SRX

Hi all,

In SRX series, do we have some thing like ScreenOS as below ?

set interface ethernet0/0 route

set interface ethernet0/1 nat

Or in SRX each every interface mode i cant change it ?

thank you

Hi Lim,

The SRX does not support interface natting. All natting has to be doen in the NAT policy. To simulate the same natting you can use this policy:

security {
    nat {
        source {
            rule-set outbound-source-nat {
                from zone trust;
                to zone untrust;
                rule default {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }

To enter this in your config:

set security nat source rule-set outbound-source-nat from zone trust
set security nat source rule-set outbound-source-nat to zone untrust
set security nat source rule-set outbound-source-nat rule default match source-address 0.0.0.0/0
set security nat source rule-set outbound-source-nat rule default then source-nat interface

And a commit of course.

hi,

thanks for the help. In SRX, if the interface i wan to be in "route mode", i just need not do any nat policy so the interface will be in route mode ?

Thank you

Meng Kiat

Hi,

in SRX there's no such thing as route mode or nat mode. If you like think of all interfaces as in route mode. On ScreenOS when trust interface is in NAT mode all traffic from trust zone to untrust is natted on Egress (untrust) interface with PAT. The nat policy I showed gives the same behaviour.