[j-nsp] SRX240 Source Natting
Spam
spam-me at fioseurope.net
Fri Sep 28 04:58:21 EDT 2012
Thanks for the info, I can get NAT working when using the ext interface/ip as the egress type, but when I try to use a Nat pool with the same address range as the interface IP, it doesn't work.
Ext. Interface IP is: 59.1.1.1/24 and Nat Pool using 59.1.1.5/24 to 59.1.1.6/24
Have also tried 59.1.1.5/32 to 59.1.1.6/32 which also doesn't work.
Spammy
-----Original Message-----
From: Ben Dale <bdale at comlinx.com.au>
To: spam-me at fioseurope.net
Cc: "juniper-nsp at puck.nether.net" <juniper-nsp at puck.nether.net>
Date: Thu, 27 Sep 2012 09:05:28 +1000
Subject: Re: [j-nsp] SRX240 Source Natting
On 27/09/2012, at 6:51 AM, Spam <spam-me at fioseurope.net> wrote:
> Hey All,
> Here's another SRX issue I'm having and need help on..
> My SRX is connected on 3 Ports. Each in its own Security Domain and subnet.
> Sec-Domain: Inside
> Subnet1: 10.10.10.0/24
> Subnet2: 20.20.20.0/24
> Sec-Domain: Outside
> Subnet: 59.xx.xx.xx/24 (Publicly Routed Addresses)
> Sec-Domain: ISP
> Subnet: 213.x.x.x/29 (Internet Uplink to ISP)
If I follow correctly, you only want to NAT the Inside Zone to the interface address on the Outside zone?
set security nat source rule-set OUTBOUND-NAT from zone Inside
set security nat source rule-set OUTBOUND-NAT to zone Outside
set security nat source rule-set OUTBOUND-NAT rule SNAT-OUTSIDE-IF match source-address 10.10.10.0/24
set security nat source rule-set OUTBOUND-NAT rule SNAT-OUTSIDE-IF match source-address 20.20.20.0/24
set security nat source rule-set OUTBOUND-NAT rule SNAT-OUTSIDE-IF match destination-address 0.0.0.0/0
set security nat source rule-set OUTBOUND-NAT rule SNAT-OUTSIDE-IF then source-nat interface
All you need to add is a security policy allowing traffic from your internal ranges in the Inside zone to any address in the Outside zone.
If you want, you can even match on source-address 0.0.0.0/0 so that if you add more subnets in the future, you won't have to touch the SNAT-OUTSIDE-IF rule.
Ben
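Added example, not posted by either participant: the same rule-set in pool form (the variant the follow-up reply asks about, using its 59.1.1.0/24 figures) together with the security policy Ben says is still required. The Outside interface name ge-0/0/0.0, the pool name and the policy/address-book names are assumptions.

```junos
## Added example; assumes the Outside zone interface is ge-0/0/0.0.
## Pool of two public addresses in the same subnet as the Outside interface (59.1.1.1/24).
set security nat source pool SNAT-POOL address 59.1.1.5/32 to 59.1.1.6/32
set security nat source rule-set OUTBOUND-NAT from zone Inside
set security nat source rule-set OUTBOUND-NAT to zone Outside
set security nat source rule-set OUTBOUND-NAT rule SNAT-POOL-RULE match source-address 10.10.10.0/24
set security nat source rule-set OUTBOUND-NAT rule SNAT-POOL-RULE match source-address 20.20.20.0/24
set security nat source rule-set OUTBOUND-NAT rule SNAT-POOL-RULE match destination-address 0.0.0.0/0
set security nat source rule-set OUTBOUND-NAT rule SNAT-POOL-RULE then source-nat pool SNAT-POOL
## Pool addresses are not configured on any interface, so the SRX must answer ARP for them
## on the egress interface; otherwise the upstream router never learns where return traffic goes.
set security nat proxy-arp interface ge-0/0/0.0 address 59.1.1.5/32 to 59.1.1.6/32
## Security policy: NAT only rewrites the session, it does not permit it.
## Matching the internal ranges (rather than any) keeps the permit scoped to known sources.
set security zones security-zone Inside address-book address NET-10 10.10.10.0/24
set security zones security-zone Inside address-book address NET-20 20.20.20.0/24
set security policies from-zone Inside to-zone Outside policy INSIDE-TO-OUTSIDE match source-address NET-10
set security policies from-zone Inside to-zone Outside policy INSIDE-TO-OUTSIDE match source-address NET-20
set security policies from-zone Inside to-zone Outside policy INSIDE-TO-OUTSIDE match destination-address any
set security policies from-zone Inside to-zone Outside policy INSIDE-TO-OUTSIDE match application any
set security policies from-zone Inside to-zone Outside policy INSIDE-TO-OUTSIDE then permit
## Verify after commit with: show security nat source rule all, show security nat source pool all,
## show security flow session (translated source should be 59.1.1.5 or 59.1.1.6).
```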