SRX Services Gateway
Contributor
jodros
Posts: 38
Registered: 11-23-2009

nat-control on SRX240 running 9.6R2.11

I'll start by saying I am a JUNOS noob, but fairly proficient in IOS. There is a command called nat-control on the Cisco ASA platform that prevents any permitted packet from traversing the firewall unless the packet also matches a NAT rule. This command is a global command on the ASA. I am trying to determine if there is a similar command (or commands) that will accomplish the same layered security on the SRX. If there is not a global command to enable "nat-control" within JUNOS, is there something within the security policy context? I saw a permit destination-address drop-untranslated option and tried this configuration, but it did not accomplish what I need. I also understand that if you create a source NAT from trust to untrust with source 0.0.0.0/0 and destination 0.0.0.0/0, there should not be any way for a packet to traverse from trust to untrust without IP translation. However, I still would like the firewall to drop any packets trying to traverse from one security zone to another if the packet is not matching a NAT rule.

Let me know if I need to be more specific or provide basic configs.

Thanks in advance.

____________
CCNP - GCFW
Contributor
jodros
Posts: 38
Registered: 11-23-2009

Re: nat-control on SRX240 running 9.6R2.11

Haven't gotten a hit yet, so I thought I would provide a bit more info on what I am trying to accomplish. Below is the scenario I would like help configuring on the Juniper SRX. I am able to configure this same scenario on a Cisco ASA.

Matches Security Policy   Matches NAT Rule   Firewall Action
No                        No                 Drop packet
Yes                       No                 Drop packet
No                        Yes                Drop packet
Yes                       Yes                Pass packet

Any assistance with this issue would be appreciated.

Thanks in advance.

____________
CCNP - GCFW
Recognized Expert
wimclend
Posts: 275
Registered: 04-03-2009

Re: nat-control on SRX240 running 9.6R2.11

I believe there is an option in the policy to 'drop-untranslated' -- that sounds like it might be what you are looking for.

Contributor
jodros
Posts: 38
Registered: 11-23-2009

Re: nat-control on SRX240 running 9.6R2.11

Thanks for the reply wimclend. I thought the "drop-untranslated" option under the permit in a security policy would be what I was looking for as well. However, it is only an option for destination NAT. I was looking for something that would work with source NAT, destination NAT or static NAT. I tried using it anyway just to see, but it did not provide the results I need. I appreciate you replying.

____________
CCNP - GCFW
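For readers following the two pieces discussed so far (a catch-all source NAT rule for trust-to-untrust, and the drop-untranslated option on an inbound policy), here is a constructed Junos set-command sketch of both, added as an illustration and not posted by anyone in the thread or taken from Juniper documentation. Zone, pool and rule names and the addresses are assumptions, and the `#` lines are reader notes rather than configuration; as the thread states, drop-untranslated only acts on destination NAT, so this is not a global nat-control equivalent.

```junos
# Source NAT: every trust-to-untrust flow is translated to the egress interface
# address, so nothing leaves this one zone pair untranslated.
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule nat-everything match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule nat-everything match destination-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule nat-everything then source-nat interface

# Destination NAT for one inbound service (assumed names; 203.0.113.10 is an RFC 5737
# documentation address standing in for the public IP, 192.168.1.10 for the server).
set security nat destination pool web-server address 192.168.1.10/32
set security nat destination rule-set untrust-to-trust from zone untrust
set security nat destination rule-set untrust-to-trust rule to-web match destination-address 203.0.113.10/32
set security nat destination rule-set untrust-to-trust rule to-web then destination-nat pool web-server

# Outbound policy: a plain permit. The thread found no policy option that makes
# this permit depend on the source NAT rule above having matched.
set security policies from-zone trust to-zone untrust policy allow-out match source-address any
set security policies from-zone trust to-zone untrust policy allow-out match destination-address any
set security policies from-zone trust to-zone untrust policy allow-out match application any
set security policies from-zone trust to-zone untrust policy allow-out then permit

# Inbound policy: drop-untranslated discards sessions whose destination address was
# not rewritten by a destination NAT rule; it says nothing about source or static NAT.
set security policies from-zone untrust to-zone trust policy allow-web match source-address any
set security policies from-zone untrust to-zone trust policy allow-web match destination-address any
set security policies from-zone untrust to-zone trust policy allow-web match application junos-http
set security policies from-zone untrust to-zone trust policy allow-web then permit destination-address drop-untranslated
```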
Contributor
jodros
Posts: 38
Registered: 11-23-2009

Re: nat-control on SRX240 running 9.6R2.11

Does anyone else know if there is a comparable command in JUNOS to "nat-control" on Cisco ASA?

Thanks

____________
CCNP - GCFW
Contributor
lightxx
Posts: 17
Registered: 08-18-2010

Re: nat-control on SRX240 running 9.6R2.11

Have you ever found a solution for this?

Funny, I come from exactly the same background as you and I miss the exact same feature. :)

Contributor
jodros
Posts: 38
Registered: 11-23-2009

Re: nat-control on SRX240 running 9.6R2.11

@lightxx -

Sorry I have not replied sooner. We did not choose the SRX as our corporate firewall, so I do not know if there is newer code that adds this feature. But at the time of my POC, a suitable "nat-control" feature on the SRX was not available.

Thanks

____________
CCNP - GCFW
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.