SRX Services Gateway
Contributor
Posts: 31
Registered: ‎09-12-2014
0 Kudos

Source NAT Translation

 

I configured source NAT translation and it's not getting hits. I changed the order of the rules and the issue still exists. I have destination NAT configured and it received hits. Any tips on troubleshooting the source NAT? This translation is on SRX between two servers.

Distinguished Expert
Posts: 1,015
Registered: ‎08-29-2013
0 Kudos

Re: Source NAT Translation

Can you share the "show route" for the source and destination address and the source NAT rule?

Thanks,
Suraj
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too
Contributor
Posts: 31
Registered: ‎09-12-2014
0 Kudos

Re: Source NAT Translation

Here is the source NAT rule. The IP addresses used are just for example.

 

 

security {
    ike {
        respond-bad-spi 1;
    }
    nat {
        source {
            pool pool-5 {
                address {
                    10.30.20.10/32 to 10.30.20.10/32;
                }
            }
            pool pool-4 {
                address {
                    10.20.20.7/32 to 10.20.20.7/32;
                }
            }
            rule-set source-nat-1 {
                from zone "BLAN";
                to zone "ELAN";
                rule rule5 {
                    match {
                        source-address 10.20.20.1/32;
                        destination-address 10.20.20.7/32;
                    }
                    then {
                        source-nat {
                            pool pool-5;
                        }
                    }
                }
            }
            rule-set source-nat-2 {
                from zone "ELAN";
                to zone "BLAN";
                rule rule4 {
                    match {
                        source-address 10.30.20.1/32;
                        destination-address 10.30.20.10/32;
                    }
                    then {
                        source-nat {
                            pool pool-4;
                        }
                    }
                }
            }
        }
    }
}



Source NAT policies

 

from-zone "Banknet_LAN" to-zone "Euronet" {
    policy 34 {
        match {
            source-address MI;
            destination-address ES;
            application TCP/6004;
        }
        then {
            permit;
            log {
                session-init;
            }
        }
    }
}

from-zone ELAN to-zone BLAN {
    policy 33 {
        match {
            source-address EA;
            destination-address MP;
            application TCP/6004;
        }
        then {
            permit;
            log {
                session-init;
            }
        }
    }
}


Routes

static {
    route 10.20.20.7/32 {
        next-hop 10.2.1.1;
        preference 20;
    }
}

 

Contributor
Posts: 31
Registered: ‎09-12-2014
0 Kudos

Re: Source NAT Translation

 

 

In SSG there is config on the interface:

set interface ethernet0/0 ext ip 10.30.20.10/32 255.255.255.255 dip 5  10.30.20.10 10.30.20.10/32

 

 

In SRX interface:

Do I need to add IP 10.30.20.10/32 as a secondary IP address?

 

 

Distinguished Expert
Posts: 4,762
Registered: ‎03-30-2009
0 Kudos

Re: Source NAT Translation

You can do the NAT using the pools without a secondary IP.

 

But on the SRX the security policy that permits the traffic and sets up the session is separate from this NAT policy that does the address translation. Make sure you have a corresponding security policy to permit the traffic.

 

Verify that the session is created and permitted using

 

show security flow session source-prefix 10.30.20.1/32

Steve Puluka BSEET
Juniper Ambassador
Senior IP Engineer - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
JNCIA-Junos JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCIS-FWV
JNCDA JNCDS-DC JNCDS-SEC
JNCIS-SP
ACE PanOS 6 ACE PanOS 7
http://puluka.com/home
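
Added example, not part of the thread: a Python sketch of reading the `show security flow session` output suggested above to tell whether source and destination NAT were applied, by comparing the In and Out wings of each session. The sample output is constructed (the thread's example addresses with made-up ports, interfaces and counters, and 10.20.20.1 assumed as the real server behind the destination NAT), and the line layout is assumed to follow the usual Junos format.

```python
import re

# Constructed sample modelled on "show security flow session" output.
# Ports, interfaces, counters and the real-server address are assumptions.
SAMPLE = """\
Session ID: 1001, Policy name: 33/5, Timeout: 1790, Valid
  In: 10.30.20.1/40112 --> 10.30.20.10/6004;tcp, If: ge-0/0/1.0, Pkts: 4, Bytes: 240
  Out: 10.20.20.1/6004 --> 10.20.20.7/40112;tcp, If: ge-0/0/0.0, Pkts: 3, Bytes: 180
Session ID: 1002, Policy name: 33/5, Timeout: 1795, Valid
  In: 10.30.20.1/40113 --> 10.30.20.10/6004;tcp, If: ge-0/0/1.0, Pkts: 2, Bytes: 120
  Out: 10.20.20.1/6004 --> 10.30.20.1/40113;tcp, If: ge-0/0/0.0, Pkts: 0, Bytes: 0
Total sessions: 2
"""

HEAD = re.compile(r"^Session ID:\s*(\d+),\s*Policy name:\s*([^,]+),")
WING = re.compile(r"^\s*(In|Out):\s+(\S+/\d+)\s+-->\s+(\S+/\d+);(\w+)")

def parse_sessions(text):
    """Return one dict per session that has both an In and an Out wing."""
    sessions, cur = [], None
    for line in text.splitlines():
        head = HEAD.match(line)
        if head:
            cur = {"id": int(head.group(1)), "policy": head.group(2).strip()}
            sessions.append(cur)
            continue
        wing = WING.match(line)
        if wing and cur is not None:
            # Store each wing as (source "addr/port", destination "addr/port").
            cur[wing.group(1).lower()] = (wing.group(2), wing.group(3))
    return [s for s in sessions if "in" in s and "out" in s]

def nat_applied(session):
    """Compare the wings: the Out wing is the reply direction after translation."""
    in_src, in_dst = session["in"]
    out_src, out_dst = session["out"]
    return {
        # Reply addressed to something other than the original client.
        "source_nat": out_dst != in_src,
        # Reply sent by something other than the address the client targeted.
        "destination_nat": out_src != in_dst,
    }

def report(text):
    return {s["id"]: nat_applied(s) for s in parse_sessions(text)}

if __name__ == "__main__":
    for sid, result in report(SAMPLE).items():
        print(sid, result)
```

An empty result means the output contained no session at all, so the first thing to check is whether the security policy and route let the session be created, before looking at the NAT rule.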