SRX Services Gateway

srx 210 with junos 9.6R1.13 static nat problem

‎10-02-2009 02:23 AM

Hi guys,

I have the following static nat configuration

        static {
            rule-set inside-to-outside {
                from interface fe-0/0/4.0;
                rule geopc {
                    match {
                        destination-address 192.168.253.4/32;
                    }
                    then {
                        static-nat prefix 10.96.0.153/32;
                    }
                }
            }
        }
        proxy-arp {
            interface fe-0/0/4.0 {
                address {
                    192.168.253.4/32;
                }
            }
        }
 
 
....
       from-zone untrust to-zone trust {
            policy permit_all {
                match {
                    source-address any;
                    destination-address geopc;  //geopc is 10.96.0.153
                    application any;
                }
                then {
                    permit;
                }
            }
       }

fe-0/0/4.0 is my outside interface which is bound to zone untrust and my pc is on the fe-0/0/2.0 interface which is bound to zone trust.
Although my pc has access to the outside world, the reverse is not working.
Do I need to do anything else?
thanks,
george
3 REPLIES
Solution
Accepted by topic author geo555
‎08-26-2015 01:27 AM

Re: srx 210 with junos 9.6R1.13 static nat problem

‎10-02-2009 05:15 AM

Does the proxy-arp work? Does the PC where you try the connection get an ARP reply? If so, did you try to trace a session?

To set the trace:

    set security flow traceoptions file my_trace
    set security flow traceoptions flag basic-datapath
    set security flow traceoptions packet-filter filter1 source-prefix <source-ip/32>

Commit, of course.

To show the trace:

Operational mode:

    show log my_trace

 

best regards,

Screenie.
Juniper Ambassador,
JNCIA IDP AC WX JNCIS FW SSL JNCIP SEC ENT SP JNCI


Re: srx 210 with junos 9.6R1.13 static nat problem

‎10-02-2009 06:12 AM

Can you try doing 'from zone untrust' instead of 'from interface fe-0/0/4'?

See if that works... although I don't see why it should matter if fe-0/0/4 is bound to untrust and traffic enters on that interface destined for your internal device.

Also, not sure if what you pasted was your entire from-zone untrust to-zone trust policy list, but if it's not, make sure you put that permit_all rule before the default-deny rule.

Will


Re: srx 210 with junos 9.6R1.13 static nat problem

‎10-07-2009 02:01 AM

Actually the configuration is working; I had specified the wrong IP in geopc.

thanks to all who replied
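
Added example, not part of the thread: on the SRX the static NAT translation is applied before the security policy lookup, so the policy's destination address-book entry has to cover the translated (internal) prefix, which is what went wrong here. The Python sketch below checks that in a configuration exported in `display set` form; the sample configuration is constructed, including the mistyped geopc value, and the check looks only at destination-address coverage for IPv4, not at policy order or action.

```python
import ipaddress
import re

# Constructed sample in "display set" form. The wrong geopc value is invented
# for illustration; the thread does not say what the mistyped address was.
SAMPLE_CONFIG = """\
set security nat static rule-set inside-to-outside from interface fe-0/0/4.0
set security nat static rule-set inside-to-outside rule geopc match destination-address 192.168.253.4/32
set security nat static rule-set inside-to-outside rule geopc then static-nat prefix 10.96.0.153/32
set security nat proxy-arp interface fe-0/0/4.0 address 192.168.253.4/32
set security zones security-zone trust address-book address geopc 10.96.0.135/32
set security policies from-zone untrust to-zone trust policy permit_all match source-address any
set security policies from-zone untrust to-zone trust policy permit_all match destination-address geopc
set security policies from-zone untrust to-zone trust policy permit_all match application any
set security policies from-zone untrust to-zone trust policy permit_all then permit
"""

NAT_RE = re.compile(r"^set security nat static rule-set \S+ rule (\S+) then static-nat prefix (\S+)$")
BOOK_RE = re.compile(r"^set security zones security-zone (\S+) address-book address (\S+) (\S+)$")
DST_RE = re.compile(r"^set security policies from-zone \S+ to-zone (\S+) policy \S+ match destination-address (\S+)$")


def unreachable_static_nat(config: str) -> list[str]:
    """Return static NAT rule names whose translated prefix no policy destination covers."""
    nat, book, dests = [], {}, []
    for line in map(str.strip, config.splitlines()):
        if m := NAT_RE.match(line):
            nat.append((m[1], ipaddress.ip_network(m[2], strict=False)))
        elif m := BOOK_RE.match(line):
            book[(m[1], m[2])] = ipaddress.ip_network(m[3], strict=False)
        elif m := DST_RE.match(line):
            dests.append((m[1], m[2]))  # (to-zone, address-book name)
    findings = []
    for rule, prefix in nat:
        # Covered if some policy destination is "any" or an entry containing the prefix.
        covered = any(
            name == "any" or ((zone, name) in book and prefix.subnet_of(book[(zone, name)]))
            for zone, name in dests
        )
        if not covered:
            findings.append(rule)
    return findings
```

Running `unreachable_static_nat(SAMPLE_CONFIG)` flags the `geopc` rule; with the address-book entry corrected to 10.96.0.153/32 it returns an empty list.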