[j-nsp] juniper-nsp Digest, Vol 118, Issue 8

William McLendon wimclend at gmail.com
Fri Sep 7 21:22:42 EDT 2012


Your static NAT config looks correct.  Do you have any other static NAT rule-sets defined that could match the traffic (initiated from either side)?  IIRC a session is only evaluated against a single NAT rule-set per NAT type, and if multiple match, it will pick the most specific.

I think the order (least to most specific) is from routing-instance --> from zone ---> from interface


Another option would be to configure flow traceoptions to try to see why it's not NATing the traffic properly.

will

On Sep 7, 2012, at 9:01 PM, juniper-nsp-request at puck.nether.net wrote:

> Message: 1
> Date: Fri, 7 Sep 2012 15:22:34 -0400
> From: Oliver Garraux <oliver at g.garraux.net>
> To: juniper-nsp at puck.nether.net
> Subject: [j-nsp] SRX Static NAT - Not working in both directions
> Message-ID:
> 	<CAD_uLpM6kwe=j8Br+_N5DQGsN8QQ8xgCDtLxyjXdkBvr=1X0Xw at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
> 
> Hey,
> 
> I recently bought an SRX and have been trying the different NAT
> configuration options to become more familiar with JunOS.
> 
> Static NAT isn't operating quite as I'd expect from the documentation.
> My understanding is that static NAT should be bidirectional, in that
> it should translate connections going in both directions.
> 
> I'm using 192.168.32.0/24 on the interface connected to the rest of my
> network (ge-0/0/0.100), and 192.168.35.0/24 on vlan.200 on my SRX.
> ge-0/0/0.100 is in the "trust" zone, and vlan.200 is in the "user"
> zone.
> 
> static {
>    rule-set user_to_trust {
>        from zone trust;
>        rule desktop1 {
>            match {
>                destination-address 192.168.32.5/32;
>            }
>            then {
>                static-nat prefix 192.168.35.200/32;
>            }
>        }
>    }
> }
> proxy-arp {
>    interface ge-0/0/0.100 {
>        address {
>            192.168.32.5/32;
>        }
>    }
> }
> 
> 
> I'm only seeing it translate connections coming in to the destination
> address (192.168.32.5).  The source address on connections initiated
> by the "static-nat" address (192.168.35.200 - the address on the
> desktop sitting behind my SRX) are not being translated to
> 192.168.32.5.  Am I misunderstanding how static NAT works?
> 
> I've tried using an IP that is routed to the SRX (where no proxy-arp
> should have been required in that situation).  I also don't see the
> address being translated when I look at these flows in "show security
> flow session", so I don't think this is an issue with proxy-arp.  I'm
> permitting all traffic between the "user" and "trust" zones (in both
> directions) in my security policies.
> 
> Here's one of the flow entries when I try to ping from 192.168.35.200
> to 192.168.17.16
> 
> Session ID: 21626, Policy name: permit-all/5, Timeout: 16, Valid
>  In: 192.168.35.200/25622 --> 192.168.17.16/1280;icmp, If: vlan.200,
> Pkts: 1, Bytes: 60
>  Out: 192.168.17.16/1280 --> 192.168.35.200/25622;icmp, If:
> ge-0/0/0.100, Pkts: 0, Bytes: 0
> 
> Any ideas?
> 
> Thanks,
> 
> Oliver
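As an added check, not part of the thread: this Python parses `show security flow session` entries in the layout Oliver quoted and reports, for sessions initiated by the inside host, whether the source was translated to the static-NAT address. The Out wing is the reverse flow as installed on the egress side, so an untranslated session shows the inside address as the Out wing's destination. Session 21626 is the one from the mail; session 21627 and its ports are constructed to show what a translated session looks like.

```python
import re

# Constructed sample in the "show security flow session" layout from the thread.
# 21626 is the untranslated ICMP session Oliver posted (unwrapped to one line
# per wing); 21627 is a made-up session showing a translated Out wing.
SAMPLE = """\
Session ID: 21626, Policy name: permit-all/5, Timeout: 16, Valid
  In: 192.168.35.200/25622 --> 192.168.17.16/1280;icmp, If: vlan.200, Pkts: 1, Bytes: 60
  Out: 192.168.17.16/1280 --> 192.168.35.200/25622;icmp, If: ge-0/0/0.100, Pkts: 0, Bytes: 0
Session ID: 21627, Policy name: permit-all/5, Timeout: 1800, Valid
  In: 192.168.35.200/51000 --> 192.168.17.16/22;tcp, If: vlan.200, Pkts: 4, Bytes: 300
  Out: 192.168.17.16/22 --> 192.168.32.5/51000;tcp, If: ge-0/0/0.100, Pkts: 3, Bytes: 200
"""

SESSION_RE = re.compile(r"^Session ID:\s*(\d+)")
# One wing: "<In|Out>: src/port --> dst/port;proto, If: ifname, ..."
WING_RE = re.compile(
    r"^\s*(In|Out):\s+(\S+)/(\d+)\s+-->\s+(\S+)/(\d+);(\w+),\s+If:\s+([^,]+),")

def parse_sessions(text):
    """Parse session blocks into dicts with 'id' plus 'in' and 'out' wings."""
    sessions, cur = [], None
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            cur = {"id": int(m.group(1))}
            sessions.append(cur)
            continue
        w = WING_RE.match(line)
        if w and cur is not None:
            d, src, sport, dst, dport, proto, ifname = w.groups()
            cur[d.lower()] = {"src": src, "sport": int(sport), "dst": dst,
                              "dport": int(dport), "proto": proto, "if": ifname}
    return sessions

def translated_source(sess):
    """Address the far side sees as source (Out wing destination), or None
    when it equals the In wing source, i.e. no source translation happened."""
    inw, outw = sess.get("in"), sess.get("out")
    if not inw or not outw:
        return None
    return outw["dst"] if outw["dst"] != inw["src"] else None

def audit_static_nat(text, inside_host, mapped_addr):
    """For sessions initiated by inside_host, map session id to 'ok'
    (translated to mapped_addr), 'untranslated', or 'other:<addr>'."""
    report = {}
    for s in parse_sessions(text):
        if "in" not in s or s["in"]["src"] != inside_host:
            continue
        t = translated_source(s)
        report[s["id"]] = ("untranslated" if t is None
                           else "ok" if t == mapped_addr else "other:" + t)
    return report
```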