SRX

Hello,

 

I'm new to Juniper and need to set-up some static NAT's on my SRX240. I have reached my limit of 8 rules for Dynamic NAT's so this is why I'm now trying to create a static NAT.

 

I'm trying to allow inbound access for a webserver (port 80) sitting in my DMZ (untrust).

 

Is the following config corrrect?

 

1) Proxy ARP

proxy-arp {
            interface vlan.1 {
                address {
                    218.180.50.22/32;
                }
            }
        }

 

2) Static Nat

static {
            rule-set S-NAT-1000 {
                from zone untrust;
                rule S-NAT-rule-1000 {
                    match {
                        destination-address 218.180.50.22/32/32;
                    }
                    then {
                        static-nat prefix 10.10.20.5/32;
                    }
                }
            }
        } 

 

3) Policy Rule

 from-zone untrust to-zone DMZ {
            policy Website {
                match {
                    source-address any;
                    destination-address WebServer;
                    application junos-http;
                }
                then {
                    permit;
                }
            }

 

So I set the Proxy-ARP to allow the external IP to respond. I then set the static IP address mapping External to Internal. Lastly I set the policy to alloy only port 80 from the Untrust zone to mey DMZ for the webserver.  Is this all correct.

 

Thank you.

Warwick.

Looks fine to me, with exception of a typo I think: destination-address 218.180.50.22/32/32  is a /32 to much I supose.

Thank you,

 

It's working perfectly.