SRX Services Gateway

SRX 240 NAT: mapping two external IPs to one internal host

05-27-2014 01:57 AM

Hi all,

I am struggling a bit with NAT on our new SRX240. The situation is as follows. I want to translate two public IP addresses to one internal host. This internal host is a TMG server, which redirects traffic to different webservers, based on the URL used.

For example:

- The TMG server is using IP 192.168.1.1 and is located in the DMZ zone

- Public IP address one: 10.0.0.1 (coming into the Untrust zone). URL prod.webserver.com

- Public IP address two: 10.0.0.2 (coming into the Untrust zone). URL test.webserver.com

- Proxy ARP is needed

- No port translation needed

- The TMG server redirects incoming http/https traffic to the correct webserver based on the aforementioned URLs.

How do I configure this? I cannot use Static NAT because of overlapping. I am probably missing the obvious, but any help would be much appreciated.

Thanks in advance!

Regards,

Erwin G.


Re: SRX 240 NAT: mapping two external IPs to one internal host

05-27-2014 02:09 AM

Hello, why not use DNAT on SRX?


Re: SRX 240 NAT: mapping two external IPs to one internal host

05-27-2014 03:30 AM

Hi,

Thanks. I probably need to use DNAT indeed. That would essentially mean creating a pool containing only 1 IP address, right?

So, a possible configuration would be this?

set security nat destination pool dst-nat-web address 192.168.1.1/32
set security nat destination pool dst-nat-web port 443
set security nat destination rule-set Web-Tiers from zone untrust
set security nat destination rule-set Web-Tiers rule Web-Prod match destination-address 10.0.0.1/32
set security nat destination rule-set Web-Tiers rule Web-Prod match destination-port 443
set security nat destination rule-set Web-Tiers rule Web-Prod then destination-nat pool dst-nat-web
set security nat destination rule-set Web-Tiers rule Web-Test match destination-address 10.0.0.2/32
set security nat destination rule-set Web-Tiers rule Web-Test match destination-port 443
set security nat destination rule-set Web-Tiers rule Web-Test then destination-nat pool dst-nat-web

And after that creating appropriate rules to allow the actual traffic...

Regards,

Erwin G.


Re: SRX 240 NAT: mapping two external IPs to one internal host

05-27-2014 06:40 AM

Hello Erwin,

Your configuration is correct!

Match the public IPs and the ports; use both http and https if you need to match both services.

Also, translate to the same internal IP. This should work fine.

Then create appropriate policies. Ideally these should contain source any and destination as the internal IP (which should be only one, as both translate to the same internal IP).

Proxy ARP would be required if your external interface is in the same subnet as the 10.0.0.x subnet.

Regards,

c_r

Note: If this answers your question, you could mark this post as accepted solution, that way it helps others as well. Kudos will be cool if I earned it!
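A complete version of the design discussed in this thread (two public IPs, one internal host, proxy ARP, policy on the translated address), as an added example rather than any poster's own configuration. It assumes ge-0/0/0.0 is the untrust interface, a zone named dmz, and the names tmg-server and allow-web; the ## lines are explanatory notes, not Junos syntax.

```junos
## Added example (not from the thread). Assumed names: ge-0/0/0.0 is the
## untrust interface, the DMZ zone is "dmz", the address-book entry is
## "tmg-server" and the policy is "allow-web".

## One pool, one internal host. No "port" statement, so the original
## destination port is kept (the "no port translation" requirement);
## a pool with "port 443" would also rewrite port-80 matches to 443.
set security nat destination pool dst-nat-web address 192.168.1.1/32

## One rule per public IP and port, all pointing at the same pool.
## Only http/https to the two public IPs is translated; anything else
## is left untouched and dropped by the policies below.
set security nat destination rule-set Web-Tiers from zone untrust
set security nat destination rule-set Web-Tiers rule Prod-http match destination-address 10.0.0.1/32
set security nat destination rule-set Web-Tiers rule Prod-http match destination-port 80
set security nat destination rule-set Web-Tiers rule Prod-http then destination-nat pool dst-nat-web
set security nat destination rule-set Web-Tiers rule Prod-https match destination-address 10.0.0.1/32
set security nat destination rule-set Web-Tiers rule Prod-https match destination-port 443
set security nat destination rule-set Web-Tiers rule Prod-https then destination-nat pool dst-nat-web
set security nat destination rule-set Web-Tiers rule Test-http match destination-address 10.0.0.2/32
set security nat destination rule-set Web-Tiers rule Test-http match destination-port 80
set security nat destination rule-set Web-Tiers rule Test-http then destination-nat pool dst-nat-web
set security nat destination rule-set Web-Tiers rule Test-https match destination-address 10.0.0.2/32
set security nat destination rule-set Web-Tiers rule Test-https match destination-port 443
set security nat destination rule-set Web-Tiers rule Test-https then destination-nat pool dst-nat-web

## Proxy ARP: the SRX answers ARP for both public addresses on the
## untrust interface (needed when they share the interface's subnet).
set security nat proxy-arp interface ge-0/0/0.0 address 10.0.0.1/32
set security nat proxy-arp interface ge-0/0/0.0 address 10.0.0.2/32

## Security policy is evaluated after destination NAT, so it matches
## the translated address 192.168.1.1, not the public IPs. Source any,
## one destination, http/https only; everything else hits the default deny.
set security address-book global address tmg-server 192.168.1.1/32
set security policies from-zone untrust to-zone dmz policy allow-web match source-address any
set security policies from-zone untrust to-zone dmz policy allow-web match destination-address tmg-server
set security policies from-zone untrust to-zone dmz policy allow-web match application junos-http
set security policies from-zone untrust to-zone dmz policy allow-web match application junos-https
set security policies from-zone untrust to-zone dmz policy allow-web then permit

## Verify: rule hit counters and live sessions towards the TMG host.
## show security nat destination rule all
## show security flow session destination-prefix 192.168.1.1
```

If the TMG host must also reach the internet, a separate source NAT rule from the dmz zone is still needed; destination NAT alone only handles the inbound direction.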