SRX Services Gateway

How to setup NAT or MIP on SRX series

‎07-01-2010 03:29 AM

Dear all,


I am a new member on this forum, and so far I have tried to learn how to configure it from the basics.

Here I would like to show the current situation:



We bought an old Juniper NS5GT from Juniper 5 years ago. This week we bought a Juniper SRX100 to replace the NS5GT.
We have a dedicated line 512kbps symmetrical provided by a local ISP and given 5 public addresses. Presently we are using the old Juniper NS5GT FireWall but it is going to be replaced by a new Juniper SRX100.
We want to configure the new Juniper SRX100 to perform the same tasks as the old Juniper NS5GT but found out that we cannot just copy the config file from old to new because the OS is different -  the old is Netscreen, the new is JunOS.
We have configured the SRX100 following your Juniper tutorial but have encountered a problem with MIP while testing it online - mapping the private address of our servers to their respective public address does not work. Attached is the SRX100 config file which we have started with a basic config file trying to map our ftp server (private address 172.17.196) to the public address ( Attached is also the old NS5GT config file. The FTP Server is connected at fe-0/0/3.0 on the trusted VLAN of the SRX100. The public address of the SRX100 is which is configured at fe-0/0/0.0. Static NAT and proxy ARP have been done for the ftp server as can be seen in the config file.
The ftp server can connect to the internet from the trusted zone but the outside world cannot access the ftp server using whereby is the name for the public address When we ping from the outside it seems to be alive but it is virtual because of the proxy ARP but we cannot ftp or telnet or remote desktop to the ftp server from the outside.
We have also 2 other servers (exchange server and bandwidthcontroller) to be MIP'ed but we need to get one server to work first before continuing with the other two.
Further Info:
SRX100 public address= configured on fe-0/0/0.0
DNS Servers=,
Next Hop=
VLAN address is (members fe-0/0/1 to fe-0/0/7 inclusive)
Ftp Server is connected at fe-0/0/3.0. Its private address is and its public address to be mapped is
Issue: MIP (or Static NAT) is not working. Connection is good from trusted to untrusted zone but connection is not possible from outside to inside.
We need to map
exchange server  ------>
ftp server    ------->
bwcontroller ------->
Please give any advice on how to get the MIP (Static NAT) to work so that we can access the ftp server from the untrusted zone.
Sincerely Yours,



Re: How to setup NAT or MIP on SRX series

‎07-01-2010 07:14 AM

Hi Bayu,


I've already accessed your FTP server; it seems well configured. It prompted me for the user name and password.


Try to see the logs and NAT statistics to make sure the traffic is forwarded to your server.


Thanks and Regards,





Re: How to setup NAT or MIP on SRX series

‎07-01-2010 08:57 AM

Config posted? 


I'd be more than happy to look at it, just the kind of fruit I can pick if you know what I mean ;)


It does look like your FTP server is responding to internet requests though as mentioned above, perhaps upstream ARP resolution was holding you down since your external addresses changed to that of your external interface when you went to the SRX?


Re: How to setup NAT or MIP on SRX series

‎07-01-2010 08:01 PM

Dear Husni,


The that you accessed was the old config from our Netscreen Juniper, yes, that was working fine.


The issue is that when I force the old config onto my newer Juniper (SRX-100H), it totally won't work at all.

Here is the new config in my attached file below.


Please give me more advice from the experts... :)
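
A static NAT setup of the kind discussed in this thread, as an added example that is not taken from any poster's attached config: on an SRX the static NAT rule rewrites the destination address before the security policy lookup, so the untrust-to-trust policy has to match the server's private address, not the public one. The addresses (documentation ranges), the zone names `untrust` and `trust`, and the rule-set, rule, policy and address-book names are assumptions; only the interface `fe-0/0/0.0` comes from the thread.

```junos
# Constructed sample values (not from the thread):
#   203.0.113.10  = public address to be mapped
#   192.168.1.10  = private address of the FTP server

# 1. Static NAT (what the thread calls MIP), applied to traffic arriving from untrust.
set security nat static rule-set STATIC-IN from zone untrust
set security nat static rule-set STATIC-IN rule FTP-SRV match destination-address 203.0.113.10/32
set security nat static rule-set STATIC-IN rule FTP-SRV then static-nat prefix 192.168.1.10/32

# 2. Proxy ARP so the SRX answers ARP for the additional public address
#    on the external interface.
set security nat proxy-arp interface fe-0/0/0.0 address 203.0.113.10/32

# 3. Address-book entry for the server's PRIVATE address in the trust zone.
set security zones security-zone trust address-book address FTP-SRV 192.168.1.10/32

# 4. Security policy untrust -> trust. The destination is the private address,
#    because the packet has already been translated when the policy is evaluated.
#    Permit only the application that is needed, and log session starts.
set security policies from-zone untrust to-zone trust policy ALLOW-FTP-IN match source-address any
set security policies from-zone untrust to-zone trust policy ALLOW-FTP-IN match destination-address FTP-SRV
set security policies from-zone untrust to-zone trust policy ALLOW-FTP-IN match application junos-ftp
set security policies from-zone untrust to-zone trust policy ALLOW-FTP-IN then permit
set security policies from-zone untrust to-zone trust policy ALLOW-FTP-IN then log session-init

# Operational-mode checks after commit (NAT statistics and sessions):
#   show security nat static rule all
#   show security flow session destination-prefix 203.0.113.10
#   show security policies from-zone untrust to-zone trust
```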