SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  destination nat help

    Posted 10-28-2009 02:24

    How can I configure destination NAT with SRX?

    The key is that the interface's address is dynamic (by PPPoE), not static. So can I use the interface address to translate the destination address, and how can I configure it?

    It is easy for ScreenOS, but not for Junos.




  • 2.  RE: destination nat help



  • 3.  RE: destination nat help

    Posted 10-28-2009 22:23

    Thanks Mehdi,

    I think I can configure the destination NAT with SRX, but there is a problem.

    user@host# set security nat destination rule-set rs2 rule r1 match destination-address 1.1.1.1

    When I want to match the destination-address, how can I? Because my interface's address is assigned by DHCP, and the syntax does not allow me to match the interface.

    I think there is another way to complete it.



  • 4.  RE: destination nat help
    Best Answer

    Posted 10-29-2009 07:37

    Here comes my 50 cent.

     

    This is the dst-NAT rule, destination is any:

     

    [edit security nat destination]
    lab@srx# show
    pool trust-192_168_100_2 {
        address 192.168.100.2/32;
    }
    rule-set on_pp0 {
        from interface pp0.0;
        rule 1 {
            match {
                destination-address 0.0.0.0/0;
                destination-port 80;
            }
            then {
                destination-nat pool trust-192_168_100_2;
            }
        }
    }
    
    

     

     

    This is the policy; include the "drop-untranslated" statement, which prevents you from forwarding unwanted ports and addresses:

     

     

    [edit security policies from-zone untrust to-zone trust]
    lab@srx# show
    policy on_pp0 {
        match {
            source-address any;
            destination-address 192.168.100.0-24;
            application any;
        }
        then {
            permit {
                destination-address {
                    drop-untranslated;
                }
            }
        }
    }

    The address-book entry:

     

    [edit security zones security-zone trust address-book]
    lab@srx# show
    address 192.168.100.0-24 192.168.100.0/24;

     

     

    That works on my 210 testing device. Thanks for the challenge 🙂

     

    Regards,

     

    Klaus
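
Added example, not part of the post above and not Juniper code: a simplified Python model of the evaluation order this configuration relies on (destination NAT first, then the policy lookup on the resulting address), showing what `drop-untranslated` changes. The function names and the sample address 203.0.113.7 are constructed for illustration.

```python
# Simplified model (an assumption, not Junos code) of the flow order used
# above: destination NAT is evaluated before the security policy lookup.
from ipaddress import ip_address, ip_network

POOL = ip_address("192.168.100.2")            # pool trust-192_168_100_2
POLICY_DST = ip_network("192.168.100.0/24")   # address-book entry 192.168.100.0-24

def dst_nat(ingress_if, dst_ip, dst_port):
    """rule-set on_pp0: from interface pp0.0, any destination, port 80."""
    if ingress_if == "pp0.0" and dst_port == 80:  # 0.0.0.0/0 matches any address
        return POOL, True
    return ip_address(dst_ip), False

def evaluate(ingress_if, dst_ip, dst_port, drop_untranslated=True):
    """Return (action, final destination) for an untrust-to-trust packet."""
    final_dst, translated = dst_nat(ingress_if, dst_ip, dst_port)
    if final_dst not in POLICY_DST:
        return "no match for policy on_pp0", str(final_dst)
    if drop_untranslated and not translated:
        # then permit destination-address drop-untranslated
        return "drop (untranslated)", str(final_dst)
    return "permit", str(final_dst)

if __name__ == "__main__":
    # Constructed packets; 203.0.113.7 stands in for whatever address PPPoE assigned.
    samples = [
        ("pp0.0", "203.0.113.7", 80),    # web request to the dynamic address
        ("pp0.0", "203.0.113.7", 22),    # other port: no NAT rule, no policy match
        ("pp0.0", "192.168.100.5", 22),  # addressed straight at the trust subnet
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(*pkt),
              "| without drop-untranslated:", evaluate(*pkt, drop_untranslated=False))
```

The third packet is the case the statement exists for: the policy's destination and `application any` would otherwise permit it, because nothing else in the policy ties the permit to the NAT rule.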

     



  • 5.  RE: destination nat help

    Posted 11-04-2009 21:05
    It works! Thank you.