[j-nsp] SRX240 Source Natting

[Spam]

Thanks for the info, I can get NAT working when using the ext interface/ip
as the egress type, but when I try to use a Nat pool with the same address 
range as the 
interface IP, it doesn't work.

Ext. Interface IP is: 59.1.1.1/24  and Nat Pool using 59.1.1.5/24 to 
59.1.1.6/24
Have also tried 59.1.1.5/32 to 59.1.1.6/32 which also doesn't work.

Spammy

-----Original Message-----
From: Ben Dale <bdale at comlinx.com.au>
To: spam-me at fioseurope.net
Cc: "juniper-nsp at puck.nether.net" <juniper-nsp at puck.nether.net>
Date: Thu, 27 Sep 2012 09:05:28 +1000
Subject: Re: [j-nsp] SRX240 Source Natting



On 27/09/2012, at 6:51 AM, Spam <spam-me at fioseurope.net> wrote:

> Hey All,
> Here's another SRX issue I'm having and need help on..
> My SRX is connected on 3 Ports. Each in its own Security Domain and 
subnet.
> Sec-Domain: Inside
> Subnet1: 10.10.10.0/24
> Subnet2: 20.20.20.0/24
> Sec-Domain: Outside
> Subnet: 59.xx.xx.xx/24  (Publicly Routed Addresses)
> Sec-Domain: ISP
> Subnet: 213.x.x.x/29 (Internet Uplink to ISP)

If I follow correctly, you only want to NAT the Inside Zone to the interface 
address on the Outside zone?

set security nat source rule-set OUTBOUND-NAT from zone Inside
set security nat source rule-set OUTBOUND-NAT to zone Outside
set security nat source rule-set OUTBOUND-NAT rule SNAT-OUTSIDE-IF match 
source-address 10.10.10.0/24
set security nat source rule-set OUTBOUND-NAT rule SNAT-OUTSIDE-IF match 
source-address 20.20.20.0/24
set security nat source rule-set OUTBOUND-NAT rule SNAT-OUTSIDE-IF match 
destination-address 0.0.0.0/0
set security nat source rule-set OUTBOUND-NAT rule SNAT-OUTSIDE-IF then 
source-nat interface

All you need to add is a security policy allowing traffic from your internal 
ranges in the Inside zone to any address in the Outside zone.

If you want, you can even match on source-address 0.0.0.0/0 so that if you 
add more subnets in the future, you won't have to touch the SNAT-OUTSIDE-IF 
rule.

Ben