vSRX
vSRX

Double firewalls (not HA) NAT scenario

‎08-15-2018 03:20 AM

Hope someone can give me some idea about the NAT configuration in double firewalls scenario

internet <-> 1st firewall <-> 2nd firewall <-> internal

 

1st firewall is vSRX and 2nd firewall is a palo alto physical device

So far, the static NAT configuration to a FTP server in the internal zone can successfully reach from internet.

What left is the Dynamic IP and Port NAT for internal user to reach internet.

 

NAT on 2nd firewall was done by DIPP on palo alto device. Internal user can reach the zone between the 2 firewalls.

Now I think I need to make NAT on vSRX for the internal user to reach internet.

Should I use "nat static" or "nat source" or any other nat type in this case?

3 REPLIES 3
vSRX
Solution
Accepted by topic author jlotag
‎08-16-2018 12:03 AM

Re: Double firewalls (not HA) NAT scenario

‎08-15-2018 05:56 AM

Hi Jlotag,

 

I can understand that you need perform the NAT along with PAT vSRX for the internal user who can reach internet. I recommend you to configure the source NAT. This would help you to translate the a contiguous block of addresses to another block of addresses of the same size or smaller size.

 

You can refer the below link to configure the same :

# https://www.juniper.net/documentation/en_US/junos/topics/topic-map/nat-security-source-and-source-po...

 

Static NAT is used in the scenarios when you need one-to-one mapping of the IP addresses to perform bidirectional NAT. YOu can refer the below link for better understanding:

 

# https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-nat-static.html

 

Kindly let me know if you face any issue I would help you.

 

Regards,

Rishi

JTAC

[KUDOS PLEASE! If you think I earned it! If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]

vSRX

Re: Double firewalls (not HA) NAT scenario

‎08-15-2018 06:36 PM

Hello,

 

If FW2 has a link to internet, I assume firewall two has a public IP. Is that correct?

If that is the case, is there a specific reason not to do source nat of FW2?

 

Note:- Document link given by rsurana is still valid if you want to do NAT on FW-1

 

Regards,

 

Rushi

vSRX

Re: Double firewalls (not HA) NAT scenario

‎08-16-2018 12:03 AM

Hello rtilak,

Only FW1 is link to internet. FW2 is behind FW1.