Visitor
geo555
Posts: 8
Registered: ‎10-02-2009

srx 210 with junos 9.6R1.13 static nat problem

Hi guys,

I have the following static nat configuration

        static {
            rule-set inside-to-outside {
                from interface fe-0/0/4.0;
                rule geopc {
                    match {
                        destination-address 192.168.253.4/32;
                    }
                    then {
                        static-nat prefix 10.96.0.153/32;
                    }
                }
            }
        }
        proxy-arp {
            interface fe-0/0/4.0 {
                address {
                    192.168.253.4/32;
                }
            }
        }
 
 
....
       from-zone untrust to-zone trust {
            policy permit_all {
                match {
                    source-address any;
                    destination-address geopc;  //geopc is 10.96.0.153
                    application any;
                }
                then {
                    permit;
                }
            }
        }

fe-0/0/4.0 is my outside interface which is bound to zone untrust and my pc is on the fe-0/0/2.0 interface which is bound to zone trust.
Although my pc has access to the outside world, the reverse is not working.
Do I need to do anything else?
thanks,
george
Distinguished Expert
Screenie
Posts: 1,073
Registered: ‎01-10-2008

Re: srx 210 with junos 9.6R1.13 static nat problem

Does the proxy-arp work? Does the pc where you try the connection on get an arp reply? If so, did you try to trace a session?

To set the trace:

set security flow traceoptions file my_trace
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter filter1 source-prefix <sourceip/32>

commit of course

To show the trace:

Operational mode:

show log my_trace

best regards,

Screenie.
Juniper Ambassador,
JNCIA IDP AC WX JNCIS FW SSL JNCIP SEC ENT SP JNCI

Recognized Expert
wimclend
Posts: 272
Registered: ‎04-03-2009

Re: srx 210 with junos 9.6R1.13 static nat problem

Can you try doing 'from zone untrust' instead of 'from interface fe-0/0/4'?

See if that works . . . although I don't see why it should matter if fe-0/0/4 is bound to untrust and traffic enters on that interface destined for your internal device.

Also -- not sure if what you pasted was your entire from-zone untrust to-zone trust policy list, but if it's not, make sure you put that permit_all rule before the default-deny rule.

Will

Visitor
geo555
Posts: 8
Registered: ‎10-02-2009

Re: srx 210 with junos 9.6R1.13 static nat problem

Actually the configuration is working; I had specified the wrong IP in geopc.

thanks to all who replied
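
An added example, not written by any poster in this thread: a Python check over `show configuration | display set` output that confirms the pieces discussed above agree, namely that a proxy-arp entry covers the public address and that a policy destination resolves to the translated address. The address-book line and its wrong value (10.96.0.135) are constructed, since the thread does not show them; `check_static_nat` and `net` are names chosen for this example.

```python
import ipaddress
import re

# Constructed sample in "show configuration | display set" form, modelled on
# the thread. The address-book line and its wrong host (.135) are assumptions.
SAMPLE = """\
set security nat static rule-set inside-to-outside from interface fe-0/0/4.0
set security nat static rule-set inside-to-outside rule geopc match destination-address 192.168.253.4/32
set security nat static rule-set inside-to-outside rule geopc then static-nat prefix 10.96.0.153/32
set security nat proxy-arp interface fe-0/0/4.0 address 192.168.253.4/32
set security zones security-zone trust address-book address geopc 10.96.0.135/32
set security policies from-zone untrust to-zone trust policy permit_all match destination-address geopc
set security policies from-zone untrust to-zone trust policy permit_all then permit
"""

def net(text):
    return ipaddress.ip_network(text, strict=False)

def check_static_nat(config):
    """Return findings for static NAT rules; an empty list means consistent."""
    rules, proxy, book, policy_dsts = {}, [], {}, []
    for line in config.splitlines():
        if m := re.search(r"nat static rule-set \S+ rule (\S+) match destination-address (\S+)", line):
            rules.setdefault(m[1], {})["public"] = net(m[2])
        elif m := re.search(r"nat static rule-set \S+ rule (\S+) then static-nat prefix (\S+)", line):
            rules.setdefault(m[1], {})["private"] = net(m[2])
        elif m := re.search(r"nat proxy-arp interface \S+ address (\S+)", line):
            proxy.append(net(m[1]))
        elif m := re.search(r"address-book address (\S+) (\S+)", line):
            book[m[1]] = net(m[2])
        elif m := re.search(r"policy \S+ match destination-address (\S+)", line):
            policy_dsts.append(m[1])
    findings = []
    for name, rule in rules.items():
        public, private = rule.get("public"), rule.get("private")
        if public is None or private is None:
            continue  # rule lacks its match or then clause; nothing to compare
        # The upstream device must get an ARP answer for the public address.
        if not any(public.subnet_of(p) for p in proxy):
            findings.append(f"rule {name}: no proxy-arp entry covers {public}")
        # Policy lookup sees the translated address, so it must be covered.
        if not any(d == "any" or (d in book and private.subnet_of(book[d]))
                   for d in policy_dsts):
            seen = {d: str(book.get(d, "undefined")) for d in policy_dsts}
            findings.append(f"rule {name}: no policy destination covers {private}; saw {seen}")
    return findings

print("\n".join(check_static_nat(SAMPLE)) or "consistent")
```

The check reads only the first address of a proxy-arp entry, so address ranges written with `to` are not expanded.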

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.