SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Same DNAT at two different routers/ different connections?

    Posted 11-21-2013 16:27

    We have a business partner that sends print jobs to a print server in our network. This business partner can connect to us via our primary and secondary datacenters through an SRX at each location. They cannot route natively to the IP of the printer, so we must use NAT, but they can only input one entry into their software for the printer. In my mind, the following would work, but I don't really see this setup discussed much online. Please let me know if this would be successful, or if I'm missing something:

    Printer Native IP = 1.1.1.1

    Business Partner sees 2.2.2.2

    Business partner routes to 2.2.2.2 over primary link SRX and backup link SRX with appropriate cost/preference.

    On both SRXs, we DNAT 2.2.2.2 to 1.1.1.1 on the outside and then source NAT on the inside before the traffic is sent into our internal network to the print server. This way, if the print server needs to respond, it takes the appropriate path to pass through the SRX that did the DNAT.

    I don't really see how this would cause any issues since these aren't static NATs.

    Any input? I would love to just put the NATs at our core firewalls so they're closest to the end devices, but the print server is not on a subnet that we segregate there.

    Any help would be appreciated.

    Thanks!



  • 2.  RE: Same DNAT at two different routers/ different connections?
    Best Answer

     
    Posted 11-22-2013 01:26

    Applying the source NAT and DNAT as you specified will work for you in this scenario.

    Static NAT is needed only if the Printer initiates a connection to your business partner site, which is not expected.

     

    Thanks,

    Suraj 

     

    If this worked for you please flag my post as an "Accepted Solution" so others can benefit
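
Added example, not part of the original posts: a Junos `set`-style sketch of the destination NAT plus source NAT arrangement discussed in this thread, to be applied on both the primary and the backup SRX. The zone names `partner` and `trust`, the pool, rule-set, rule, policy and address-book names are assumptions; 1.1.1.1 and 2.2.2.2 are the addresses from the question.

```junos
# Destination NAT: the partner-facing address 2.2.2.2 is translated
# to the printer's real address 1.1.1.1 on arrival from the partner zone.
set security nat destination pool printer-real address 1.1.1.1/32
set security nat destination rule-set from-partner from zone partner
set security nat destination rule-set from-partner rule printer-dnat match destination-address 2.2.2.2/32
set security nat destination rule-set from-partner rule printer-dnat then destination-nat pool printer-real

# Source NAT: the partner's source is hidden behind this SRX's own
# inside interface address. Because each SRX uses a different inside
# address, the printer's replies return to whichever SRX built the
# session. Source NAT is evaluated after destination NAT, so the match
# here is on the already translated destination (1.1.1.1).
set security nat source rule-set partner-to-trust from zone partner
set security nat source rule-set partner-to-trust to zone trust
set security nat source rule-set partner-to-trust rule printer-snat match destination-address 1.1.1.1/32
set security nat source rule-set partner-to-trust rule printer-snat then source-nat interface

# Security policy: also evaluated after destination NAT, so it
# references the printer's real address. "any" for source and
# application is a placeholder; restrict both to the partner's
# prefixes and the print protocol actually in use.
set security address-book global address printer-real-addr 1.1.1.1/32
set security policies from-zone partner to-zone trust policy partner-print match source-address any
set security policies from-zone partner to-zone trust policy partner-print match destination-address printer-real-addr
set security policies from-zone partner to-zone trust policy partner-print match application any
set security policies from-zone partner to-zone trust policy partner-print then permit
```

After commit, `show security nat destination rule all` and `show security nat source rule all` on each SRX show the translation hit counters, which confirms which device is handling the partner's sessions.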



  • 3.  RE: Same DNAT at two different routers/ different connections?

    Posted 11-22-2013 09:15

    Perfect.  I just wanted to make sure I wasn't missing anything since I don't see much info on this type of config online and I think it would be somewhat common in these weird situations.