[j-nsp] SRX240 Source Natting
Ben Dale
bdale at comlinx.com.au
Wed Sep 26 19:05:28 EDT 2012
On 27/09/2012, at 6:51 AM, Spam <spam-me at fioseurope.net> wrote:
> Hey All,
> Here's another SRX issue I'm having and need help on..
> My SRX is connected on 3 Ports. Each in its own Security Domain and subnet.
> Sec-Domain: Inside
> Subnet1: 10.10.10.0/24
> Subnet2: 20.20.20.0/24
> Sec-Domain: Outside
> Subnet: 59.xx.xx.xx/24 (Publicly Routed Addresses)
> Sec-Domain: ISP
> Subnet: 213.x.x.x/29 (Internet Uplink to ISP)
If I follow correctly, you only want to NAT the Inside Zone to the interface address on the Outside zone?
set security nat source rule-set OUTBOUND-NAT from zone Inside
set security nat source rule-set OUTBOUND-NAT to zone Outside
set security nat source rule-set OUTBOUND-NAT rule SNAT-OUTSIDE-IF match source-address 10.10.10.0/24
set security nat source rule-set OUTBOUND-NAT rule SNAT-OUTSIDE-IF match source-address 20.20.20.0/24
set security nat source rule-set OUTBOUND-NAT rule SNAT-OUTSIDE-IF match destination-address 0.0.0.0/0
set security nat source rule-set OUTBOUND-NAT rule SNAT-OUTSIDE-IF then source-nat interface
All you need to add is a security policy allowing traffic from your internal ranges in the Inside zone to any address in the Outside zone.
If you want, you can even match on source-address 0.0.0.0/0 so that if you add more subnets in the future, you won't have to touch the SNAT-OUTSIDE-IF rule.
Ben
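As an added illustration (not part of the original thread), here is the security policy Ben refers to, written so that it permits only the two inside subnets rather than any source, together with the operational commands used to confirm the NAT rule is matching and sessions are being translated. The object and policy names (NET-10, NET-20, PERMIT-INSIDE-OUT) are assumed.

```junos
# Assumed address-book entries attached to the Inside zone (names are examples)
set security zones security-zone Inside address-book address NET-10 10.10.10.0/24
set security zones security-zone Inside address-book address NET-20 20.20.20.0/24

# Policy: only the two inside subnets may initiate sessions toward the Outside zone.
# Keeping the match tight here is what actually scopes the interface NAT above,
# since the NAT rule-set on its own does not permit any traffic.
set security policies from-zone Inside to-zone Outside policy PERMIT-INSIDE-OUT match source-address [ NET-10 NET-20 ]
set security policies from-zone Inside to-zone Outside policy PERMIT-INSIDE-OUT match destination-address any
set security policies from-zone Inside to-zone Outside policy PERMIT-INSIDE-OUT match application any
set security policies from-zone Inside to-zone Outside policy PERMIT-INSIDE-OUT then permit
set security policies from-zone Inside to-zone Outside policy PERMIT-INSIDE-OUT then log session-close

# Verification from operational mode after commit:
# show security nat source rule all              (translation hit counters on SNAT-OUTSIDE-IF)
# show security policies from-zone Inside to-zone Outside  (policy is present and ordered as expected)
# show security flow session source-prefix 10.10.10.0/24   (sessions show the Outside interface address as the translated source)
```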