[j-nsp] order of operations for NAT & zone policy enforcement / SRX

Chris Hellberg chris at chrishellberg.com
Fri Jul 6 09:56:04 EDT 2012


The order is: screen options -> D-NAT -> route lookup -> policy -> S-NAT -> others.

/chris
---

-----Original Message-----
From: Ge Moua <moua0100 at umn.edu>
Sender: juniper-nsp-bounces at puck.nether.net
Date: Fri, 06 Jul 2012 08:41:10 
To: <juniper-nsp at puck.nether.net>
Subject: [j-nsp] order of operations for NAT & zone policy enforcement / SRX

j-nsp:
I am running into an issue on Juniper SRX where I am seeing zone policy
deny for destination-based NAT traffic (ie, untrusted to trusted zone).
My assumption for SRX order of operation is as follow:
* perform zone policy enforcement (to dest NAT ip_addr / ARIN public)
* perform NAT translation for dest_ip

It would appear the order of operation here is reversed for flow that
requires destination based NAT&  zone policy enforcement:
* peform NAT translation for dest_ip
* perform zone policy enforcement (to real ip_addr / RFC-1918)

Comments or feedback would greatly be appreciated.


-- 
--
Regards,
Ge Moua

Univ of Minn Alumnus
--

_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp



More information about the juniper-nsp mailing list