SRX Services Gateway

Source-Nat disable query

2 weeks ago

Hi All,

All traffic from trust zone to internet is set to source-nat "interface", thus it gets NATed to the public IP. I want to disable this common NATing for all traffic types and have custom static NAT rules for specific user subnets, but at the same time retain the source-nat interface for other traffic types. I intend to do this by putting in the below commands:

set rule NAT-OFF match source-address 10.X.20.0/22
set rule NAT-OFF match destination-address 0.0.0.0/0
set rule NAT-OFF then source-nat off      <-- this should turn off the source-interface NAT

and put in the below commands for each user subnet residing on different sites:

set security nat static rule-set Libpublicip from zone trust to zone untrust
set security nat static rule-set Libpublicip rule Libpublicip match source-address 10.X.20.0/24
set security nat static rule-set Libpublicip rule Libpublicip then static-nat prefix <public ip>
set proxy-arp interface ge-0/0/15.0 address <public ip>

Then I assume that static-nat will continue to work as configured irrespective of the source-nat being turned off as above?

Please guide.


Re: Source-Nat disable query

2 weeks ago

Hi Techvin,

Two things to consider here. One, make sure you do not have any rules with the same match, i.e. (10.X.20.0/22 and 0.0.0.0/0), before this new rule NAT-OFF.

Second, as you need source-nat "interface" for the rest of the traffic, I suggest you configure another rule after NAT-OFF as below:

set rule Others match source-address 0.0.0.0/0
set rule Others match destination-address 0.0.0.0/0
set rule Others then source-nat interface

Hope this helps.

Thanks and Regards,

Pradeep Kumar M


Re: Source-Nat disable query

2 weeks ago

Techvin,

Static NAT is used for 1-to-1 NAT mappings, hence it has to be one address to one address. You are trying to statically map a subnet, which is not possible.

You might want to create another source NAT rule, but with a pool containing the public IP that you are looking for.

1. Create the pool

# set security nat source pool POOL_NAME address [PUBLIC_ADDRESS]

2. Create the NAT rule

# set security nat source rule RULE_NAME match source-address 10.X.20.0/24
# set security nat source rule RULE_NAME then source-nat pool POOL_NAME

Note that this new rule has to be placed above the current rule so it takes precedence:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB21783&actp=METADATA

Also it is important to note that this NAT will only work for sessions initiated from the internal side of your network. The SRX will apply PAT to these connections on their way out and will be able to differentiate when several replies come back to the public address of the SRX.

If the sessions are initiated from external hosts sending traffic to the SRX's public IP, the SRX has no way to tell which internal host those connections are destined for.

Pura Vida from Costa Rica - Mark as Resolved if it applies.
Kudos are appreciated too!

Re: Source-Nat disable query

a week ago

Thanks for replying, I will test it out and let you know how it goes. The reason why this is being put in place is because, due to source-nat interface, all sites' traffic is getting mapped to the egress interface public IP, and on the Zscaler all sites show grouped under this single public IP, thus a bifurcated view of sites is not visible. The reason to NAT certain sites only is because those sites access some third party databases that need IP level authentication (i.e. they manually add public IPs into their system and tag them to specific customers to authenticate and allow access). The security policies are placed on the Zscaler, hence the user traffic has to go to Zscaler for policy checks. The 3rd party vendors do not provide their public IPs, which could have been used to bypass Zscaler for these destinations only; rather they provide domain names like *ebsco.com etc., which can be used to perform a whitelist on the SRX firewall, but this whitelist cannot be used to redirect traffic to bypass Zscaler GRE tunnels?


Re: Source-Nat disable query

Monday

Did you check it out? What are the results?



Re: Source-Nat disable query

Tuesday

Hi,

I am preparing the script for it but wanted to know if a proxy-arp should be configured for this like below?

set proxy-arp interface ge-0/0/15.0 address <SINGLE PUBLIC IP>

Also I will be turning the source-nat off for that user subnet and putting in the static-nat command as mentioned in the threads below, but will that work as source-nat is turned off?

Note: The user VLAN subnet is getting NATed to this single public IP as mentioned in the previous post thread.


Re: Source-Nat disable query

Tuesday

Proxy ARP should be enabled for any IP address you are using in a NAT pool that is in the same subnet as the egress interface. This will be necessary for the flows to function.

You will NOT use static NAT for this application, as Pura has pointed out. Static NAT is one IP mapped to another single IP address. This is not a source NAT pool, so it is not applicable here.

Also you will NOT be adding source-nat off for your application. You will instead build a list of NAT rules, from specific first, with your current general source-nat interface as the last rule on the list. Thus anything that matches your specific rules will apply those, and all else falls down to the final source-nat interface.

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
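The pool-based approach Pura describes and the rule ordering Steve describes, written out as a complete Junos source NAT configuration. This is an added example and not configuration posted by anyone in the thread; the rule-set name TRUST-TO-UNTRUST, pool name LIB-PUBLIC-POOL, rule names, zone names and the public address 203.0.113.10 (RFC 5737 documentation range) are assumptions, while ge-0/0/15.0 and the 10.X.20.0/24 placeholder subnet are taken from the posts above.

```junos
## Pool holding the dedicated public address for the library subnet (assumed value)
set security nat source pool LIB-PUBLIC-POOL address 203.0.113.10/32

## One rule-set for trust -> untrust; rules inside it are evaluated in order, first match wins
set security nat source rule-set TRUST-TO-UNTRUST from zone trust
set security nat source rule-set TRUST-TO-UNTRUST to zone untrust

## Specific rule first: only this subnet is translated to the dedicated address
set security nat source rule-set TRUST-TO-UNTRUST rule LIB-SUBNET match source-address 10.X.20.0/24
set security nat source rule-set TRUST-TO-UNTRUST rule LIB-SUBNET match destination-address 0.0.0.0/0
set security nat source rule-set TRUST-TO-UNTRUST rule LIB-SUBNET then source-nat pool LIB-PUBLIC-POOL

## General rule last: every other source keeps the existing egress-interface translation
set security nat source rule-set TRUST-TO-UNTRUST rule OTHERS match source-address 0.0.0.0/0
set security nat source rule-set TRUST-TO-UNTRUST rule OTHERS match destination-address 0.0.0.0/0
set security nat source rule-set TRUST-TO-UNTRUST rule OTHERS then source-nat interface

## Proxy ARP so the SRX answers for the pool address on the egress interface (same subnet)
set security nat proxy-arp interface ge-0/0/15.0 address 203.0.113.10/32

## If the catch-all rule already exists, move the specific rule ahead of it instead of re-creating both
insert security nat source rule-set TRUST-TO-UNTRUST rule LIB-SUBNET before rule OTHERS

## Verification after commit: rule order plus hit counters, then the translated address on live sessions
show security nat source rule all
show security nat source pool all
show security flow session source-prefix 10.X.20.0/24
```

In the `show security nat source rule all` output, confirm LIB-SUBNET is listed before OTHERS and that its translation hits increase while the subnet is browsing; if OTHERS keeps taking the hits, the ordering is wrong and the subnet is still being translated to the interface address.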