Screen OS

  • 1.  src-NAT not working after upgrade from 6.2 to 6.3

    Posted 09-20-2014 20:23

    Hello,

    My SSG NAT was working while running ScreenOS 6.2.x. However, I have no idea what happened after upgrading to 6.3. Could you please advise what happened, and help trace where the problem is?

    I have referred to the manual:

    http://www.juniper.net/techpubs/software/screenos/screenos6.3.0/630_ce_AddressTranslation.pdf

    Background:

    My setup is a private IP range (192.168.20.x) running on VLAN 20. It will use NAT to access the Internet. There is no need to NAT from external to internal. There will be only one external IP in the untrust zone.

    -- Implement ---

    The NAT-src method will use the egress interface IP address (example: NAT-src without DIP) as shown on page 27.

    ----Here is the setup of the interfaces and NAT----

    # interface (trust)
    set interface "ethernet0/3.20" tag 20 zone "INT--NAT"
    set interface ethernet0/3.20 ip 192.168.20.1/24
    set interface ethernet0/3.20 nat

    # Interface (untrust)
    set interface "ethernet0/2" zone "Untrust2-zone"
    set interface ethernet0/2 ip 202.136.237.241/29
    set interface ethernet0/2 route

    # Policy (the second source address is added from inside the policy context)
    set policy id 197 from "INT-NAT" to "Untrust2-zone" "192.168.20.41 - pc01" "Any" "ANY" nat src permit
    set policy id 197
    set src-address "192.168.20.42 - pc02"
    exit

    Even now, the private IP range (192.168.20.x) is also not able to ping the other trust zones. Previously there was no policy set up from zone INT-NAT to the other trust zones.

    Thanks in advance.

  • 2.  RE: src-NAT not working after upgrade from 6.2 to 6.3
    Best Answer

    Posted 09-21-2014 05:38

    Your NAT policy is set up for only two PC addresses and not the whole subnet.

    The interface NAT option will only work if you have the default zone names of trust and untrust. Since your zones have custom names, the NAT option on the interface will not kick in:

    set interface ethernet0/3.20 nat

    You need to remove the two PC addresses from the NAT policy and use the subnet instead.

    For traffic within the zone "INT--NAT", make sure the option to block intrazone traffic is turned off.

    But if you have traffic between zone "INT--NAT" and another internal custom trust zone, that will require a policy.
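The configuration the answer describes, written out as an added example (not the poster's own config and not from the answer): policy-based source NAT for the whole 192.168.20.0/24 subnet, using the zone and interface names from the thread. The address-book entry name "net-192.168.20.0/24", the choice to delete and recreate policy 197, and the zone name "Trust" in the last policy are assumptions.

```screenos
# Address-book entry for the whole subnet in the custom zone (entry name is assumed)
set address "INT--NAT" "net-192.168.20.0/24" 192.168.20.0 255.255.255.0

# Policy-based source NAT to the egress interface IP (NAT-src without DIP).
# "set interface ethernet0/3.20 nat" only applies with the default trust/untrust
# zone names, so the "nat src" action on the policy is what does the translation.
# Recreating the policy replaces the two single-PC source addresses (assumed approach).
unset policy id 197
set policy id 197 from "INT--NAT" to "Untrust2-zone" "net-192.168.20.0/24" "Any" "ANY" nat src permit

# Let hosts inside INT--NAT reach each other: turn intrazone blocking off
unset zone "INT--NAT" block

# Traffic to another internal zone still needs an explicit policy (zone "Trust" assumed)
set policy from "INT--NAT" to "Trust" "net-192.168.20.0/24" "Any" "ANY" permit
```

Check the result with "get policy id 197" and "get zone INT--NAT" before saving; traffic should now leave ethernet0/2 sourced from 202.136.237.241.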