SRX

  • 1.  NAT before route

    Posted 06-07-2018 03:02

    I have an SRX240 which is acting as a router to a third party. I also have a video encoder on IP 172.31.253.2/27.


    I need to change the IP of this device before routing it to the third party:


    +------------------+       +---------------+        +-------------+       +---------------------------------+
    |     Encoder      +------->    SRX240     +-------->Change IP to +-------> Route to third party            |
    | 172.31.253.2/27  |       |172.31.253.1/27|        |10.10.10.10  |       | 10.100.0.1/30 --> 10.100.0.2/30 |
    +------------------+       +---------------+        +-------------+       +---------------------------------+
    

    So, how do I perform a NAT before routing it out of an interface? Is this even possible?



  • 2.  RE: NAT before route
    Best Answer

    Posted 06-07-2018 03:13

    No, this is not possible.  Check the packet flow process diagram here for reference on where NAT, policy and route lookup operations occur.


    https://kb.juniper.net/InfoCenter/index?page=content&id=kb16110




  • 3.  RE: NAT before route

    Posted 06-07-2018 03:49

    Thanks. So the only option is to either 1) put another router in front of the device or 2) change the IP of the actual device.



  • 4.  RE: NAT before route

    Posted 06-07-2018 04:10

    Sorry, I think I read your question incorrectly the first time.  I thought you were asking if you can perform NAT before the route lookup of the flow.


    But looking again I see you want to do normal source NAT before forwarding to the same destination address.  That process is outlined on page 6 of these NAT examples.


    https://kb.juniper.net/library/CUSTOMERSERVICE/technotes/Junos_NAT_Examples.pdf




  • 5.  RE: NAT before route

    Posted 06-07-2018 05:35

    It's hard to tell from that PDF, but I think that this is forwarding on the same subnet as the "untrusted" interface. I want to NAT it to a new IP address and then use the route to the next hop.



  • 6.  RE: NAT before route

    Posted 06-07-2018 16:41

    Here's an example.  The NAT rule will use the zone of the ingress 3rd-party device interface as the from zone and the egress interface zone as the to zone, with the pool address set to your chosen address.

    set security nat source pool src_pool address 10.10.10.10/32
    set security nat source rule-set rs1 from zone trust
    set security nat source rule-set rs1 to zone untrust
    set security nat source rule-set rs1 rule r1 match source-address 0.0.0.0/0
    set security nat source rule-set rs1 rule r1 match destination-address 0.0.0.0/0
    set security nat source rule-set rs1 rule r1 then source-nat src_pool

    (Here "trust" is the zone 172.31.253.2/27 is connected to, and "untrust" is the zone 10.100.0.1/30 is connected to.)


    The security policy will use an address object for the device and allow any port and destination.  Or you can restrict these too.


    Change trust and untrust to match the zones already on those interfaces.

    set security zones security-zone trust address-book address 3rd-party 172.31.253.2/32
    set security policies from-zone trust to-zone untrust policy 3rdparty-access match source-address 3rd-party destination-address any application any
    set security policies from-zone trust to-zone untrust policy 3rdparty-access then permit
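    The following is an added illustration written for this page, not Junos code and not from any of the posters: a small Python model of the SRX first-packet order that replies 2 and 6 rely on (route lookup fixes the egress interface and to-zone, then the zone-pair policy is evaluated, and only then is the source NAT rule-set applied). The addresses 172.31.253.0/27, 10.100.0.0/30 and the pool 10.10.10.10 come from the thread; the interface names, the default route via 10.100.0.2 and the third-party destination 203.0.113.5 are assumptions. It shows that the translated source never influences routing, and that a host the policy does not permit is dropped before NAT is ever considered, which is why the /32 address object (rather than the 0.0.0.0/0 NAT match) is what actually limits who gets translated.

```python
"""Model of the SRX first-packet flow for the source NAT in this thread.

Order modelled: ingress zone -> route lookup (egress interface, to-zone)
-> security policy for the zone pair -> source NAT rule-set.
Illustration only; interface names, the default route and the
third-party destination are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass
class Interface:
    name: str
    zone: str
    network: IPv4Network          # subnet the interface sits on


@dataclass
class Route:
    prefix: IPv4Network
    next_hop: str                 # "direct" for connected routes
    interface: str


@dataclass
class Policy:
    from_zone: str
    to_zone: str
    source: IPv4Network           # the address-book object
    permit: bool


@dataclass
class SourceNatRule:
    from_zone: str
    to_zone: str
    match_source: IPv4Network
    match_destination: IPv4Network
    pool: str                     # translated source address


# Constructed configuration mirroring the thread (interface names assumed).
INTERFACES = [
    Interface("ge-0/0/1", "trust", ip_network("172.31.253.0/27")),
    Interface("ge-0/0/0", "untrust", ip_network("10.100.0.0/30")),
]
ROUTES = [
    Route(ip_network("172.31.253.0/27"), "direct", "ge-0/0/1"),
    Route(ip_network("10.100.0.0/30"), "direct", "ge-0/0/0"),
    Route(ip_network("0.0.0.0/0"), "10.100.0.2", "ge-0/0/0"),   # assumed default route
]
# Policy permits only the encoder's /32, as in reply 6.
POLICIES = [Policy("trust", "untrust", ip_network("172.31.253.2/32"), True)]
# NAT rule-set matches any source/destination for the trust->untrust pair.
NAT_RULES = [SourceNatRule("trust", "untrust", ip_network("0.0.0.0/0"),
                           ip_network("0.0.0.0/0"), "10.10.10.10")]


def zone_of(ifname: str) -> str:
    return next(i.zone for i in INTERFACES if i.name == ifname)


def ingress_interface(src):
    """Interface whose connected subnet contains the original source."""
    return next((i.name for i in INTERFACES if src in i.network), None)


def route_lookup(dst):
    """Longest-prefix match; this is what determines the to-zone."""
    candidates = [r for r in ROUTES if dst in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)


def process_first_packet(src_ip: str, dst_ip: str) -> dict:
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    result = {"permitted": False, "egress": None,
              "next_hop": None, "translated_source": None}
    in_if = ingress_interface(src)
    route = route_lookup(dst)
    if in_if is None or route is None:
        return result                       # no route: dropped
    from_zone, to_zone = zone_of(in_if), zone_of(route.interface)
    result["egress"], result["next_hop"] = route.interface, route.next_hop
    # Policy lookup only happens once the route has fixed the to-zone.
    policy = next((p for p in POLICIES if p.from_zone == from_zone
                   and p.to_zone == to_zone and src in p.source), None)
    if policy is None or not policy.permit:
        return result                       # dropped; NAT never evaluated
    result["permitted"] = True
    # Source NAT is keyed on the zone pair and applied after the policy,
    # so the translated address cannot change the route chosen above.
    rule = next((r for r in NAT_RULES if r.from_zone == from_zone
                 and r.to_zone == to_zone and src in r.match_source
                 and dst in r.match_destination), None)
    result["translated_source"] = rule.pool if rule else str(src)
    return result


if __name__ == "__main__":
    print(process_first_packet("172.31.253.2", "203.0.113.5"))
    print(process_first_packet("172.31.253.3", "203.0.113.5"))
```

    Running it shows the encoder's traffic leaving ge-0/0/0 toward 10.100.0.2 with source 10.10.10.10, while a neighbouring host on the same /27 is dropped by the policy with no translation applied; tightening the NAT rule's source-address match to the same /32 would add a second, independent restriction, which is the "you can also restrict these too" option in reply 6.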