Dear Community,
I am trying to do a simple destination NAT but so far without success.
Maybe one of you has an idea why it is not working for us?
What we want to do is a simple destination NAT from one of our public IPs configured on the untrust zone to one of our hosts within a dedicated management zone.
Scenario on our SRX650 A/P cluster:
reth0.0 untrust interface with two public IPs:
root@mysrx650# show interfaces reth0
redundant-ether-options {
    redundancy-group 1;
}
unit 0 {
    family inet {
        address xx.xx.10.4/27;
        address xx.xx.10.5/27;
    }
}
reth2.0 management interface with yy.yy.0.1/16:
root@mysrx650# show interfaces reth2
vlan-tagging;
redundant-ether-options {
    redundancy-group 1;
}
unit 0 {
    vlan-id 222;
    family inet {
        address yy.yy.0.1/16;
    }
}
The host we want to reach from the public IP xx.xx.10.5/27 is yy.yy.0.110/16; the destination NAT is configured like this:
root@mysrx650# show security nat destination
pool dst_yy_yy_0_110 {
    address yy.yy.0.110/32;
}
rule-set zone-untrust-in {
    from zone untrust;
    rule rule1 {
        match {
            source-address 0.0.0.0/0;
            destination-address xx.xx.10.5/32;
        }
        then {
            destination-nat pool dst_yy_yy_0_110;
        }
    }
}
root@mysrx650# show security nat destination pool dst_yy_yy_0_110
address yy.yy.0.110/32;
Of course the host is reachable, and a security policy (incl. address book entry) has also been configured:
root@mysrx650# show security policies from-zone untrust to-zone MGMT
policy specific-access {
    match {
        source-address any;
        destination-address specific_host_yy_yy_0_110_32;
        application any;
    }
    then {
        permit;
    }
}
What could be the problem, and why can't we still reach the host in the management zone from outside?
Thanks and regards,
#destination-nat #NAT
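A verification pass from the Junos operational CLI, added here as an example; it is not part of the original post and not a Juniper-supplied procedure. It uses the interface, zone, pool and rule names from the post, assumes a constructed client address 203.0.113.10 and an SSH (TCP/22) test connection as placeholders, and the lines starting with `#` are notes, not commands. On the SRX the security policy lookup happens after destination NAT, so the policy is matched against the real host address (as the posted policy does); the checks below show whether the cluster, zone membership, NAT rule, policy and return path are each in place.

```junos
# Added example: operational checks for the destination NAT shown above.
# Placeholders (constructed): client 203.0.113.10, test service TCP/22.

# 1. Cluster and reth state: the node owning redundancy-group 1 must be
#    primary, and both reth interfaces must be up.
show chassis cluster status
show interfaces reth0.0 terse
show interfaces reth2.0 terse

# 2. Zone membership: rule-set "zone-untrust-in" only sees traffic that
#    ingresses on an interface in zone untrust, and the policy only covers
#    untrust -> MGMT. reth0.0 must be listed under untrust, reth2.0 under MGMT.
show security zones

# 3. NAT rule hits: the "Translation hits" counter for rule1 must increase
#    while the client connects to xx.xx.10.5. If it stays at 0, traffic never
#    reaches the rule (zone, routing or upstream filtering).
show security nat destination summary
show security nat destination rule all

# 4. Policy match for the translated flow: query with the real host address,
#    because policy evaluation runs on the post-NAT destination.
show security match-policies from-zone untrust to-zone MGMT source-ip 203.0.113.10 destination-ip yy.yy.0.110 source-port 40000 destination-port 22 protocol tcp

# 5. Session table: a session for the client should show the public address
#    on the In wing and yy.yy.0.110 on the Out wing.
show security flow session source-prefix 203.0.113.10

# 6. Return path: the host must be routed via reth2.0 and resolve in ARP,
#    and its replies must come back through the SRX (default gateway yy.yy.0.1
#    or an equivalent route), otherwise the session never completes.
show route yy.yy.0.110
show arp no-resolve | match yy.yy.0.110

# 7. Live packet view on the inside interface during a client connection.
monitor traffic interface reth2.0 no-resolve matching "host yy.yy.0.110 and port 22"
```

Work through the steps in order: a NAT hit counter that never increments points at step 1 or 2 (traffic not arriving in zone untrust), a hit with no session points at the policy (step 4), and a session whose reply counters stay at zero points at the return path on the host side (step 6).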