SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  DIP configuration in Junos

    Posted 02-12-2017 15:02

    I have the following DIP configuration in SSG and would like to configure this in Junos SRX 240. Can I get some tips on how to configure the following in Junos?

     

    set interface ethernet0/0 ext ip 10.20.X.X 255.255.255.255 dip 5 10.20.X.X 10.20.X.X
    set interface ethernet0/6 ext ip 10.X.X.X 255.255.255.255 dip 4 10.X.X.X 10.X.X.X



  • 2.  RE: DIP configuration in Junos

     
    Posted 02-12-2017 15:17

    Hi,

     

    You can use the ScreenOS to Junos configuration tool for the translation.

     

    Try https://i2j.juniper.net/s2j/index.jsp

     

    Alternatively you can refer to the SRX NAT examples 

     

    https://kb.juniper.net/library/CUSTOMERSERVICE/technotes/Junos_NAT_Examples.pdf

     

    Tim



  • 3.  RE: DIP configuration in Junos

    Posted 02-15-2017 12:42

    Thanks.



  • 4.  RE: DIP configuration in Junos

    Posted 02-14-2017 15:54

    For a conversion example of ScreenOS DIP to Junos see page 8 in this document

     

    NAT Configuration Examples for ScreenOS Users

     

    https://www.juniper.net/techpubs/en_US/release-independent/nce/information-products/topic-collections/nce/nat-configuration-examples-for-screenos-users/nat-configuration-examples-for-screenos-users.pdf

     

    ScreenOS 
    
    set int e0/0 dip 4 1.1.1.10 1.1.1.15
    set policy id 1 from trust to untrust any any any nat src dip-id 4 permit
    
    Junos
    
    set security nat source pool pool-1 address 1.1.1.10 to 1.1.1.15
    set security nat source rule-set pool-nat from zone trust
    set security nat source rule-set pool-nat to zone untrust
    set security nat source rule-set pool-nat rule rule1 match source-address 0.0.0.0/0 destination-address 0.0.0.0/0
    set security nat source rule-set pool-nat rule rule1 then source-nat pool pool-1
    set security nat proxy-arp interface ge-0/0/0 address 1.1.1.10 to 1.1.1.15
    set security policies from-zone trust to-zone untrust policy permit-all match source-address any destination-address any application any
    set security policies from-zone trust to-zone untrust policy permit-all then permit

     



  • 5.  RE: DIP configuration in Junos

    Posted 02-15-2017 12:42

    Thank you for this information. 

     

    If I have a policy with a dst ip, would I have to do double NAT here with a destination pool? Example:

     

    set policy id 123 from "BLAN" to "SLAN"  "X" "Y" "TCP/6004" nat src dip-id 5 dst ip 10.X.X.X permit log 



  • 6.  RE: DIP configuration in Junos
    Best Answer

    Posted 02-15-2017 14:55

    Yes, you could use double NAT just as your ScreenOS is configured.  The destination example is on page 23 of the document.

     

    The other possibility is to convert the double NAT into a static NAT instead.  This can be done if the device involved is the only one using this IP address.  You cannot split ports between multiple devices with Static NAT.  The ScreenOS equivalent is MIP.  Those instructions are on page 17.

     

    https://www.juniper.net/techpubs/en_US/release-independent/nce/information-products/topic-collections/nce/nat-configuration-examples-for-screenos-users/nat-configuration-examples-for-screenos-users.pdf
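
    A full double NAT translation of the ScreenOS policy quoted in post 5 (`set policy id 123 from "BLAN" to "SLAN" "X" "Y" "TCP/6004" nat src dip-id 5 dst ip 10.X.X.X permit log`), written here as an added example; it is not from the linked document or from either poster. Every address, interface name and object name in it is an assumption chosen for illustration: X = 192.168.10.25 in zone BLAN, Y = 10.60.0.150 (the address the client connects to), the real server 10.60.0.50 (the ScreenOS "dst ip"), DIP pool 5 = 10.60.0.5 on the SLAN side, and interfaces ge-0/0/1.0 and ge-0/0/2.0. The order of operations on the SRX is the point: destination NAT is evaluated before the security policy lookup and source NAT after it, so both the policy and the source NAT rule must match the translated (real) destination address, while the policy still sees the original source address. The static NAT (MIP) alternative from post 6 is shown commented out at the end.

```junos
# Added example, not from the thread or from Juniper's document.
# All addresses, interface names and object names below are assumptions.
#
# ScreenOS original (post 5):
#   set policy id 123 from "BLAN" to "SLAN" "X" "Y" "TCP/6004" nat src dip-id 5 dst ip 10.X.X.X permit log
#
# Assumed topology:
#   X      = 192.168.10.25  client in zone BLAN behind ge-0/0/1.0
#   Y      = 10.60.0.150    address the client connects to (the ScreenOS policy destination)
#   Y-real = 10.60.0.50     real server in zone SLAN behind ge-0/0/2.0 (the ScreenOS "dst ip")
#   DIP 5  = 10.60.0.5      source NAT address in ge-0/0/2.0's subnet 10.60.0.0/24

# Zones: the NAT rule-sets below are only consulted when the ingress and egress
# interfaces are in exactly these zones.
set security zones security-zone BLAN interfaces ge-0/0/1.0
set security zones security-zone SLAN interfaces ge-0/0/2.0

# Address objects named after the ScreenOS policy
set security zones security-zone BLAN address-book address X 192.168.10.25/32
set security zones security-zone SLAN address-book address Y 10.60.0.150/32
set security zones security-zone SLAN address-book address Y-real 10.60.0.50/32

# ScreenOS service "TCP/6004"
set applications application TCP-6004 protocol tcp destination-port 6004

# 1. Destination NAT (ScreenOS "dst ip"). Evaluated before the policy lookup.
#    The pool carries no port, so TCP/6004 passes through unchanged: address
#    translation only, which is what the thread asks for.
set security nat destination pool dnat-Y-real address 10.60.0.50/32
set security nat destination rule-set dnat-from-BLAN from zone BLAN
set security nat destination rule-set dnat-from-BLAN rule to-Y-real match destination-address 10.60.0.150/32
set security nat destination rule-set dnat-from-BLAN rule to-Y-real match destination-port 6004
set security nat destination rule-set dnat-from-BLAN rule to-Y-real then destination-nat pool dnat-Y-real

# 2. Security policy. Destination NAT has already happened, so the policy must match
#    the real server (Y-real), not Y. The source is still the untranslated X because
#    source NAT has not happened yet. "log" in ScreenOS maps to session-init/close.
set security policies from-zone BLAN to-zone SLAN policy 123 match source-address X
set security policies from-zone BLAN to-zone SLAN policy 123 match destination-address Y-real
set security policies from-zone BLAN to-zone SLAN policy 123 match application TCP-6004
set security policies from-zone BLAN to-zone SLAN policy 123 then permit
set security policies from-zone BLAN to-zone SLAN policy 123 then log session-init
set security policies from-zone BLAN to-zone SLAN policy 123 then log session-close

# 3. Source NAT (ScreenOS "nat src dip-id 5"). Evaluated after the policy, so its
#    destination-address match is also the post-destination-NAT address 10.60.0.50,
#    not 10.60.0.150. Matching on Y here is the usual reason a source rule shows
#    zero translation hits while the destination rule counts them.
set security nat source pool dip-5 address 10.60.0.5/32
set security nat source rule-set snat-BLAN-to-SLAN from zone BLAN
set security nat source rule-set snat-BLAN-to-SLAN to zone SLAN
set security nat source rule-set snat-BLAN-to-SLAN rule from-X match source-address 192.168.10.25/32
set security nat source rule-set snat-BLAN-to-SLAN rule from-X match destination-address 10.60.0.50/32
set security nat source rule-set snat-BLAN-to-SLAN rule from-X then source-nat pool dip-5

# The DIP address is not the interface address, so the SRX has to answer ARP for it on
# the SLAN interface or the server's replies never come back. ScreenOS answered ARP for
# DIP pools on its own; Junos does not.
set security nat proxy-arp interface ge-0/0/2.0 address 10.60.0.5/32

# Alternative from post 6: if Y-real is the only host behind Y, replace the destination
# pool and rule-set in step 1 with static NAT (ScreenOS MIP). Static NAT is bidirectional
# and covers every port, so Y cannot be shared between several servers. Steps 2 and 3
# stay exactly as above.
# set security nat static rule-set mip-from-BLAN from zone BLAN
# set security nat static rule-set mip-from-BLAN rule Y-to-Y-real match destination-address 10.60.0.150/32
# set security nat static rule-set mip-from-BLAN rule Y-to-Y-real then static-nat prefix 10.60.0.50/32
```

    After `commit`, `show security nat destination rule all` and `show security nat source rule all` should both count translation hits for a TCP/6004 connection from X to Y; if only the destination rule counts, re-check the zones on the source rule-set and the destination-address it matches.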



  • 7.  RE: DIP configuration in Junos

    Posted 02-16-2017 10:53

    Thank you. I will do double NAT. 



  • 8.  RE: DIP configuration in Junos

    Posted 03-12-2017 23:47

    I did the double NAT on Junos for the following ScreenOS config:

     

    set policy id 123 from "BLAN" to "SLAN"  "X" "Y" "TCP/6004" nat src dip-id 5 dst ip 10.X.X.X permit log

     

     

    The server with the incoming NAT is getting an error of port 6004 being blocked. Do I need to do port translation on the destination NAT?



  • 9.  RE: DIP configuration in Junos

    Posted 03-14-2017 03:04

    This policy will allow the stated port through, not change the port with a port translation.  Do you need port translation or just ip address translation?



  • 10.  RE: DIP configuration in Junos

    Posted 03-14-2017 03:40

    I need port 6004 to pass through incoming with IP address translation.



  • 11.  RE: DIP configuration in Junos

    Posted 03-14-2017 03:47

     

    Also, with this double NAT configuration I'm not getting any translation hits on the source NAT but am getting hits on the destination NAT. Can you assist with the source NAT? I added port 6004 on the DNAT pool and a destination NAT policy with application TCP-6004.

     

     

    Here is the source nat rule. The ip addresses used are just for example. 

     

     

    security {
        ike {
            respond-bad-spi 1;
        }
        nat {
            source {
                pool pool-5 {
                    address {
                        10.30.20.10/32 to 10.30.20.10/32;
                    }
                }
                pool pool-4 {
                    address {
                        10.20.20.7/32 to 10.20.20.7/32;
                    }
                }
                rule-set source-nat-1 {
                    from zone BLAN;
                    to zone ELAN;
                    rule rule5 {
                        match {
                            source-address 10.20.20.1/32;
                            destination-address 10.20.20.7/32;
                        }
                        then {
                            source-nat {
                                pool pool-5;
                            }
                        }
                    }
                }
                rule-set source-nat-2 {
                    from zone ELAN;
                    to zone BLAN;
                    rule rule4 {
                        match {
                            source-address 10.30.20.1/32;
                            destination-address 10.30.20.10/32;
                        }
                        then {
                            source-nat {
                                pool pool-4;
                            }
                        }
                    }
                }
            }
        }
    }



    Source NAT policies

    from-zone BLAN to-zone ELAN {
        policy 34 {
            match {
                source-address MI;
                destination-address ES;
                application TCP/6004;
            }
            then {
                permit;
                log {
                    session-init;
                }
            }
        }
    }
    from-zone ELAN to-zone BLAN {
        policy 33 {
            match {
                source-address EA;
                destination-address MP;
                application TCP/6004;
            }
            then {
                permit;
                log {
                    session-init;
                }
            }
        }
    }

    Routes

    routing-options {
        static {
            route 10.20.20.7/32 {
                next-hop 10.2.1.1;
                preference 20;
            }
        }
    }

     



  • 12.  RE: DIP configuration in Junos

    Posted 03-15-2017 02:47

    Are you sure that the zone designations in your NAT rules are correct?

     

    The addresses you list as source and destination to match in the NAT rules look like they are in the same /24 subnet.  But the rule lists two different zones for the match conditions.  The zones need to match the ingress and egress interface zone assignment on the SRX before the rule will be used.
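
    The checks a practitioner would run to settle the two questions raised above (which zone each interface really is in, and why the destination rule counts hits while the source rule does not), added here as an example and not posted by anyone in the thread. Zone names and addresses are taken from the configuration in post 11 (BLAN, ELAN, 10.20.20.1, 10.20.20.7); the source port, the trace file name and the packet-filter name are assumptions. The first four groups are operational-mode commands; the last group is configuration-mode.

```junos
# Added check list, not from the thread. Zone and address values follow post 11;
# the source port 40000, the file name flow-trace and the filter name f1 are assumed.

# 1. Which interface sits in which zone, and where the destination address routes.
#    A source NAT rule-set is consulted only when the ingress interface is in its
#    "from zone" and the egress interface, chosen by the route lookup on the
#    post-destination-NAT address, is in its "to zone".
show security zones
show route 10.20.20.7

# 2. Per-rule hit counters. Destination NAT is evaluated first. If it counts hits and
#    the source rule stays at zero, the source rule's zones or its destination-address
#    match are wrong; that match has to be the translated destination address, not the
#    address the client originally sent to.
show security nat destination rule all
show security nat source rule all
show security nat source pool all

# 3. Which security policy a TCP/6004 flow lands on. Give the destination address as it
#    is after destination NAT, because that is what policy lookup sees.
show security match-policies from-zone BLAN to-zone ELAN source-ip 10.20.20.1 destination-ip 10.20.20.7 source-port 40000 destination-port 6004 protocol tcp

# 4. Live sessions on the port. The "In" wing shows the original addresses and the "Out"
#    wing the translated ones, so a missing source translation is visible directly.
show security flow session destination-port 6004

# 5. If the counters still do not explain it, trace one flow through the datapath
#    (configuration mode; commit, reproduce, then delete the traceoptions again).
set security flow traceoptions file flow-trace
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter f1 source-prefix 10.20.20.1/32
set security flow traceoptions packet-filter f1 destination-prefix 10.20.20.7/32
set security flow traceoptions packet-filter f1 destination-port 6004
commit
run show log flow-trace
```

    The flow trace prints the zone chosen for ingress and egress, the NAT rule lookups and the policy decision in order, which is usually enough to see which of the zone or address assumptions in the rule-sets does not hold.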