SRX Services Gateway

SRX firewall nat or route interface.

10-06-2009 03:07 AM

Hi all,

In the SRX series, do we have something like ScreenOS as below?

set interface ethernet0/0 route

set interface ethernet0/1 nat

Or in SRX, can't I change each interface's mode?

Thank you

3 REPLIES

Re: SRX firewall nat or route interface.

10-06-2009 04:10 AM

Hi Lim,

The SRX does not support interface NATting. All NATting has to be done in the NAT policy. To simulate the same NATting you can use this policy:

security {
    nat {
        source {
            rule-set outbound-source-nat {
                from zone trust;
                to zone untrust;
                rule default {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
}

To enter this in your config:

set security nat source rule-set outbound-source-nat from zone trust
set security nat source rule-set outbound-source-nat to zone untrust
set security nat source rule-set outbound-source-nat rule default match source-address 0.0.0.0/0
set security nat source rule-set outbound-source-nat rule default then source-nat interface

And a commit of course.

best regards,

Screenie.
Juniper Ambassador,
JNCIA IDP AC WX JNCIS FW SSL JNCIP SEC ENT SP JNCI

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.

Re: SRX firewall nat or route interface.

10-06-2009 10:54 AM

hi,

Thanks for the help. In SRX, if I want the interface to be in "route mode", do I just need not do any NAT policy, so the interface will be in route mode?

Thank you

Meng Kiat


Re: SRX firewall nat or route interface.

10-06-2009 01:37 PM

Hi,

In SRX there's no such thing as route mode or NAT mode. If you like, think of all interfaces as being in route mode. On ScreenOS, when the trust interface is in NAT mode, all traffic from the trust zone to untrust is NATted on the egress (untrust) interface with PAT. The NAT policy I showed gives the same behaviour.

best regards,

Screenie.
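Added example, not part of the original thread: a complete Junos set-command configuration that reproduces ScreenOS "nat" mode for the trust interface (interface PAT on the egress untrust interface), keeps selected traffic in the equivalent of "route mode" with a `source-nat off` rule, and includes the security policy that the NAT rule-set alone does not provide. Interface names (ge-0/0/0, ge-0/0/1), zone names, the rule-set and rule names, and all addresses (203.0.113.2/24, 192.168.1.0/24, 10.0.0.0/8) are assumptions chosen for illustration.

```junos
## Added example (not the thread's own config). Interfaces, zones, rule names
## and addresses below are assumptions for illustration.

## Assumed interfaces: ge-0/0/0 faces the Internet (untrust),
## ge-0/0/1 faces the LAN (trust).
set interfaces ge-0/0/0 unit 0 family inet address 203.0.113.2/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust interfaces ge-0/0/1.0

## Security policy: NAT rules only translate, they never permit traffic,
## so a trust -> untrust permit policy is still required.
set security policies from-zone trust to-zone untrust policy permit-out match source-address any
set security policies from-zone trust to-zone untrust policy permit-out match destination-address any
set security policies from-zone trust to-zone untrust policy permit-out match application any
set security policies from-zone trust to-zone untrust policy permit-out then permit

## Equivalent of ScreenOS "set interface ethernet0/1 nat": every session
## from trust to untrust is PAT'd to the egress (untrust) interface address.
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust

## Rules inside a rule-set are evaluated top to bottom, first match wins,
## so the exemption must be configured before the catch-all.
## Equivalent of "route mode" for selected traffic: leave the source
## address untouched (assumed: private destinations reached over a VPN).
set security nat source rule-set trust-to-untrust rule keep-src match source-address 192.168.1.0/24
set security nat source rule-set trust-to-untrust rule keep-src match destination-address 10.0.0.0/8
set security nat source rule-set trust-to-untrust rule keep-src then source-nat off

## Catch-all interface NAT for everything else leaving trust for untrust.
set security nat source rule-set trust-to-untrust rule interface-nat match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule interface-nat then source-nat interface

commit

## Verify from configuration mode: list the source NAT rules and their
## hit counts, then confirm translation on live sessions from the LAN.
run show security nat source rule all
run show security flow session source-prefix 192.168.1.0/24
```

For any zone pair that has no matching source NAT rule-set (for example trust to a dmz zone), traffic is simply routed with its original source address, which is the SRX equivalent of leaving both interfaces in ScreenOS route mode. Matching on `0.0.0.0/0` in the catch-all is safe here only because the rule-set is already scoped by `from zone trust` / `to zone untrust`; for a rule-set scoped by interface or routing-instance, narrow the match to the expected internal prefixes.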