SRX

  • 1.  Exclude Destination from NAT

    Posted 09-24-2015 09:42

    Hi all,

    I have the following rule-set in place:

    set security nat source rule-set internal-to-external from zone internal
    set security nat source rule-set internal-to-external to zone external
    set security nat source rule-set internal-to-external rule nat-internal match source-address 172.16.2.0/24
    set security nat source rule-set internal-to-external rule nat-internal match destination-address 0.0.0.0/0
    set security nat source rule-set internal-to-external rule nat-internal then source-nat interface

    working just fine.

    I implemented an IPsec tunnel. The packets arrive at the other end of the tunnel (172.16.16.0/24) with my WAN address - then I remembered that NAT was in place...

    So I tried:

    set security nat source rule-set internal-to-external-no-nat from zone internal
    set security nat source rule-set internal-to-external-no-nat to zone external
    set security nat source rule-set internal-to-external-no-nat rule no-nat-internal match source-address 172.16.2.0/24
    set security nat source rule-set internal-to-external-no-nat rule no-nat-internal match destination-address 172.16.16.0/24
    set security nat source rule-set internal-to-external-no-nat rule no-nat-internal then source-nat off

    followed by:

    insert security nat source rule-set internal-to-external-no-nat before rule-set internal-to-external

    Unfortunately I cannot commit this:

    [edit security nat source]
      'rule-set internal-to-external'
        rule-set internal-to-external and rule-set internal-to-external-no-nat have same context.
    error: configuration check-out failed

    How to solve this? I need NAT for all destinations except 172.16.16.0/24.

    Thank you for your help


  • 2.  RE: Exclude Destination from NAT
    Best Answer

    Posted 09-24-2015 11:22

    Hello,

    Here you have two options:

    1) Do not create two rule-sets. Keep one rule-set and create two rules under the same rule-set, as the context is the same, and insert the nat-off rule before the interface NAT rule. The configuration would be something like this:

    set security nat source rule-set internal-to-external from zone internal
    set security nat source rule-set internal-to-external to zone external
    set security nat source rule-set internal-to-external rule no-nat-vpn match source-address 172.16.2.0/24
    set security nat source rule-set internal-to-external rule no-nat-vpn match destination-address 172.16.16.0/24
    set security nat source rule-set internal-to-external rule no-nat-vpn then source-nat off
    set security nat source rule-set internal-to-external rule nat-internal match source-address 172.16.2.0/24
    set security nat source rule-set internal-to-external rule nat-internal match destination-address 0.0.0.0/0
    set security nat source rule-set internal-to-external rule nat-internal then source-nat interface

    Here is a link for the same:

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB24404

    2) Or, a slightly out-of-the-box way if using a route-based VPN is to keep the st0.x interface in a different zone than zone external, so NAT exempt is required.

    Regards,

    Rushi


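    As an added illustration (not from the post, the KB article, or Juniper), a small Python model of first-match source NAT evaluation run over the single-rule-set configuration from the answer above. It shows why the source-nat off rule must sit before the interface NAT rule: with the order reversed, traffic to 172.16.16.0/24 would still be translated. The flow addresses (172.16.2.10, 172.16.16.20, 198.51.100.7) are constructed samples.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample: the single-rule-set configuration from the answer, nat-off rule first.
FIXED = """
set security nat source rule-set internal-to-external from zone internal
set security nat source rule-set internal-to-external to zone external
set security nat source rule-set internal-to-external rule no-nat-vpn match source-address 172.16.2.0/24
set security nat source rule-set internal-to-external rule no-nat-vpn match destination-address 172.16.16.0/24
set security nat source rule-set internal-to-external rule no-nat-vpn then source-nat off
set security nat source rule-set internal-to-external rule nat-internal match source-address 172.16.2.0/24
set security nat source rule-set internal-to-external rule nat-internal match destination-address 0.0.0.0/0
set security nat source rule-set internal-to-external rule nat-internal then source-nat interface
"""

@dataclass
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str  # "off" = leave untranslated, "interface" = hide behind the egress address

def parse_rules(config: str) -> list:
    """Collect 'rule <name> match/then' lines into Rules, in order of first appearance."""
    found = {}
    for line in config.strip().splitlines():
        tok = line.split()
        if len(tok) < 11 or tok[6] != "rule":
            continue  # 'from zone' / 'to zone' lines define the context, not a rule
        fields = found.setdefault(tok[7], {})
        if tok[8] == "match":
            fields[tok[9]] = ipaddress.ip_network(tok[10])
        elif tok[8:10] == ["then", "source-nat"]:
            fields["action"] = tok[10]
    return [Rule(n, f["source-address"], f["destination-address"], f["action"])
            for n, f in found.items()]

def lookup(rules, src: str, dst: str):
    """First rule matching both source and destination decides; no match means no translation."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst:
            return r.name, r.action
    return None, "off"

def nat_first(config: str) -> list:
    """Same rules with nat-internal evaluated first: the ordering that would break the VPN."""
    return list(reversed(parse_rules(config)))

if __name__ == "__main__":
    print(lookup(parse_rules(FIXED), "172.16.2.10", "172.16.16.20"))  # ('no-nat-vpn', 'off')
    print(lookup(nat_first(FIXED), "172.16.2.10", "172.16.16.20"))    # ('nat-internal', 'interface')
```

    On the box itself, `show security nat source rule all` lists the rules in evaluation order, which is the quickest way to confirm the no-nat rule really sits first after the insert.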

  • 3.  RE: Exclude Destination from NAT

    Posted 09-24-2015 11:56

    Hi Rushi,

    Thank you very much - I didn't realize that I can have "multiple" rules under the same set - that's why I tried creating 2 rule-sets.

    Working like a charm - again, thank you very much 🙂