SRX Services Gateway

Source NAT ICMP application in SRX240

‎05-12-2014 12:19 AM

Hi,

 

I would like to know the effect of the commands below. My aim is to get ICMP packets NATed on the SRX240 from a private IP to a public IP. Will these commands give me that result?

 

set security nat source rule-set xxx rule xxx match source-address x.x.x.x/x
set security nat source rule-set xxx rule xxx match destination-address 0.0.0.0/0
set security nat source rule-set xxx rule xxx match protocol icmp
set security nat source rule-set xxx rule xxx then source-nat interface

 

Policy required for this is already defined.

 

Can anyone help with this?

 

Thanks,

Mahesh.

Solution
Accepted by topic author MAHESH
‎08-26-2015 01:27 AM

Re: Source NAT ICMP application in SRX240

‎05-12-2014 12:38 AM

Hi Mahesh,

 

The NAT policy seems to be fine. Let me give you more insight into it.

 

Ex:

Client_ 192.168.1.2/24  --------- [ 192.168.1.1/24; Zone: Trust ---SRX-----Zone: Untrust; 200.200.200.2]---------Internet

 

To get the client IP subnet NATed, the configuration below should do:

set security nat source rule-set xxx from zone trust

set security nat source rule-set xxx to zone untrust

set security nat source rule-set xxx rule xxx match source-address 192.168.1.1/24

set security nat source rule-set xxx rule xxx match destination-address 0.0.0.0/0

set security nat source rule-set xxx rule xxx match protocol icmp

set security nat source rule-set xxx rule xxx then source-nat interface

 

To allow the ICMP flow, the following policy is needed:

set security zones security-zone trust address-book address client_192.168.1.1 192.168.1.1/24

set security policies from-zone trust to-zone untrust policy icmp_allow match source-address client_192.168.1.1

set security policies from-zone trust to-zone untrust policy icmp_allow match destination-address any

set security policies from-zone trust to-zone untrust policy icmp_allow match application junos-icmp-all

set security policies from-zone trust to-zone untrust policy icmp_allow then permit

 

I hope this helps you.

 

Thanks

SHKM
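
An added example, not part of the original thread or of Juniper's tooling: a small Python check over `set`-style configuration that flags a source NAT rule-set with no `from zone`/`to zone` context (the lines the answer adds to the question's snippet) or with no permitting ICMP policy for that zone pair. The function name `audit`, the sample input and the finding strings are assumptions made for illustration; only zone-based context and the applications `junos-icmp-all` and `any` are recognised.

```python
import re

# Constructed input: NAT lines from the accepted answer plus two of its policy lines.
ANSWER_CONFIG = """\
set security nat source rule-set xxx from zone trust
set security nat source rule-set xxx to zone untrust
set security nat source rule-set xxx rule xxx match source-address 192.168.1.1/24
set security nat source rule-set xxx rule xxx match destination-address 0.0.0.0/0
set security nat source rule-set xxx rule xxx match protocol icmp
set security nat source rule-set xxx rule xxx then source-nat interface
set security policies from-zone trust to-zone untrust policy icmp_allow match application junos-icmp-all
set security policies from-zone trust to-zone untrust policy icmp_allow then permit
"""

NAT = re.compile(r"set security nat source rule-set (\S+) (.+)")
POL = re.compile(r"set security policies from-zone (\S+) to-zone (\S+) policy (\S+) (.+)")

def audit(config):
    """Return a list of findings for the source NAT rule-sets in `config`."""
    rule_sets, policies = {}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := NAT.match(line):
            rs = rule_sets.setdefault(m[1], {"from": None, "to": None, "nat": False})
            if z := re.match(r"(from|to) zone (\S+)$", m[2]):
                rs[z[1]] = z[2]          # zone context of the rule-set
            elif re.match(r"rule \S+ then source-nat ", m[2]):
                rs["nat"] = True         # at least one rule translates
        elif m := POL.match(line):
            pol = policies.setdefault((m[1], m[2], m[3]), {"icmp": False, "permit": False})
            if m[4] in ("match application junos-icmp-all", "match application any"):
                pol["icmp"] = True
            elif m[4] == "then permit":
                pol["permit"] = True
    findings = []
    for name, rs in rule_sets.items():
        if not (rs["from"] and rs["to"]):
            findings.append(f"{name}: missing from/to zone context")
            continue
        if not rs["nat"]:
            findings.append(f"{name}: no 'then source-nat' action")
        # A policy for the same zone pair must both match ICMP and permit it.
        ok = any(p["icmp"] and p["permit"] for (f, t, _), p in policies.items()
                 if (f, t) == (rs["from"], rs["to"]))
        if not ok:
            findings.append(f"{name}: no policy permitting ICMP {rs['from']}->{rs['to']}")
    return findings
```
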


Re: Source NAT ICMP application in SRX240

‎05-12-2014 01:00 AM

Thank you, SHKM.

 

I will let you know once I implement these statements.

 

Thanks,

Mahesh.


Re: Source NAT ICMP application in SRX240

‎05-12-2014 01:28 AM

Sure, and you're welcome Mahesh!


Re: Source NAT ICMP application in SRX240

‎05-12-2014 03:49 AM

The above config part has been implemented and it got resolved.

 

Thanks,

Mahesh.


Re: Source NAT ICMP application in SRX240

‎05-12-2014 03:51 AM

OK, good to hear! Thanks for posting the result!