Allow all host hiding NAT and inbound Static / Destination NAT?

    Posted 08-05-2016 12:34

    Hi, firstly, very sorry, but I'm new to SRX and will probably use non-Juniper terminology. I have a pair of SRH 100H working fine.

    Two zones: trust and untrust.

    A simple two-legged SRX with a leg in trust and a leg in untrust.

    There is one public IP on the external interface.

    I have a policy that allows all outbound traffic from a host in trust to untrust.

     

     In terms of NAT, what is the very simplest way of achieving the following two objectives:

    1. Allow the host to have its IP "hidden" behind the public IP of the SRX (like other firewalls do their host hiding). AND

    2. Allow a simple destination NAT from the untrust to the host in trust, let's say in TCP 51234.

     

    I've read so many documents, my head is spinning, but all I seem to achieve is one or the other (so the host can either browse, OR it can be reached from the Internet). All the examples only seem to ever show one or the other but never both.

     

    TIA

    m

  • 2.  RE: Allow all host hiding NAT and inbound Static / Destination NAT?
    Best Answer

    Posted 08-05-2016 14:57

    Check out these NAT examples.

     

    https://kb.juniper.net/library/CUSTOMERSERVICE/technotes/Junos_NAT_Examples.pdf

     

    1- source nat interface is page 5

     

    2- destination nat port forwarding on page 9



  • 3.  RE: Allow all host hiding NAT and inbound Static / Destination NAT?

    Posted 08-05-2016 15:42

    Thanks for the reply. Because it automatically appears to do the source NAT (which I still find weird) behind the interface, I didn't realise I needed to configure it explicitly. When I did the stuff on page 5, it all kicked into gear. 🙂
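
Both objectives from the question in one configuration, as an added example that is not part of the thread or of the linked Juniper document. Assumptions: the addresses (203.0.113.10 as the public interface IP, 192.168.1.0/24 as the trust subnet, 192.168.1.10 as the host) and every rule, pool, policy and application name are constructed placeholders, and the existing trust-to-untrust permit policy from the question is already in place.

```junos
# 1. Source NAT: hide trust hosts behind the untrust interface address.
#    Match only the trust subnet instead of 0.0.0.0/0.
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule hide-trust match source-address 192.168.1.0/24
set security nat source rule-set trust-to-untrust rule hide-trust then source-nat interface

# 2. Destination NAT: forward TCP 51234 arriving on the public IP to the host.
set security nat destination pool host-51234 address 192.168.1.10/32
set security nat destination pool host-51234 address port 51234
set security nat destination rule-set from-untrust from zone untrust
set security nat destination rule-set from-untrust rule fwd-51234 match destination-address 203.0.113.10/32
set security nat destination rule-set from-untrust rule fwd-51234 match destination-port 51234
set security nat destination rule-set from-untrust rule fwd-51234 then destination-nat pool host-51234

# 3. Security policy for the inbound flow. Destination NAT is applied before
#    the policy lookup, so the policy matches the translated (internal)
#    address, and it permits only the one forwarded service.
set security address-book global address host-1 192.168.1.10/32
set applications application tcp-51234 protocol tcp
set applications application tcp-51234 destination-port 51234
set security policies from-zone untrust to-zone trust policy allow-51234 match source-address any
set security policies from-zone untrust to-zone trust policy allow-51234 match destination-address host-1
set security policies from-zone untrust to-zone trust policy allow-51234 match application tcp-51234
set security policies from-zone untrust to-zone trust policy allow-51234 then permit
set security policies from-zone untrust to-zone trust policy allow-51234 then log session-init
```

After commit, `show security nat source rule all` and `show security nat destination rule all` report per-rule translation hits, which confirms that both directions match the intended rule.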