10-10-2009 12:37 AM
Configuring SRX240H w/ 9.6R1.13
If I have a static nat entry configured from zone internet to zone private that translates destination 22.214.171.124 to private zone 10.0.0.8, will that automatically also set the source IP of traffic from 10.0.0.8 to 126.96.36.199 when passing in the opposite direction? I don't mean the return traffic on established inbound flows/sessions, I mean new outbound sessions/flows destined to anything in the internet zone.
If not, is there an easy way to make that happen, instead of configuring duplicate reverse-direction static nat entries?
Solved! Go to Solution.
10-11-2009 07:10 PM
Do you happen to know if the DNS ALG will also translate DNS replies against static nat entries as well?
ex: 10.0.0.7 does a query against an internet dns server, and the reply is 188.8.131.52, will the ALG automatically change that to 10.0.0.8 when it forwards the reply on to 10.0.0.7
IOS static nat does this...
12-09-2009 10:32 PM
What about using Destination nat.... is there a way to do reverse NAT with destination NAT ??
I have 2 ISP and i configure destination NAT like this:
184.108.40.206 port 80 to 10.10.10.10 port 80
220.127.116.11 port 80 to 10.10.10.10 port 80
I want that the traffic incoming from the 18.104.22.168 port 80 goes out to this IP interface, the same for the traffic incoming from 22.214.171.124 port 80
12-10-2009 08:29 PM
Reply for traffic coming in from one ISP should match existing session and not need to perform another route lookup. So this should work. If this is not working as expected, then I would suggest enabling flow traceoptions to see how the SRX is handling the traffic.
12-12-2009 07:32 PM
Even if i configured Destination NAT ?? it isn't working this way in my case.
12-18-2009 05:37 AM
I solve my problem already... , the problem was that the interfases were configured in different zones and when it was trying to return the package back i received a "zone missmatch error(i saw it in the a flowtrace file". This is something that doesn't happen on the SSG (almost sure).
my flowtrace file:
Dec 15 18:46:13 18:46:12.987602:CID-1:RT: route lookup: dest-ip orig ifp reth2.0 output_ifp reth1.0 orig-zone 10 out-zone 9 vsd 2
Dec 15 18:46:13 18:46:12.987602:CID-1:RT:
The traffic was not returning through the incoming interface.