Screen OS

  • 1.  Using DIP in a Different Subnet

    Posted 10-05-2014 09:46

    Hello!

    Can anybody explain how to adapt ScreenOS NAT (DIP in a different subnet) to Junos?

    For example, in ScreenOS:

     

    set interface ethernet1/1 ext ip 221.119.248.1 255.255.252.0 dip 8 221.119.251.0 221.119.251.254 fix-port

     

    For Junos:  ???

     

    So far, it has just dawned on me that I need source NAT in Junos, where 221.119.251.0 221.119.251.254 is the source NAT pool.

    What is the reason for ext ip 221.119.248.1 255.255.252.0 here (and how do I apply it to Junos)?

     

     



  • 2.  RE: Using DIP in a Different Subnet

    Posted 10-05-2014 10:04

    The DIP is replaced by a nat pool.  The translation itself no longer occurs with the security policy but as a separate nat rule.

     

    Nat examples

    http://kb.juniper.net/InfoCenter/index?page=content&id=TN81

     

    Page 4 you would create the pool

     

    Page 6 you create the rule for use of the pool in source nat

     

    Remember that you do need a security policy that permits the specific traffic in addition to the nat rule.  But they are no longer the same rule.



  • 3.  RE: Using DIP in a Different Subnet

    Posted 10-05-2014 10:34

    Steve,

    I have understood that:

    - NAT rule and security policy should be created separately;

    - here source NAT with pool (221.119.251.0 221.119.251.254)

     

     

    set interface ethernet1/1 ext ip 221.119.248.1 255.255.252.0 dip 8 221.119.251.0 221.119.251.254 fix-port

     

    And what about this IP address 221.119.248.1 255.255.252.0 (external IP for interface ethernet1/1, secondary IP)?

    For Junos, what does this entry mean?

     

     



  • 4.  RE: Using DIP in a Different Subnet

    Posted 10-05-2014 10:46

    Nat Pool

     

    [edit security nat source]
    set pool src-nat-pool-1 address 221.119.251.0/32 to 221.119.251.254/32

     Nat Rule

     

    [edit security nat source]
    set rule-set rs1 from zone trust
    set rule-set rs1 to zone untrust
    set rule-set rs1 rule r1 match source-address 0.0.0.0/0
    set rule-set rs1 rule r1 match destination-address 0.0.0.0/0
    set rule-set rs1 rule r1 then source-nat pool src-nat-pool-1

     Substitute a specific IP address range for the source-address if the translation is limited to only a certain subnet in the trust zone.  This rule will apply to all addresses from the trust zone to the untrust zone.

     

    Security policy

     

    [edit security policies from-zone trust to-zone untrust]
    set policy internet-access match source-address any destination-address any application any
    set policy internet-access then permit

     Substitute specific addresses and ports in both the trust and untrust zones as needed.  This rule permits all traffic from any IP address on any port.

     

    If your address pool were in the SAME subnet as the external interface you would also need to add proxy arp.  But you specify here that the address pool is an extended range.  Naturally, the routing for this subnet must send the traffic to the SRX or the return traffic for the NAT address will never hit the SRX.

     



  • 5.  RE: Using DIP in a Different Subnet

    Posted 10-05-2014 11:12
    Thanks for the detailed answer!
    I would like to clarify everything before the end of.
     
     
    Are these two entries in ScreenOS the same for Junos?
     
     
    1) set interface ethernet1/1 ip 221.119.248.1 255.255.252.0 secondary
        set int ethernet1/1 ext ip 221.119.248.1 255.255.252.0 dip 8 221.119.251.0 221.119.251.254
        set policy id 1 from trust to untrust any any any nat src dip-id 8 permit
     
    2) set int ethernet1/1 dip 8 221.119.251.0 221.119.251.254
        set policy id 1 from trust to untrust any any any nat src dip-id 8 permit
     
     
     
    * If in the same subnet, I'm using proxy-arp.


  • 6.  RE: Using DIP in a Different Subnet
    Best Answer

    Posted 10-06-2014 06:22

    Since your ScreenOS has this as a secondary ip address, you will need to add this ip address to your SRX interface to duplicate the configuration.  With SRX you are not limited to just two addresses but can have more.

     

    Add the keyword "primary" to the first address.

     

    In this case you will need to add the proxy arp statement since the subnet is configured as a secondary ip address on the interface.
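    A complete Junos equivalent of the ScreenOS lines discussed in this thread, as an added example that is not part of any reply above: it combines the pool, rule-set and policy from reply 4 with the secondary address and proxy-arp from reply 6. The interface name ge-0/0/1, its zone membership and the primary address 192.0.2.1/24 are assumptions (the thread never shows the original primary address); the ScreenOS fix-port keyword is represented by "port no-translation" on the pool.

```junos
# Added example: Junos "set" commands mirroring the ScreenOS lines from the thread.
# Interface ge-0/0/1 and the primary address 192.0.2.1/24 are placeholders;
# the thread only shows the secondary address 221.119.248.1/22.

# 1. Interface: keep the original primary address, add the ScreenOS secondary
#    (ScreenOS: set interface ethernet1/1 ip 221.119.248.1 255.255.252.0 secondary)
set interfaces ge-0/0/1 unit 0 family inet address 192.0.2.1/24 primary
set interfaces ge-0/0/1 unit 0 family inet address 221.119.248.1/22
set security zones security-zone untrust interfaces ge-0/0/1.0

# 2. Source NAT pool replacing DIP 8; "port no-translation" mirrors ScreenOS fix-port
#    (ScreenOS: ... dip 8 221.119.251.0 221.119.251.254 fix-port)
set security nat source pool src-nat-pool-1 address 221.119.251.0/32 to 221.119.251.254/32
set security nat source pool src-nat-pool-1 port no-translation

# 3. Proxy ARP: the pool lies inside 221.119.248.0/22, the subnet of the secondary
#    address, so the SRX must answer ARP for the pool addresses on that interface
set security nat proxy-arp interface ge-0/0/1.0 address 221.119.251.0/32 to 221.119.251.254/32

# 4. NAT rule: translation is no longer part of the policy (ScreenOS "nat src dip-id 8")
set security nat source rule-set rs1 from zone trust
set security nat source rule-set rs1 to zone untrust
set security nat source rule-set rs1 rule r1 match source-address 0.0.0.0/0
set security nat source rule-set rs1 rule r1 match destination-address 0.0.0.0/0
set security nat source rule-set rs1 rule r1 then source-nat pool src-nat-pool-1

# 5. Security policy: still required separately to permit the traffic
set security policies from-zone trust to-zone untrust policy internet-access match source-address any
set security policies from-zone trust to-zone untrust policy internet-access match destination-address any
set security policies from-zone trust to-zone untrust policy internet-access match application any
set security policies from-zone trust to-zone untrust policy internet-access then permit
```

    After commit, "show security nat source pool all" and "show security nat source rule all" confirm that the pool and rule are active, and the translation hit counters there show whether traffic is actually using them.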



  • 7.  RE: Using DIP in a Different Subnet

    Posted 10-06-2014 07:13

    Clear! Thank you a lot!