SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  NAT configuration issue

    Posted 12-01-2014 12:48

    Trying to translate 172.27.61.158/32 to 10.10.10.151/32.

    Here is the config my colleague left for me:

    set groups eon-policy security policies from-zone <*> to-zone EON policy eon-151 match source-address any
    set groups eon-policy security policies from-zone <*> to-zone EON policy eon-151 match destination-address eon-10-151
    set groups eon-policy security policies from-zone <*> to-zone EON policy eon-151 match application junos-https
    set groups eon-policy security policies from-zone <*> to-zone EON policy eon-151 match application junos-http
    set groups eon-policy security policies from-zone <*> to-zone EON policy eon-151 then permit
    set security nat destination pool eon-151 address 10.10.10.151/32
    set security nat destination rule-set dest-nat rule r-eon-158 match destination-address 172.27.61.158/32
    set security nat destination rule-set dest-nat rule r-eon-158 then destination-nat pool eon-151
    set security nat proxy-arp interface reth2.0 address 172.27.61.158/32
    set security zones security-zone EON address-book address eon-10-151 10.10.10.151/32
    set security zones security-zone Trust address-book address-set eon-set address eon-158
    set security zones security-zone Trust address-book address eon-158 172.27.61.158/32

    Here is the error I am getting:

    [edit security nat destination]
          rule-set eon-nat { ... }
    +     rule-set dest-nat {
    +         rule r-eon-158 {
    +             match {
    +                 destination-address 172.27.61.158/32;
    +             }
    +             then {
    +                 destination-nat pool eon-151;
    +             }
    +         }
    +         ## Warning: missing mandatory statement(s): 'from'
    +     }
    +     rule-set r-eon-158 {
    +         from zone [ Untrust trust ];

    Can someone help me spot the problem? My first time working with an SRX firewall. I came from the ASA world.

    Thanks,

    Hansen



  • 2.  RE: NAT configuration issue
    Best Answer

    Posted 12-01-2014 18:05

    Hi Hansen,

    Delete the destination NAT statement that you have configured:

    delete security nat destination rule-set dest-nat

    Copy and paste the configuration below. I am hoping 172.27.61.158 belongs to the Trust zone of reth2.

    Proxy ARP is needed.

    ++++++++++++++++++++++

    root@Site-A# show security nat destination | display set

    set security nat destination pool eon-151 address 10.10.10.151/32
    set security nat destination rule-set dest-nat from zone Trust
    set security nat destination rule-set dest-nat rule r-eon-158 match destination-address 172.27.61.158/32
    set security nat destination rule-set dest-nat rule r-eon-158 then destination-nat pool eon-151

    root@Site-A# show security nat destination

    pool eon-151 {
        address 10.10.10.151/32;
    }
    rule-set dest-nat {
        from zone Trust;
        rule r-eon-158 {
            match {
                destination-address 172.27.61.158/32;
            }
            then {
                destination-nat pool eon-151;
            }
        }
    }

    http://www.juniper.net/documentation/en_US/junos12.1/topics/example/nat-security-destination-single-address-translation-configuring.html

    Security policy needs to be applied correctly.

    Regards

    rparthi

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too
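    The commit warning in the question ("missing mandatory statement(s): 'from'") is the kind of thing that can be caught before pasting a colleague's config into a live firewall. The following is an added example, not code from this thread or a Juniper tool: a small Python pre-commit lint for set-format destination NAT lines. It recognises only the statement shapes that appear above (pool, rule-set from, match destination-address, then destination-nat pool, proxy-arp) and reports rule-sets without a from context, rules that reference an undefined pool, and translated addresses with no proxy-arp entry (the answer notes proxy ARP is needed when the translated address is not the interface's own). The two sample configs are constructed from the lines posted in this thread.

```python
import re
from collections import defaultdict

# Constructed sample input: the destination-NAT part of the poster's original
# "set" configuration. The rule-set has no 'from' statement, which is the
# mandatory statement the commit check complained about.
BROKEN_CONFIG = """\
set security nat destination pool eon-151 address 10.10.10.151/32
set security nat destination rule-set dest-nat rule r-eon-158 match destination-address 172.27.61.158/32
set security nat destination rule-set dest-nat rule r-eon-158 then destination-nat pool eon-151
set security nat proxy-arp interface reth2.0 address 172.27.61.158/32
"""

# The same config plus the 'from zone Trust' line from the accepted answer.
FIXED_CONFIG = BROKEN_CONFIG + (
    "set security nat destination rule-set dest-nat from zone Trust\n"
)

# Only the statement shapes that appear in this thread are recognised;
# anything else is ignored rather than rejected.
POOL_RE = re.compile(r"^set security nat destination pool (\S+) address (\S+)$")
FROM_RE = re.compile(r"^set security nat destination rule-set (\S+) from (zone|interface|routing-instance) (.+)$")
MATCH_RE = re.compile(r"^set security nat destination rule-set (\S+) rule (\S+) match destination-address (\S+)$")
THEN_RE = re.compile(r"^set security nat destination rule-set (\S+) rule (\S+) then destination-nat pool (\S+)$")
PROXY_ARP_RE = re.compile(r"^set security nat proxy-arp interface (\S+) address (\S+)$")


def parse_destination_nat(config_text):
    """Collect pools, rule-sets (with their 'from' context and rules) and
    proxy-arp addresses from set-format lines."""
    pools = {}
    rule_sets = defaultdict(lambda: {"from": None, "rules": defaultdict(dict)})
    proxy_arp = set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := POOL_RE.match(line):
            pools[m.group(1)] = m.group(2)
        elif m := FROM_RE.match(line):
            rule_sets[m.group(1)]["from"] = (m.group(2), m.group(3))
        elif m := MATCH_RE.match(line):
            rule_sets[m.group(1)]["rules"][m.group(2)]["dst"] = m.group(3)
        elif m := THEN_RE.match(line):
            rule_sets[m.group(1)]["rules"][m.group(2)]["pool"] = m.group(3)
        elif m := PROXY_ARP_RE.match(line):
            proxy_arp.add(m.group(2))
    return pools, rule_sets, proxy_arp


def lint_destination_nat(config_text):
    """Return a list of findings; an empty list means all checks passed.
    The first check mirrors the commit-time 'missing mandatory statement'
    warning; the others are sanity checks for dangling pool references and
    for the proxy-arp entry the accepted answer says is needed."""
    pools, rule_sets, proxy_arp = parse_destination_nat(config_text)
    findings = []
    for rs_name, rs in rule_sets.items():
        if rs["from"] is None:
            findings.append(f"rule-set {rs_name}: missing mandatory statement 'from'")
        for rule_name, rule in rs["rules"].items():
            pool = rule.get("pool")
            if pool is None:
                findings.append(f"rule {rs_name}/{rule_name}: no 'then destination-nat pool'")
            elif pool not in pools:
                findings.append(f"rule {rs_name}/{rule_name}: pool {pool} is not defined")
            dst = rule.get("dst")
            if dst is None:
                findings.append(f"rule {rs_name}/{rule_name}: no 'match destination-address'")
            elif dst not in proxy_arp:
                findings.append(f"rule {rs_name}/{rule_name}: no proxy-arp entry for {dst}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, lint_destination_nat(cfg) or "OK")
```

    Run against the broken sample it reports the missing from statement for rule-set dest-nat; against the fixed sample it reports nothing. It deliberately does not know about security policies, so the answer's reminder that the policy still has to be applied correctly remains a manual check.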



  • 3.  RE: NAT configuration issue

    Posted 12-02-2014 08:43


  • 4.  RE: NAT configuration issue

    Posted 12-02-2014 08:46

    Thank you very much, rparthi. Your solution was headed in the right direction. Actually, ICMP was turned off on the firewall and the user was trying to ping.

    HTTP and HTTPS are working now. Kudos, my friend. I will make sure next time to mask at least two octets of my IP addresses.