SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Problem with destination nat on SRX240

    Posted 11-02-2012 02:49

    Hi everybody!

     

    I am struggling to do destination-nat with SRX240 series router. My network is as follows:

    outside ip (for connection- ISP ip): 1.1.1.1/24

    inside ip: 2.2.2.2/24 (also used as public ip)

    another inside ip (for devices): 192.168.168.1/24

     

    I need destination nat from 2.2.2.254/24 to 192.168.168.10/24, on port 80. I have configured sub-interface 2.2.2.254/24 and assigned port ge-0/0/5 ip address 192.168.168.1. I did destination address so that source address was 2.2.2.254/24, destination address 192.168.168.10/24, but I can't get it to work.

     

    When I ping from router all these ip-s, I get correct reply.

     

    My goal is to use my own public ip as outside address and divert it to 192.168.168.10 ip.

     

    If you need any additional info, please let me know.

    Thanks in advance!

     



  • 2.  RE: Problem with destination nat on SRX240

    Posted 11-02-2012 05:07

    Hi,

     

    If possible, could you please put your requirement in a diagram for better understanding?



  • 3.  RE: Problem with destination nat on SRX240

    Posted 11-03-2012 12:41

    Actually there isn't much to diagram. It's more or less like:

     

    internet -> ge-0/0/0 [uses 1.1.1.1/24 ip, as next hop] -> ge-0/0/2 [uses 192.168.168.1/24 ip for home network] (I have confirmed and I can get internet access from that interface.) Also I have one extra public ip to use, 2.2.2.254/24, which I have attached to lo0 interface.

     

    On that ge-0/0/2 interface I have attached one device, with ip 192.168.168.10, and my goal is to get access with 2.2.2.254 ip to that 192.168.168.10 device.



  • 4.  RE: Problem with destination nat on SRX240
    Best Answer

    Posted 11-03-2012 21:58

    OK, then the following configuration should achieve this:

     

    [edit security nat destination]
     
    set pool mypool address 192.168.168.10
    # "internet" below is your internet-facing interface zone
    set rule-set rs1 from zone internet
    set rule-set rs1 rule r1 match destination-address 2.2.2.254/32
    set rule-set rs1 rule r1 then destination-nat pool mypool
    
    Then configure the security policy accordingly ...
    
    [edit]
    
    set security zones security-zone home address-book address web_server 192.168.168.10
    
    set security policies from-zone internet to-zone home policy p1 match source-address any
    set security policies from-zone internet to-zone home policy p1 match destination-address web_server
    # use junos-http instead of any to be specific
    set security policies from-zone internet to-zone home policy p1 match application any
    set security policies from-zone internet to-zone home policy p1 then permit
    

    Also, it is not required (mandatory) to attach the public ip to lo0.0 interface. As your external interface and this IP are in different networks, normal routing should deliver the packets destined to that address from your ISP to your device. If they are in the same network (like a single /24), then we can do with proxy-arp.
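
The configuration in the answer above translates every port on 2.2.2.254 and, with `application any`, permits all of it through to the inside host, while the original question only asked for port 80. The following is an added example, not part of the original answer, that narrows both the NAT rule and the policy to HTTP; it reuses the answer's names (mypool, rs1, r1, p1, web_server, zones internet and home) and the session logging line is an assumption about what you want recorded.

```junos
# Added example: destination NAT and policy limited to port 80.
# Entered from the top of configuration mode ([edit]).

# --- As posted in the answer (broad): all ports translated, any application allowed
# set security nat destination pool mypool address 192.168.168.10
# set security nat destination rule-set rs1 rule r1 match destination-address 2.2.2.254/32
# set security policies from-zone internet to-zone home policy p1 match application any

# --- Narrowed: only traffic to 2.2.2.254 port 80 is translated to 192.168.168.10 port 80
set security nat destination pool mypool address 192.168.168.10/32 port 80
set security nat destination rule-set rs1 from zone internet
set security nat destination rule-set rs1 rule r1 match destination-address 2.2.2.254/32
set security nat destination rule-set rs1 rule r1 match destination-port 80
set security nat destination rule-set rs1 rule r1 then destination-nat pool mypool

# Destination NAT is applied before the policy lookup, so the policy matches the
# translated (private) address, not 2.2.2.254.
set security zones security-zone home address-book address web_server 192.168.168.10/32
set security policies from-zone internet to-zone home policy p1 match source-address any
set security policies from-zone internet to-zone home policy p1 match destination-address web_server
# junos-http is the predefined application for TCP port 80
set security policies from-zone internet to-zone home policy p1 match application junos-http
set security policies from-zone internet to-zone home policy p1 then permit
# Assumption: log each permitted session at creation for later review
set security policies from-zone internet to-zone home policy p1 then log session-init

# --- After commit, check from operational mode:
# show security nat destination rule all
#     (translation hits on r1 should increase when 2.2.2.254:80 is reached)
# show security flow session destination-port 80
#     (sessions should show 2.2.2.254 on the inbound wing and 192.168.168.10 on the outbound wing)
```

With this in place, connections to any other port on 2.2.2.254 match no NAT rule and no permit policy toward the home zone.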



  • 5.  RE: Problem with destination nat on SRX240

    Posted 11-04-2012 03:07

    It works! Thank you very much!