[j-nsp] NAT on SRX with routed IP range
Tyler Christiansen
tyler at adap.tv
Wed Feb 4 14:45:26 EST 2015
We use routed ranges to NAT a few hosts. The key for us was configuring
proxy-arp on the untrust interface for the IPs.
On Wed, Feb 4, 2015 at 11:24 AM, Jonathan Call <lordsith49 at hotmail.com>
wrote:
> I've seen plenty of examples of a static NAT where the SRX has a public IP
> range on the untrusted interface. I have not found a good one for when the
> SRX has an IP range routed to it.
> SRX Public IP: 4.5.6.60/30
> Routed IP range (via the public interface) 4.5.32.16/28
> Trusted zone: 192.168.2.1/26
>
> show configuration security nat (hopefully this will display properly)
>
> source {
>     rule-set my-lab-internal {
>         from zone lab-internal;
>         to zone untrust;
>         rule my-lab-inet {
>             match {
>                 source-address 192.168.2.0/26;
>             }
>             then {
>                 source-nat {
>                     interface;
>                 }
>             }
>         }
>     }
> }
> destination {
>     pool lab-plasma {
>         address 192.168.2.2/32 port 8080;
>     }
>     rule-set lab-nats {
>         from zone untrust;
>         rule lab-plasma-1 {
>             match {
>                 destination-address 4.5.32.16/32;
>                 destination-port 8080;
>             }
>             then {
>                 destination-nat pool lab-plasma;
>             }
>         }
>     }
> }
>
> The result of this configuration is that no NAT occurs. But if I change
> the destination-address to the SRX's external IP (4.5.6.60) it works just
> fine.
> Jonathan