SRX

  • 1.  Source Nat to secondary IP

    Posted 11-30-2011 04:12

    Hi all

    Does anyone know if the SRX can do Source NAT to a secondary IP?

    I have a situation where my untrust interface has a private address on it, 10.107.0.9/29. Currently the Untrust interface connects directly to an EXTERNAL switch, where all the external routers also connect. The external routers all have a private address in the /29 range.

    The ISP has given us an INTERNET router with a public /29 and wants us to connect the router to the EXTERNAL switch.

    My question is: if I load a secondary IP on the untrust interface, can I do Source NAT to the secondary IP for internet access?

    My other option is to run VLANs on the untrust interface, but then the ISPs all need to change their routers to the correct VLAN... This could take long...

    The other option is to plug the INTERNET router directly into the FW... Problem solved... But I'm not sure the client wants it this way.

    Any thoughts on SOURCE NAT to the secondary IP would be appreciated.

    Scotty!!!!!


  • 2.  RE: Source Nat to secondary IP

    Posted 11-30-2011 04:45

    Hi all

    I have an SRX210 on my desk... I've uploaded this config... My question is: using this config, will source NAT use the 41.10.10.x interface to go out to the NET??


    root# show |no-more
    ## Last changed: 2011-11-30 20:32:01 UTC
    version 11.1R2.3;
    system {
        root-authentication {
            encrypted-password "$1$vN5ZUdBj$gr/d4BgahDFYn9LEDiF0B."; ## SECRET-DATA
        }
        name-server {
            208.67.222.222;
            208.67.220.220;
        }
        services {
            ssh;
            telnet;
            xnm-clear-text;
            web-management {
                http {
                    interface vlan.0;
                }
                https {
                    system-generated-certificate;
                    interface vlan.0;
                }
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 10.10.10.1/24;
                    address 41.10.10.1/29 {
                        primary;
                        preferred;
                    }
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family inet {
                    address 30.30.30.1/24;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 41.10.10.2;
        }
    }
    protocols {
        stp;
    }
    security {
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 30.30.30.0/24;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        zones {
            security-zone trust {
                interfaces {
                    ge-0/0/1.0;
                }
            }
            security-zone untrust {
                interfaces {
                    ge-0/0/0.0;
                }
            }
        }
    }

    [edit]
    root#



  • 3.  RE: Source Nat to secondary IP
    Best Answer

    Posted 11-30-2011 06:03

    Try NAT to a pool, not the interface.


    set security nat source pool LAN address 41.10.10.1/32

    set security nat source rule-set source-nat from zone trust
    set security nat source rule-set source-nat to zone untrust
    set security nat source rule-set source-nat rule r1 match source-address 30.30.30.0/24
    set security nat source rule-set source-nat rule r1 then source-nat pool LAN
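    The pool-based variant from the set commands above, expanded into the Junos hierarchy form as an added example (not from the thread). It assumes the address, zone and interface names from post 2, and adds the trust-to-untrust security policy that the posted configuration does not contain; without it the SRX default deny-all policy drops the traffic before source NAT is applied.

```junos
# Added example, not from the thread: pool-based source NAT to the
# secondary ISP address, plus the policy the posted config lacks.
security {
    nat {
        source {
            pool LAN {
                # Pool address is the interface's own secondary address,
                # so no proxy-arp entry is needed for it.
                address {
                    41.10.10.1/32;
                }
            }
            rule-set source-nat {
                from zone trust;
                to zone untrust;
                rule r1 {
                    match {
                        source-address 30.30.30.0/24;
                    }
                    then {
                        source-nat {
                            pool {
                                LAN;
                            }
                        }
                    }
                }
            }
        }
    }
    policies {
        # Default policy on SRX is deny-all; without this permit the flow
        # is dropped before source NAT is applied.
        from-zone trust to-zone untrust {
            policy permit-out {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
```

    If the pool instead uses an address from the public /29 that is not configured on ge-0/0/0.0 itself, it also needs a proxy-arp entry (set security nat proxy-arp interface ge-0/0/0.0 address <address>/32) so the ISP router can resolve it.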



  • 4.  RE: Source Nat to secondary IP

    Posted 11-30-2011 10:05

    OK super - I'll give it a try.