[j-nsp] Destination NAT

Per Westerlund p1 at westerlund.se
Thu Nov 28 05:04:23 EST 2013


No, those source NAT rules should have no effect on your problem. When the inbound traffic matches (hopefully) the requirements, a complete flow is set up. The return traffic automatically gets the proper NAT handling to match the inbound traffic. The outbound traffic will use source NAT that matches the inbound destination NAT.

The source NAT rules you showed only affect traffic initiated from the trust zone, exiting to the untrust zone.

Your problem is unfortunately somewhere else.

Do you get a session set up at all (could be a problem at the target host)?

	show security flow session destination-prefix 24.173.164.162/32 destination-port 3333

It can be helpful to trace the flow setup to see if there is any traffic at all, and where it fails.

/Per

On 28 Nov 2013, at 10:53, Mohammad Khalil <eng.mssk at gmail.com> wrote:

> Yes, it's in place with no luck
> set security nat source rule-set trust-to-untrust from zone trust
> set security nat source rule-set trust-to-untrust to zone untrust
> set security nat source rule-set trust-to-untrust rule nonat match source-address 132.147.160.0/24
> set security nat source rule-set trust-to-untrust rule nonat match destination-address 132.150.160.0/24
> set security nat source rule-set trust-to-untrust rule nonat then source-nat off
> set security nat source rule-set trust-to-untrust rule nonat2 match source-address 132.147.160.0/24
> set security nat source rule-set trust-to-untrust rule nonat2 match destination-address 10.6.1.0/24
> set security nat source rule-set trust-to-untrust rule nonat2 then source-nat off
> set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
> set security nat source rule-set trust-to-untrust rule source-nat-rule match destination-address 0.0.0.0/0
> set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
> 
> Does the above configuration affect what I am doing? I am not that expert in SRX
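For reference, an added example (not from either poster) of what a minimal destination NAT setup for the inbound service discussed in this thread looks like on an SRX, together with the session check Per suggests and the flow trace he refers to. The public address 24.173.164.162 and port 3333 are taken from the thread; the internal host 10.6.1.50, the untrust interface ge-0/0/0.0, and all pool, rule, policy, address-book and log-file names are assumptions made for the example.

```junos
# Added example, not configuration from the thread. Assumed: the server
# sits at 10.6.1.50 in zone trust, the untrust interface is ge-0/0/0.0.

# 1. Translate untrust-side 24.173.164.162:3333 to the internal host.
set security nat destination pool dnat-3333 address 10.6.1.50/32 port 3333
set security nat destination rule-set untrust-to-trust from zone untrust
set security nat destination rule-set untrust-to-trust rule dnat-3333 match destination-address 24.173.164.162/32
set security nat destination rule-set untrust-to-trust rule dnat-3333 match destination-port 3333
set security nat destination rule-set untrust-to-trust rule dnat-3333 then destination-nat pool dnat-3333

# 2. Destination NAT is applied before the policy lookup, so the policy
#    must match the post-NAT (private) address, not 24.173.164.162.
set security address-book global address srv-3333 10.6.1.50/32
set security policies from-zone untrust to-zone trust policy allow-3333 match source-address any
set security policies from-zone untrust to-zone trust policy allow-3333 match destination-address srv-3333
set security policies from-zone untrust to-zone trust policy allow-3333 match application any
set security policies from-zone untrust to-zone trust policy allow-3333 then permit

# 3. Only needed if 24.173.164.162 is not an address configured on the
#    untrust interface itself: let the SRX answer ARP for it.
set security nat proxy-arp interface ge-0/0/0.0 address 24.173.164.162

# 4. Verify: is a session created, and did the destination NAT rule hit?
run show security flow session destination-prefix 24.173.164.162/32 destination-port 3333
run show security nat destination rule dnat-3333

# 5. If no session appears, trace flow setup for just this traffic.
#    Remove the traceoptions again once done; basic-datapath is verbose.
set security flow traceoptions file flow-dnat.log size 5m files 3
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter dnat-in destination-prefix 24.173.164.162/32
set security flow traceoptions packet-filter dnat-in destination-port 3333
commit
run show log flow-dnat.log | match "dnat|policy|denied"
```

The most common reasons for "no session" with this kind of setup are the policy still referencing the public address in step 2, and a missing proxy-arp entry in step 3 when the NAT address is not the interface address; the trace in step 5 shows which one applies, since the log records the NAT lookup and the policy decision separately.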


