Hi,

I think you could accomplish this with some Double NAT. 

1. Source NAT From 172.16.10.0/24 ---> Translate to 192.168.10.0/26 range or something in this range.

2. Destination NAT from 192.168.10.0/26 ---> Translate to 192.168.100.1

3. Proxy ARP on the interface exiting to the 192.168.100.1 server for 172.16.10.0/24 range

See the below for example on Page 11:

http://kb.juniper.net/library/CUSTOMERSERVICE/technotes/Junos_NAT_Examples.pdf

Hello Dear,

The example shown  in above link i did'nt understood can u explore more on that example, Only what  i understood is the below source NAT and i didnt understood destination NAT!!!!

from source NAT:

any source comes to go any destination from trust to untrust should go by the pool specified.

But i have found something on the internet which matches my scenario just confirm to me i m on the right path and my below configs are correct according to the details provided.

EXTRANET SUBNETS (THE IP'S WHICH ARE GOING TO ACCESS THE INSIDE SERVERS)
172.16.10.0/24

INSIDE SERVER REAL IP
192.168.1.1/32

SERVER ACCEPTS ONLY THIS SOURCE POOL BECZ CONSTRAINT BY THE APPLICATION
192.168.2.1 TO 192.168.2.254

DESTINATION NAT VIRTUAL IP
192.168,100.1

source {
pool intermediate-net {
address {
192.168.2.0/24
}
port no-translation;
}
rule-set nat-example {
from zone extranet;
to zone internal ;
rule double-nat-source {
match {
source-address 172.16.10.0/24;
}
then {
source-nat pool intermediate-net;

                   }
           }
      }
}
destination {
pool trust-net {
address 192.168.1.1/32;
}
rule-set nat-example {
from zone extranet;
rule double-nat-dest {
match {
destination-address 192.168.100.1/32;
}
then {
destination-nat pool trust-net;
                      }
               }
         }
}

 IF the configs are not correct please write a config for me according to above details of the servers IP's

THANKS

Hopefully something like this below will work:

EXTRANET SUBNETS (THE IP'S WHICH ARE GOING TO ACCESS THE INSIDE SERVERS)
172.16.10.0/24

INSIDE SERVER REAL IP
192.168.1.1/32

SERVER ACCEPTS ONLY THIS SOURCE POOL BECZ CONSTRAINT BY THE APPLICATION
192.168.2.1 TO 192.168.2.254

DESTINATION NAT VIRTUAL IP
192.168,100.1

 

source {
    pool intermediate-net {
        address {
            192.168.2.0/24;
        }
    port no-translation;
    
    }
    rule-set nat-example {
        from zone extranet;
        to zone internal ;
            rule double-nat-source {
                match {
                    source-address 172.16.10.0/24;
                }
                then {
                    source-nat pool intermediate-net;


                   }
           }
      }
}
destination {
    pool trust-net {
        address 192.168.1.1/32;
        }

    rule-set nat-example {
        from zone extranet;
            rule double-nat-dest {
                match {
                    destination-address 192.168.100.1/32;
                }
                then {
                    destination-nat pool trust-net;
                              }
                       }
         }
}

Thanks  Dear,

I will sure do the below, and update the thread.

• But i have some question  that there is no such matching keyword that is calling destination NAT from source NAT for example in Cisco routers the route map is calling the access-list 110, so i m assuming the same with juniper.

access-list 110 permit ip any any

route-map permit external 10

match access-list 110

set ip next-hop 192.168.X.X

• How is the evaluation of  the NATTING in SRX as such with Cisco it checks 1st static and then etc etc, so what is the procedure for evaluating natting in srx if packets arrives the interface.
• In Cisco i have a packet-tracer command to troubleshoot the packet which is failing to get in to firewall or exiting the firewall, it shows me the certain steps that where the packet is failing for example in access-list or in natting, or becz of routing, so any such command in juniper same as cisco packet tracer.

Thanks for ur replies.

The upper solution double NAT  doesn't work, how i can trace the packet , on which step it is drop ????

Can anybody answer to me the above answers.

Hi,

I have modified the config above as I feel It was slightly wrong,  Destination and Static NAT happen before Source.

All the monitoring and translation monitoring you can find here:

"show security flow session match <network-prefix> "is best for viewing NAT and also

"show security nat <source/destination> all  ( this will show you the translation hits)

http://www.juniper.net/us/en/local/pdf/app-notes/3500151-en.pdf

Thanks dear ,

I will apply the configs and update the thread,

But these are the same according to what i have written in my previous mail.And also i wrote by the help of the attached document before.

Tx

The order of NAT PRocessing: Static NAT --> Destination NAT --> Reverse Static NAT --> Source NAT

• 172.16.10.0/24 attempts connection to 192.168.100.1

• We are matching on the Destination Address so traffic is translated toward 192.168.1.1 by Destination NAT

• Next is Source NAT so we are matching on the Source address which is 172.16.10.0/24 and translating this source address to 192.168.2.0/24