SRX Services Gateway
Highlighted
SRX Services Gateway

Simple NAT question about accessing mail services behind the SRX

‎05-12-2015 06:01 AM

Hey all you helpful folks, this should be an easy one.

 

First, some background:
I was asked to setup the networking for an Exchange server.  It's in a DMZ security zone and I initially setup destination NAT to translate only SMTP and HTTPS traffic to it.  The outgoing address, however, was not the public IP I wanted to use for mail, so I instead setup a static NAT and that fixed the outgoing address issue.  

 

My questions:

1.  Is there a security or performance drawback to using static NAT instead of source + destination NAT?  Obviously I'm still using security policies to only allow incoming ports 25 and 443, but the other traffic now makes it past NAT to the policy on the flow.

 

2. Is there a better or documented way to setup the typical exchange server behind an SRX that I'm just unable to locate?

 

Thanks!

Joe

2 REPLIES 2
Highlighted
SRX Services Gateway
Solution
Accepted by topic author PortlandJoe
‎08-26-2015 01:27 AM

Re: Simple NAT question about accessing mail services behind the SRX

‎05-12-2015 06:07 AM

Hello Joe ,

 

1.  Is there a security or performance drawback to using static NAT instead of source + destination NAT?  Obviously I'm still using security policies to only allow incoming ports 25 and 443, but the other traffic now makes it past NAT to the policy on the flow.

> That should not be a problem since it will be checked during policy lookup . Static NAT is a good option .

 

2. Is there a better or documented way to setup the typical exchange server behind an SRX that I'm just unable to locate?

> Generally we configure Static NAT to  connect to servers ( Exchange/Web) behind the SRX if need to be accessed from Public network . So what you have done is a typical way of doing it .


Thanks,
Sam

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too .....
Highlighted
SRX Services Gateway

Re: Simple NAT question about accessing mail services behind the SRX

‎05-12-2015 08:39 AM

Thanks for the confirmation!