11-23-2009 01:46 PM
I'll start by saying I am a JUNOS noob, but fairly proficient in IOS. There is a command called nat-control on the Cisco ASA platform that prevents any permitted packet from traversing the firewall unless the packet also matches a NAT rule. This command is a global command on the ASA. I am trying to determine if there is a similar command (or commands) that will accomplish the same layered security on the SRX. If there is not a global command to enable "nat-control" within JUNOS, is there something within the security policy context? I saw a permit destination-address drop-untranslated and tried this configuration, but it did not accomplish what I need. I also understand that if you create a source NAT from trust to untrust with source 0.0.0.0/0 and destination 0.0.0.0/0, there should not be any way for a packet to traverse from trust to untrust without IP translation. However, I still would like the firewall to drop any packets trying to traverse from one security zone to another if the packet does not match a NAT rule.
Let me know if I need to be more specific or provide basic configs.
Thanks in advance.
11-24-2009 07:24 AM
I haven't gotten a hit yet, so I thought I would provide a bit more info on what I am trying to accomplish. Below is the scenario I would like help configuring on the Juniper SRX. I am able to configure this same scenario on a Cisco ASA.

Matches Security Policy | Matches NAT Rule | Firewall Action
------------------------|------------------|----------------
No                      | No               | Drop packet
Yes                     | No               | Drop packet
No                      | Yes              | Drop packet

Any assistance with this issue would be appreciated.
Thanks in advance.
11-25-2009 05:04 AM
Thanks for the reply, wimclend. I thought the "drop-untranslated" option under the permit in a security policy would be what I was looking for as well. However, it is only an option for destination NAT. I was looking for something that would work with source NAT, destination NAT or static NAT. I tried using it anyway just to see, but it did not provide the results I need. I appreciate you replying.
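For readers following the thread, here is an added example (not configuration posted by anyone in the thread) of the two Junos constructs discussed above: the catch-all source NAT rule-set from trust to untrust that the original post describes, and the drop-untranslated option on a destination-NAT policy that the reply above tried. Zone names, the rule-set and policy names, and the 10.1.1.0/24 server subnet are assumed for illustration. As the thread states, neither construct is a global nat-control equivalent: the source NAT rule-set only translates traffic in the trust-to-untrust direction it covers, and drop-untranslated only affects sessions whose destination NAT lookup fails.

```junos
security {
    nat {
        source {
            /* Every session from trust to untrust matches this rule, so no
               trust-to-untrust packet leaves without source translation. */
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule nat-all {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy permit-out {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            /* Inbound policy: only sessions whose destination address was
               rewritten by a destination NAT rule are permitted; sessions
               that hit this policy without a translation are dropped. This
               covers destination NAT only, not source or static NAT. */
            policy inbound-dnat-only {
                match {
                    source-address any;
                    destination-address servers-10-1-1-0;
                    application any;
                }
                then {
                    permit {
                        destination-address {
                            drop-untranslated;
                        }
                    }
                }
            }
        }
    }
}
```

The servers-10-1-1-0 address-book entry (assumed here to be 10.1.1.0/24 under the trust zone) must already be defined, and a matching destination NAT rule-set from zone untrust is needed for any inbound session to be translated at all; without one, drop-untranslated drops every session that reaches the policy.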
04-21-2011 06:33 AM
Sorry I have not replied sooner. We did not choose the SRX as our corporate firewall, so I do not know if there is newer code that adds this feature. But at the time of my POC, a suitable "nat-control" feature on the SRX was not available.