[j-nsp] SRX Static NAT - Not working in both directions

Oliver Garraux oliver at g.garraux.net
Fri Sep 7 19:08:25 EDT 2012


Brent, Patrick,

Thanks for the replies.

When I change the rule-set to apply to traffic from the user zone, I'm
seeing the same behavior.  The source address on traffic from the
desktop (192.168.35.200) out to the rest of the network isn't being
NAT'ed.  I also can't initiate connections to 192.168.32.5 from the
rest of my network.

I've also tried putting both the user and trust zones in the rule-set.
 In that scenario, I can connect to 192.168.32.5 from outside, but the
outgoing traffic from 192.168.35.200 still isn't NAT'ed.

Thanks,

Oliver

-------------------------------------

Oliver Garraux
Check out my blog:  www.GetSimpliciti.com/blog
Follow me on Twitter:  twitter.com/olivergarraux


On Fri, Sep 7, 2012 at 5:34 PM, Brent Jones <brent at brentrjones.com> wrote:
> Try to apply the static NAT policy to zone 'user' and see how that goes.
>
> On Fri, Sep 7, 2012 at 12:22 PM, Oliver Garraux <oliver at g.garraux.net> wrote:
>> Hey,
>>
>> I recently bought an SRX and have been trying the different NAT
>> configuration options to become more familar with JunOS.
>>
>> Static NAT isn't operating quite as I'd expect from the documentation.
>>  My understanding is that static NAT should be bidirectional, in that
>> it should translate connections going in both directions.
>>
>> I'm using 192.168.32.0/24 on the interface connected to the rest of my
>> network (ge-0/0/0.100), and 192.168.35.0/24 on vlan.200 on my SRX.
>> ge-0/0/0.100 is in the "trust" zone, and vlan.200 is in the "user"
>> zone.
>>
>> static {
>>     rule-set user_to_trust {
>>         from zone trust;
>>         rule desktop1 {
>>             match {
>>                 destination-address 192.168.32.5/32;
>>             }
>>             then {
>>                 static-nat prefix 192.168.35.200/32;
>>             }
>>         }
>>     }
>> }
>> proxy-arp {
>>     interface ge-0/0/0.100 {
>>         address {
>>             192.168.32.5/32;
>>         }
>>     }
>> }
>>
>>
>> I'm only seeing it translate connections coming in to the destination
>> address (192.168.32.5).  The source address on connections initiated
>> by the "static-nat" address (192.168.35.200 - the address on the
>> desktop sitting behind my SRX) are not being translated to
>> 192.168.32.5.  Am I misunderstanding how static NAT works?
>>
>> I've tried using an IP that is routed to the SRX (where no proxy-arp
>> should have been required in that situation).  I also don't see the
>> address being translated when I look at these flows in "show security
>> flow session", so I don't think this is an issue with proxy-arp.  I'm
>> permitting all traffic between the "user" and "trust" zones (in both
>> directions) in my security policies.
>>
>> Here's one of the flow entries when I try to ping from 192.168.35.200
>> to 192.168.17.16
>>
>> Session ID: 21626, Policy name: permit-all/5, Timeout: 16, Valid
>>   In: 192.168.35.200/25622 --> 192.168.17.16/1280;icmp, If: vlan.200,
>> Pkts: 1, Bytes: 60
>>   Out: 192.168.17.16/1280 --> 192.168.35.200/25622;icmp, If:
>> ge-0/0/0.100, Pkts: 0, Bytes: 0
>>
>> Any ideas?
>>
>> Thanks,
>>
>> Oliver
>>
>> -------------------------------------
>>
>> Oliver Garraux
>> Check out my blog:  www.GetSimpliciti.com/blog
>> Follow me on Twitter:  twitter.com/olivergarraux
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
>
>
> --
> Brent Jones
> brent at brentrjones.com


More information about the juniper-nsp mailing list