[j-nsp] SRX240 Source Natting

Ben Dale bdale at comlinx.com.au
Wed Sep 26 19:05:28 EDT 2012


On 27/09/2012, at 6:51 AM, Spam <spam-me at fioseurope.net> wrote:

> Hey All,
> Here's another SRX issue I'm having and need help on..
> My SRX is connected on 3 Ports. Each in its own Security Domain and subnet.
> Sec-Domain: Inside
> Subnet1: 10.10.10.0/24
> Subnet2: 20.20.20.0/24
> Sec-Domain: Outside
> Subnet: 59.xx.xx.xx/24  (Publicly Routed Addresses)
> Sec-Domain: ISP
> Subnet: 213.x.x.x/29 (Internet Uplink to ISP)

If I follow correctly, you only want to NAT the Inside Zone to the interface address on the Outside zone?

set security nat source rule-set OUTBOUND-NAT from zone Inside
set security nat source rule-set OUTBOUND-NAT to zone Outside
set security nat source rule-set OUTBOUND-NAT rule SNAT-OUTSIDE-IF match source-address 10.10.10.0/24
set security nat source rule-set OUTBOUND-NAT rule SNAT-OUTSIDE-IF match source-address 20.20.20.0/24
set security nat source rule-set OUTBOUND-NAT rule SNAT-OUTSIDE-IF match destination-address 0.0.0.0/0
set security nat source rule-set OUTBOUND-NAT rule SNAT-OUTSIDE-IF then source-nat interface

All you need to add is a security policy allowing traffic from your internal ranges in the Inside zone to any address in the Outside zone.

If you want, you can even match on source-address 0.0.0.0/0 so that if you add more subnets in the future, you won't have to touch the SNAT-OUTSIDE-IF rule.

Ben
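The security policy that the reply says still has to be added, as an added example that is not part of Ben's post or the original thread. The address-book entries, the address-set name INSIDE-NETS and the policy name INSIDE-TO-OUTSIDE are illustrative choices made here; it assumes a zone-scoped address book (Junos releases that use the global address book take the same entries under `set security address-book global ...` instead), and that the zone and subnet names are exactly those from the question. The `show` commands at the end are the ones to run after `commit` to confirm the rule is hit and that sessions are being translated to the Outside interface address.

```junos
## Address objects for the two Inside subnets (names are this example's, not Ben's).
## Keeping the policy tied to these ranges means the security policy, not the NAT
## rule, is what limits which hosts may reach the Outside zone.
set security zones security-zone Inside address-book address NET-10-10-10-0 10.10.10.0/24
set security zones security-zone Inside address-book address NET-20-20-20-0 20.20.20.0/24
set security zones security-zone Inside address-book address-set INSIDE-NETS address NET-10-10-10-0
set security zones security-zone Inside address-book address-set INSIDE-NETS address NET-20-20-20-0

## Permit policy from Inside to Outside for those ranges only. Return traffic for
## the NATed sessions is matched by the flow session table, so no Outside -> Inside
## policy is needed for it. Logging on session close gives you the translated
## address per session, which is the easiest way to see interface NAT working.
set security policies from-zone Inside to-zone Outside policy INSIDE-TO-OUTSIDE match source-address INSIDE-NETS
set security policies from-zone Inside to-zone Outside policy INSIDE-TO-OUTSIDE match destination-address any
set security policies from-zone Inside to-zone Outside policy INSIDE-TO-OUTSIDE match application any
set security policies from-zone Inside to-zone Outside policy INSIDE-TO-OUTSIDE then permit
set security policies from-zone Inside to-zone Outside policy INSIDE-TO-OUTSIDE then log session-close

## Ben's "match on 0.0.0.0/0" variant of the NAT rule: the rule-set is still scoped
## by from-zone Inside / to-zone Outside, so this does not NAT traffic between
## other zone pairs; it only stops you editing the rule when subnets are added.
## Use this in place of the two per-subnet match lines from the reply.
set security nat source rule-set OUTBOUND-NAT rule SNAT-OUTSIDE-IF match source-address 0.0.0.0/0

## Validate and apply.
commit check
commit

## Operational checks after commit (run in operational mode):
##   show security nat source rule all
##     - "Translation hits" for SNAT-OUTSIDE-IF should increase as Inside hosts
##       send traffic toward Outside.
##   show security nat source summary
##   show security policies from-zone Inside to-zone Outside
##   show security flow session source-prefix 10.10.10.0/24
##     - the "Out" leg of each session shows the Outside interface address as
##       the source, which confirms interface NAT (PAT) is being applied.
```

Two points worth keeping in mind while you test this: NAT is applied only to sessions the security policy has already permitted, so a missing or mis-ordered policy shows up as dropped traffic rather than as a NAT failure, and `source-nat interface` uses the primary address of whichever interface the session egresses on within the Outside zone, so if that interface carries several addresses, check which one appears in the session table.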

