SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  source/destination nat on SRX vs ASA

    Posted 09-15-2015 03:57

    Hi All,

     

    On ASA, for hosting my web server I use either of the configurations below:

    Method1:

     

    object network DMZ-Webserver-Internal-IP
     host 192.168.200.1
     nat (DMZ,any) static DMZ-Webserver-External-IP

     

    Method2:

     

    nat (any,DMZ) source static any any destination static DMZ-Webserver-External-IP DMZ-Webserver-Internal-IP

     

    Basically, the first one is source NAT, which is bidirectional, whereas the second one is destination NAT; it works only if the traffic originates from outside.

     

    Coming to SRX:

     

    I could find the configuration examples for destination nat as below:

    set security nat destination rule-set untrust_vips rule DMZ_Test match destination-address 1.1.1.3/32
    set security nat destination rule-set untrust_vips rule DMZ_Test then destination-nat pool DMZ-Internal-IP

     

    Is there a way in SRX to create the NAT similar to the second method in ASA?

    Correction:

    Is there a way in SRX to create the NAT similar to the first method in ASA?

     

    Thanks for any inputs.

     

    Regards,

    Chandu



  • 2.  RE: source/destination nat on SRX vs ASA
    Best Answer

     
    Posted 09-15-2015 04:08

    Hello Chandu,

     

    This is the correct way of doing destination NAT in SRX (but it's not bidirectional). For bidirectional NAT we need to use static NAT, which is like one-to-one destination NAT and does source NAT also.



  • 3.  RE: source/destination nat on SRX vs ASA

    Posted 09-15-2015 04:18

    Thanks for the confirmation Sam.

     

    If possible, could you please provide the steps for the below scenario for a bidirectional static nat.

     

    Regards,

    Chandu



  • 4.  RE: source/destination nat on SRX vs ASA

    Posted 09-15-2015 04:24

    Correction in the main post:

    Is there a way in SRX to create the NAT similar to the first method in ASA?



  • 5.  RE: source/destination nat on SRX vs ASA

     
    Posted 09-15-2015 04:34

    Hello ,

     

    PFA :

     

    set security nat static rule-set untrust_vips rule DMZ_Test match destination-address 1.1.1.3/32
    set security nat static rule-set untrust_vips rule DMZ_Test then static-nat prefix 2.2.2.3/32



  • 6.  RE: source/destination nat on SRX vs ASA

    Posted 09-15-2015 04:32

    Hi Sam,

     

    This article is what I was looking for (at least I guess 🙂):

     

    http://www.juniper.net/documentation/en_US/junos12.2/topics/example/nat-security-static-single-address-translation-configuring.html

     

    But I've a question here:

    1. If the server 192.168.1.200/32 is trying to access the internet, will the source get translated to 1.1.1.200/32 or not?

     

    Regards,

    Chandu

     



  • 7.  RE: source/destination nat on SRX vs ASA

     
    Posted 09-15-2015 04:35

    Hello Chandu ,

     

    But I've a question here:

    1. If the server 192.168.1.200/32 is trying to access the internet, will the source get translated to 1.1.1.200/32 or not?

     

    > Yes, correct.
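
The static NAT discussed in this thread, written out as a complete configuration for the 1.1.1.200/32 and 192.168.1.200/32 pair from the question above. This is an added example, not configuration posted by anyone in the thread. The zone names (untrust, dmz), the interface ge-0/0/0.0, the address-book entry and the policy names are assumptions.

```junos
# Constructed example. Assumed names: zones "untrust" and "dmz",
# interface ge-0/0/0.0, address-book entry "web-server",
# policies "allow-web-in" and "allow-web-out".

# Static NAT: a rule-set needs a "from" context before it can commit.
# This single rule maps inbound destination 1.1.1.200 -> 192.168.1.200
# and, in reverse, outbound source 192.168.1.200 -> 1.1.1.200.
set security nat static rule-set untrust_vips from zone untrust
set security nat static rule-set untrust_vips rule DMZ_Test match destination-address 1.1.1.200/32
set security nat static rule-set untrust_vips rule DMZ_Test then static-nat prefix 192.168.1.200/32

# Needed only when 1.1.1.200 is in the same subnet as the untrust
# interface and is not configured on it: the SRX must answer ARP for it.
set security nat proxy-arp interface ge-0/0/0.0 address 1.1.1.200/32

# Policy lookup runs after the destination has been translated, so the
# inbound policy matches the real (internal) address, not 1.1.1.200.
set security address-book global address web-server 192.168.1.200/32
set security policies from-zone untrust to-zone dmz policy allow-web-in match source-address any destination-address web-server application [ junos-http junos-https ]
set security policies from-zone untrust to-zone dmz policy allow-web-in then permit

# Server-initiated traffic still needs its own policy. NAT being
# bidirectional does not open the firewall in the outbound direction.
set security policies from-zone dmz to-zone untrust policy allow-web-out match source-address web-server destination-address any application junos-https
set security policies from-zone dmz to-zone untrust policy allow-web-out then permit

# Operational-mode checks after commit:
#   show security nat static rule all
#   show security flow session source-prefix 192.168.1.200
```

In the flow session output, a session initiated by the server should show 1.1.1.200 as the translated address on the untrust side. Static NAT is evaluated before source NAT rule-sets, so an existing interface-based source NAT rule for the dmz zone does not override this mapping.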