1. Destination NAT same IP address facing the Internet.
PC:80 (web service) -------- SRX:80 (IP: x.x.x.x) ---------the Internet
I have a PC, and the SRX also has its service on port 80 turned on. After that, I configure destination NAT from
the untrust zone with IP x.x.x.x, which is the IP on the SRX facing the Internet, to the PC's address.
What happens when I type https://x.x.x.x in a web browser? I think it will access
PC:80 instead of SRX:80. Can anyone verify this for me?
No, when you use https: the port becomes 443 by default, not 80, in a web browser.
So the traffic will no longer hit your destination NAT rule.
If you have the web service enabled on the SRX on http, you will need to move it to a custom port before you can use destination NAT to forward 80 on the SRX address as well. You cannot have the same port on a single address sent to two devices.
2. Destination NAT range pool to range destination NAT IP
PC1, PC2, PC3 ---------- SRX --------- the Internet
My destination NAT pool is y.y.y.y/29 (representing PC1, PC2, PC3) and the destination NAT IP is x.x.x.x/29. When I do destination NAT from the untrust zone with x.x.x.x/29 to pool y.y.y.y/29, what happens?
There are a few possible situations, but I don't know which is true:
a. When I ping x.x.x.1 it maps to PC1, x.x.x.2 maps to PC2, etc.
b. When I ping x.x.x.x it also maps to PC1.
c. When I ping x.x.x.1 it maps randomly into y.y.y.y/29.
A - Destination NAT on a range passes block to block.
https://www.juniper.net/documentation/en_US/junos/topics/concept/nat-security-destination-understanding.html
Destination NAT allows connections to be initiated only for incoming network connections—for example, from the Internet to a private network. Destination NAT is commonly used to perform the following actions:
- Translate a single IP address to another address (for example, to allow a device on the Internet to connect to a host on a private network).
- Translate a contiguous block of addresses to another block of addresses of the same size (for example, to allow access to a group of servers).
- Translate a destination IP address and port to another destination IP address and port (for example, to allow access to multiple services using the same IP address but different ports).
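The block-to-block case the answer points at, as an added example (not from the thread and not the Juniper documentation's own example): a single rule matching the whole /29 on the Internet side translates it to the /29 the PCs live in, host by host, so the first usable address of the public block reaches the first PC, the second reaches the second, and so on. The prefixes 203.0.113.8/29 (public) and 10.0.0.8/29 (PC side), the zone names, the interface ge-0/0/0.0 and the pool, rule-set and policy names are assumptions for the example.

```junos
set security nat destination pool lan-pcs address 10.0.0.8/29
set security nat destination rule-set from-internet from zone untrust
set security nat destination rule-set from-internet rule block-29 match destination-address 203.0.113.8/29
set security nat destination rule-set from-internet rule block-29 then destination-nat pool lan-pcs
set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.9/32 to 203.0.113.14/32
set security zones security-zone trust address-book address lan-pcs-net 10.0.0.8/29
set security policies from-zone untrust to-zone trust policy allow-lan-pcs match source-address any
set security policies from-zone untrust to-zone trust policy allow-lan-pcs match destination-address lan-pcs-net
set security policies from-zone untrust to-zone trust policy allow-lan-pcs match application junos-ping
set security policies from-zone untrust to-zone trust policy allow-lan-pcs then permit
```

With this in place a ping to 203.0.113.9 is translated to 10.0.0.9 and a ping to 203.0.113.10 to 10.0.0.10, which is situation a. in the question; the mapping is positional, not random and not all-to-one. The proxy-arp line assumes the public /29 is routed to the SRX's interface but not configured on it; if the addresses are on the interface itself it is not needed. Restrict the policy's application list to what the PCs actually serve rather than leaving the whole block open, and confirm the translation with "show security nat destination rule all" and "show security flow session".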