SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  static source nat ?

    Posted 01-23-2012 14:32

    How can I do static source NAT using the [edit security nat static] sub-config mode?

    I see that the only matching condition for static NAT would be 'destination-address', and I understand that this rule is used for destination NAT with a connection initiated from the outside (untrust) zone.

    Furthermore, with a static destination NAT, would I still be able to initiate traffic from inside although no traffic has yet been started from outside to create the reverse static source NAT entry in the NAT table?

    Thanks in advance,



  • 2.  RE: static source nat ?

    Posted 01-23-2012 14:49

    Hi

     

    Static NAT is bidirectional, meaning both source and destination NAT. If you configure it so that traffic coming from the untrust zone to a public IP is translated to a private IP (destination NAT), then when traffic is initiated from the private IP address to go outside it will automatically take that public IP (source NAT); you just have to configure the proper firewall policy for that private IP address from trust to untrust.

     

    HTH



  • 3.  RE: static source nat ?

    Posted 01-23-2012 14:51

    Thanks for your reply.

     

    What about source NAT with address shifting? I see it's also a one-to-one mapping of private/public IPs. Would that be another solution?



  • 4.  RE: static source nat ?

    Posted 01-23-2012 15:50

    I believe there has been a confusion here...

    PLEASE check the attached snapshot I caught from the Juniper JNCIS-SEC fast track program.

    Traffic initiated from the private IP address would not be automatically translated with a destination static NAT rule; it's only for the return flow of a session?



  • 5.  RE: static source nat ?

    Posted 01-24-2012 04:31

    Hi

     

    I believe if you configure static NAT, it is bidirectional.



  • 6.  RE: static source nat ?

    Posted 01-24-2012 06:55

    Static is bidirectional as stated above.

    It is a bit confusing, but the context and using a destination address is different from the concept of destination-nat. There's more to it, but think of destination-nat as a unidirectional static mapping, with a lot of extra policy-based options for things like port-mapping etc. It's usually used for public services, or more generically what we'd think of as untrust->trust, but that's not actually a limitation (or requirement), just where its strengths tend to shine.



  • 7.  RE: static source nat ?
    Best Answer

    Posted 01-24-2012 07:16

    Hi

     

    Just to make sure which public IP address the traffic from the private IP takes: from the private IP machine, initiate some traffic to the internet, like ping -t 4.2.2.2. Now on the firewall, run the below command to see which public IP this private IP is taking.

     

    show security flow session source-prefix <Private IP>

     

    HTH
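    A worked configuration for the bidirectional static NAT behaviour discussed in this thread, added here as an example and not taken from any of the posts. The addresses (RFC 5737 documentation range), the interface ge-0/0/0.0, the zone names trust/untrust and the rule, address-book and policy names are all placeholders.

```junos
# Added example, not from the thread. Placeholder addressing:
#   public  203.0.113.10 reachable via ge-0/0/0.0 (zone untrust)
#   private 192.168.1.10 in zone trust
# The static rule matches on destination-address for untrust-initiated
# sessions, but the same one-to-one mapping is applied in reverse to
# sessions the private host initiates, so no separate source NAT rule
# is needed.
set security nat static rule-set static-rs from zone untrust
set security nat static rule-set static-rs rule web-srv match destination-address 203.0.113.10/32
set security nat static rule-set static-rs rule web-srv then static-nat prefix 192.168.1.10/32

# Let the SRX answer ARP for the public address on the untrust interface
# (needed when 203.0.113.10 is in the interface subnet but is not the
# interface's own address).
set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.10/32

# Address-book entry for the private host, attached to the trust zone.
set security zones security-zone trust address-book address web-srv-priv 192.168.1.10/32

# Inbound policy: destination-address is matched after static NAT, so the
# policy refers to the private address. Publish only the application you
# intend to expose rather than "any".
set security policies from-zone untrust to-zone trust policy in-web match source-address any
set security policies from-zone untrust to-zone trust policy in-web match destination-address web-srv-priv
set security policies from-zone untrust to-zone trust policy in-web match application junos-http
set security policies from-zone untrust to-zone trust policy in-web then permit

# Outbound policy: this is the "proper policy from trust to untrust" the
# thread mentions. Without it the host cannot initiate sessions at all,
# regardless of NAT.
set security policies from-zone trust to-zone untrust policy out-web match source-address web-srv-priv
set security policies from-zone trust to-zone untrust policy out-web match destination-address any
set security policies from-zone trust to-zone untrust policy out-web match application any
set security policies from-zone trust to-zone untrust policy out-web then permit

# Verification, after the private host initiates traffic (e.g. ping 4.2.2.2):
# the In wing should show 192.168.1.10 -> 4.2.2.2 and the Out wing
# 4.2.2.2 -> 203.0.113.10, confirming the static rule acted as source NAT.
run show security flow session source-prefix 192.168.1.10
run show security nat static rule all
```

    The session output is the definitive check: if the Out wing still shows the private address, look first at the trust-to-untrust policy and then at whether the rule-set's from zone matches the ingress zone.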



  • 8.  RE: static source nat ?

    Posted 01-24-2012 08:03

    Thank you guys 🙂