SRX Services Gateway
Visitor
sd65745

destination nat help

How can I configure destination NAT with SRX?

The key is that the interface's address is dynamic (by PPPoE), not static. So can I use the interface address to translate the destination address? How can I configure it?

It is easy for ScreenOS, but not for Junos.

Super Contributor
mehdi

Re: destination nat help

hello

I don't have any experience regarding SRX, but I have found some links:

http://www.juniper.net/techpubs/software/junos-es/junos-es92/junos-es-swconfig-security/understandin...
CLI configuration SRX NAT destination example

http://www.juniper.net/techpubs/software/junos-es/junos-es92/junos-es-swconfig-security/cli-configur...

Hope that helps you.

**If this reply solved your problem click on Kudos **
Kind Regards
http://www.linkedin.com/in/mkhitmane
personal mail: mehdi.khitmane@gmail.com
Visitor
sd65745

Re: destination nat help

Thanks Mehdi,

I think I can configure the destination NAT with SRX, but there is a problem.

user@host# set security nat destination rule-set rs2 rule r1 match destination-address 1.1.1.1

When I want to match the destination-address, how can I? My interface's address is assigned by DHCP, and the syntax does not allow me to match the interface.

I think there is another way to complete it.

Contributor

Re: destination nat help

Here come my 50 cents.

This is the dst-NAT rule; destination is any:

[edit security nat destination]
lab@srx# show
pool trust-192_168_100_2 {
    address 192.168.100.2/32;
}
rule-set on_pp0 {
    from interface pp0.0;
    rule 1 {
        match {
            destination-address 0.0.0.0/0;
            destination-port 80;
        }
        then {
            destination-nat pool trust-192_168_100_2;
        }
    }
}

This is the policy, including the "drop-untranslated" statement, which prevents you from forwarding unwanted ports and addresses:

[edit security policies from-zone untrust to-zone trust]
lab@srx# show
policy on_pp0 {
    match {
        source-address any;
        destination-address 192.168.100.0-24;
        application any;
    }
    then {
        permit {
            destination-address {
                drop-untranslated;
            }
        }
    }
}

The address-book entry:

[edit security zones security-zone trust address-book]
lab@srx# show
address 192.168.100.0-24 192.168.100.0/24;

That works on my 210 testing device. Thanks for the challenge :-)

Regards,
Klaus

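As an added illustration (not code from the thread or from Junos), here is a small Python model of the flow Klaus's configuration produces: the destination-NAT rule-set is selected by ingress interface, so `destination-address 0.0.0.0/0` matches whatever address pp0.0 currently holds, and the policy's `drop-untranslated` statement then rejects anything that reaches 192.168.100.0/24 without having been rewritten. The `Packet` model and the address 203.0.113.10 (standing in for the current PPPoE address) are constructed for the example.

```python
# Added example: a simplified model of SRX destination NAT followed by policy lookup.
# It mirrors the thread's configuration; it is not Junos code.
import ipaddress
from dataclasses import dataclass, replace

# Constructed to match Klaus's rule-set "on_pp0" and policy "on_pp0".
NAT_RULE = {"from_interface": "pp0.0",
            "match_dst": ipaddress.ip_network("0.0.0.0/0"),
            "match_port": 80,
            "pool": ipaddress.ip_address("192.168.100.2")}
POLICY = {"dst": ipaddress.ip_network("192.168.100.0/24")}

@dataclass(frozen=True)
class Packet:
    ingress_if: str
    dst: str
    dport: int
    translated: bool = False  # set once destination NAT rewrote dst

def apply_destination_nat(pkt: Packet) -> Packet:
    """Destination NAT runs before the policy lookup. The rule-set is chosen by
    ingress interface, so the dynamic pp0.0 address never appears in the match."""
    if pkt.ingress_if != NAT_RULE["from_interface"]:
        return pkt
    if (ipaddress.ip_address(pkt.dst) in NAT_RULE["match_dst"]
            and pkt.dport == NAT_RULE["match_port"]):
        return replace(pkt, dst=str(NAT_RULE["pool"]), translated=True)
    return pkt

def policy_action(pkt: Packet, drop_untranslated: bool = True) -> str:
    """Policy untrust->trust, evaluated on the post-NAT destination: permit traffic
    to 192.168.100.0/24, but with drop-untranslated only NAT-rewritten sessions pass."""
    if ipaddress.ip_address(pkt.dst) not in POLICY["dst"]:
        return "deny"  # no policy match; default deny
    if drop_untranslated and not pkt.translated:
        return "drop-untranslated"
    return "permit"

def forward(pkt: Packet, drop_untranslated: bool = True) -> tuple:
    """Return (action, final destination address) for a packet entering the SRX."""
    nat = apply_destination_nat(pkt)
    return policy_action(nat, drop_untranslated), nat.dst

if __name__ == "__main__":
    # Constructed sample traffic arriving on the PPPoE interface.
    web = Packet("pp0.0", "203.0.113.10", 80)       # to the dynamic public address
    ssh_direct = Packet("pp0.0", "192.168.100.2", 22)  # aimed straight at the inside host
    print(forward(web))                                  # ('permit', '192.168.100.2')
    print(forward(ssh_direct))                           # ('drop-untranslated', '192.168.100.2')
    print(forward(ssh_direct, drop_untranslated=False))  # ('permit', '192.168.100.2')
```

The last two lines show the difference the `drop-untranslated` statement makes: without it, a packet that reaches the trust subnet untranslated would be permitted by the same policy.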
Visitor
sd65745

Re: destination nat help

It works! Thank you.