SRX Services Gateway
SRX Services Gateway

access to public NAT IP from device in DMZ zone

‎05-14-2013 04:40 AM

Greetings all,

I've an odd request from a customer. Basically they have a piece of software in their DMZ on a SRX240, this software sits on a device with a 172.16.100.x IP address.


It has a destination NAT from the untrust zone to the DMZ zone i.e. 217.111.119.x -->> 172.16.100.x, this works fine.


The customer says though that the software needs access to the public IP for installation....this seems to be blocked.


I've checked the policy table and there is no blocking between these zones.


I did a ping from the DMZ gateway to the interface IP on the untrust zone 217.111.119.x and that works fine.


But when I do the ping to the NAT'd public IP address the ping fails.


Any tips here?





SRX Services Gateway

Re: access to public NAT IP from device in DMZ zone

[ Edited ]
‎05-14-2013 08:29 AM

Hi Paul,


This is a fairly common issue whe doing Destination NAT:


You'll need to adjust your destination NAT rule so that the source zone includes both your "Untrust" and any other zones that you need to access it from - like the DMZ in your case.  Even though the destination IP address doesn't technically belong in the DMZ zone, the NAT policy will still translate connections to it.


As for the host needing to connect to itself over a NATted IP - that's certainly a new one for me Smiley Wink but if you're still having issues make sure there is an intrazone policy configured from zone DMZ to zone DMZ and this *may* just work.  


I suspect the host probably needs to connect to itself via a FQDN which is resolving to it's public IP address which is where the DNAT comes into play.


If you still have issues getting that to work, try manually editing the hosts file on the machine so that the FQDN resolves to the private address of the box - that should bypass any issues you'll have with the SRX and NAT.

Ben Dale
Juniper Ambassador
Follow me @labelswitcher
SRX Services Gateway

Re: access to public NAT IP from device in DMZ zone

‎05-14-2013 08:37 AM

Hi Ben,

thanks very much for your input and suggestions. I've forwarded this link to the customer so they can have a read for themselves.


I also suggested they use the "real" public IP address configured on the untrust interface and try and do their install. Waiting on feedback.


Will keep you posted.