SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX NAT

    Posted 09-19-2017 00:18

    Hi,

    Well, basically I am quite new to the SRX environment, and I need to NAT a public IP to 2 private IPs on different ports.
    In Cisco it is quite easy, but in Junos I don't have a clue how it is to be done; can anyone kindly help with a display set configuration?



  • 2.  RE: SRX NAT

    Posted 09-19-2017 01:12

    Furthermore, one of the private IPs is in one zone whereas the other private IP is in a different zone.



  • 3.  RE: SRX NAT
    Best Answer

     
    Posted 09-19-2017 02:37

    Create 2 address pools, one for each private IP and its associated port:

     

    set security nat destination pool Address-1 address 192.168.1.1/32
    set security nat destination pool Address-1 address port 80
    set security nat destination pool Address-2 address 172.16.1.1/32
    set security nat destination pool Address-2 address port 443

     

    Destination NAT rule:
    set security nat destination rule-set Rule-set-1 from routing-instance default --> This can be the zone or interface on which the actual traffic reaches the SRX


    set security nat destination rule-set Rule-set-1 rule 1 match destination-address 4.4.4.4/32
    set security nat destination rule-set Rule-set-1 rule 1 match destination-port 80
    set security nat destination rule-set Rule-set-1 rule 1 then destination-nat pool Address-1


    set security nat destination rule-set Rule-set-1 rule 2 match destination-address 4.4.4.4/32
    set security nat destination rule-set Rule-set-1 rule 2 match destination-port 443
    set security nat destination rule-set Rule-set-1 rule 2 then destination-nat pool Address-2

     

     

    Make sure you have security policies for each private IP's zone; we don't have to specify them in the NAT rule.



  • 4.  RE: SRX NAT

    Posted 09-20-2017 01:39

    Hi Suraj,

     

    Thanks for this. I have a couple more things on it.
    The routing-instance on which the traffic will be coming in on the SRX already has static NAT, so can I still configure the one you said, set security nat destination rule-set...?

    Also, if I am not wrong, the security policy will be something like this:

    set security policies from-zone untrust to-zone trust policy ABC match source-address any

    set security policies from-zone untrust to-zone trust policy ABC match destination-address address-1

    set security policies from-zone untrust to-zone trust policy ABC then application junos-http

     

    Kindly let me know if it is correct. Also, what is the difference between the NAT destination pool address and the address book? If I am not wrong, the address book is the IP address of the subject in that zone; can you please clarify this?



  • 5.  RE: SRX NAT

     
    Posted 09-20-2017 03:01

    The routing-instance on which the traffic will be coming in on the SRX already has static NAT, so can I still configure the one you said, set security nat destination rule-set...?

    You can still use routing-instance match.

    Policy config should be as below:

    set security policies from-zone untrust to-zone trust policy ABC match source-address any
    set security policies from-zone untrust to-zone trust policy ABC match destination-address address-1
    set security policies from-zone untrust to-zone trust policy ABC match application junos-http
    set security policies from-zone untrust to-zone trust policy ABC then permit

    In the same way, you need to write another policy for the zone to which address 2 is connected.


  • 6.  RE: SRX NAT

    Posted 09-20-2017 03:10
    The routing-instance on which the traffic will be coming in on the SRX already has static NAT, so can I still configure the one you said, set security nat destination rule-set...?

    Not sure what you mean by this but:

     

    You cannot use the SAME ip address in both static NAT and forwarding different ports to separate servers.

     

    You do configure the rule in the same hierarchy as Suraj notes if the addresses are different.

     

     



  • 7.  RE: SRX NAT

    Posted 09-20-2017 03:45

    Well, what I mean is that I already have some IPs with static NAT in this zone. I have to do it via proxy-arp, as the ISP has given a subnet of public IPs which are to be used for publishing and other stuff.
    I will configure different IPs for static NAT and destination NAT,
    but my question was: if I am doing two types of NAT (static/destination) coming in on the same zone of the SRX, it will not create any issues, right or wrong?



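Putting the thread together, here is one complete worked configuration in display set form. It is an added example and not from any post in this thread or from Juniper's documentation: it implements the one-public-IP-to-two-servers destination NAT from the best answer (post 3), with the two servers in different zones as post 2 requires, plus a static NAT on a separate public IP alongside it, which is the arrangement posts 6 and 7 settle on. Everything topology-specific is assumed: ge-0/0/0.0 faces the ISP with 4.4.4.2/24, 4.4.4.4 and 4.4.4.5 are unassigned addresses in that ISP block (hence the proxy-arp), the HTTP server is 192.168.1.1 in zone trust, the HTTPS server is 172.16.1.1 in zone dmz, the static-NAT host is 172.16.1.20 in dmz, and all pool, rule-set, address-book and policy names are illustrative. The `##` lines are explanatory comments; strip them before pasting into `load set terminal`.

```junos
## Assumed topology (example values, not from the thread)
set interfaces ge-0/0/0 unit 0 family inet address 4.4.4.2/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.254/24
set interfaces ge-0/0/2 unit 0 family inet address 172.16.1.254/24
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone dmz interfaces ge-0/0/2.0

## 1. Destination NAT: one public IP (4.4.4.4), two servers, chosen by destination port
set security nat destination pool dnat-web-80 address 192.168.1.1/32 port 80
set security nat destination pool dnat-app-443 address 172.16.1.1/32 port 443
set security nat destination rule-set dnat-from-untrust from zone untrust
set security nat destination rule-set dnat-from-untrust rule web match destination-address 4.4.4.4/32
set security nat destination rule-set dnat-from-untrust rule web match destination-port 80
set security nat destination rule-set dnat-from-untrust rule web then destination-nat pool dnat-web-80
set security nat destination rule-set dnat-from-untrust rule app match destination-address 4.4.4.4/32
set security nat destination rule-set dnat-from-untrust rule app match destination-port 443
set security nat destination rule-set dnat-from-untrust rule app then destination-nat pool dnat-app-443

## 2. Static NAT on a DIFFERENT public IP (4.4.4.5); static NAT wins over destination NAT,
##    so sharing 4.4.4.4 between the two would shadow the port-based rules above
set security nat static rule-set static-from-untrust from zone untrust
set security nat static rule-set static-from-untrust rule host20 match destination-address 4.4.4.5/32
set security nat static rule-set static-from-untrust rule host20 then static-nat prefix 172.16.1.20/32

## 3. Proxy-ARP: 4.4.4.4 and 4.4.4.5 sit in ge-0/0/0.0's subnet but are not configured on it,
##    so the SRX must answer ARP for them or the ISP gateway never forwards the traffic
set security nat proxy-arp interface ge-0/0/0.0 address 4.4.4.4/32
set security nat proxy-arp interface ge-0/0/0.0 address 4.4.4.5/32

## 4. Address book holds the PRIVATE (post-NAT) addresses: destination NAT is applied
##    before policy lookup, so the policy matches the translated address, not 4.4.4.4
set security address-book global address srv-web 192.168.1.1/32
set security address-book global address srv-app 172.16.1.1/32
set security address-book global address srv-host20 172.16.1.20/32

## 5. One policy per destination zone; permit only the application each host needs
set security policies from-zone untrust to-zone trust policy dnat-web match source-address any
set security policies from-zone untrust to-zone trust policy dnat-web match destination-address srv-web
set security policies from-zone untrust to-zone trust policy dnat-web match application junos-http
set security policies from-zone untrust to-zone trust policy dnat-web then permit
set security policies from-zone untrust to-zone dmz policy dnat-app match source-address any
set security policies from-zone untrust to-zone dmz policy dnat-app match destination-address srv-app
set security policies from-zone untrust to-zone dmz policy dnat-app match application junos-https
set security policies from-zone untrust to-zone dmz policy dnat-app then permit
set security policies from-zone untrust to-zone dmz policy static-host20 match source-address any
set security policies from-zone untrust to-zone dmz policy static-host20 match destination-address srv-host20
set security policies from-zone untrust to-zone dmz policy static-host20 match application junos-ssh
set security policies from-zone untrust to-zone dmz policy static-host20 then permit

## Verification after commit (operational mode):
##   show security nat destination summary      (pools and rule-sets as parsed)
##   show security nat destination rule all     (per-rule hit counters)
##   show security nat static rule all          (static rule hit counters)
##   show security flow session destination-port 80   (session shows 4.4.4.4:80 -> 192.168.1.1:80)
```

Two points this makes concrete for the questions in posts 4 and 7. The pool address is where the SRX rewrites the packet to; the address-book entry is what the security policy matches, and because destination NAT runs before the policy lookup the policy must name the private address, which is why post 3 says the NAT rule does not need the zones. Static and destination NAT from the same zone coexist without conflict as long as they use different public addresses; static NAT is evaluated first, so a static rule for 4.4.4.4 would take the traffic before the port-based destination rules ever saw it. The policies are deliberately application-specific: a destination NAT to port 80 with a `match application any` policy would still only deliver port 80, but the static NAT host is reachable on every port, so its policy is the one that actually limits exposure.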
  • 8.  RE: SRX NAT

    Posted 09-20-2017 03:49

    Thanks to you both I found what I was looking for.
    If I get to face any problem I will revert.



  • 9.  RE: SRX NAT

    Posted 09-19-2017 02:59

    Your example is on page 9, the one-to-many case.

     

    https://kb.juniper.net/library/CUSTOMERSERVICE/technotes/Junos_NAT_Examples.pdf

     

    Basically, you have separate rules for NAT and security policy, based on the zone-to-zone initiation direction.