07-08-2010 01:11 PM - edited 07-08-2010 01:12 PM
Hi!
I'm new to the SRX topic so please help me. I'm trying to configure my network with 2 VLANs (1 - 192.168.0.0/24 for computers and 2 - 192.168.1.0/24 for servers). The servers are statically NATed to external IP addresses. Everything seems to be working fine except for the servers. When I'm logged on to one of them (for example WWW) I can't reach the website which is running on it. So if I enter the DNS name www.......pl - nothing; when I enter the external IP address - nothing; the internal one (192.....) - works fine; localhost - also. All the other websites work OK. The server is reachable from the outside and from the second VLAN.
My configuration is in the attachment:
07-09-2010 11:38 AM
I don't think you need the source NAT for trust to DMZ connectivity.
rule-set trust-to-DMZ {
    from zone trust;
    to zone DMZ;
    rule trust-to-DMZ {
        match {
            source-address 0.0.0.0/0;
            destination-address 0.0.0.0/0;
        }
        then {
            source-nat {
                interface;
            }
        }
    }
}
}
I don't get those static NATs with a source of trust but external IP address space; you already have these in the untrust statics.
rule-set static-nat-trust {
    from zone trust;
    rule whistler-2 {
        match {
            destination-address 156.17.123.2/32;
        }
        then {
            static-nat prefix 192.168.1.2/32;
        }
    }
    rule liber-2 {
        match {
            destination-address 156.17.123.3/32;
        }
        then {
            static-nat prefix 192.168.1.3/32;
        }
    }
    rule diablo-2 {
        match {
            destination-address 156.17.123.4/32;
        }
        then {
            static-nat prefix 192.168.1.4/32;
        }
    }
}
}
Finally, you have no policy from untrust to trust for 192.168.0.30/32.
07-09-2010 03:00 PM
Thanks for your advice. About this second NAT: if I remove it, hosts from the trust zone can't access servers in the DMZ by their DNS names or external IP addresses.
07-10-2010 01:14 PM
Ah, interesting. I've always had internal DNS so I didn't run into it; good to know.
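The symptom in the opening post (a DMZ server cannot reach its own external address, while the internal address works) is the classic hairpin-NAT failure: static NAT rewrites the destination back to the server's own VLAN, the server answers the untranslated client directly on that VLAN, and the firewall never sees the reply it would need to un-translate. The model below is an added example written for this thread, not the poster's configuration or any Juniper code. It reuses the addresses from the thread (156.17.123.2-4 static-NATed to 192.168.1.2-4, the host 192.168.0.30) and assumes, as a constructed detail, that the SRX holds .1 in each VLAN. It only reproduces the direct-reply cause; it does not try to explain why the trust-to-DMZ case in the later reply also needed the interface source NAT.

```python
"""Model of hairpin (NAT loopback) traffic through a two-VLAN firewall.

Constructed example for the thread above; not the poster's SRX configuration.
Addresses from the thread are reused; the firewall interface addresses
(.1 in each VLAN) are an assumption.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


# Static NAT from the thread: external address -> DMZ server.
STATIC_NAT = {
    "156.17.123.2": "192.168.1.2",  # whistler
    "156.17.123.3": "192.168.1.3",  # liber
    "156.17.123.4": "192.168.1.4",  # diablo
}

# Zone layout from the thread; the interface addresses are assumed.
ZONES = {
    "trust": ip_network("192.168.0.0/24"),
    "DMZ": ip_network("192.168.1.0/24"),
}
FW_INTERFACE = {"trust": "192.168.0.1", "DMZ": "192.168.1.1"}  # assumption


def zone_of(addr: str) -> str:
    """Zone an address belongs to; anything outside the two VLANs is untrust."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "untrust"


def translate(pkt: Packet, source_nat_pairs: frozenset = frozenset()) -> Packet:
    """Apply the firewall's NAT: static (destination) NAT first, then interface
    source NAT when a rule-set covers the (from-zone, to-zone) pair, mirroring
    the 'then { source-nat { interface; } }' rule quoted in the thread."""
    dst = STATIC_NAT.get(pkt.dst, pkt.dst)
    from_zone, to_zone = zone_of(pkt.src), zone_of(dst)
    src = FW_INTERFACE[to_zone] if (from_zone, to_zone) in source_nat_pairs else pkt.src
    return Packet(src, dst)


def reply_passes_firewall(translated: Packet) -> bool:
    """Does the server's reply come back through the firewall?

    The server answers the translated source. If that address is in the
    server's own subnet and is not the firewall, the reply is delivered directly
    on the VLAN: the firewall never sees it and cannot restore the external
    destination, so the client (waiting on the external address) drops it."""
    if translated.src in FW_INTERFACE.values():
        return True  # reply lands on the firewall, which un-NATs and forwards it
    return zone_of(translated.src) != zone_of(translated.dst)  # routed via gateway


def hairpin_works(src: str, dst: str, source_nat_pairs: frozenset = frozenset()) -> bool:
    """End-to-end check: client at src connects to dst (normally an external
    address); True if the session's replies will traverse the firewall."""
    return reply_passes_firewall(translate(Packet(src, dst), source_nat_pairs))


if __name__ == "__main__":
    dmz_loopback = frozenset({("DMZ", "DMZ")})
    cases = [
        ("server -> own external IP, no source NAT", "192.168.1.2", "156.17.123.2", frozenset()),
        ("server -> own external IP, DMZ-to-DMZ interface source NAT", "192.168.1.2", "156.17.123.2", dmz_loopback),
        ("server -> other server's external IP, no source NAT", "192.168.1.3", "156.17.123.2", frozenset()),
        ("trust host -> server internal IP", "192.168.0.30", "192.168.1.2", frozenset()),
    ]
    for label, src, dst, pairs in cases:
        print(f"{label}: {'works' if hairpin_works(src, dst, pairs) else 'fails'}")
```

The fix the model points at is the same mechanism the thread's trust-to-DMZ rule-set uses, applied from zone DMZ to zone DMZ: source NAT to the firewall interface so the server's reply is addressed to the firewall. The operational cost, worth noting before copying the rule, is that the server then logs the firewall's interface address instead of the real client for every hairpinned connection, so web-server logs lose the client identity for internal users; running an internal DNS view that answers with the 192.168.1.x addresses (the later reply's approach) avoids both the hairpin and that logging gap.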