SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Destination NAT working fine, but all Hosts are using the same outgoing Public IP

    Posted 04-02-2013 12:03

    Dear Community,

    Maybe one of you can help me get a better understanding of Source-NAT?

    I guess my issue could be solved by using the right Source-NAT configuration?

    I have configured a Destination NAT like the following example:

    Untrust Interface (reth0.0) has Public IP 1.2.3.4/27 (which means any other IP of this subnet is usable on this Interface)

    A host within the Trust Zone has the IP 172.10.10.55/32

    Now I made a Destination NAT for Source 0.0.0.0/0 and Destination 172.10.10.55/32

    Of course I made a proxy-arp for reth0.0 with address 1.2.3.5/32 (because the NATted host should be reachable under 1.2.3.5). This is all working fine and the host behind the NAT is reachable under the second public IP.

    But when I check the public IP used on the host itself, I see it's going out with the untrust interface IP 1.2.3.4 and not with 1.2.3.5, which is what I wish it would do.

    I guess Source-NAT is now the key in order to have the host behind NAT use its <second> Public IP?

    Short description:

    IS situation:

    1.2.3.5 --DNAT--> 172.10.10.55/32 (configured by Proxy-ARP 1.2.3.5 for reth0.0, which is the untrust interface and has 1.2.3.4/27)

    172.10.10.55/32 --SNAT??--> 1.2.3.4 (still using the regular untrust interface IP)

    SHOULD situation:

    172.10.10.55/32 --SNAT??--> 1.2.3.5 (should use the same public IP for outgoing traffic as defined with Proxy-ARP)

    Thanks for any hints or input on this.

    Best regards,

    IT-onBase


  • 2.  RE: Destination NAT working fine, but all Hosts are using the same outgoing Public IP

    Posted 04-02-2013 13:10

    If I'm understanding correctly, you would like 172.10.10.55 NATed to 1.2.3.5 whether it is a destination or source NAT going on. If that's the case, I think you should look into configuring static NAT for this.



  • 3.  RE: Destination NAT working fine, but all Hosts are using the same outgoing Public IP

    Posted 04-02-2013 13:44

    Not sure if we talk about the same.

    The destination NAT from 1.2.3.5 to 172.10.10.55 is working fine.

    But the Public-IP 1.2.3.5 is not configured on the untrust interface. Instead it is configured in Proxy-ARP.

    But now the host 172.10.10.55 is showing 1.2.3.4 as its public IP (because this is the IP of the untrust interface) and not 1.2.3.5 as I would like.



  • 4.  RE: Destination NAT working fine, but all Hosts are using the same outgoing Public IP
    Best Answer

    Posted 04-02-2013 13:48

    Yes, when 172.10.10.55 initiates a connection to the INET you want the source to look like 1.2.3.5, NOT 1.2.3.4 which is on the interface... I do think static NAT is what you are looking for (because you have the destination NAT in place already, since you want the source NATed as well I think you should drop the dst NAT and go with static).

     

    Take a look at config examples:

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=TN81&actp=LIST
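
A static NAT configuration for the addresses in this thread, as an added example that is not part of the original posts or of the linked KB article. The rule-set name `STATIC-UNTRUST`, the rule name `HOST-55` and the zone name `untrust` are assumptions, and the existing destination NAT rule is referenced with placeholder names because the thread does not give them.

```junos
# Added example (constructed). STATIC-UNTRUST and HOST-55 are hypothetical names;
# the zone name "untrust" is assumed from the thread's "Untrust Interface".

# Remove the existing one-way destination NAT rule
# (placeholder names, the thread does not state them):
delete security nat destination rule-set <DNAT-RULE-SET> rule <DNAT-RULE>

# Static NAT is a 1:1 bidirectional mapping:
#   inbound : destination 1.2.3.5     -> 172.10.10.55
#   outbound: source      172.10.10.55 -> 1.2.3.5 (reverse mapping, applied
#             before any source NAT rule such as interface NAT to 1.2.3.4)
set security nat static rule-set STATIC-UNTRUST from zone untrust
set security nat static rule-set STATIC-UNTRUST rule HOST-55 match destination-address 1.2.3.5/32
set security nat static rule-set STATIC-UNTRUST rule HOST-55 then static-nat prefix 172.10.10.55/32

# 1.2.3.5 is not configured on reth0.0 itself, so proxy ARP stays in place:
set security nat proxy-arp interface reth0.0 address 1.2.3.5/32

# Operational-mode checks after commit:
#   show security nat static rule all
#   show security flow session source-prefix 172.10.10.55
```

Static NAT maps every port of 1.2.3.5 to the host, so the untrust-to-trust security policy, which is matched against the translated address 172.10.10.55, is what limits inbound exposure.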

     

     



  • 5.  RE: Destination NAT working fine, but all Hosts are using the same outgoing Public IP

    Posted 04-02-2013 14:04

    You were right!

    A little different and it resolved my issue.

    Static NAT was the key!

    Thank you so much.

    Everything working as expected now.