SRX Services Gateway
Visitor
Posts: 7
Registered: ‎03-01-2017
0 Kudos
Accepted Solution

SRX100 - Problem modifying a static NAT

Hi everyone!

One of my clients has a Juniper SRX100 and I have run into a problem replacing a static NAT.

On the Juniper, a technician created a static NAT 2 years ago (in the menu NAT → Static NAT). The technician NATed a WAN public address to a LAN private address.

The technician created this static NAT: WAN address: 185.46.95.125 → LAN address 192.168.1.10 (SRV-02).

This static NAT makes it possible to ping and to access 185.46.95.125.

 

 Dessin1.png

 

Today, I would like to replace this static NAT with this:

WAN address: 185.46.95.125 → LAN address 192.168.1.20 (SRV-02).

But when I try to modify this static NAT, my WAN PC cannot ping or access 185.46.95.125.

Dessin2.png

I have copied and applied the same policies of the SRV-01 for the new SRV-02.

  

Thank you for your help.

 

I'm sorry for the size of the pictures; I have attached a .PDF of the 2 pictures if you want.

 

 

Distinguished Expert
Posts: 5,020
Registered: ‎03-30-2009
0 Kudos

Re: SRX100 - Problem modifying a static NAT

In addition to the change of the Static NAT policy, you must also update the security policy that permits the traffic.

 

NAT is under 

security > NAT > Static

 

Security will be organized by zone

 

security > policies > from-zone untrust to-zone trust (or your internal zone name post nat)

 

see the full example on page 13 here

 

https://kb.juniper.net/library/CUSTOMERSERVICE/technotes/Junos_NAT_Examples.pdf

Steve Puluka BSEET
Juniper Ambassador
Senior IP Engineer - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
JNCIA-Junos JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCIS-FWV
JNCDA JNCDS-DC JNCDS-SEC
JNCIS-SP
ACE PanOS 6 ACE PanOS 7
http://puluka.com/home
Visitor
Posts: 7
Registered: ‎03-01-2017
0 Kudos

Re: SRX100 - Problem modifying a static NAT

Hi Steve Puluka,

 

Thank you for your answer.

 

I have checked:

- Policies from-zone untrust to-zone trust → All is opened

- Policies from-zone trust to-zone untrust → All is opened

- The best practices of the static NAT configuration (page 13) → All is OK

Does someone have another suggestion?

 

Thank you.

Distinguished Expert
Posts: 1,910
Registered: ‎06-06-2011
0 Kudos

Re: SRX100 - Problem modifying a static NAT

Access the CLI, enter this command, and then use the temporary commit to verify that it works; then commit a second time before the temporary window expires to apply it permanently.

user@srx100# replace pattern 192.168.1.10 with 192.168.1.20

commit confirmed 8

Test if all works, then if satisfied, enter commit within 8 minutes.

[KUDOS PLEASE! If you think I earned it!
If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]
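
An added example, not part of the reply above and not Juniper code: a Python preview of which configuration lines `replace pattern 192.168.1.10 with 192.168.1.20` would rewrite, assuming the pattern is matched as an unanchored regular expression, as Junos documents for this command. The sample configuration, its rule and address names, and the extra 192.168.1.100 and 192.168.1.101 hosts are constructed for illustration.

```python
import re

# Constructed sample configuration in "set" form (hypothetical names and hosts).
SAMPLE_CONFIG = """\
set security nat static rule-set WAN-IN rule SRV match destination-address 185.46.95.125/32
set security nat static rule-set WAN-IN rule SRV then static-nat prefix 192.168.1.10/32
set security address-book global address SRV-01 192.168.1.10/32
set security address-book global address PRINTER 192.168.1.100/32
set security address-book global address NAS 192.168.1.101/32
set system name-server 192.168.1.1
"""


def preview_replace(config, pattern, replacement):
    """Return (line_no, before, after) for every line the substitution changes."""
    regex = re.compile(pattern)  # unanchored: matches anywhere inside a line
    changes = []
    for line_no, line in enumerate(config.splitlines(), start=1):
        rewritten = regex.sub(replacement, line)
        if rewritten != line:
            changes.append((line_no, line, rewritten))
    return changes


def exact_ipv4_pattern(addr):
    """Pattern for exactly this address: dots escaped, no digit or dot beside it.

    Uses Python lookarounds, so it is for this offline preview only and is not
    meant to be pasted into the device CLI.
    """
    return r"(?<![\d.])" + re.escape(addr) + r"(?!\d)"


def changed_lines(config, pattern, replacement):
    """Line numbers only, convenient for comparing two patterns."""
    return [line_no for line_no, _, _ in preview_replace(config, pattern, replacement)]


if __name__ == "__main__":
    old, new = "192.168.1.10", "192.168.1.20"
    for label, pat in (("bare", old), ("exact", exact_ipv4_pattern(old))):
        print(f"--- {label} pattern: {pat}")
        for line_no, before, after in preview_replace(SAMPLE_CONFIG, pat, new):
            print(f"L{line_no}: {before}\n  -> {after}")
```

On the device itself, `show | compare` run before `commit confirmed` lists the candidate changes, so unintended rewrites such as a neighbouring 192.168.1.100 entry can be caught there.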
Visitor
Posts: 7
Registered: ‎03-01-2017
0 Kudos

Re: SRX100 - Problem modifying a static NAT

Hi everyone,

I have finally found the solution. On the srv-02, the Windows Firewall service had crashed. I restarted the service and access is now possible.

Thank you again for your help.