SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Static nat issue for same private ip in SRX 3600

    Posted 03-19-2015 09:45

    Hello All,

     

    I would like to know how to do static destination NAT for inbound traffic arriving on two different tunnel interfaces, destined to multiple public IPs but to be NATed to the same private IP.

     

     

    Please refer to the output below:

    admin@SF1_SRX# set security nat static rule-set ABC-MIP from interface st0.1 routing-instance trust-vr

    {primary:node0}[edit]
    admin@SF1_SRX# set security nat static rule-set ABC-MIP rule MIP match destination-address 203.17.67.62

    {primary:node0}[edit]
    admin@SF1_SRX# set security nat static rule-set ABC-MIP rule MIP then static-nat prefix 10.10.136.21

    {primary:node0}[edit]
    admin@SF1_SRX# set security nat proxy-arp interface st0.1 address 203.17.67.62

    {primary:node0}[edit]
    admin@SF1_SRX#

    {primary:node0}[edit]
    admin@SF1_SRX#

    {primary:node0}[edit]
    admin@SF1_SRX# set security nat static rule-set XYZ-MIP from interface st0.3 routing-instance trust-vr

    {primary:node0}[edit]
    admin@SF1_SRX# set security nat static rule-set XYZ-MIP rule MIP5 match destination-address 203.17.67.28

    {primary:node0}[edit]
    admin@SF1_SRX# set security nat static rule-set XYZ-MIP rule MIP5 then static-nat prefix 10.10.136.21

    {primary:node0}[edit]
    admin@SF1_SRX# set security nat proxy-arp interface st0.3 address 203.17.67.28

    {primary:node0}[edit]
    admin@SF1_SRX#

    {primary:node0}[edit]
    admin@SF1_SRX#

    {primary:node0}[edit]
    admin@SF1_SRX# COM
                   ^
    unknown command.
    admin@SF1_SRX# commit
    [edit security nat static]
      'rule-set XYZ-MIP'
        rule-set XYZ-MIP and rule-set ABC-MIP have same context.
    error: configuration check-out failed

    {primary:node0}[edit]
    admin@SF1_SRX#

    Please help!!

     

     



  • 2.  RE: Static nat issue for same private ip in SRX 3600

     
    Posted 03-19-2015 22:07

    Hi Vis_for_good,

     

    We cannot do this, as static NAT is a one-to-one mapping. But we can achieve this using separate source NAT and destination NAT rules. Below is a sample configuration you can try.

     

    root@SRX> show configuration security nat
    source {
        pool Pool1 {
            address {
                203.17.67.62/32;
            }
        }
        pool Pool2 {
            address {
                203.17.67.28/32;
            }
        }
        rule-set 1 {
        from zone trust; ----> Zone from where the traffic originates. Please change it as per your config
            to interface st0.1;
            rule One {
                match {
                    source-address 10.10.136.21/32;
                }
                then {
                    source-nat {
                        pool {
                            Pool1;
                        }
                    }                       
                }
            }
        }
        rule-set 2 {
        from zone trust; ----> Zone from where the traffic originates. Please change it as per your config
            to interface st0.3;
            rule Two {
                match {
                    source-address 10.10.136.21/32;
                }
                then {
                    source-nat {
                        pool {
                            Pool2;
                        }
                    }
                }
            }
        }
    }
    destination {
        pool Pool1 {
            address 10.10.136.21/32;        
        }
        rule-set 1 {
            from routing-instance trust-vr;
            rule 1 {
                match {
                    destination-address 203.17.67.28/32;
                }
                then {
                    destination-nat {
                        pool {
                            Pool1;
                        }
                    }
                }
            }
            rule 2 {
                match {
                    destination-address 203.17.67.62/32;
                }
                then {
                    destination-nat {
                        pool {
                            Pool1;          
                        }
                    }
                }
            }
        }
    }

    root@SRX> show configuration security nat | display set
    set security nat source pool Pool1 address 203.17.67.62/32
    set security nat source pool Pool2 address 203.17.67.28/32
    set security nat source rule-set 1 from zone trust
    set security nat source rule-set 1 to interface st0.1
    set security nat source rule-set 1 rule One match source-address 10.10.136.21/32
    set security nat source rule-set 1 rule One then source-nat pool Pool1
    set security nat source rule-set 2 from zone trust
    set security nat source rule-set 2 to interface st0.3
    set security nat source rule-set 2 rule Two match source-address 10.10.136.21/32
    set security nat source rule-set 2 rule Two then source-nat pool Pool2
    set security nat destination pool Pool1 address 10.10.136.21/32
    set security nat destination rule-set 1 from routing-instance trust-vr
    set security nat destination rule-set 1 rule 1 match destination-address 203.17.67.28/32
    set security nat destination rule-set 1 rule 1 then destination-nat pool Pool1
    set security nat destination rule-set 1 rule 2 match destination-address 203.17.67.62/32
    set security nat destination rule-set 1 rule 2 then destination-nat pool Pool1

     

     

    Thanks,

    Suraj

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too



  • 3.  RE: Static nat issue for same private ip in SRX 3600

    Posted 03-19-2015 23:24

    Thanks Suraj. I will apply the config and get back to you with result. 🙂



  • 4.  RE: Static nat issue for same private ip in SRX 3600

    Posted 03-20-2015 00:12

    Hi Suraj,

     

    There is a requirement for one more NAT on the same SRX. But when I configure it, I get the same context error. Please refer to the configuration applied and the error below:

    set security nat source pool Pool1 address 203.17.67.62/32
    set security nat source pool Pool2 address 203.17.67.28/32

    set security nat source rule-set 1 from zone VAS_SMS
    set security nat source rule-set 1 to interface st0.1
    set security nat source rule-set 1 rule One match source-address 10.10.136.21/32
    set security nat source rule-set 1 rule One then source-nat pool Pool1
    set security nat source rule-set 2 from zone VAS_SMS
    set security nat source rule-set 2 to interface st0.3
    set security nat source rule-set 2 rule Two match source-address 10.10.136.21/32
    set security nat source rule-set 2 rule Two then source-nat pool Pool2

    set security nat destination pool Pool1 address 10.10.136.21/32

    set security nat destination rule-set 1 from routing-instance trust-vr
    set security nat destination rule-set 1 rule 1 match destination-address 203.17.67.28/32
    set security nat destination rule-set 1 rule 1 then destination-nat pool Pool1
    set security nat destination rule-set 1 rule 2 match destination-address 203.17.67.62/32
    set security nat destination rule-set 1 rule 2 then destination-nat pool Pool1

    set security nat source pool Pool3 address 203.17.67.72/32
    set security nat source pool Pool4 address 203.17.67.38/32

    set security nat source rule-set 3 from zone VAS_SMS
    set security nat source rule-set 3 to interface st0.1
    set security nat source rule-set 3 rule One match source-address 10.10.136.22/32
    set security nat source rule-set 3 rule One then source-nat pool Pool3
    set security nat source rule-set 4 from zone VAS_SMS
    set security nat source rule-set 4 to interface st0.3
    set security nat source rule-set 4 rule Two match source-address 10.10.136.22/32
    set security nat source rule-set 4 rule Two then source-nat pool Pool4

    set security nat destination pool Pool2 address 10.10.136.22/32

    set security nat destination rule-set 2 from routing-instance trust-vr
    set security nat destination rule-set 2 rule 1 match destination-address 203.17.67.38/32
    set security nat destination rule-set 2 rule 1 then destination-nat pool Pool2
    set security nat destination rule-set 2 rule 2 match destination-address 203.17.67.72/32
    set security nat destination rule-set 2 rule 2 then destination-nat pool Pool2

    {primary:node0}[edit]
    admin@HCSF1_SRX# commit check
    [edit security nat destination]
      'rule-set 2'
        rule-set 2 and rule-set 1 have same context.
    error: configuration check-out failed

    {primary:node0}[edit]
    admin@HCSF1_SRX#



  • 5.  RE: Static nat issue for same private ip in SRX 3600
    Best Answer

     
    Posted 03-20-2015 02:03

    Hi Vis_for_good,

     

    This error is expected because rule-sets 1 and 2 use the same match condition "from routing-instance trust-vr".

    In this case keep only one rule-set, and create multiple rules as I mentioned in my sample configuration.

     

    I have used only one rule-set, but 2 rules are . In the same way, create 4 rules under rule-set 1 and delete rule-set 2.

    destination {
        pool Pool1 {
            address 10.10.136.21/32;        
        }
        rule-set 1 {
            from routing-instance trust-vr;
            rule 1 {
                match {
                    destination-address 203.17.67.28/32;
                }
                then {
                    destination-nat {
                        pool {
                            Pool1;
                        }
                    }
                }
            }
            rule 2 {
                match {
                    destination-address 203.17.67.62/32;
                }
                then {
                    destination-nat {
                        pool {
                            Pool1;          
                        }
                    }
                }
            }
        }
    }

     

    Thanks,

    Suraj

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too
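A small pre-commit lint for the "same context" error in this thread, added here as an example and not code from the thread or from Juniper: it reads NAT lines in "display set" form, collects each rule-set's from/to context, flags rule-sets of the same NAT type whose context is identical, and checks that the merged form recommended above passes. The sample config and the MERGED rewrite are constructed from the thread's addresses; the check is a simplification of the Junos commit check, not a reimplementation of it.

```python
import re
from collections import defaultdict
from itertools import combinations

# Constructed sample: the thread's destination NAT rule-sets in "display set" form; rule-set 2 reuses rule-set 1's context.
CONFLICTING = """\
set security nat destination pool Pool1 address 10.10.136.21/32
set security nat destination pool Pool2 address 10.10.136.22/32
set security nat destination rule-set 1 from routing-instance trust-vr
set security nat destination rule-set 1 rule 1 match destination-address 203.17.67.28/32
set security nat destination rule-set 1 rule 1 then destination-nat pool Pool1
set security nat destination rule-set 2 from routing-instance trust-vr
set security nat destination rule-set 2 rule 1 match destination-address 203.17.67.38/32
set security nat destination rule-set 2 rule 1 then destination-nat pool Pool2
"""

# The fix from the reply: drop rule-set 2 and carry its rule into rule-set 1 (constructed).
MERGED = "\n".join(
    line.replace("rule-set 2 rule 1", "rule-set 1 rule 3")
    for line in CONFLICTING.splitlines()
    if not line.endswith("rule-set 2 from routing-instance trust-vr")
)

# Only "rule-set NAME from|to ..." lines define a rule-set's context.
CONTEXT_RE = re.compile(r"^set security nat (\S+) rule-set (\S+) (from|to)((?: \S+ \S+)+)$")


def rule_set_contexts(config):
    """Map (nat-type, rule-set) -> frozenset of (direction, kind, value) terms."""
    contexts = defaultdict(set)
    for line in config.splitlines():
        m = CONTEXT_RE.match(line.strip())
        if not m:
            continue  # pools, match and then statements do not affect the context
        nat_type, name, direction, rest = m.groups()
        tokens = rest.split()  # e.g. ["interface", "st0.1", "routing-instance", "trust-vr"]
        for kind, value in zip(tokens[::2], tokens[1::2]):
            contexts[(nat_type, name)].add((direction, kind, value))
    return {key: frozenset(terms) for key, terms in contexts.items()}


def same_context_conflicts(config):
    """Return (nat-type, rule-set A, rule-set B) for rule-sets of one NAT type whose
    from/to context is identical, the case Junos rejects at commit."""
    ctx = rule_set_contexts(config)
    return [(t1, n1, n2) for (t1, n1), (t2, n2) in combinations(sorted(ctx), 2)
            if t1 == t2 and ctx[(t1, n1)] == ctx[(t2, n2)]]


if __name__ == "__main__":
    for label, cfg in (("as posted", CONFLICTING), ("merged", MERGED)):
        print(label + ":", same_context_conflicts(cfg) or "no same-context rule-sets")
```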

     

     



  • 6.  RE: Static nat issue for same private ip in SRX 3600

    Posted 03-22-2015 05:48

    Hi,

     

    Do we need to configure proxy-arp for NAT as below?

     

    set security nat proxy-arp interface st0.2 address 203.17.67.28/32

    set security nat proxy-arp interface st0.2 address 203.17.67.62/32

     

     

    Thanks !!



  • 7.  RE: Static nat issue for same private ip in SRX 3600

     
    Posted 03-22-2015 06:41

    Proxy-arp is required only if your st0 interfaces are also on the same subnet as 203.17.67.28 and 203.17.67.62.

     

    Thanks,

    Suraj