SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Need help on Static NAT

    Posted 09-12-2011 11:19

    Hi All

     

    I am trying to configure Static NAT on an SRX 220, but it is not working.

     

    Below are the config details:

     

    SRX software ver 10.4R6.5

     

    Untrust -----  10.10.10.2/29

    Trust -------- 192.168.2.1/26

                          

    set security nat static rule-set VC from zone untrust
    set security nat static rule-set VC rule Video-VC match destination-address 10.10.10.5/32
    set security nat static rule-set VC rule Video-VC then static-nat prefix 192.168.2.62/32
    set security nat proxy-arp interface ge-0/0/2.0 address 10.10.10.5/32

    set security zones security-zone trust address-book address VC-unit 192.168.2.62/32

    set security policies from-zone untrust to-zone trust policy vc-unit match source-address any destination-address any application any
    set security policies from-zone untrust to-zone trust policy vc-unit then permit
    set security policies from-zone trust to-zone untrust policy vc-unit match source-address VC-unit destination-address any application any
    set security policies from-zone trust to-zone untrust policy vc-unit then permit

     

    Help me get a solution for Static NAT.

     

    Regards

    Hemant Shingane

     

     



  • 2.  RE: Need help on Static NAT
    Best Answer

    Posted 09-12-2011 13:01

    Static NAT happens before the traffic hits the policy engine.

     

    Try changing your trust->untrust policy to reference source 10.10.10.5 rather than the 192.168.2.62 address.



  • 3.  RE: Need help on Static NAT

    Posted 09-14-2011 00:23

    Hi keithr

     

    Thanks

     

    Your solution is accepted. It works after changing the IP address to the public one.

     

    set security nat static rule-set VC from zone trust
    set security nat static rule-set VC rule Video-VC match destination-address 10.10.10.5/32
    set security nat static rule-set VC rule Video-VC then static-nat prefix 192.168.2.62/32
    set security nat proxy-arp interface ge-0/0/2.0 address 10.10.10.5/32

    set security zones security-zone trust address-book address VC-unit 10.10.10.5/32

    set security policies from-zone untrust to-zone trust policy vc-unit match source-address any destination-address any application any
    set security policies from-zone untrust to-zone trust policy vc-unit then permit
    set security policies from-zone trust to-zone untrust policy vc-unit match source-address VC-unit destination-address any application any
    set security policies from-zone trust to-zone untrust policy vc-unit then permit

     

    Thanks

    Hemant Shingane

    CCNP JNCIA