SRX Services Gateway

Lan1 to Lan2 Nat config

‎10-25-2017 07:17 AM

Hi

I have 2 interfaces set up; ge-0/0/1 is where most of my network servers are. When some devices go from ge-0/0/1 to ge-0/0/2, I need them to appear to be coming from a 10.1.1.0 address. I also need that when devices on ge-0/0/2 communicate with specific 10.1.1.x addresses, the traffic is sent to ge-0/0/1 and to a 192.168.1.x device.

 

Interface ge-0/0/1 = 192.168.1.0/24 inside_lan

Server A = 192.168.1.100    alias to be set on srx = 10.1.1.220

Server B = 192.168.1.101    alias to be set on srx = 10.1.1.221

 

Interface ge-0/0/2 = 10.1.1.0/24 inside_lan2

Server C = 10.1.1.200

Server D = 10.1.1.201

 

So if Server A sent traffic to Server C, I would want a flow like:

192.168.1.100 on ge-0/0/1 > Translate 192.168.1.100 to 10.1.1.220> ge-0/0/2 > 10.1.1.200

 

Server C would believe that it was receiving traffic from 10.1.1.220. So the reverse would also need to be in place for when Server C tries to contact Server A.

10.1.1.200 ge-0/0/2 > Translate 10.1.1.220 to 192.168.1.100 > ge-0/0/1 > 192.168.1.100

 

I think this can be done all in NAT rules something like the below?

nat {
    static {
        rule-set inside_lan2 {
            from zone inside_lan2;
            rule 1 {
                description SIP1;
                match {
                    destination-address 10.1.1.220/32;
                }
                then {
                    static-nat {
                        prefix {
                            192.168.1.100/32;
                        }
                    }
                }
            }
        }
    }
}

 

 

As for the policy I currently have the below policy but I think I need to put zone inside_lan2 in here as well?:

policy inside-zone-outbound {
    match {
        source-address any;
        destination-address any;
        application any;
        from-zone inside_lan;
    }
    then {
        permit;
    }
}

 

Please be gentle I'm a newbie!

SRX Services Gateway

Re: Lan1 to Lan2 Nat config

‎10-25-2017 10:17 PM

Hi,

You have to configure proxy-arp for the IP 10.1.1.220/32. Regarding policy, if you need bi-directional traffic flow, you have to create two policies: one from Inside_Lan to Inside_Lan2 and a second one from Inside_Lan2 to Inside_Lan.

 

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
SRX Services Gateway

Re: Lan1 to Lan2 Nat config

‎10-26-2017 01:16 AM

So this and..

[edit security nat proxy-arp]
interface reth3.0 {
    address {
        10.1.1.0/24;
    }
}

 

and this?

 

policy inside2-zone-outbound {
    match {
        source-address any;
        destination-address any;
        application any;
        from-zone inside_lan2;
    }
    then {
        permit;
    }
}

 

 

SRX Services Gateway

Re: Lan1 to Lan2 Nat config

‎10-26-2017 01:44 AM

Hi,

 

There is no need to configure proxy-arp for the entire /24 network. Enable it only for the NATted IP 10.1.1.220/32.

I hope you are using a global policy. If yes, one policy is enough, and in that policy you can match both zones (Inside_Lan and Inside_Lan2).

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
SRX Services Gateway

Re: Lan1 to Lan2 Nat config

‎10-26-2017 02:22 AM

Ok,

 

So this would be ok policy wise?

 

policy inside2-zone-outbound {
    match {
        source-address any;
        destination-address any;
        application any;
        from-zone [ inside_lan inside_lan2 ];
    }
    then {
        permit;
    }
}

SRX Services Gateway

Re: Lan1 to Lan2 Nat config

‎10-26-2017 02:29 AM

yes!

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
SRX Services Gateway

Re: Lan1 to Lan2 Nat config

‎10-26-2017 06:15 AM

Excellent it works! In regards to the proxy-arp if I want more servers in there do I need to add individually like below?:

 

interface reth3.0 {
    address {
        10.1.1.220/32;
        10.1.1.221/32;
    }
}

SRX Services Gateway
Solution
Accepted by topic author VOIPBunny
‎10-26-2017 06:32 AM

Re: Lan1 to Lan2 Nat config

‎10-26-2017 06:29 AM

Hi,

There are two methods to configure proxy-arp:

The first method is just like you mentioned: configure proxy-arp for each address.

The second method: if the addresses are contiguous, an address range can be used:

set security nat proxy-arp interface reth3.0 address 10.1.1.220/32 to 10.1.1.225/32

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
SRX Services Gateway

Re: Lan1 to Lan2 Nat config

‎10-26-2017 06:32 AM

Thanks!
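
Added example, not part of the thread and not Juniper tooling: a small Python check that compares static-NAT destination addresses with proxy-ARP coverage in `set`-style configuration. It reports NAT addresses that no proxy-ARP entry covers, and proxy-ARP entries wide enough to include real hosts on the segment (as a /24 entry would for Servers C and D). The sample lines, the rule names `r1`/`r2` and the interface `ge-0/0/2.0` are constructed from the addresses in this thread.

```python
import ipaddress
import re

# Constructed sample in "set" format; rule names and interface unit are assumptions.
SAMPLE = """\
set security nat static rule-set inside_lan2 from zone inside_lan2
set security nat static rule-set inside_lan2 rule r1 match destination-address 10.1.1.220/32
set security nat static rule-set inside_lan2 rule r1 then static-nat prefix 192.168.1.100/32
set security nat static rule-set inside_lan2 rule r2 match destination-address 10.1.1.221/32
set security nat static rule-set inside_lan2 rule r2 then static-nat prefix 192.168.1.101/32
set security nat proxy-arp interface ge-0/0/2.0 address 10.1.1.220/32
"""

NAT_RE = re.compile(r"nat static rule-set \S+ rule \S+ match destination-address (\S+)")
ARP_RE = re.compile(r"nat proxy-arp interface \S+ address (\S+)(?: to (\S+))?")


def _span(lo, hi=None):
    """(first, last) integer addresses of a prefix, or of a 'lo to hi' range."""
    first = ipaddress.ip_network(lo, strict=False)
    last = ipaddress.ip_network(hi, strict=False) if hi else first
    return int(first.network_address), int(last.broadcast_address)


def audit(config, real_hosts=()):
    """Return (missing, shadowed).

    missing:  static-NAT destination addresses no proxy-ARP entry covers.
    shadowed: real hosts whose address falls inside a proxy-ARP entry.
    """
    nat = [_span(m.group(1)) for m in NAT_RE.finditer(config)]
    arp = [_span(m.group(1), m.group(2)) for m in ARP_RE.finditer(config)]

    def covered(addr):
        return any(lo <= addr <= hi for lo, hi in arp)

    missing = [str(ipaddress.ip_address(a))
               for lo, hi in nat for a in range(lo, hi + 1) if not covered(a)]
    shadowed = [h for h in real_hosts if covered(int(ipaddress.ip_address(h)))]
    return missing, shadowed


if __name__ == "__main__":
    # Servers C and D from the thread are the real hosts on the 10.1.1.0/24 segment.
    print(audit(SAMPLE, real_hosts=["10.1.1.200", "10.1.1.201"]))
```

With the sample as written, the second NAT address is reported as missing; swapping the proxy-ARP line for the /24 form instead reports Servers C and D as shadowed.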