SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  PROBLEM NAT FROM SRX210

    Posted 12-01-2013 10:56

    As the title says,

    I have a problem with NAT configuration. My customer needs the web server in VLAN 100 on R2 (SRX210) to be published through R1, from source IP 192.168.100.10:80 to destination IP 172.10.11.2 with port 5050. I can already ping R1 (SRX240) successfully from the INT router (TP-LINK), and all routers, R1 and R2 with their VLANs, can access the internet.

     

    This is my topology. Can anybody help me, please? I need some assistance with the configuration.

    Sorry, my English is not so good.

     


     

     

     

     



  • 2.  RE: PROBLEM NAT FROM SRX210
    Best Answer

    Posted 12-01-2013 18:43

    Hi Marlon,

     

    You'll want to use a destination nat on the SRX240(R1).  Something like:

     

    # Destination NAT: 172.10.11.2:5050 on the outside maps to 192.168.100.10:80
    set security nat destination pool WEB-SERVER address 192.168.100.10/32 port 80
    set security nat destination rule-set EXTERNAL-DNAT from zone <zone facing INT ROUTER>
    set security nat destination rule-set EXTERNAL-DNAT rule DNAT-WEB-SERVER match source-address 0.0.0.0/0
    set security nat destination rule-set EXTERNAL-DNAT rule DNAT-WEB-SERVER match destination-address 172.10.11.2/32
    set security nat destination rule-set EXTERNAL-DNAT rule DNAT-WEB-SERVER match destination-port 5050
    set security nat destination rule-set EXTERNAL-DNAT rule DNAT-WEB-SERVER then destination-nat pool WEB-SERVER

    # Answer ARP for the NAT address on the outside interface
    set security nat proxy-arp interface <interface facing INT ROUTER> address 172.10.11.2/32

    # The policy matches the translated address (address-book entry WEB-SERVER) and port 80
    set security zones security-zone <zone facing WEB-SERVER> address-book address WEB-SERVER 192.168.100.10/32
    set security policies from-zone <zone facing INT ROUTER> to-zone <zone facing WEB-SERVER> policy ALLOW-WEB-SERVER match source-address any
    set security policies from-zone <zone facing INT ROUTER> to-zone <zone facing WEB-SERVER> policy ALLOW-WEB-SERVER match destination-address WEB-SERVER
    set security policies from-zone <zone facing INT ROUTER> to-zone <zone facing WEB-SERVER> policy ALLOW-WEB-SERVER match application junos-http
    set security policies from-zone <zone facing INT ROUTER> to-zone <zone facing WEB-SERVER> policy ALLOW-WEB-SERVER then permit


     will do the trick, then you'll need to put appropriate policies in R2 as well (just permit the traffic).
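
    A pre-commit consistency check for a destination NAT configuration of the kind shown in the answer above, as an added example that is not part of the original thread or any Juniper tool. The zone names UNTRUST and TRUST, the function name lint_dnat and the sample config (constructed, with two deliberate defects) are assumptions.

```python
import re

# Constructed sample: set-style destination NAT config with hypothetical zone
# names UNTRUST/TRUST. It has two deliberate defects for the linter to find.
SAMPLE = """
set security nat destination pool WEB-SERVER address 192.168.100.10/32 port 80
set security nat destination rule-set EXTERNAL-DNAT from zone UNTRUST
set security nat destination rule-set EXTERNAL-DNAT rule DNAT-WEB-SERVER match destination-address 172.10.11.2/32
set security nat destination rule-set EXTERNAL-DNAT rule DNAT-WEB-SERVER match destination-port 5050
set security nat destination rule-set EXTERNAL-DNAT rule DNAT-WEB-SERVER then destination-nat pool WEB-SERVER
set security zones security-zone TRUST address-book address WEB-SERVER 192.168.100.10/32
set security policies from-zone UNTRUST to-zone TRUST policy ALLOW-WEB-SERVER match source-address any
set security policies from-zone UNTRUST to-zone TRUST policy ALLOW-WEB-SERVER match destination-address WEB-SERVER-NAT
set security policies from-zone UNTRUST to-zone TRUST policy ALLOW-WEB-SERVER match application junos-http
"""

def lint_dnat(config):
    """Return a sorted list of findings for a set-style destination NAT config."""
    pools, book, public, used_pools, policies = {}, {}, set(), set(), {}
    for line in config.splitlines():
        if m := re.search(r"nat destination pool (\S+) address (\S+)", line):
            pools[m[1]] = m[2]
        elif m := re.search(r"nat destination rule-set \S+ rule \S+ match destination-address (\S+)", line):
            public.add(m[1])
        elif m := re.search(r"then destination-nat pool (\S+)", line):
            used_pools.add(m[1])
        elif m := re.search(r"address-book address (\S+) (\S+)", line):
            book[m[1]] = m[2]
        elif m := re.search(r"policies from-zone \S+ to-zone \S+ policy (\S+) (match|then) (\S+) ?(\S*)", line):
            p = policies.setdefault(m[1], {"dst": [], "permit": False})
            if m[3] == "destination-address":
                p["dst"].append(m[4])
            elif m[2] == "then" and m[3] == "permit":
                p["permit"] = True
    findings = [f"rule uses undefined pool {n}" for n in used_pools - set(pools)]
    for name, p in policies.items():
        for dst in p["dst"]:
            if dst != "any" and dst not in book:
                findings.append(f"{name}: address {dst} not in address book")
            elif book.get(dst) in public:
                # Policy lookup happens after destination NAT, so the policy
                # must match the translated (pool) address, not the public one.
                findings.append(f"{name}: matches pre-NAT address {book[dst]}")
        if not p["permit"]:
            findings.append(f"{name}: no 'then permit'")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(lint_dnat(SAMPLE)))
```
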



  • 3.  RE: PROBLEM NAT FROM SRX210

    Posted 12-01-2013 20:09

    Dear Ben Dale,

     

    Thank you for your response. I'll try and follow your clue.



  • 4.  RE: PROBLEM NAT FROM SRX210

    Posted 12-03-2013 09:29

    Hi Ben, problem solved,


    thank you very much ...

     

    security {
        nat {
            destination {
                pool WEB-SERVER {
                    address 192.168.100.10/32 port 80;
                }
                rule-set EXTERNAL-DNAT {
                    from zone UNTRUST-INET;
                    rule DNAT-WEB-SERVER {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address 172.10.11.2/32;
                            destination-port 5050;
                        }
                        then {
                            destination-nat pool WEB-SERVER;
                        }
                    }
                }
            }
            proxy-arp {
                interface fe-0/0/7.0 {
                    address {
                        172.10.11.2/32;
                    }
                }
            }
        }