SRX Services Gateway
Contributor
jantkowiak
Accepted Solution

static nat in both directions?

Hi,

Configuring SRX240H w/ 9.6R1.13

If I have a static NAT entry configured from zone internet to zone private that translates destination 8.8.8.8 to private zone 10.0.0.8, will that automatically also set the source IP of traffic from 10.0.0.8 to 8.8.8.8 when passing in the opposite direction? I don't mean the return traffic on established inbound flows/sessions, I mean new outbound sessions/flows destined to anything in the internet zone.

If not, is there an easy way to make that happen, instead of configuring duplicate reverse-direction static NAT entries?

Thanks.

Distinguished Expert
rkim

Re: static nat in both directions?

Static NAT is bi-directional. That means that it will source-NAT for 10.0.0.8 to 8.8.8.8 as well regardless of which direction initiates the session.

-Richard

Contributor
jantkowiak

Re: static nat in both directions?

Thanks Richard.

Do you happen to know if the DNS ALG will also translate DNS replies against static NAT entries as well?

Ex: 10.0.0.7 does a query against an internet DNS server, and the reply is 8.8.8.8. Will the ALG automatically change that to 10.0.0.8 when it forwards the reply on to 10.0.0.7?

IOS static NAT does this...

Distinguished Expert
rkim

Re: static nat in both directions?

No, there is no NAT translation for DNS payload. So if the response says 8.8.8.8, this is what the client will receive.

-Richard

Contributor
layard

Re: static nat in both directions?

What about using destination NAT... is there a way to do reverse NAT with destination NAT?

I.e.:

I have 2 ISPs and I configured destination NAT like this:

20.20.20.20 port 80 to 10.10.10.10 port 80

30.30.30.30 port 80 to 10.10.10.10 port 80

I want the traffic coming in from 20.20.20.20 port 80 to go out through this IP's interface, and the same for the traffic coming in from 30.30.30.30 port 80.

LT
Distinguished Expert
rkim

Re: static nat in both directions?

The reply for traffic coming in from one ISP should match the existing session and not need to perform another route lookup. So this should work. If this is not working as expected, then I would suggest enabling flow traceoptions to see how the SRX is handling the traffic.

-Richard

Contributor
layard

Re: static nat in both directions?

Even if I configured destination NAT? It isn't working this way in my case.

http://forums.juniper.net/t5/SRX-Services-Gateway/Destination-NAT-with-differentes-ISP-on-SRX-240/td...

LT
Contributor
layard

Re: static nat in both directions?

I solved my problem already. The problem was that the interfaces were configured in different zones, and when it was trying to return the packet back I received a "zone mismatch" error (I saw it in a flowtrace file). This is something that doesn't happen on the SSG (almost sure).

My flowtrace file:

Dec 15 18:46:13 18:46:12.987602:CID-1:RT:  route lookup: dest-ip orig ifp reth2.0 output_ifp reth1.0 orig-zone 10 out-zone 9 vsd 2
Dec 15 18:46:13 18:46:12.987602:CID-1:RT:  Reject route in make_nsp_ready_no_resolve. zone mismatch

The traffic was not returning through the incoming interface.

Resource: http://kb.juniper.net/index?page=content&id=KB15545&smlogin=true

Regards,

Layard

LT
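
Added example (not written by any poster in this thread and not Juniper code): a small Python filter that pairs each `route lookup` line of a flow trace with a following `zone mismatch` reject, the pattern shown in the last post. The sample trace is constructed, its destination addresses are placeholders, and pairing a reject with the nearest preceding lookup is an assumption that holds for a trace filtered to a single flow.

```python
import re

# Constructed sample. Lines 1-2 are modelled on the trace quoted in the thread
# (with a placeholder destination address); line 3 is a made-up lookup that
# stays in one zone and must not be reported.
SAMPLE_TRACE = """\
Dec 15 18:46:13 18:46:12.987602:CID-1:RT:  route lookup: dest-ip 203.0.113.7 orig ifp reth2.0 output_ifp reth1.0 orig-zone 10 out-zone 9 vsd 2
Dec 15 18:46:13 18:46:12.987602:CID-1:RT:  Reject route in make_nsp_ready_no_resolve. zone mismatch
Dec 15 18:46:14 18:46:13.101200:CID-1:RT:  route lookup: dest-ip 203.0.113.9 orig ifp reth2.0 output_ifp reth2.0 orig-zone 10 out-zone 10 vsd 2
"""

# The destination address is optional so a line with the address stripped
# (as in the quoted trace) still parses.
ROUTE_RE = re.compile(
    r"route lookup: dest-ip\s+(?:(?P<dest>\S+)\s+)?orig ifp (?P<orig_ifp>\S+)\s+"
    r"output_ifp (?P<out_ifp>\S+)\s+orig-zone (?P<orig_zone>\d+)\s+"
    r"out-zone (?P<out_zone>\d+)"
)


def find_zone_mismatches(trace_text):
    """Return the route lookups that were followed by a zone-mismatch reject."""
    findings, last_lookup = [], None
    for line in trace_text.splitlines():
        match = ROUTE_RE.search(line)
        if match:
            last_lookup = match.groupdict()
        elif "zone mismatch" in line and last_lookup is not None:
            # Assumption: the reject belongs to the nearest preceding lookup,
            # which holds when the trace is filtered to a single flow.
            findings.append(last_lookup)
            last_lookup = None
    return findings


if __name__ == "__main__":
    for hit in find_zone_mismatches(SAMPLE_TRACE):
        print("return path left via {out_ifp} (zone {out_zone}) but the session "
              "arrived on {orig_ifp} (zone {orig_zone})".format(**hit))
```

Each reported entry names the ingress interface and zone next to the egress interface and zone chosen by the route lookup, which is the pair to compare against the zone assignment of the two ISP-facing interfaces.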