Source NAT interface with logical systems

08-21-2013 01:00 AM

I had a previous configuration with source NAT which worked fine. However, we've now implemented several logical systems to isolate different sections of the firewall and I've discovered that source NAT interface is not supported in a logical system other than root!


I had attempted to set up a source nat interface in the LSYS-EXT logical system as below, but the SRX won't accept the commit because of the issue.


The firewall rules and routing are correctly set up so the internal server can reach the egress interface's IP ( but cannot go any further. I appreciate it's not the "Internet" as such, but I used the internet as an analogy as it's identical in principle: the remote server cannot be allowed to see any subnet hence the need to NAT at the edge of the SRX.


Before we implemented the three LSYS, we just had the root one. I had set up source NAT interface and although I didn't actually check the flow inside the Juniper, it was working fine.


I've also set up a destination NAT for traffic coming in the other direction with a proxy arp IP address and that's OK. It's the internal -> external NAT that's the problem.


So can anyone suggest how to achieve this with logical systems in place?


FYI, devices are a pair of clustered SRX3600 running JUNOS 11.4R8.4.


Thoughts most welcome!


Thanks in advance,
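Added example, not the poster's own configuration: a minimal Junos set-format sketch of the two rule sets the post describes (source NAT to the egress interface's address, and destination NAT with a proxy-ARP address for the reverse direction) placed under an LSYS-EXT logical system. Zone names, the egress interface ge-0/0/0.0, the 10.0.0.0/8 internal range and the 192.0.2.0/24 edge addresses are assumed; per this thread, the `source-nat interface` action does not commit under a non-root logical system on 11.4R8.4 and is only supported from 12.1x45 onward.

```junos
set logical-systems LSYS-EXT security nat source rule-set internal-to-external from zone internal
set logical-systems LSYS-EXT security nat source rule-set internal-to-external to zone external
set logical-systems LSYS-EXT security nat source rule-set internal-to-external rule srcnat-egress match source-address 10.0.0.0/8
set logical-systems LSYS-EXT security nat source rule-set internal-to-external rule srcnat-egress then source-nat interface

set logical-systems LSYS-EXT security nat destination pool dst-server address 10.0.0.10/32
set logical-systems LSYS-EXT security nat destination rule-set external-to-internal from zone external
set logical-systems LSYS-EXT security nat destination rule-set external-to-internal rule dnat-server match destination-address 192.0.2.10/32
set logical-systems LSYS-EXT security nat destination rule-set external-to-internal rule dnat-server then destination-nat pool dst-server

set logical-systems LSYS-EXT security nat proxy-arp interface ge-0/0/0.0 address 192.0.2.10/32
```

The destination block is the part the post reports as already working; the source block is the one that is rejected at commit time on the version in use.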


Re: Source NAT interface with logical systems

08-21-2013 04:05 AM

Apparently JUNOS 12.1x45 now includes support for source NAT interface with logical systems, so maybe updating to this version is the easiest way forward.


If anyone has any suggestions on current 11.4R8.4, I'm all ears.