08-11-2017 01:28 PM - edited 08-11-2017 01:31 PM
Hi everyone!
One of my clients has a Juniper SRX100 and I have a problem replacing a static NAT.
On the Juniper, a technician created a static NAT 2 years ago (in the menu NAT → Static NAT). The technician NATed a WAN public address to a LAN private address.
The technician created this static NAT: WAN address: 220.127.116.11 → LAN address 192.168.1.10 (SRV-02).
This static NAT permits pinging and accessing 18.104.22.168.
Today, I would like to replace this static NAT with this:
WAN address: 22.214.171.124 → LAN address 192.168.1.20 (SRV-02).
But when I try to modify this static NAT, my WAN PC won't ping or have access to 126.96.36.199.
I have copied and applied the same policies of SRV-01 for the new SRV-02.
Thank you for your help.
I'm sorry for the size of the pictures; I have attached a .PDF of the 2 pictures if you want.
08-12-2017 06:22 AM
In addition to the change of the static NAT policy, you must also update the security policy that permits the traffic.
NAT is under
security > NAT > Static
Security will be organized by zone
security > policies > from-zone untrust to-zone trust (or your internal zone name post nat)
see the full example on page 13 here
Senior IP Engineer - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
JNCIA-Junos JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCDA JNCDS-DC JNCDS-SEC
ACE PanOS 6 ACE PanOS 7
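The two pieces described in the reply above, as an added example in Junos set-command form (not taken from the thread or from the Juniper document it links). The address 203.0.113.20, the interface fe-0/0/0.0, and the rule-set, rule, policy and address-book names are all constructed placeholders; only 192.168.1.20 and the zone names come from the thread.

```junos
# --- Constructed example; every name and the public address are placeholders ---

# 1. Static NAT: public address on the untrust side -> new private server address
set security nat static rule-set static-in from zone untrust
set security nat static rule-set static-in rule srv-02 match destination-address 203.0.113.20/32
set security nat static rule-set static-in rule srv-02 then static-nat prefix 192.168.1.20/32

# 2. Proxy ARP: needed only when the public address is in the WAN interface's
#    subnet but is not the interface address itself (assumed here)
set security nat proxy-arp interface fe-0/0/0.0 address 203.0.113.20/32

# 3. Security policy: static NAT is applied before the policy lookup, so the
#    policy must match the translated (private) address, not the public one
set security zones security-zone trust address-book address SRV-02 192.168.1.20/32
set security policies from-zone untrust to-zone trust policy allow-srv-02 match source-address any
set security policies from-zone untrust to-zone trust policy allow-srv-02 match destination-address SRV-02
# Permit only what the server must expose; ping is shown, add other services the same way
set security policies from-zone untrust to-zone trust policy allow-srv-02 match application junos-icmp-ping
set security policies from-zone untrust to-zone trust policy allow-srv-02 then permit

# 4. Verification from operational mode after committing:
#    show security nat static rule all
#    show security flow session destination-prefix 203.0.113.20
```

If the NAT rule's translation-hit counter increases and a session appears for the test traffic but nothing comes back, the firewall is forwarding the packets and the next place to look is the server itself, including its host firewall.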
08-13-2017 09:30 AM
Hi Steve Puluka,
Thank you for your answer.
I have checked :
- Policies from-zone untrust to-zone trust → All is opened
- Policies from-zone trust to-zone untrust → All is opened
- The best practices of the static NAT configuration (page 13) → All is OK
Does anyone have another proposition?
08-13-2017 07:44 PM
Access the CLI and enter this command, then use the temporary commit to verify that it works, then commit a second time before the temporary window expires to apply it permanently.
user@srx100# replace pattern 192.168.1.10 with 192.168.1.20
commit confirmed 8
Test if all works, then if satisfied, enter commit within 8 minutes.
08-13-2017 11:35 PM
I have finally found the solution. On SRV-02, the Windows Firewall service had crashed. I restarted the service and access is now possible.
Thank you again for your help.