i'll start by saying i am a JUNOS noob, but fairly proficient in IOS. there is a command called nat-control on the Cisco ASA platform that prevents any permitted packet from traversing the firewall unless the packet also matches a NAT rule. this command is a global command on the ASA. i am trying to determine if there is a similar command(s) that will accomplish the same layered security on the SRX. if there is not a global command to enable "nat-control" within JUNOS, is there something within the security policy context? i saw a permit destination-address drop-untranslated and tried this configuration, but it did not accomplish what I need. i also understand that if you create a source nat from trust to untrust with source 0.0.0.0/0 and destination 0.0.0.0/0, that there should not be anyway of a packet traversing from trust to untrust without IP translation. however, i still would like the firewall to drop any packets trying to traverse from one security zone to another if the packet is not matching a NAT rule.
let me know if i need to be more specific or provide basic configs.
thanks in advance.
____________
CCNP - GCFW
