SRX

This is junos 12.1r3

I have a strange problem where static nat from outbound-public to inbound internal works fine.

But the same host going outbound doesnt get the same public ip, instead it always gets the egress interface of the public ip.   The public ip is part of the egress interface in addtion with a /30 to the isp on the external interface.

The outbound source nat on egress gets hit, but not the static.

I know the static is correct since outbound to in works fine. (it is not setup as destination nat)
 (I can ssh to the host from outside, but if i ssh back out, it comes from the egress /30 ip that does peering with isp)

security - nat

        source {
            rule-set outbound-nat {
                description "all outbound nat to egress interface";
                from zone [ db network qa web ];
                to zone untrust-abovenet;
                rule outboundall {
                    description "source outbound nat for all";
                    match {
                        source-address [ 10.1.20.0/23 10.1.80.0/23 10.1.60.0/23 ];
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }

static

                rule test-rule {
                    match {
                        destination-address 208.184.xx.xx/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                10.1.20.216/32;
                            }
                        }
                    }
                }

set security nat source address-persistent

Hello,

SRX static NAT does not work with "destination-address" match.

Please re-configure a static NAT rule with match on "source-address".

This is because static NAT is 1:1 NAT and software needs to know what single source to translate to Your static NAT /32 prefix. 

HTH

Thanks

Alex

Lyndidon:

I tried address-persistent option, It is still behaving the same way.

aarseniev:

I dont follow your source match nat, I understand there is a source nat to a pool of one, I can do that.

But there is no static nat source-match option

kpanchal@srx-cluster# ...set abovenet-nats rule ws-abovenet match ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> destination-address  Destination address
> destination-address-name  Address from address book
> destination-port     Destination port

I had a jtac case opened, they eventually pin pointed to the problem after getting tier2 support.

For anyone else having the same type of zones/vr like I do.

You must have in your static nat rule specified the proper routing instance of default!

If you specify any other routing instance including the vr it wont work!

If you specify no routing instance it will not work!

Of course each case varies, so in other cases you may need the routing instance your-vr-router;

in my case it was like so

rule test-rule {
                    match {
                        destination-address 208.184.x.x/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                10.1.20.216/32;
                                routing-instance default;
                            }
                        }
                    }
                }

Hope it helps someone in the future.

Thanks much for posting!

I ended up needing to add the routing instance of the interface that the nat was directed to.

ie: reth3.110 was part of the "trust-vr" routing instance

So I ended up setting my nat like:

set security nat static rule-set ISP1-NAT rule 16_X_X_X match destination-address 16.X.X.X/32
set security nat static rule-set ISP1-NAT rule 16_X_X_X then static-nat prefix 172.31.10.18/32
set security nat static rule-set ISP1-NAT rule 16_X_X_X then static-nat prefix routing-instance trust-vr

(hardware is a J6350 running Junos  11.4)