Hi
It seems that static NAT isn't bidirectional when set up between virtual routers on the SRX. Incoming NAT works as expected, but outgoing NAT doesn't happen when the NATed host is inside the VR. The result is that the host is reachable from the outside, but isn't able to initiate outbound connections, unless a source NAT is set up.
I have a simple lab setup:
My untrust zone is in the master instance.
My trust zone is in a separate instance.
All routes are leaked between the master and trust instance.
From untrust I have a static NAT:
rsh@srx-kas-01> show configuration security nat static
rule-set halloej {
    from zone untrust;
    rule testeting {
        match {
            destination-address 123.123.49.116/32;
        }
        then {
            static-nat {
                prefix {
                    172.22.30.10/32;
                }
            }
        }
    }
}
172.22.30.10 lives inside my VR, but isn't translated for outgoing traffic.
Source NAT from the VR works just fine, but this shouldn't be needed, as static NAT is supposed to override all other types of NAT.
Behaviour is the same in both 12.1X46-D20.5 and 11.4R9.4.
Is this a limitation, is it a bug, or just me doing something wrong?
/Ralf