All traffic from the trust zone to the internet is set to source-nat "interface", thus it gets NATted to the public IP. I want to disable this common NATting for all traffic types and have custom static NAT rules for specific user subnets, but at the same time retain the source-nat interface for other traffic types. I intend to do this by putting in the below commands (entered under the existing source NAT rule-set):
set rule NAT-OFF match source-address 10.X.20.0/22
set rule NAT-OFF match destination-address 0.0.0.0/0
set rule NAT-OFF then source-nat off
This should turn off the source-interface NAT.
And put in the below commands for each user subnet residing on different sites (a static NAT rule-set takes only a "from" context, so the "to zone untrust" part is dropped here):
set security nat static rule-set Libpublicip from zone trust
set security nat static rule-set Libpublicip rule Libpublicip match source-address 10.X.20.0/24
set security nat static rule-set Libpublicip rule Libpublicip then static-nat prefix <public ip>
set security nat proxy-arp interface ge-0/0/15.0 address <public ip>
Then I assume that static NAT will continue to work as configured irrespective of the source NAT being turned off as above?
Also it is important to note that this NAT will only work for sessions initiated from the internal side of your network. The SRX will apply PAT to these connections on their way out and will be able to differentiate when several replies come back to the public address of the SRX.
If the sessions are initiated from external hosts sending traffic to the SRX's public IP, the SRX has no way to tell to which internal host those connections are destined.
Pura Vida from Costa Rica - Mark as Resolved if it applies. Kudos are appreciated too!
Thanks for replying, I will test it out and let you know how it goes. The reason why this is being put in place is because, due to source-nat interface, all sites' traffic is getting mapped to the egress interface public IP, and on the Zscaler all sites show grouped under this single public IP, thus a bifurcated view of sites is not visible. The reason to NAT certain sites only is because those sites access some third-party databases that need IP-level authentication (i.e. they manually add public IPs into their system and tag them to specific customers to authenticate and allow access). The security policies are placed on the Zscaler, hence the user traffic has to go to Zscaler for policy checks. The third-party vendors do not provide their public IPs, which could have been used to bypass Zscaler for these destinations only; rather they provide domain names like *ebsco.com etc., which can be used to perform a whitelist on the SRX firewall, but this whitelist cannot be used to redirect traffic to bypass the Zscaler GRE tunnels?
Proxy ARP should be enabled for any IP address you are using in a NAT pool that is in the same subnet as the egress interface. This will be necessary for the flows to function.
You will NOT use static NAT for this application, as Pura has pointed out. Static NAT is one IP mapped to another single IP address. This is not a source NAT pool, so it is not applicable here.
Also you will NOT be adding source-nat off for your application. You will instead build a list of NAT rules, specific ones first, with your current general source-nat interface rule as the last rule on the list. Thus anything that matches your specific rules will apply those, and all else falls down to the final source-nat interface rule.
Steve Puluka BSEET - Juniper Ambassador IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP) http://puluka.com/home