SRX Services Gateway
Ash
Contributor
Ash
Posts: 14
Registered: 06-13-2009
Accepted Solution

NAT configuration help on SRX

Is there any document available online which I can use for NAT configuration, like source-nat, destination-nat etc., with examples and details?

 

--ash

Distinguished Expert
Raheel
Posts: 414
Registered: 06-18-2008

Re: NAT configuration help on SRX

http://www.juniper.net/us/en/products-services/security/srx-series/srx5600/

 

Please check the above link; under the "Literature" tab it has a PDF available for NAT configuration on SRX and J-Series.

 

Please let me know if you have difficulty configuring NAT.

 

Thanks,

Raheel Anwar

Contributor
jmartinez
Posts: 45
Registered: 09-28-2009

Re: NAT configuration help on SRX

Hello,

 

I have a problem with NAT. If I use the conversion tool from ScreenOS to Junos, I see that the NAT configuration is applied in the policy set:

 

policy 38 {
    match {
        source-address delegations
        destination-address untrust
        application HTTP_HTTPS_FTP_GET
    }
    then {
        permit {
            firewall-authentication {
                pass-through
            }
            source-nat {
                interface
            }
        }
        count
    }
}

 

If I try to put this configuration in the CLI, "source-nat interface" is not an option. Do I have to configure the NAT rule under the security > NAT > source hierarchy and a policy to match the traffic? I don't understand the correct way to configure interface source NAT: are both a policy and a NAT rule-set necessary? Is it possible to specify source/destination address and an application to match in a NAT rule-set?

 

Thanks and regards

Trusted Contributor
Optimist
Posts: 60
Registered: 09-09-2009

Re: NAT configuration help on SRX

Hi jmartinez,

 

The config is indeed wrong. You have to configure both NAT rules and a policy.

If you are familiar with ScreenOS NAT you'll like this application note with config examples:

http://www.juniper.net/us/en/local/pdf/app-notes/3500152-en.pdf

 

Best regards,

Thorsten
Contributor
jmartinez
Posts: 45
Registered: 09-28-2009

Re: NAT configuration help on SRX

Thanks for the reply, Optimist, I'll check this PDF.

 

Regards.

Visitor
fastwave_noc
Posts: 4
Registered: 05-04-2010

Re: NAT configuration help on SRX

I'm a bit confused as to why this statement is needed (from http://www.juniper.net/us/en/local/pdf/app-notes/3500152-en.pdf and all the other app notes I've read about static NAT):

 

set security nat proxy-arp interface ge-0/0/0 address 1.1.1.100/32

 

After talking to some colleagues who work with Cisco and Linux-based routers, it seems like the default behavior is for the ARP tables to be built automatically based on the NAT rules on those routers. Is that not the case in Junos, or is there something specific to static NAT going on? I noticed that the proxy-arp statement is necessary for source NAT as well.

Recognized Expert
Dominik
Posts: 392
Registered: 01-05-2008

Re: NAT configuration help on SRX

Hi,

 

You are right. JUNOS does, by default, only respond to ARP queries for IP addresses that are directly configured on the interfaces. If you use NAT with different IPs, you have to manually enable ARP responses by issuing the proxy-ARP command you mentioned.

 

ScreenOS also did this automatically, at least for MIP, VIP and DIP objects, but not when you were using destination NAT.

 

I don't know the reasons why you have to do this manually. A possible explanation would be that in case you define your NAT rules based on zones and you have more than one interface in that zone, JUNOS would not know on what interface you would like to respond to ARP queries. There might be other reasons too.

 

In fact it is one of those things you don't care about once you know it. I agree that this is a little bit unfamiliar for many who come from different firewall systems.

 

Regards,

Dominik

JNCIE et al.
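Putting Thorsten's and Dominik's points together, here is an added Junos SRX configuration (not from the thread or any Juniper document) that does what the converted ScreenOS policy above was trying to do: the NAT rule-set matches zones and addresses, the security policy matches the application, and a proxy-arp entry covers the pool address. The zone names, the address-book entry "delegations", the 10.1.1.0/24 subnet, the pool address 1.1.1.100 and the interface ge-0/0/0.0 are all constructed assumptions.

```junos
security {
    nat {
        source {
            /* constructed public address the SRX translates to */
            pool SNAT-POOL { address { 1.1.1.100/32; } }
            /* the rule-set matches zones and addresses; the application is matched in the policy */
            rule-set TRUST-TO-UNTRUST {
                from zone trust;
                to zone untrust;
                rule SNAT-DELEGATIONS {
                    match {
                        source-address 10.1.1.0/24;
                        destination-address 0.0.0.0/0;
                    }
                    /* "then { source-nat { interface; } }" would use the egress interface */
                    /* address instead and need no proxy-arp entry */
                    then { source-nat { pool { SNAT-POOL; } } }
                }
            }
        }
        /* Junos answers ARP only for addresses configured on an interface, */
        /* so the pool address must be added as proxy-arp explicitly */
        proxy-arp {
            interface ge-0/0/0.0 { address { 1.1.1.100/32; } }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            /* "delegations" is assumed to exist in the trust zone address book */
            policy ALLOW-WEB {
                match {
                    source-address delegations;
                    destination-address any;
                    application junos-http;
                }
                then {
                    permit;
                    count;
                }
            }
        }
    }
}
```

After committing, "show security nat source rule all" and "show security flow session" confirm that sessions from 10.1.1.0/24 are translated to the pool address.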
