SRX Services Gateway
Visitor
lookingspicy
Posts: 6
Registered: 03-19-2012
0

Static Nat Help

I am trying to configure static NAT on an SRX 240.

10.2.8.0/24 (trust) --------- (10.2.8.1) SRX240 (10.2.4.1/29) ---------------- ex4500 -------- 10.2.1.0/29 - 10.2.2.0/29 - 10.2.3.0/29

I want to NAT all traffic onto a single IP, 10.2.4.3, whether it originates from untrust or trust. Is it possible? If it is possible, then how...

I tried to configure it like this:

set security nat static rule-set static-nat from interface ge-0/0/0.0
set security nat static rule-set static-nat rule static-nat match destination-address 10.2.8.0/24
set security nat static rule-set static-nat rule static-nat then static-nat prefix 10.2.4.3/24
set security nat proxy-arp interface ge-0/0/0.0 address 10.2.8.0/24

set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone trust to-zone trust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone trust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone trust policy trust-to-untrust match application any
set security policies from-zone trust to-zone trust policy trust-to-untrust then permit
set security policies from-zone untrust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone untrust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone untrust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone untrust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone untrust to-zone trust policy trust-to-untrust match source-address any
set security policies from-zone untrust to-zone trust policy trust-to-untrust match destination-address any
set security policies from-zone untrust to-zone trust policy trust-to-untrust match application any
set security policies from-zone untrust to-zone trust policy trust-to-untrust then permit

Recognized Expert
JunOS_Fan
Posts: 241
Registered: 02-13-2012
0

Re: Static Nat Help

Hi,

Which is the ge-0/0/0 interface? Could you please explain the setup and requirements in detail?

If you are looking for hairpinning NAT, the following KB19400 should help you.

Best regards
Pradeep (JNCIP-SEC,ENT,SP)
www.networker.co.in
Distinguished Expert
Screenie
Posts: 1,083
Registered: 01-10-2008
0

Re: Static Nat Help

As far as I can see you want destination NAT back into the same network where you're coming from. That can work, but the route back is screwing things up. The destination device has a route directly back to the source. So the SRX sees the initial SYN, but never the SYN-ACK. The best way to solve such a situation is to also source NAT the traffic behind the interface. This way the server "sees" the traffic coming from the firewall and will send return traffic to the firewall. The firewall will then send it back to the original source.

If I'm right, you should see a session in your traffic log with a lifetime of 20 seconds and close reason age-out. 20 seconds is the default time to wait for a SYN-ACK when a session is created on a SYN.

The bad way to solve such a problem is to disable SYN checking. Good for a test, but a very bad idea for an operational firewall.

Best regards,

Screenie.
Juniper Ambassador,
JNCIA IDP AC WX JNCIS FW SSL JNCIP SEC ENT SP JNCI

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
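To make the hairpin fix described in the reply above concrete, here is an added example configuration. It is not the poster's config, nor KB19400's, nor anything from Juniper; it assumes ge-0/0/0.0 is the trust interface (10.2.8.1/24), ge-0/0/1.0 is the untrust interface (10.2.4.1/29), an internal server at 10.2.8.10 (a constructed address) is published on 10.2.4.5/32 (also constructed; deliberately an address that is not an interface address and not the VRRP virtual address), and the zone names trust and untrust as used in the thread. The static NAT mapping is bidirectional, so one mapping serves clients on untrust and the hairpin clients inside trust; the source NAT rule is what stops the server from replying straight to the client and bypassing the SRX.

```junos
## Added example, not the poster's config. Assumptions: ge-0/0/0.0 = trust (10.2.8.1/24),
## ge-0/0/1.0 = untrust (10.2.4.1/29), server 10.2.8.10 published as 10.2.4.5 (constructed).

## 1. Static NAT 10.2.4.5 <-> 10.2.8.10. One rule-set per ingress zone so that both
##    untrust clients and trust (hairpin) clients hit the mapping; rule names are kept
##    unique across rule-sets.
set security nat static rule-set from-untrust from zone untrust
set security nat static rule-set from-untrust rule srv-untrust match destination-address 10.2.4.5/32
set security nat static rule-set from-untrust rule srv-untrust then static-nat prefix 10.2.8.10/32
set security nat static rule-set from-trust from zone trust
set security nat static rule-set from-trust rule srv-trust match destination-address 10.2.4.5/32
set security nat static rule-set from-trust rule srv-trust then static-nat prefix 10.2.8.10/32

## 2. Answer ARP for the published address on the untrust segment, where it is not an
##    interface address. Proxy ARP belongs on the interface whose subnet contains the
##    NAT address, not on the inside interface.
set security nat proxy-arp interface ge-0/0/1.0 address 10.2.4.5/32

## 3. The hairpin fix. Trust-to-trust flows aimed at the server are source-NATed to the
##    trust interface address (10.2.8.1). Source NAT rules match the destination after
##    static NAT has translated it, hence 10.2.8.10 here rather than 10.2.4.5. The server
##    now replies to the SRX, the SRX sees the SYN-ACK, and the session completes with
##    SYN checking left enabled.
set security nat source rule-set hairpin from zone trust
set security nat source rule-set hairpin to zone trust
set security nat source rule-set hairpin rule hairpin-srv match source-address 10.2.8.0/24
set security nat source rule-set hairpin rule hairpin-srv match destination-address 10.2.8.10/32
set security nat source rule-set hairpin rule hairpin-srv then source-nat interface

## 4. Intra-zone traffic through the SRX still needs a policy. The thread's any/any
##    trust-to-trust policy would cover it; this one is narrowed to the published server.
set security address-book global address srv-10-2-8-10 10.2.8.10/32
set security policies from-zone trust to-zone trust policy hairpin-to-srv match source-address any
set security policies from-zone trust to-zone trust policy hairpin-to-srv match destination-address srv-10-2-8-10
set security policies from-zone trust to-zone trust policy hairpin-to-srv match application any
set security policies from-zone trust to-zone trust policy hairpin-to-srv then permit
```

To check it, open a connection from a trust host to 10.2.4.5 and run `show security flow session destination-prefix 10.2.8.10`: with the source NAT rule in place the session should show the client's address translated to 10.2.8.1 and packets counted in both directions. Without it you see the symptom from the reply above, a session that only ever counts packets one way and ages out after the 20-second SYN-ACK wait. `show security nat source rule all` and `show security nat static rule all` show the per-rule translation hit counters.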
Visitor
lookingspicy
Posts: 6
Registered: 03-19-2012
0

Re: Static Nat Help

1- On all firewall interfaces, VRRP is configured. Virtual IP: 10.x.x.3

2- I want to perform static NAT as per the requirement.

3- If traffic is going in through Firewall A then it should go out through Firewall B.

4- Between A, B, C and D all traffic should pass through the L3 aggregation.

Required: static NAT configuration, and how the 3rd point can be implemented in this situation. Is it possible while doing static NAT or not?

Regards

Usman

Visitor
lookingspicy
Posts: 6
Registered: 03-19-2012
0

Re: Static Nat Help

Still looking for a good solution.

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.