SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  NAT setup/design, migrating from sonicwall to SRX220

    Posted 10-08-2014 11:54

    Please assist or point me in the right direction. I'm having trouble understanding how to migrate my current NAT rules to Junos, and my lack of fully understanding all the NAT types isn't helping. Learning as I go.

     

    Following is my config off the SonicWall (single website example). I'm not sure how to translate that into source/dest/static NAT on Juniper. I have all the address objects, security zones and interfaces created.

     

     

                       
    WAN Inbound Translations

    | Purpose | IP Source (Original) | IP Source (Translated) | IP Destination (Original) | IP Destination (Translated) | Service/Port (Original) | Service/Port (Translated) | Interface (Inbound) | Interface (Outbound) |
    |---|---|---|---|---|---|---|---|---|
    | domain.com on DMZ2-Web1 | 192.168.x.xx-domain.com | 1.1.1.1-domain.com | Any | Original | Any | Original | Any | WAN |
    | domain.com on DMZ2-Web1 | Any | Original | 1.1.1.1-domain.com | 192.168.x.xx-domain.com | HTTP-HTTPS | Original | WAN | Any |
    | domain.com on DMZ2-Web1 | All_C1DMZ_Subnets | WAN Primary IP | 1.1.1.1-domain.com | 192.168.x.xx-domain.com | HTTP-HTTPS | Original | Any | Any |
    | Monitoring | Any | Original | 1.1.1.1-domain.com | 192.168.x.xx-domain.com | junos-icmp-ping | Original | WAN | Any |

     

     

    In the SonicWall config, "WAN Primary IP" was an auto-created address object that linked to the single firewall's external IP address. Now we are going to have multi-homed BGP with a block of IPs from ARIN. I assume the IP I map these NAT rules to needs to be a part of the IP block that fails over between ISPs? (active/passive BGP and SRX cluster setup)

     

    Thank you



  • 2.  RE: NAT setup/design, migrating from sonicwall to SRX220
    Best Answer

    Posted 10-11-2014 05:41

    On the SRX, NAT does work essentially in the same way that it does on SonicWall.  You will be configuring a NAT policy in the NAT hierarchy and your security policy to permit the traffic under security policies.  The main difference with SRX from SonicWall is we label the source and destination by zone instead of interface.

     

    You will find the main examples of the NAT configuration in TN81 here:

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=TN81

     

    You may also find this collection of NAT troubleshooting KB articles helpful.

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB21922
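
Added example, not part of the original posts and not taken from the linked KB articles: one way the table's 1:1 web server rows and the Monitoring row could be expressed as Junos static NAT plus a zone-based security policy. The zone names (untrust, dmz), rule and policy names, interface reth1.0 and the private address 192.168.10.10 (standing in for 192.168.x.xx) are assumptions; the hairpin row from All_C1DMZ_Subnets is not covered.

```junos
# Added example; zone names, rule names, reth1.0 and 192.168.10.10 are placeholders.
# Address object for the web server's private IP (192.168.x.xx in the table).
set security address-book global address web1-private 192.168.10.10/32

# The outbound 1:1 row and the inbound row collapse into one static NAT rule,
# because static NAT on the SRX is bidirectional.
set security nat static rule-set wan-inbound from zone untrust
set security nat static rule-set wan-inbound rule web1 match destination-address 1.1.1.1/32
set security nat static rule-set wan-inbound rule web1 then static-nat prefix 192.168.10.10/32

# Static NAT translates every port, so the security policy is what limits
# exposure to HTTP, HTTPS and ping. Destination translation happens before
# the policy lookup, so the policy matches the private (translated) address.
set security policies from-zone untrust to-zone dmz policy web1-in match source-address any
set security policies from-zone untrust to-zone dmz policy web1-in match destination-address web1-private
set security policies from-zone untrust to-zone dmz policy web1-in match application [ junos-http junos-https junos-icmp-ping ]
set security policies from-zone untrust to-zone dmz policy web1-in then permit
set security policies from-zone untrust to-zone dmz policy web1-in then log session-close

# Only needed when 1.1.1.1 lies inside the subnet configured on the WAN
# interface itself; a separately routed block does not need proxy ARP.
set security nat proxy-arp interface reth1.0 address 1.1.1.1/32
```

After commit, `show security nat static rule all` shows the rule and its translation hit counter, which confirms whether inbound sessions are matching it.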



  • 3.  RE: NAT setup/design, migrating from sonicwall to SRX220

    Posted 10-13-2014 07:31

    Thanks for the help and links. I was able to find an article that explained NAT well and was able to create the rules; I need to test them now.

     

    Can you comment on my 2nd question below?

     

    In the SonicWall config, "WAN Primary IP" was an auto-created address object that linked to the single firewall's external IP address. Now we are going to have multi-homed BGP with a block of IPs from ARIN. I assume the IP I map these NAT rules to needs to be a part of the IP block that fails over between ISPs? (active/passive BGP and SRX cluster setup).

     

    Thanks



  • 4.  RE: NAT setup/design, migrating from sonicwall to SRX220

    Posted 10-13-2014 08:27

    Hi FredS,

     

    Please find the below link that may help you to do configuration of BGP with chassis cluster configuration on SRX.

     

    http://forums.juniper.net/t5/SRX-Services-Gateway/Active-Passive-cluster-and-BGP/td-p/242122