SRX Services Gateway
Visitor
ianmacd
Posts: 3
Registered: 04-01-2011

Can an SRX conditionally do NAT, based on packet source address?

Hello,

I'm considering buying an SRX gateway, but am having trouble determining whether it can be made to meet a slightly odd requirement that I have. I'll describe that requirement for you now.

I have DSL, routed through a FRITZ!Box 7170 DSL modem doing NAT. The NAT cannot be turned off.

I also have cable, routed through a dumb Cisco cable modem that acts as a bridge.

Basically, I want to configure the SRX with 3 interfaces: 1 to the LAN, 1 to DSL and 1 to cable.

Based on the source address of packets from the LAN, I want to either:

  • route them through the DSL modem without performing NAT (because the DSL modem will do that)
  • perform NAT on them and route them through the cable modem

I'm having trouble determining whether the SRX can be set up to conditionally NAT traffic from the LAN in this way, depending on the source address of the packet.

Can anyone tell me whether this can be accomplished with an SRX?

Thanks,

Ian

--
Ian Macdonald
Distinguished Expert
firewall72
Posts: 806
Registered: 05-04-2008

Re: Can an SRX conditionally do NAT, based on packet source address?

Hi,

Yes, you can accomplish this with the SRX. You can bind your cable modem interface to the untrust and use a basic source NAT rule (see below). Your DSL interface can be bound to a DSL zone and left out of your source NAT rule. However, you will need to plan out how to handle routing your traffic across both ISPs. I've seen success using Routing Instances, Filter Based Forwarding and primary/backup routing.

1srx1> show configuration security nat           
source {
    rule-set trust-to-untrust {
        from zone trust;
        to zone untrust;
        rule source-nat-rule {
            match {
                source-address 0.0.0.0/0;
            }
            then {
                source-nat {
                    interface;
                }
            }
        }
    }
}

John

John Judge
JNCIS-SEC, JNCIS-ENT, JNCIA-JUNOS, JNSS-Firewall

If this solves your problem, please mark this post as "Accepted Solution". Kudos are appreciated.
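The answer above names the three pieces (a source NAT rule-set scoped to the cable zone, a separate DSL zone with no NAT rule-set, and filter-based forwarding to steer selected hosts into a forwarding routing instance) but only shows the NAT fragment. The following set-format configuration is an added example that puts them together; it is not the poster's configuration and not from Juniper. Everything in it is assumed for illustration: ge-0/0/0 is the LAN (192.168.168.0/24), ge-0/0/1 faces the FRITZ!Box LAN side (modem at 192.168.178.1, SRX at .2), ge-0/0/2 faces the cable modem with a static address from the 203.0.113.0/24 documentation range, and the three hosts in term `dsl-hosts` are constructed sample addresses standing in for the non-contiguous DSL-bound machines. The `#` lines are explanatory comments.

```junos
# Added example, not from the original post. Interface names, addresses and the
# DSL-bound host list are assumptions chosen for illustration.
set interfaces ge-0/0/0 unit 0 family inet filter input to-dsl-fbf
set interfaces ge-0/0/0 unit 0 family inet address 192.168.168.1/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.178.2/24
set interfaces ge-0/0/2 unit 0 family inet address 203.0.113.2/24

# Main table inet.0 defaults to the cable path. The forwarding instance via-dsl
# has its own default through the FRITZ!Box; the rib-group copies the interface
# routes into via-dsl.inet.0 so that next hop can resolve there.
set routing-options static route 0.0.0.0/0 next-hop 203.0.113.1
set routing-options interface-routes rib-group inet fbf-ribs
set routing-options rib-groups fbf-ribs import-rib [ inet.0 via-dsl.inet.0 ]
set routing-instances via-dsl instance-type forwarding
set routing-instances via-dsl routing-options static route 0.0.0.0/0 next-hop 192.168.178.1

# Filter-based forwarding on LAN ingress: the listed (non-contiguous) sources are
# handed to via-dsl; every other source stays in inet.0 and follows the cable route.
set firewall family inet filter to-dsl-fbf term dsl-hosts from source-address 192.168.168.10/32
set firewall family inet filter to-dsl-fbf term dsl-hosts from source-address 192.168.168.37/32
set firewall family inet filter to-dsl-fbf term dsl-hosts from source-address 192.168.168.120/32
set firewall family inet filter to-dsl-fbf term dsl-hosts then routing-instance via-dsl
set firewall family inet filter to-dsl-fbf term rest then accept

# Three zones. The egress interface decides the destination zone, so redirected
# flows are trust->dsl and everything else is trust->untrust.
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces ge-0/0/2.0
set security zones security-zone dsl interfaces ge-0/0/1.0

# Source NAT only for trust->untrust (cable). There is deliberately no rule-set
# for trust->dsl, so DSL-bound packets keep their 192.168.168.x source address
# and the FRITZ!Box performs the translation.
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule cable-snat match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule cable-snat then source-nat interface

# Both paths need an explicit security policy; the SRX drops inter-zone traffic
# with no matching policy.
set security policies from-zone trust to-zone untrust policy lan-to-cable match source-address any
set security policies from-zone trust to-zone untrust policy lan-to-cable match destination-address any
set security policies from-zone trust to-zone untrust policy lan-to-cable match application any
set security policies from-zone trust to-zone untrust policy lan-to-cable then permit
set security policies from-zone trust to-zone dsl policy lan-to-dsl match source-address any
set security policies from-zone trust to-zone dsl policy lan-to-dsl match destination-address any
set security policies from-zone trust to-zone dsl policy lan-to-dsl match application any
set security policies from-zone trust to-zone dsl policy lan-to-dsl then permit
```

Two things to check after committing. First, `show route table via-dsl.inet.0` should list both the 0.0.0.0/0 route via 192.168.178.1 and the directly connected 192.168.178.0/24 and 192.168.168.0/24 prefixes; if the connected routes are missing, the rib-group is not applied and the FBF default will not resolve. Second, `show security flow session` for a flow from one of the listed hosts should show it leaving ge-0/0/1.0 with its original 192.168.168.x source, while a flow from any other host leaves ge-0/0/2.0 translated to 203.0.113.2. Because the DSL path carries untranslated LAN addresses, the FRITZ!Box must also hold a static route for 192.168.168.0/24 pointing at 192.168.178.2, otherwise its replies have nowhere to go; that route is configured on the modem, not the SRX. Keeping the NAT rule-set bound to zones rather than to a source prefix is what makes the behaviour hold as hosts are added or removed from `dsl-hosts`: the filter alone decides the path, and translation follows the zone.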
Visitor
ianmacd
Posts: 3
Registered: 04-01-2011

Re: Can an SRX conditionally do NAT, based on packet source address?

Thanks for your reply. Nice to know that what I want to do is possible.

Regarding the routing of the traffic over cable or DSL, I want some machines to go over cable (with NAT) and others to go over DSL (without NAT, because the DSL modem will take care of it). I could just configure different gateways on the individual machines, but I want to centralise the configuration, which is why I'm considering the SRX.

So, I just need to be able to tell the SRX to route some non-contiguous IP addresses on my 192.168.168.0/24 network over cable and others over DSL. If I can do that in combination with applying NAT to the cable-bound addresses whilst leaving the DSL-bound addresses untouched, then the SRX sounds as if it will be the right box for the job.

Can you confirm that this set-up will work with the SRX?

Cheers,

Ian

--
Ian Macdonald
Super Contributor
cryptochrome
Posts: 496
Registered: 03-29-2008

Re: Can an SRX conditionally do NAT, based on packet source address?

Yes, this can be done easily.

Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.