SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Static nat not working

    Posted 10-02-2014 02:36

    Hi,

     

    I'm trying to get static nat working but I'm a bit lost at the moment. The configuration looks simple, but I can't figure out why it isn't working.

     

    The goal is for all outgoing traffic from 10.10.10.10 to get translated and look like it originates at 1.1.1.5.

     

    However, when traffic flows from 10.10.10.10 to the internet, it gets source NAT'ed to 1.1.1.2 instead. I can't figure out why, as I thought static NAT took precedence over source NAT. Any suggestions?

     

    Relevant configuration:

     

    > show configuration interfaces reth0
    redundant-ether-options {
        redundancy-group 1;
    }
    unit 0 {
        family inet {
            address 1.1.1.2/26 {
                preferred;
            }
            address 1.1.1.3/26;
            address 1.1.1.4/26;
            address 1.1.1.5/26;
        }
    }
    
    > show configuration security nat source
    rule-set trusted-to-internet {
        from zone trusted;
        to zone internet;
        rule trusted-nat {
            match {
                source-address 10.0.0.0/8;
                destination-address 0.0.0.0/0;
            }
            then {
                source-nat {
                    interface;
                }
            }
        }
    }
    
    > show configuration security nat static
    rule-set static-nat {
        from zone internet;
        rule mtaout {
            match {
                destination-address 10.10.10.10/32;
            }
            then {
                static-nat {
                    prefix {
                        1.1.1.5/32;
                    }
                }
            }
        }
    }
    
    > show configuration security policies from-zone trusted to-zone internet policy srv
    match {
        source-address servers;
        destination-address any;
        application any;
    }
    then {
        permit;
    }
    
    > show configuration security zones security-zone trusted address-book
    address servers 10.10.10.0/24;

     



  • 2.  RE: Static nat not working

    Posted 10-02-2014 04:26

    Hi,

    try this:

     

     

    > show configuration security nat source
    rule-set trusted-to-internet {
        from zone trusted;
        to zone internet;
        rule trusted-nat {
            match {
                source-address 10.0.0.0/8;
                destination-address 0.0.0.0/0;
            }
            then {
                static-nat {
                    prefix {
                        1.1.1.5/32;
                    }
                }
            }
        }
    }

     

    And you should also delete security nat static rule-set static-nat

     

     

     




  • 3.  RE: Static nat not working

    Posted 10-02-2014 04:34

    Hi,

     

    Thanks for your reply.

     

    However, your solution doesn't look correct to me. Won't that make everything in 10.0.0.0/8 look like it comes from 1.1.1.5?

     

    The point is that everything in 10.0.0.0/8 except 10.10.10.10 should translate into 1.1.1.2. Only 10.10.10.10 should get translated into 1.1.1.5.



  • 4.  RE: Static nat not working

    Posted 10-02-2014 04:44

    Btw, static-nat as shown in your example isn't a valid configuration syntax. Only source-nat is possible. I tested on 12.1X44-D35.5.



  • 5.  RE: Static nat not working
    Best Answer

    Posted 10-02-2014 05:24

    In the original config (first post), static-nat should look like this:

     

    > show configuration security nat static
    rule-set static-nat {
        from zone internet;
        rule mtaout {
            match {
                destination-address 1.1.1.5/32;
            }
            then {
                static-nat {
                    prefix {
                        10.10.10.10/32;
                    }
                }
            }
        }
    }
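
The difference between the two static rules in this thread, as an added example that is not part of any post: a simplified Python model of the lookup order (static NAT reverse mapping is checked before source NAT), applied to the original and the corrected rule. The function and constant names are hypothetical, and the addresses are taken from the configurations above.

```python
import ipaddress

# Values constructed from the thread's configuration.
INTERFACE_IP = "1.1.1.2"                                # preferred address on reth0
SOURCE_NAT_MATCH = ipaddress.ip_network("10.0.0.0/8")   # rule trusted-nat
ORIGINAL = {"match_destination": "10.10.10.10", "prefix": "1.1.1.5"}   # first post
CORRECTED = {"match_destination": "1.1.1.5", "prefix": "10.10.10.10"}  # best answer


def inbound_destination(dst, static_rule):
    """Forward direction: a packet arriving from the internet zone whose
    destination equals the rule's destination-address is rewritten to the prefix."""
    if ipaddress.ip_address(dst) == ipaddress.ip_address(static_rule["match_destination"]):
        return static_rule["prefix"]
    return dst


def outbound_source(src, static_rule):
    """Reverse direction: the static rule is consulted before source NAT.
    A packet whose source equals the static prefix leaves with the rule's
    destination-address; anything else falls through to interface source NAT."""
    addr = ipaddress.ip_address(src)
    if addr == ipaddress.ip_address(static_rule["prefix"]):
        return static_rule["match_destination"], "static-nat (reverse)"
    if addr in SOURCE_NAT_MATCH:
        return INTERFACE_IP, "source-nat interface"
    return src, "no translation"


def compare(hosts):
    """Return {host: (result with original rule, result with corrected rule)}."""
    return {h: (outbound_source(h, ORIGINAL), outbound_source(h, CORRECTED))
            for h in hosts}


if __name__ == "__main__":
    for host, (before, after) in compare(["10.10.10.10", "10.10.10.11"]).items():
        print(f"{host}: original -> {before}, corrected -> {after}")
    print("inbound to 1.1.1.5 ->", inbound_destination("1.1.1.5", CORRECTED))
```

With the original rule the private and public addresses are swapped, so 10.10.10.10 never matches the reverse mapping and falls through to interface source NAT, which is the 1.1.1.2 translation reported in the first post.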


  • 6.  RE: Static nat not working

    Posted 10-02-2014 05:46

    Ah... Thanks. It works now. 🙂