SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX210: Issue accessing different subnets on Trust Vlan

    Posted 12-10-2012 00:54

    We just migrated from a Netscreen 5GT to a Juniper SRX210 in one of our sites.

    In this site we have two subnets in the Trust zone (now in the Trust Vlan): 10.5.0.0/16 and 192.168.1.0/24. The firewall is configured with an IP address from both subnets (so the Trust-vlan interface has two IP addresses).

    All internal workstations and servers work on the 10.5.0.0 subnet, and we host a few servers on the 192.168.1.0 subnet (these servers had MIP entries on the 5GT and now have static NAT entries on the SRX210).

    On the 5GT we had no problems accessing the servers in the 192.168 subnet both internally and externally via the internet.

    On the SRX210 however, we can reach the hosted servers fine externally (via the public IP address, NATted to the 192.168 internal addresses) but we can NOT reach those servers internally.

    So e.g. a workstation with IP address 10.5.1.2 tries to reach the public IP 201.201.1.4. This IP has a static NAT entry on the SRX210 to translate to 192.168.1.4, but it cannot reach any resources.

    It seems like there is a difference in the way this traffic is handled by the 5GT and the SRX210. Should I use a different configuration? Use a different Vlan perhaps?


  • 2.  RE: SRX210: Issue accessing different subnets on Trust Vlan
    Best Answer

    Posted 12-10-2012 04:59

    Hi,

    I think you are trying to perform Hairpin NAT. Have a read here:

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB24639



  • 3.  RE: SRX210: Issue accessing different subnets on Trust Vlan

    Posted 12-10-2012 05:22

    Thanks, that is the solution!

    However I would like to add something:

    In my case, instead of using destination NAT I added a static NAT entry for the Trust zone, which is basically a duplicate of the static NAT entry on the Untrust zone.

    And I also had to set a policy:

    from-zone trust to-zone trust {
        policy trust-any {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }

    This is also new and was not needed on the 5GT (I think not even possible), so this was a little confusing, but now it makes sense.
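The arrangement described in this thread (the original static NAT from the untrust zone, a duplicate static NAT rule-set from the trust zone, and the trust-to-trust policy), written out as one complete Junos configuration fragment. This is an added example, not configuration from the posts, from the KB article, or from Juniper. The IP addresses are the ones given in the thread; the rule-set, rule and policy names and the untrust interface name (ge-0/0/0.0) are assumptions.

```junos
security {
    nat {
        static {
            /* Existing translation for Internet clients: public IP -> hosted server */
            rule-set untrust-static {
                from zone untrust;
                rule srv4-untrust {
                    match {
                        destination-address 201.201.1.4/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                192.168.1.4/32;
                            }
                        }
                    }
                }
            }
            /* Hairpin: the same translation for traffic that arrives from the
               trust zone, i.e. workstations on 10.5.0.0/16 that use the public IP */
            rule-set trust-static {
                from zone trust;
                rule srv4-trust {
                    match {
                        destination-address 201.201.1.4/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                192.168.1.4/32;
                            }
                        }
                    }
                }
            }
        }
        /* Needed on the untrust side when 201.201.1.4 is not the interface's own
           address; the interface name is an assumption */
        proxy-arp {
            interface ge-0/0/0.0 {
                address {
                    201.201.1.4/32;
                }
            }
        }
    }
    policies {
        /* Intra-zone traffic is denied by default on the SRX, so the hairpinned
           session also needs an explicit trust-to-trust policy */
        from-zone trust to-zone trust {
            policy trust-hairpin {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
```

Two points worth checking before committing something like this. First, the trust-to-trust policy in the thread permits any-to-any inside the zone; for the hairpin alone it can be narrowed to the translated server address and the applications actually hosted, which keeps the SRX from silently becoming an open path between the 10.5.0.0/16 and 192.168.1.0/24 subnets. Second, this works here because the client (10.5.1.2) and the server (192.168.1.4) sit in different subnets, so the server's reply is routed back through the SRX and the session stays symmetric; if client and server were on the same subnet, the server would answer the client directly, the SRX would never see the return traffic, and a source NAT to the SRX's own address would be needed in addition to the destination translation.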