SRX

  • 1.  SRX340 NAT hairpinning

    Posted 02-05-2020 03:31

    Hello,

     

    Currently we use source NAT to access the Internet from LAN:

     

    pool src-nat-pool-office {
        address {
            1.1.1.2/32;
        }
    }
    rule-set rs1 {
        from zone trust;
        to zone untrust;
        rule office-nat {
            match {
                source-address 192.168.4.0/24;
                destination-address 0.0.0.0/0;
            }
            then {
                source-nat {
                    pool {
                        src-nat-pool-office;
                    }
                }
            }
        }
    }
    

     

    At the same time, we use destination NAT to access some resources from the Internet using one of our public IP addresses (BGP):

     

    pool server1 {
        address 192.168.4.123/32;
    }
    rule-set dnat-rs1 {
        from zone untrust;
        rule r1 {
            match {
                destination-address 1.1.1.3/32;
                destination-port {
                    80;
                }
            }
            then {
                destination-nat {
                    pool {
                        server1;
                    }
                }
            }
        }
    }

     

    Now, we would like to access "server1" from the LAN using the public IP address 1.1.1.3 (the one from destination NAT). How do we do that? I read something about NAT hairpinning, but I'm not sure how to use it here.

     

    Can I ask for help? 🙂



  • 2.  RE: SRX340 NAT hairpinning
    Best Answer

     
    Posted 02-05-2020 04:46

    Hi Gabriel,

     

    Adding the zone trust to the existing destination NAT rule would solve your purpose.

     

    set security nat destination rule-set dnat-rs1 from zone trust

    This will help to trigger the destination NAT for traffic from the internal LAN, and the source NAT will also be done, which is necessary. Please refer to the KB at https://kb.juniper.net/InfoCenter/index?page=content&id=KB24639, which has an example for hairpin NAT and the requirements.

     

    Hope this helps.

     

    Thanks and Regards,

    Pradeep Kumar

    [KUDOS PLEASE! If you think I earned it!

    If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]
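
The hairpin setup discussed above, written out as an added example (not part of the original posts and not taken from the linked KB). It assumes the LAN clients and server1 sit in the same 192.168.4.0/24 subnet behind zone trust; the names `hairpin-rs`, `hairpin-web`, `server1-real` and `allow-hairpin-web` are hypothetical.

```junos
# Added example. Assumption: clients and server1 (192.168.4.123) share
# 192.168.4.0/24 in zone trust. Rule-set, rule, address and policy names
# below are hypothetical; addresses come from the thread.

# 1. Let LAN clients match the existing destination NAT rule for 1.1.1.3:80.
set security nat destination rule-set dnat-rs1 from zone trust

# 2. Source-NAT the hairpinned flow to the SRX's own trust-side interface
#    address, so server1 replies to the SRX instead of directly to the
#    client on the same subnet (a direct reply would arrive from
#    192.168.4.123, not 1.1.1.3, and the client would drop it).
#    Source NAT is evaluated after destination NAT, so the rule matches
#    the translated destination address.
set security nat source rule-set hairpin-rs from zone trust
set security nat source rule-set hairpin-rs to zone trust
set security nat source rule-set hairpin-rs rule hairpin-web match source-address 192.168.4.0/24
set security nat source rule-set hairpin-rs rule hairpin-web match destination-address 192.168.4.123/32
set security nat source rule-set hairpin-rs rule hairpin-web then source-nat interface

# 3. Permit only the published service between trust hosts. The policy
#    lookup also sees the translated destination address.
set security address-book global address server1-real 192.168.4.123/32
set security policies from-zone trust to-zone trust policy allow-hairpin-web match source-address any
set security policies from-zone trust to-zone trust policy allow-hairpin-web match destination-address server1-real
set security policies from-zone trust to-zone trust policy allow-hairpin-web match application junos-http
set security policies from-zone trust to-zone trust policy allow-hairpin-web then permit

# Checks from operational mode after commit:
#   show security nat destination rule all
#   show security nat source rule all
#   show security flow session destination-prefix 1.1.1.3
```

With this source NAT in place, server1's access logs show the SRX interface address for hairpinned LAN clients rather than the real client IP. Rule r1 matches destination port 80 only, so other traffic to 1.1.1.3, such as ping, is not translated by it.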



  • 3.  RE: SRX340 NAT hairpinning

    Posted 02-06-2020 00:33

    Thank you, it worked for me!



  • 4.  RE: SRX340 NAT hairpinning

    Posted 08-23-2023 18:33

    Hi

    I am having the same issue: I am not able to ping servers in the trust zone from themselves using their outside IP. What should I do?



    ------------------------------
    JAY ECHOUAFNI
    ------------------------------