SRX Services Gateway
Visitor
radi
Posts: 2
Registered: 07-08-2010
0

SRX240 NAT problem

[ Edited ]

Hi!

I'm new to the SRX topic, so please help me. I'm trying to configure my network with 2 VLANs (1 - 192.168.0.0/24 for computers and 2 - 192.168.1.0/24 for servers). Servers are static NATed with external IP addresses. Everything seems to be working fine except for the servers. When I'm logged on to one of them (for example WWW) I can't reach the website which is running on it. So if I type the DNS name www.......pl - nothing; when I type the external IP address - nothing; internal (192.....) - works fine; localhost - also. All the other websites work OK. The server is reachable from the outside and from the second VLAN.

This is my configuration in the attachment:


Super Contributor
colemtb
Posts: 312
Registered: 09-30-2009
0

Re: SRX240 NAT problem

I don't think you need the source NAT for trust to DMZ connectivity.


rule-set trust-to-DMZ {
    from zone trust;
    to zone DMZ;
    rule trust-to-DMZ {
        match {
            source-address 0.0.0.0/0;
            destination-address 0.0.0.0/0;
        }
        then {
            source-nat {
                interface;
            }
        }
    }
}


I don't get those static NATs with a source of trust but external IP address space; you already have these in the untrust statics.


rule-set static-nat-trust {
    from zone trust;
    rule whistler-2 {
        match {
            destination-address 156.17.123.2/32;
        }
        then {
            static-nat prefix 192.168.1.2/32;
        }
    }
    rule liber-2 {
        match {
            destination-address 156.17.123.3/32;
        }
        then {
            static-nat prefix 192.168.1.3/32;
        }
    }
    rule diablo-2 {
        match {
            destination-address 156.17.123.4/32;
        }
        then {
            static-nat prefix 192.168.1.4/32;
        }
    }
}


Finally, you have no policy from untrust to trust for 192.168.0.30/32.

Visitor
radi
Posts: 2
Registered: 07-08-2010
0

Re: SRX240 NAT problem

Thanks for your advice. About this second NAT: if I remove it, hosts from the trust zone can't access servers in the DMZ by their DNS names or external IP addresses.

Super Contributor
colemtb
Posts: 312
Registered: 09-30-2009
0

Re: SRX240 NAT problem

Ah, interesting. I've always had internal DNS so I didn't run into it, good to know.
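The exchange above turns on two points that are easy to get wrong when internal hosts reach a server through its public address: a static NAT rule-set only translates traffic arriving from the zones it is configured `from` (which is why removing the trust rule-set breaks trust-to-DMZ access by external IP), and a hairpinned flow whose reply would not pass back through the firewall (the server answering itself, or a neighbour on the same segment) fails unless the firewall also rewrites the source address. The following toy model is an added example, not code from the thread or from Juniper; it simulates a stateful firewall with per-zone static NAT and optional interface source NAT, and reproduces the three outcomes discussed. The addresses 156.17.123.2 and 192.168.1.2 come from the thread; the host 192.168.0.30, the interface addresses (first host of each subnet), the port numbers and the zone layout are assumptions made for the simulation.

```python
"""Toy stateful-NAT model (constructed example) showing why hairpinned
flows need source NAT and why static NAT is scoped by the 'from' zone."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


class Firewall:
    """Routes between zones, applies static (destination) NAT for flows
    arriving from the zones in static_nat_from, optionally source-NATs the
    flow to the interface facing the server, and keeps a session table so
    replies can be reverse-translated."""

    def __init__(self, zones, static_nat, static_nat_from, source_nat):
        self.zones = {name: ip_network(cidr) for name, cidr in zones.items()}
        self.static_nat = static_nat              # external -> internal
        self.static_nat_from = set(static_nat_from)
        self.source_nat = source_nat              # like 'source-nat { interface; }'
        self.sessions = {}                        # server-side 4-tuple -> client side

    def zone_of(self, addr):
        for name, net in self.zones.items():
            if ip_address(addr) in net:
                return name
        return "untrust"

    def interface_ip(self, zone):
        # assumption: the firewall holds the first host address of each subnet
        return str(self.zones[zone][1])

    @property
    def interface_ips(self):
        return {str(net[1]) for net in self.zones.values()}

    def forward_initial(self, pkt):
        """Client -> external address. Returns the packet sent to the server,
        or None when no static NAT rule applies from the client's zone."""
        internal = self.static_nat.get(pkt.dst)
        if internal is None or self.zone_of(pkt.src) not in self.static_nat_from:
            return None
        src, sport = pkt.src, pkt.sport
        if self.source_nat:
            src = self.interface_ip(self.zone_of(internal))
            sport = 20000 + len(self.sessions)
        self.sessions[(internal, pkt.dport, src, sport)] = (pkt.dst, pkt.src, pkt.sport)
        return Packet(src, internal, sport, pkt.dport)

    def forward_reply(self, pkt):
        """Server -> client reply traversing the firewall; reverse both NATs."""
        entry = self.sessions.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if entry is None:
            return None
        external, client, cport = entry
        return Packet(external, client, pkt.sport, cport)


def connect(fw, client_ip, external_ip, dport=80, sport=40000):
    """True if the client sees a reply from the address it actually contacted."""
    to_server = fw.forward_initial(Packet(client_ip, external_ip, sport, dport))
    if to_server is None:
        return False
    # The server answers whatever source address it saw.
    reply = Packet(to_server.dst, to_server.src, dport, to_server.sport)
    # The reply only reaches the firewall if it is addressed to the firewall
    # itself or has to be routed into another zone; same-segment traffic
    # (including a host talking to itself) bypasses it.
    via_firewall = (reply.dst in fw.interface_ips
                    or fw.zone_of(reply.src) != fw.zone_of(reply.dst))
    delivered = fw.forward_reply(reply) if via_firewall else reply
    if delivered is None:
        return False
    return (delivered.src, delivered.dst, delivered.dport) == (external_ip, client_ip, sport)


ZONES = {"trust": "192.168.0.0/24", "DMZ": "192.168.1.0/24"}
STATIC = {"156.17.123.2": "192.168.1.2"}   # from the thread's whistler-2 rule


def trust_without_trust_ruleset():
    return connect(Firewall(ZONES, STATIC, {"untrust"}, False), "192.168.0.30", "156.17.123.2")


def trust_with_trust_ruleset():
    return connect(Firewall(ZONES, STATIC, {"untrust", "trust"}, False), "192.168.0.30", "156.17.123.2")


def server_to_itself(source_nat):
    return connect(Firewall(ZONES, STATIC, {"untrust", "trust", "DMZ"}, source_nat),
                   "192.168.1.2", "156.17.123.2")


if __name__ == "__main__":
    print("trust host, static NAT only from untrust:", trust_without_trust_ruleset())
    print("trust host, static NAT also from trust:  ", trust_with_trust_ruleset())
    print("server to its own external IP, no source NAT:", server_to_itself(False))
    print("server to its own external IP, source NAT:   ", server_to_itself(True))
```

The model backs both replies in the thread: a trust host reaching the DMZ by external IP works once the static NAT rule-set applies `from zone trust`, and it works without source NAT because the DMZ server's reply has to be routed back through the firewall anyway. The original problem (the server cannot reach its own site by external IP) is the case where the reply never returns to the firewall, so the client side sees an answer from 192.168.1.2 instead of 156.17.123.2; rewriting the source to the firewall's interface forces the reply back through the session table.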

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.