vSRX

Can I implement a source NAT via static NAT?

‎06-25-2019 02:42 AM

A very simple question for the Juniper experts: can I implement a source NAT via a static NAT policy? For example, this static NAT policy implements a destination NAT (I tried it in my virtual lab):

------------------------

set security nat static rule-set STATIC_NAT_01 from zone trust
set security nat static rule-set STATIC_NAT_01 rule RULE_1 description RULE_01
set security nat static rule-set STATIC_NAT_01 rule RULE_1 match source-address 192.168.10.0/24
set security nat static rule-set STATIC_NAT_01 rule RULE_1 match destination-address 172.16.0.10/32
set security nat static rule-set STATIC_NAT_01 rule RULE_1 then static-nat prefix 1.1.1.1/32

------------------------

But what if I want to implement a source NAT using a static NAT policy? Is it possible? What is the right syntax?


Re: Can I implement a source NAT via static NAT?

‎06-25-2019 04:26 AM

You can.

The Junos 'static NAT' configuration is a destination NAT. The source-NAT part is implicit.

So, in your configuration - you are basically binding 172.16.0.10/32 with 1.1.1.1/32.

Anything sourced from 1.1.1.1/32 will be source-NAT-ed to 172.16.0.10/32 implicitly.

Regards,
Gokul

Re: Can I implement a source NAT via static NAT?

‎06-25-2019 04:29 AM

If you want to source nat 192.168.1.0/24 to 1.1.1.0/24 using static nat, just reverse the logic. Use match zone as egress zone. Example given below.

set security nat static rule-set STATIC_NAT_01 from zone untrust
set security nat static rule-set STATIC_NAT_01 rule RULE_1 description RULE_01
set security nat static rule-set STATIC_NAT_01 rule RULE_1 match destination-address 1.1.1.0/24
set security nat static rule-set STATIC_NAT_01 rule RULE_1 then static-nat prefix 192.168.10.0/24

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: Can I implement a source NAT via static NAT?

‎06-25-2019 06:17 AM

Andrea,

Yes, that works.

Static NAT is essentially destination NAT, so you can play around with the from/to contexts to suit your needs.

Cheers

Pooja


Re: Can I implement a source NAT via static NAT?

‎06-25-2019 07:00 AM

Hi andreaquerci,

When you implement static NAT, you have a 1 to 1 mapping created for the IPs. So traffic destined to 1.1.1.1 will be translated to 172.16.0.10 and traffic sourced from 172.16.0.10 will use 1.1.1.1 to send its traffic outbound. So no special configuration is needed for this!

Here is a techpub for your reference: https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-nat-static.html

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!! 🙂

Regards,

HS


Re: Can I implement a source NAT via static NAT?

‎06-25-2019 11:54 PM

Yes, it is very much possible. Static NAT being destination NAT, you just have to apply static NAT with a reverse flow, considering you would want to implement a source NAT.


Re: Can I implement a source NAT via static NAT?

‎06-26-2019 11:10 AM

The answer is yes, you can use static NAT to have the source NAT function.

The difference is that static NAT works for traffic initiated from both directions. Source NAT only works for traffic initiated from one direction.

Static NAT does cover your source NAT need. You can check the details from the tech library below:

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-nat-static.html
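
The two-way mapping discussed in this thread, as an added Python model (not posted by any participant and not Junos code): it parses the `set` lines of the reversed rule quoted above and translates a flow in each direction. It assumes a subnet-to-subnet static NAT keeps the host bits and ignores zone and source-address matching; the function names and the 203.0.113.7 peer address are constructed for the example.

```python
import ipaddress

# Rule lines copied from the reply that reverses the rule; only the
# destination-address and static-nat prefix lines are used by this model.
CONFIG = """
set security nat static rule-set STATIC_NAT_01 from zone untrust
set security nat static rule-set STATIC_NAT_01 rule RULE_1 description RULE_01
set security nat static rule-set STATIC_NAT_01 rule RULE_1 match destination-address 1.1.1.0/24
set security nat static rule-set STATIC_NAT_01 rule RULE_1 then static-nat prefix 192.168.10.0/24
"""

def parse_static_rules(config):
    """Return {(rule_set, rule): {'match': net, 'prefix': net}} from set-style lines."""
    rules = {}
    for line in config.splitlines():
        tok = line.split()
        if tok[:4] != ["set", "security", "nat", "static"] or "rule" not in tok:
            continue  # blank lines, other hierarchies, and the 'from zone' line
        key = (tok[tok.index("rule-set") + 1], tok[tok.index("rule") + 1])
        entry = rules.setdefault(key, {})
        if "destination-address" in tok:
            entry["match"] = ipaddress.ip_network(tok[-1])
        elif tok[-3:-1] == ["static-nat", "prefix"]:
            entry["prefix"] = ipaddress.ip_network(tok[-1])
    # Keep only rules that carry both halves of the one-to-one mapping.
    return {k: v for k, v in rules.items() if len(v) == 2}

def _shift(addr, src_net, dst_net):
    """Map addr from src_net into dst_net, keeping the host bits (assumption)."""
    offset = int(addr) - int(src_net.network_address)
    return ipaddress.ip_address(int(dst_net.network_address) + offset)

def translate(rules, src, dst):
    """Apply the static mapping to one packet; returns (src, dst, action)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules.values():
        if dst in r["match"]:    # explicit direction: destination translation
            return str(src), str(_shift(dst, r["match"], r["prefix"])), "dst-nat"
        if src in r["prefix"]:   # reverse flow: implicit source translation
            return str(_shift(src, r["prefix"], r["match"])), str(dst), "src-nat"
    return str(src), str(dst), "none"

if __name__ == "__main__":
    rules = parse_static_rules(CONFIG)
    print(translate(rules, "203.0.113.7", "1.1.1.25"))       # inbound to the mapped range
    print(translate(rules, "192.168.10.25", "203.0.113.7"))  # outbound from the real host
```
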
