SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Configuring a nonat on SRX?

    Posted 08-14-2013 10:49

    Ok, I'm looking around the forums and doing a web search to try to find a nonat setup for Juniper. Mainly a SRX. Everything I've run into so far isn't exactly what I'm looking for. I thought I'd post this as I continue to look.

     

    I have external routers and devices that are outside the primary firewall. Currently that's a Cisco ASA. That device has a setup for nonat access to go to the devices on the outside. Maybe a bit clearer - I have to authenticate the security and network teams to those devices. I do this via Radius. When they are going to log into these devices they do not get NAT'd at all. The external devices are allowing IP blocks (private IP) to talk directly to them from our internal network. So, if you're not in that range of IPs you can't even traverse the firewall to attempt to login. The ASA is set up to not NAT IPs from specific networks when going to one of the external devices.

     

    Is it possible to do this on an SRX? I tried to submit the code on the ASA to the i2j converter but it didn't convert that part of the config. I'll continue to dig around to find an answer. If you have an example or a link it would be very helpful!



  • 2.  RE: Configuring a nonat on SRX?
    Best Answer

    Posted 08-14-2013 20:05

    Hi ds1602,

     

    This is pretty simple on the SRX - for NAT exceptions, just add "off" to a specific rule.  Here's an example for source-nat:

     

        nat {
            source {
                rule-set INTERNET-SNAT {
                    from zone TRUST;
                    to zone INTERNET;
                    /* Exception rule: listed first so it is matched before the catch-all */
                    rule NO-NAT {
                        match {
                            source-address 200.12.34.0/24;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                /* "off" disables source NAT for flows matching this rule */
                                off;
                            }
                        }
                    }
                    /* Catch-all: everything else is translated to the egress interface address */
                    rule INTERNET-TRAFFIC {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }

     
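    As an added illustration, not part of the answer above: the SRX walks the rules of a source NAT rule-set top-down and applies the first match, so the NO-NAT rule only works because it sits above the catch-all. This constructed Python model of the rule-set replays two flows and reports whether a NAT-off rule would be shadowed if the order were reversed. Rule names and prefixes are taken from the answer; the helper names and the egress address 203.0.113.1 are hypothetical.

    ```python
    import ipaddress

    # Constructed model of the answer's rule-set, in the order the SRX evaluates it.
    RULE_SET = [
        {"name": "NO-NAT", "src": "200.12.34.0/24", "dst": "0.0.0.0/0", "action": "off"},
        {"name": "INTERNET-TRAFFIC", "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "action": "interface"},
    ]


    def match_rule(rules, src_ip, dst_ip):
        """Return the first rule whose source and destination prefixes contain the flow."""
        src = ipaddress.ip_address(src_ip)
        dst = ipaddress.ip_address(dst_ip)
        for rule in rules:
            if src in ipaddress.ip_network(rule["src"]) and dst in ipaddress.ip_network(rule["dst"]):
                return rule
        return None  # no rule matched: the flow leaves without source NAT


    def translated_source(rules, src_ip, dst_ip, egress_ip):
        """Source address the destination sees after the rule-set is applied."""
        rule = match_rule(rules, src_ip, dst_ip)
        if rule is None or rule["action"] == "off":
            return src_ip  # NAT exception (or no match): original address preserved
        if rule["action"] == "interface":
            return egress_ip  # interface NAT: rewritten to the egress interface address
        raise ValueError(f"unsupported action {rule['action']!r}")


    def shadowed_exceptions(rules):
        """List (rule, earlier_rule) pairs where a NAT-off rule can never be reached
        because an earlier rule already covers all of its source and destination space."""
        shadowed = []
        for i, rule in enumerate(rules):
            if rule["action"] != "off":
                continue
            src = ipaddress.ip_network(rule["src"])
            dst = ipaddress.ip_network(rule["dst"])
            for earlier in rules[:i]:
                if src.subnet_of(ipaddress.ip_network(earlier["src"])) and \
                        dst.subnet_of(ipaddress.ip_network(earlier["dst"])):
                    shadowed.append((rule["name"], earlier["name"]))
                    break
        return shadowed


    if __name__ == "__main__":
        for flow in (("200.12.34.10", "198.51.100.5"), ("10.0.0.5", "198.51.100.5")):
            print(flow, "->", translated_source(RULE_SET, *flow, "203.0.113.1"))
        print("shadowed if reversed:", shadowed_exceptions(list(reversed(RULE_SET))))
    ```

    The same shadowing check is worth running mentally whenever a new catch-all rule is added above an existing exception in a live rule-set.
    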



  • 3.  RE: Configuring a nonat on SRX?

    Posted 08-15-2013 05:08

    I'll have to put that to test today. Thanks for the quick response!

     

    [added]

    Tested today....works perfectly!