SRX Services Gateway

Static Nat configuration help required

‎01-06-2012 03:44 AM

Hi Experts,

 

I am new to Junos, as I am converting a ScreenOS configuration to a Junos SRX240. The configuration is not working properly. Below are the configurations for both ScreenOS and Junos. Kindly help me understand why it's not working.

 

ScreenOS configuration:

 

set interface "ethernet5.12" mip 210.89.XX.XX host 192.168.4.134 netmask 255.255.255.255 vr "gi-vr"

 set policy id 1004 from "SN" to "Internet"  "Any" "Any" "ANY" permit

 

session:

 

id 9537/s**,vsys 0,flag 0c000000/4000/0001,policy 1004,time 30, dip 0 module 0
 if 6(nspflag 801805):192.168.4.134/64595->72.18.154.61/80,6,00144fed4a92,sess token 40,vlan 110,tun 0,vsd 0,route 5,wsf 6
 if 8(nspflag 801804):210.89.XX.XX/64595<-72.18.154.61/80,6,00005e000178,sess token 44,vlan 120,tun 0,vsd 0,route 5,wsf 0

 

Junos configuration:

 

static {
    rule-set rs1 {
        from zone Internet;
        rule r1 {
            match {
                destination-address 210.89.XX.XX/32;
            }
            then {
                static-nat prefix 192.168.4.134/32;
            }
        }
    }
}

 

proxy-arp {
    interface reth5.12 {
        address {
            210.89.XX.XX/32;
        }
    }
}

 

session:

 

In: 192.168.4.134/64333 --> 4.2.2.2/53;udp, If: reth3.11, Pkts: 1, Bytes: 60
  Out: 4.2.2.2/53 --> 192.168.4.134/64333;udp, If: reth5.12, Pkts: 0, Bytes: 0

 

So the problem is that when traffic comes back from zone Internet, the destination is not translating to this IP:

210.89.XX.XX/32;

 

Regards

G.F

 


 

 


Re: Static Nat configuration help required

‎01-08-2012 01:27 AM

Hi Marwat,

 

With the Junos configuration in your example, if you want to translate the IP address of the reverse traffic, you should send the traffic with the destination (to) zone as Internet, not the source (from) zone as Internet.

 

Thanks.

 

JNCIE-SEC
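Added example, not part of either post: a small Python check over Junos flow-session wing lines in the format shown in the question. It reports whether the Out wing's destination differs from the In wing's source (that is, whether the source address was translated) and whether any reply packets were counted. The function names, the second sample session and its 203.0.113.10 address are constructed for illustration.

```python
import re

# One wing of a Junos flow session entry, e.g.
#   In: 192.168.4.134/64333 --> 4.2.2.2/53;udp, If: reth3.11, Pkts: 1, Bytes: 60
WING = re.compile(
    r"^\s*(?P<dir>In|Out):\s+(?P<src>[^/\s]+)/(?P<sport>\d+)\s+-->\s+"
    r"(?P<dst>[^/\s]+)/(?P<dport>\d+);(?P<proto>\w+),\s+If:\s+(?P<ifname>\S+?),"
    r"\s+Pkts:\s+(?P<pkts>\d+)"
)

def parse_wings(text):
    """Return {'In': {...}, 'Out': {...}} for one session's wing lines."""
    wings = {}
    for line in text.splitlines():
        m = WING.match(line)
        if m:
            wings[m["dir"]] = m.groupdict()
    return wings

def check_source_translation(text):
    """Compare the In wing's source with the Out wing's destination.

    The Out wing describes the expected return packet, so its destination is
    the client's address as seen after NAT. If it equals the In wing's source,
    the session was created without source translation.
    """
    wings = parse_wings(text)
    if "In" not in wings or "Out" not in wings:
        raise ValueError("need both an In and an Out wing")
    inw, outw = wings["In"], wings["Out"]
    return {
        "original_src": inw["src"],
        "post_nat_src": outw["dst"],
        "translated": outw["dst"] != inw["src"],
        "egress_if": outw["ifname"],
        "reply_seen": int(outw["pkts"]) > 0,
    }

# Session output quoted in the question above.
SESSION_FROM_POST = """\
In: 192.168.4.134/64333 --> 4.2.2.2/53;udp, If: reth3.11, Pkts: 1, Bytes: 60
  Out: 4.2.2.2/53 --> 192.168.4.134/64333;udp, If: reth5.12, Pkts: 0, Bytes: 0
"""

# Constructed sample: same flow with the source translated to a public address.
SESSION_TRANSLATED = """\
In: 192.168.4.134/64333 --> 4.2.2.2/53;udp, If: reth3.11, Pkts: 1, Bytes: 60
  Out: 4.2.2.2/53 --> 203.0.113.10/64333;udp, If: reth5.12, Pkts: 1, Bytes: 76
"""

if __name__ == "__main__":
    for name, s in (("post", SESSION_FROM_POST), ("constructed", SESSION_TRANSLATED)):
        print(name, check_source_translation(s))
```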