[j-nsp] SRX240 Source Natting

Paulhamus, Jon jpaulhamus at IU17.ORG
Fri Sep 28 20:09:47 EDT 2012


Sounds like you're missing proxy-ARP entries for these addresses on your outside interface.


Such as:


set security nat proxy-arp interface ge-0/0/0.0 address 59.1.1.5/32
set security nat proxy-arp interface ge-0/0/0.0 address 59.1.1.6/32


Jon Paulhamus [CCNP, JNCIP-ENT, MCSE]
Assistant Director of Technology
BLaST IU#17


visit us at http://www.iu17.org/

________________________________________
From: Spam [spam-me at fioseurope.net]
Sent: Friday, September 28, 2012 4:58 AM
To: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] SRX240 Source Natting

Thanks for the info, I can get NAT working when using the ext interface/IP
as the egress type, but when I try to use a NAT pool with the same address
range as the interface IP, it doesn't work.

Ext. interface IP is: 59.1.1.1/24 and NAT pool using 59.1.1.5/24 to
59.1.1.6/24
Have also tried 59.1.1.5/32 to 59.1.1.6/32, which also doesn't work.

Spammy

-----Original Message-----
From: Ben Dale <bdale at comlinx.com.au>
To: spam-me at fioseurope.net
Cc: "juniper-nsp at puck.nether.net" <juniper-nsp at puck.nether.net>
Date: Thu, 27 Sep 2012 09:05:28 +1000
Subject: Re: [j-nsp] SRX240 Source Natting



On 27/09/2012, at 6:51 AM, Spam <spam-me at fioseurope.net> wrote:

> Hey All,
> Here's another SRX issue I'm having and need help on..
> My SRX is connected on 3 Ports. Each in its own Security Domain and subnet.
> Sec-Domain: Inside
> Subnet1: 10.10.10.0/24
> Subnet2: 20.20.20.0/24
> Sec-Domain: Outside
> Subnet: 59.xx.xx.xx/24  (Publicly Routed Addresses)
> Sec-Domain: ISP
> Subnet: 213.x.x.x/29 (Internet Uplink to ISP)

If I follow correctly, you only want to NAT the Inside Zone to the interface
address on the Outside zone?

set security nat source rule-set OUTBOUND-NAT from zone Inside
set security nat source rule-set OUTBOUND-NAT to zone Outside
set security nat source rule-set OUTBOUND-NAT rule SNAT-OUTSIDE-IF match source-address 10.10.10.0/24
set security nat source rule-set OUTBOUND-NAT rule SNAT-OUTSIDE-IF match source-address 20.20.20.0/24
set security nat source rule-set OUTBOUND-NAT rule SNAT-OUTSIDE-IF match destination-address 0.0.0.0/0
set security nat source rule-set OUTBOUND-NAT rule SNAT-OUTSIDE-IF then source-nat interface

All you need to add is a security policy allowing traffic from your internal
ranges in the Inside zone to any address in the Outside zone.

If you want, you can even match on source-address 0.0.0.0/0 so that if you
add more subnets in the future, you won't have to touch the SNAT-OUTSIDE-IF
rule.

Ben
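The two fixes in this thread (Ben's interface-NAT rule set, and Jon's proxy-ARP entries for the pool addresses) come down to one check: a source-NAT pool address that sits inside the egress interface's subnet, and is not the interface's own address, needs a proxy-ARP entry on that interface, otherwise the upstream router's ARP request for the translated address goes unanswered and return traffic never reaches the SRX. Interface NAT works without it because the interface already answers ARP for its own address, and pool addresses outside the on-link subnet are reached by a route rather than by ARP. The script below is an added example, not code from the thread or from Junos: a small lint over set-style Junos config that reports pool addresses with that gap and prints the proxy-arp lines to add. The interface names, the pool name SNAT-POOL and the sample config lines are constructed for the example (the addresses are the ones from the thread).

```python
"""Lint a Junos 'set'-style SRX config for source-NAT pool addresses that
lie on an egress interface's subnet but have no proxy-ARP entry there."""
import ipaddress
import re
from collections import defaultdict

# Junos set-command shapes this lint understands.
POOL_RE = re.compile(
    r"^set security nat source pool (\S+) address (\S+)(?: to (\S+))?$")
IFACE_RE = re.compile(
    r"^set interfaces (\S+) unit (\d+) family inet address (\S+)$")
PROXY_RE = re.compile(
    r"^set security nat proxy-arp interface (\S+) address (\S+)(?: to (\S+))?$")


def _hosts(start, end=None):
    """Expand 'A' or 'A to B' into host addresses. The prefix length written
    on a pool member (/24 or /32 in the thread) is ignored on purpose: the
    members are individual hosts, which is why both spellings behaved alike."""
    first = ipaddress.ip_interface(start).ip
    last = ipaddress.ip_interface(end).ip if end else first
    return [ipaddress.ip_address(i) for i in range(int(first), int(last) + 1)]


def parse(config_text):
    """Collect pools, interface units (as 'ge-0/0/0.0') and proxy-ARP entries."""
    pools = defaultdict(list)   # pool name -> [IPv4Address, ...]
    ifaces = {}                 # unit name -> IPv4Interface
    proxy = defaultdict(set)    # unit name -> {IPv4Address, ...}
    for line in config_text.splitlines():
        line = line.strip()
        if m := POOL_RE.match(line):
            pools[m[1]].extend(_hosts(m[2], m[3]))
        elif m := IFACE_RE.match(line):
            ifaces[f"{m[1]}.{m[2]}"] = ipaddress.ip_interface(m[3])
        elif m := PROXY_RE.match(line):
            proxy[m[1]].update(_hosts(m[2], m[3]))
    return pools, ifaces, proxy


def missing_proxy_arp(config_text):
    """Return sorted (pool, address, interface-unit) tuples for every pool
    address that is on-link for an interface, is not that interface's own
    address, and has no proxy-ARP entry there."""
    pools, ifaces, proxy = parse(config_text)
    findings = []
    for pool, addrs in pools.items():
        for addr in addrs:
            for unit, ifaddr in ifaces.items():
                if addr == ifaddr.ip:
                    continue  # the interface answers ARP for itself already
                if addr in ifaddr.network and addr not in proxy[unit]:
                    findings.append((pool, str(addr), unit))
    return sorted(findings)


def proxy_arp_fix(findings):
    """Render the set commands that close each reported gap."""
    return [f"set security nat proxy-arp interface {unit} address {addr}/32"
            for _pool, addr, unit in findings]


# Constructed sample: the poster's outside interface and pool, with only the
# first pool member covered by proxy-ARP.
BROKEN_CONFIG = """
set interfaces ge-0/0/0 unit 0 family inet address 59.1.1.1/24
set interfaces ge-0/0/1 unit 0 family inet address 10.10.10.1/24
set security nat source pool SNAT-POOL address 59.1.1.5/32 to 59.1.1.6/32
set security nat proxy-arp interface ge-0/0/0.0 address 59.1.1.5/32
"""

FIXED_CONFIG = BROKEN_CONFIG + \
    "set security nat proxy-arp interface ge-0/0/0.0 address 59.1.1.6/32\n"

if __name__ == "__main__":
    for line in proxy_arp_fix(missing_proxy_arp(BROKEN_CONFIG)):
        print(line)
```

Feed it the output of `show configuration | display set` from the SRX. After committing the proxy-arp lines, confirm translations are actually using the pool with `show security nat source pool all` and `show security nat source rule all` (the hit counters should climb as Inside hosts send traffic), and check from an Outside-zone host that the pool addresses now answer ARP.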
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp