SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  srx 210 with junos 9.6R1.13 static nat problem

    Posted 10-02-2009 02:23

    Hi guys,

    I have the following static nat configuration

            static {
                rule-set inside-to-outside {
                    from interface fe-0/0/4.0;
                    rule geopc {
                        match {
                            destination-address 192.168.253.4/32;
                        }
                        then {
                            static-nat prefix 10.96.0.153/32;
                        }
                    }
                }
            }
            proxy-arp {
                interface fe-0/0/4.0 {
                    address {
                        192.168.253.4/32;
                    }
                }
            }
     
     
    ....
            from-zone untrust to-zone trust {
                policy permit_all {
                    match {
                        source-address any;
                        destination-address geopc;  # geopc is 10.96.0.153
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }

    fe-0/0/4.0 is my outside interface which is bound to zone untrust and my pc is on the fe-0/0/2.0 interface which is bound to zone trust.
    Although my pc has access to the outside world, the reverse is not working.
    Do I need to do anything else?
    thanks,
    george


  • 2.  RE: srx 210 with junos 9.6R1.13 static nat problem
    Best Answer

    Posted 10-02-2009 05:15

    Does the proxy-arp work? Does the pc where you try the connection on get an arp reply? If so, did you try to trace a session?

    To set the trace:

    set security flow traceoptions file my_trace
    set security flow traceoptions flag basic-datapath
    set security flow traceoptions packet-filter filter1 source-prefix <source-ip/32>

    commit of course

    To show the trace:

    Operational mode:

    show log my_trace



  • 3.  RE: srx 210 with junos 9.6R1.13 static nat problem

    Posted 10-02-2009 06:12

    Can you try doing 'from zone untrust' instead of 'from interface fe-0/0/4'?

    See if that works... although I don't see why it should matter if fe-0/0/4 is bound to untrust and traffic enters on that interface destined for your internal device.

    Also, not sure if what you pasted was your entire from-zone untrust to-zone trust policy list, but if it's not, make sure you put that permit_all rule before the default-deny rule.

    Will



  • 4.  RE: srx 210 with junos 9.6R1.13 static nat problem

    Posted 10-07-2009 02:01

    Actually the configuration is working; I had specified the wrong IP in geopc.

    thanks to all who replied
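
The mismatch that caused this thread (the policy's address-book entry not matching the static-nat prefix) can be checked mechanically. The script below is an added example, not code from any poster or from Juniper. It assumes the configuration is supplied in `display set` form with the address book attached to the security zone, and the function name and sample values are constructed for illustration. It compares destination addresses only and ignores policy order.

```python
import ipaddress
import re

# Constructed sample in "display set" form, modelled on the thread's config.
# 10.96.0.135 is a made-up wrong value; the thread does not say which one was used.
SAMPLE_BROKEN = """\
set security nat static rule-set inside-to-outside from interface fe-0/0/4.0
set security nat static rule-set inside-to-outside rule geopc match destination-address 192.168.253.4/32
set security nat static rule-set inside-to-outside rule geopc then static-nat prefix 10.96.0.153/32
set security nat proxy-arp interface fe-0/0/4.0 address 192.168.253.4/32
set security zones security-zone trust address-book address geopc 10.96.0.135/32
set security policies from-zone untrust to-zone trust policy permit_all match source-address any
set security policies from-zone untrust to-zone trust policy permit_all match destination-address geopc
set security policies from-zone untrust to-zone trust policy permit_all match application any
set security policies from-zone untrust to-zone trust policy permit_all then permit
"""
SAMPLE_FIXED = SAMPLE_BROKEN.replace("10.96.0.135", "10.96.0.153")


def unmatched_static_nat(config, from_zone="untrust", to_zone="trust"):
    """List (nat_rule, real_prefix) pairs that no permit policy from
    from_zone to to_zone names as a destination address."""
    fz, tz = re.escape(from_zone), re.escape(to_zone)
    pol = rf"set security policies from-zone {fz} to-zone {tz} policy (\S+) "
    nat, book, dests, permits = {}, {}, {}, set()
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"set security nat static rule-set \S+ rule (\S+) "
                         r"then static-nat prefix (\S+)", line):
            nat[m[1]] = ipaddress.ip_network(m[2], strict=False)
        elif m := re.match(rf"set security zones security-zone {tz} "
                           r"address-book address (\S+) (\S+)", line):
            book[m[1]] = ipaddress.ip_network(m[2], strict=False)
        elif m := re.match(pol + r"match destination-address (\S+)", line):
            dests.setdefault(m[1], []).append(m[2])
        elif m := re.match(pol + r"then permit", line):
            permits.add(m[1])
    # Policy lookup sees the translated (real) address, so compare the
    # static-nat prefix with what the permit policies allow.
    names = [d for p in permits for d in dests.get(p, [])]
    if "any" in names:
        return []
    nets = [book[d] for d in names if d in book]
    return [(rule, str(p)) for rule, p in nat.items()
            if not any(p.version == n.version and p.subnet_of(n) for n in nets)]


if __name__ == "__main__":
    print(unmatched_static_nat(SAMPLE_BROKEN), unmatched_static_nat(SAMPLE_FIXED))
```

An empty list means every static-NAT target is covered by some permit policy's destination address; each returned pair names a NAT rule whose real address the policy set never allows.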