SRX

Hi

It seem that static nat isn't bidirectional when set up between virtual routers on the SRX. Incoming NAT works as expected, but outgoing nat doesn't happen when the natted host is inside the VR. The result is that the host is reachable from the outside, but isn't able to initiate outbound connections, unless a source nat is set up.

I have a simple lab setup:

My untrust zone is in the master instance.

My trust zone is in a separate instance

All routes is leaked between between the master and trust instance

From untrust I have a static nat:

rsh@srx-kas-01> show configuration security nat static                   
rule-set halloej {
    from zone untrust;
    rule testeting {
        match {
            destination-address 123.123.49.116/32;
        }
        then {
            static-nat {
                prefix {
                    172.22.30.10/32;
                }
            }
        }
    }
}

172.22.30.10 lives inside my VR, but isn't translated for outgoing traffic.

Source nat from the VR works just fine, but this shouldn't be needed, as static NAT is supposed to override all other types of NAT.

Behaviour is the same in both 12.1X46-D20.5 and 11.4R9.4

Is this a limitation, it a bug, or just me doing something wrong?

/Ralf

Hello ,

Can you try giving  "routing-instance Virtual-Router" in the static NAT rule :

rsh@srx-kas-01> show configuration security nat static                   
rule-set halloej {
    from zone untrust;
    rule testeting {
        match {
            destination-address 123.123.49.116/32;
        }
        then {
            static-nat {
                prefix {
                    172.22.30.10/32 routing-instance VR; 
                }
            }
        }
    }
}

Thanks,

That did the trick