[j-nsp] order of operations for NAT & zone policy enforcement / SRX

Ge Moua moua0100 at umn.edu
Fri Jul 6 09:41:10 EDT 2012


j-nsp:
I am running into an issue on Juniper SRX where I am seeing zone policy
deny for destination-based NAT traffic (i.e., untrusted to trusted zone).
My assumption for SRX order of operation is as follows:
* perform zone policy enforcement (to dest NAT ip_addr / ARIN public)
* perform NAT translation for dest_ip

It would appear the order of operation here is reversed for flows that
require destination-based NAT & zone policy enforcement:
* perform NAT translation for dest_ip
* perform zone policy enforcement (to real ip_addr / RFC-1918)

Comments or feedback would be greatly appreciated.


-- 
--
Regards,
Ge Moua

Univ of Minn Alumnus
--


