[j-nsp] order of operations for NAT & zone policy enforcement / SRX
Chris Hellberg
chris at chrishellberg.com
Fri Jul 6 09:56:04 EDT 2012
The order is: screen options -> D-NAT -> route lookup -> policy -> S-NAT -> others.
/chris
---
-----Original Message-----
From: Ge Moua <moua0100 at umn.edu>
Sender: juniper-nsp-bounces at puck.nether.net
Date: Fri, 06 Jul 2012 08:41:10
To: <juniper-nsp at puck.nether.net>
Subject: [j-nsp] order of operations for NAT & zone policy enforcement / SRX
j-nsp:
I am running into an issue on Juniper SRX where I am seeing zone policy
deny for destination-based NAT traffic (i.e., untrusted to trusted zone).
My assumption for SRX order of operation is as follows:
* perform zone policy enforcement (to dest NAT ip_addr / ARIN public)
* perform NAT translation for dest_ip
It would appear the order of operation here is reversed for flows that
require destination-based NAT & zone policy enforcement:
* perform NAT translation for dest_ip
* perform zone policy enforcement (to real ip_addr / RFC-1918)
Comments or feedback would greatly be appreciated.
--
--
Regards,
Ge Moua
Univ of Minn Alumnus
--
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
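
Because the order given in the reply puts destination NAT ahead of the policy lookup, the zone policy has to match the translated (real) address rather than the public one. The following Junos configuration is an added example, not taken from either poster; the zone names, rule and pool names, and all addresses (203.0.113.10 as the public address, 10.1.1.10 as the real server) are constructed for illustration.

```junos
# Constructed example: publish 10.1.1.10 (trust) as 203.0.113.10 (untrust).

# Destination NAT, applied before route lookup and policy evaluation.
set security nat destination pool web-pool address 10.1.1.10/32
set security nat destination rule-set from-untrust from zone untrust
set security nat destination rule-set from-untrust rule web match destination-address 203.0.113.10/32
set security nat destination rule-set from-untrust rule web then destination-nat pool web-pool

# Address-book entry for the REAL (post-NAT) address in the destination zone.
set security zones security-zone trust address-book address web-real 10.1.1.10/32

# Policy evaluated after D-NAT: destination-address must be the real address.
set security policies from-zone untrust to-zone trust policy allow-web match source-address any
set security policies from-zone untrust to-zone trust policy allow-web match destination-address web-real
set security policies from-zone untrust to-zone trust policy allow-web match application junos-http
set security policies from-zone untrust to-zone trust policy allow-web then permit

# A policy written against the public address never matches this flow,
# because the destination is already 10.1.1.10 when the policy is looked up,
# so the traffic falls through to the deny described in the original question:
#   set security zones security-zone trust address-book address web-public 203.0.113.10/32
#   set security policies from-zone untrust to-zone trust policy allow-web match destination-address web-public
```

Keeping the permit scoped to the single translated host and application, rather than widening the destination to `any` to make the flow pass, preserves the intent of the zone policy.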