SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Ping with "source" attribute

    Posted 10-28-2013 03:35

    Hi

    I want to use the ping command with the "source" attribute.

    My topology is a router connected to the internet; I use a private IP block in my local network and configured NAT to connect to the internet. There is no problem connecting to the internet from my local side.

    I want to ping any IP address that is a pingable server on the internet, such as Google, with "source", like

    ping 8.8.8.8 source 192.168.1.1

    But it fails...

    Are there any additional needs for pinging with the "source" attribute if the selected interface is behind NAT?



  • 2.  RE: Ping with "source" attribute

    Posted 10-28-2013 06:30

    You're trying to ping from a private IP address, which isn't routable over the Internet. You have NAT configured; source from the public address being used for NAT.



  • 3.  RE: Ping with "source" attribute

     
    Posted 10-28-2013 06:47

    In addition, you need to create a NAT rule sourced from the junos-host zone:

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB26372

    Something like this...

     

    set security nat source rule-set JunOS-Host_to_Untrust from zone junos-host
    set security nat source rule-set JunOS-Host_to_Untrust to zone Untrust
    set security nat source rule-set JunOS-Host_to_Untrust rule NAT_Interface match source-address 192.168.1.1/32
    set security nat source rule-set JunOS-Host_to_Untrust rule NAT_Interface match destination-address 0.0.0.0/0
    set security nat source rule-set JunOS-Host_to_Untrust rule NAT_Interface then source-nat interface

     

     

    Regards,

    Sam



  • 4.  RE: Ping with "source" attribute

    Posted 10-28-2013 07:16

    Thank you so much for your replies, but you don't understand me clearly.

    I mean I already made the NAT configuration well, and my network, which is in the local area, can connect to the real world.

    I just want to know why the router does not decide, when I use a local source which is behind NAT, that this IP is in my NAT interface and I should use NAT.

    like this

    ping 8.8.8.8 source 192.168.1.1  (mhmm, this IP is my local interface, I have to use NAT) :)

    For example, when I make the same configuration on any Cisco device and use a "source" interface for pinging, if your NAT configuration is correct you can ping. But on Juniper I cannot. 



  • 5.  RE: Ping with "source" attribute
    Best Answer

     
    Posted 10-28-2013 07:19

    Hello.

     

    The KB article I referenced applies to your situation.

     

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB26372 --"How to configure the source NAT for self generated traffic"

     

    One of SRX's funny behaviors...

     

    Regards,

    Sam



  • 6.  RE: Ping with "source" attribute

    Posted 03-02-2016 15:50

    I thought I would add a config snippet if people are trying to achieve the same goal you are but for SRX1xx/2xx chassis.

     

    set interfaces lo0 unit 1 family inet address 1.1.1.1/24
    set security nat source pool TEST address xx.xx.xx.xx/32  <-- Public IP you are using.
    set security nat source rule-set TEST from zone junos-host
    set security nat source rule-set TEST to zone zone-ext
    set security nat source rule-set TEST rule TEST1 match source-address 1.1.1.1/32
    set security nat source rule-set TEST rule TEST1 match destination-address 0.0.0.0/0
    set security nat source rule-set TEST rule TEST1 then source-nat pool TEST
    set security nat proxy-arp interface fe-0/0/1.0 address xx.xx.xx.xx/32  <-- Same as on line 2 above.  Also the interface is the same interface you are performing the NAT for.
    Drop your loopback into the correct routing instance.
    set routing-instances TEST interface lo0.1

    Issues I encountered were that I had an existing NAT source pool which I could not duplicate, so I had to remove the pool and associated NAT rules.  Therefore this was only useful for me for a quick intrusive test.

    Construct your ping like the below (either add the routing instance or not, if you have one):

     

    ping xx.xx.xx.xx source 1.1.1.1 routing-instance TEST

     

    Thanks
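Added illustration for posts 3, 5 and 6, written for this page and not taken from any reply or from Juniper: a small Python model of how an SRX picks a source NAT rule-set by from-zone/to-zone before it evaluates the rules inside it. Self-generated traffic (the device's own ping) is sourced from the junos-host zone, so a rule-set written "from zone Trust" never sees it, which is why the ping leaves untranslated until a junos-host rule-set exists. The zone names Trust/Untrust, the LAN prefix 192.168.1.0/24, the LAN host 192.168.1.50, the destination 203.0.113.10 and the Packet/Rule/RuleSet classes are constructed for the model; the rule-set names, addresses and actions mirror the configs in posts 3 and 6. Real Junos rule-set precedence and routing-instance handling are richer than this toy.

```python
"""Toy model of SRX source NAT rule-set selection (added example, not Junos code).

Matching order mirrored from the thread: a rule-set is only considered when its
from-zone and to-zone equal the packet's ingress and egress zones; only then are
its rules checked in order.  Self-generated traffic has ingress zone junos-host.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Zone the SRX uses for traffic it originates itself (ping, NTP, syslog, ...).
JUNOS_HOST = "junos-host"


@dataclass
class Rule:
    name: str
    source: str          # match source-address prefix, e.g. "192.168.1.1/32"
    destination: str     # match destination-address prefix, e.g. "0.0.0.0/0"
    action: str          # "interface" or "pool:<pool-name>"


@dataclass
class RuleSet:
    name: str
    from_zone: str
    to_zone: str
    rules: List[Rule] = field(default_factory=list)


@dataclass
class Packet:
    src: str
    dst: str
    from_zone: str       # ingress zone; junos-host for the device's own traffic
    to_zone: str         # egress zone chosen by the route lookup


def lookup_source_nat(rulesets: List[RuleSet], pkt: Packet) -> Optional[str]:
    """Return the NAT action that would apply to pkt, or None if nothing matches.

    None means the packet leaves with its original (here private) source address,
    which is the failure the original poster observed.
    """
    for rs in rulesets:
        # Zone pair is the first filter: a Trust-to-Untrust rule-set is skipped
        # entirely for junos-host traffic, however broad its rules are.
        if rs.from_zone != pkt.from_zone or rs.to_zone != pkt.to_zone:
            continue
        for rule in rs.rules:
            if (ip_address(pkt.src) in ip_network(rule.source)
                    and ip_address(pkt.dst) in ip_network(rule.destination)):
                return rule.action
    return None


# Constructed LAN rule-set: what the poster already had for hosts behind the SRX.
LAN_NAT = RuleSet("Trust_to_Untrust", "Trust", "Untrust",
                  [Rule("LAN", "192.168.1.0/24", "0.0.0.0/0", "interface")])

# Rule-set from post 3: interface NAT for the SRX's own traffic.
HOST_NAT = RuleSet("JunOS-Host_to_Untrust", JUNOS_HOST, "Untrust",
                   [Rule("NAT_Interface", "192.168.1.1/32", "0.0.0.0/0", "interface")])

# Rule-set from post 6: pool NAT for a loopback in the junos-host zone.
POOL_NAT = RuleSet("TEST", JUNOS_HOST, "zone-ext",
                   [Rule("TEST1", "1.1.1.1/32", "0.0.0.0/0", "pool:TEST")])


def lan_host_ping() -> Optional[str]:
    """A LAN host (constructed 192.168.1.50) pinging 8.8.8.8: enters from Trust."""
    return lookup_source_nat([LAN_NAT], Packet("192.168.1.50", "8.8.8.8", "Trust", "Untrust"))


def self_ping_without_host_rule() -> Optional[str]:
    """'ping 8.8.8.8 source 192.168.1.1' on the SRX with only the LAN rule-set."""
    return lookup_source_nat([LAN_NAT], Packet("192.168.1.1", "8.8.8.8", JUNOS_HOST, "Untrust"))


def self_ping_with_host_rule() -> Optional[str]:
    """Same ping after the junos-host rule-set from post 3 is added."""
    return lookup_source_nat([LAN_NAT, HOST_NAT],
                             Packet("192.168.1.1", "8.8.8.8", JUNOS_HOST, "Untrust"))


def self_ping_pool_variant() -> Optional[str]:
    """Post 6 layout: loopback 1.1.1.1 towards a constructed external host 203.0.113.10."""
    return lookup_source_nat([POOL_NAT], Packet("1.1.1.1", "203.0.113.10", JUNOS_HOST, "zone-ext"))


if __name__ == "__main__":
    print("LAN host ping            ->", lan_host_ping())
    print("self ping, LAN rule only ->", self_ping_without_host_rule())
    print("self ping, junos-host rs ->", self_ping_with_host_rule())
    print("self ping, pool variant  ->", self_ping_pool_variant())
```

Running it shows the LAN host getting `interface` NAT, the device's own ping getting `None` (no translation, hence the failure in post 1) until the junos-host rule-set is present, and the pool variant returning `pool:TEST`. Note that the junos-host rule in post 3 matches only the /32 of the chosen source, so a ping sourced from another local address on the box would still leave untranslated.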