[j-nsp] SRX Static NAT - Not working in both directions

Oliver Garraux oliver at g.garraux.net
Fri Sep 7 15:22:34 EDT 2012 

Hey,

I recently bought an SRX and have been trying the different NAT
configuration options to become more familar with JunOS.

Static NAT isn't operating quite as I'd expect from the documentation.
 My understanding is that static NAT should be bidirectional, in that
it should translate connections going in both directions.

I'm using 192.168.32.0/24 on the interface connected to the rest of my
network (ge-0/0/0.100), and 192.168.35.0/24 on vlan.200 on my SRX.
ge-0/0/0.100 is in the "trust" zone, and vlan.200 is in the "user"
zone.

static {
    rule-set user_to_trust {
        from zone trust;
        rule desktop1 {
            match {
                destination-address 192.168.32.5/32;
            }
            then {
                static-nat prefix 192.168.35.200/32;
            }
        }
    }
}
proxy-arp {
    interface ge-0/0/0.100 {
        address {
            192.168.32.5/32;
        }
    }
}


I'm only seeing it translate connections coming in to the destination
address (192.168.32.5).  The source address on connections initiated
by the "static-nat" address (192.168.35.200 - the address on the
desktop sitting behind my SRX) are not being translated to
192.168.32.5.  Am I misunderstanding how static NAT works?

I've tried using an IP that is routed to the SRX (where no proxy-arp
should have been required in that situation).  I also don't see the
address being translated when I look at these flows in "show security
flow session", so I don't think this is an issue with proxy-arp.  I'm
permitting all traffic between the "user" and "trust" zones (in both
directions) in my security policies.

Here's one of the flow entries when I try to ping from 192.168.35.200
to 192.168.17.16

Session ID: 21626, Policy name: permit-all/5, Timeout: 16, Valid
  In: 192.168.35.200/25622 --> 192.168.17.16/1280;icmp, If: vlan.200,
Pkts: 1, Bytes: 60
  Out: 192.168.17.16/1280 --> 192.168.35.200/25622;icmp, If:
ge-0/0/0.100, Pkts: 0, Bytes: 0

Any ideas?

Thanks,

Oliver

-------------------------------------

Oliver Garraux
Check out my blog:  www.GetSimpliciti.com/blog
Follow me on Twitter:  twitter.com/olivergarraux

More information about the juniper-nsp mailing list