SRX Services Gateway

NAT Configuration Question

‎06-10-2019 05:58 AM
Hi, I have an SRX 1400 cluster and I can't find any config snip to perform the following NAT. I have an internal machine on 10.10.12.50 (TRUST) and I want to source NAT this to 195.24.23.19 (UNTRUST) for TRUST->UNTRUST. I also can't update the source or destination ports. Traffic also needs to be able to come back uninitiated from ANY external address to 195.24.23.19 and be translated to 10.10.12.50, and again the ports can't be modified. I don't think that a standard STATIC would work because it's any destination, so I don't know if a combination of both source and destination NATs would work? If anyone has done this before I would appreciate any working examples.

Inside IP: 10.10.12.50
Outside NAT IP: 195.24.23.19
Destination: ANY
Traffic direction: Bi-directional initiation

Cheers

Re: NAT Configuration Question

‎06-10-2019 06:09 AM
Hi Merlo,

My understanding is that you do not want the ports to translate for the bi-directional traffic but only the IPs to translate, such as:

Source IP 10.10.12.50 (TRUST) to translate to 195.24.23.19 (UNTRUST) for TRUST->UNTRUST when traffic is initiated from 10.10.12.50 to ANY destination.

Also, when traffic is initiated from any random source in Untrust to 195.24.23.19 (UNTRUST), to be translated to Source IP 10.10.12.50 (TRUST) without any port translation.

If the above is the requirement, a STATIC NAT perfectly works. A combination of SRC NAT and DST NAT is also possible at the same time.

Let me know if my understanding is correct. Otherwise, request you to correct me.

Regards,
Pradeep.

Re: NAT Configuration Question

‎06-10-2019 06:19 AM
You may use the following configuration:

set security nat static rule-set TEST from zone UNTRUST
set security nat static rule-set TEST rule one match destination-address 195.24.23.19/32
set security nat static rule-set TEST rule one then static-nat prefix 10.10.12.50/32

Please refer to page no. 13 of this NAT configuration guide for the complete configuration: https://kb.juniper.net/library/CUSTOMERSERVICE/technotes/Junos_NAT_Examples.pdf
Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: NAT Configuration Question

‎06-10-2019 09:14 AM
Hello Merlo,

Your requirement sounds like classic STATIC NAT. Correct me if I missed something here.

Possible Topology:

10.10.12.50 --------- (TRUST) SRX (UNTRUST) ----------- INTERNET

Requirement:

1. While going out to the Internet via the Untrust zone, 10.10.12.50 should always use 195.24.23.19. No ports to be changed.
2. If anyone from the INTERNET wants to reach 10.10.12.50, they should try to reach 195.24.23.19. Again, no ports to be changed.

Solution:

set security nat static rule-set ONE from zone Untrust
set security nat static rule-set ONE rule 1 match destination-address 195.24.23.19/32
set security nat static rule-set ONE rule 1 then static-nat prefix 10.10.12.50/32

Since static NAT is a special case of destination NAT, it is written in the incoming direction. Therefore, the above configuration will also take care of the traffic initiated from 10.10.12.50 towards the Untrust zone.

Hopefully this helps!
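As an added illustration, not code from any poster in this thread, here is a small Python model of how the static NAT rule above behaves: the rule is written once in the UNTRUST->TRUST direction, the SRX applies it to both initiation directions, ports are left untouched, and the security policy for inbound traffic is matched on the post-NAT inside address. The zone names, the sample policy set, the sample flows and the host-offset handling (which goes beyond the thread's /32 case to prefix-to-prefix mappings) are assumptions made here.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Added model of the thread's static NAT rule (not Junos code): a 1:1 address map
# written in the UNTRUST->TRUST direction that the SRX applies in both directions.
STATIC_RULE = {
    "from_zone": "UNTRUST",
    "match_dst": ip_network("195.24.23.19/32"),  # pre-NAT (outside) address
    "prefix": ip_network("10.10.12.50/32"),      # post-NAT (inside) address
}
# Constructed policy set: (from_zone, to_zone, dst_match, action). The SRX does the
# policy lookup after static NAT, so the inbound policy must name 10.10.12.50.
POLICIES = [
    ("TRUST", "UNTRUST", ip_network("0.0.0.0/0"), "permit"),
    ("UNTRUST", "TRUST", ip_network("10.10.12.50/32"), "permit"),
]
@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    sport: int
    dport: int

def _map(addr: str, from_net, to_net) -> str:
    # Keep the host offset so the logic also covers a prefix-to-prefix mapping.
    offset = int(ip_address(addr)) - int(from_net.network_address)
    return str(to_net.network_address + offset)

def apply_static_nat(flow: Flow) -> Flow:
    """Translate addresses only; static NAT never rewrites ports."""
    rule = STATIC_RULE
    if flow.src_zone == rule["from_zone"] and ip_address(flow.dst) in rule["match_dst"]:
        return replace(flow, dst=_map(flow.dst, rule["match_dst"], rule["prefix"]))
    if flow.dst_zone == rule["from_zone"] and ip_address(flow.src) in rule["prefix"]:
        return replace(flow, src=_map(flow.src, rule["prefix"], rule["match_dst"]))
    return flow

def policy_action(post_nat: Flow) -> str:
    """First matching zone-pair policy wins; no match is the default deny."""
    for from_zone, to_zone, dst_match, action in POLICIES:
        if (from_zone, to_zone) == (post_nat.src_zone, post_nat.dst_zone) \
                and ip_address(post_nat.dst) in dst_match:
            return action
    return "deny"

def process(flow: Flow) -> tuple[Flow, str]:
    translated = apply_static_nat(flow)  # static NAT, then policy, as on the SRX
    return translated, policy_action(translated)
```

On a real SRX the static NAT rule only translates; an UNTRUST-to-TRUST security policy referencing the inside address 10.10.12.50 is still needed for the uninitiated inbound traffic, and if 195.24.23.19 is not the interface's own address, proxy-arp for it is configured separately.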