[j-nsp] NAT on SRX with routed IP range
Jonathan Call
lordsith49 at hotmail.com
Wed Feb 4 16:08:25 EST 2015
I added a proxy-arp enty:
source {rule-set my-lab-internal {from zone lab-internal;to zone untrust;rule my-lab-inet {match {source-address192.168.2.0/26;}then {source-nat {interface;}}}}}destination {pool lab-plasma {address 192.168.2.2/32 port 8080;}rule-set lab-nats {from zone untrust;rule lab-plasma-1 {match {destination-address 4.5.32.16/32;destination-port 8080;} then {destination-nat pool lab-plasma;}}}}proxy-arp {interface reth0.0 {address {4.5.32.16/32;}}}
The translation hit counter from 'show security nat destination rule all' does not increment so I'm still not hitting the NAT rule. I have the appropriate security policy rules between the untrust and lab-internal zones to allow 8080 inbound and anything outbound.
JonathanDate: Wed, 4 Feb 2015 11:45:26 -0800
Subject: Re: [j-nsp] NAT on SRX with routed IP range
From: tyler at adap.tv
To: lordsith49 at hotmail.com
CC: juniper-nsp at puck.nether.net
We use routed ranges to NAT a few hosts. The key for us was configuring proxy-arp on the untrust interface for the IPs.
On Wed, Feb 4, 2015 at 11:24 AM, Jonathan Call <lordsith49 at hotmail.com> wrote:
I've seen plenty of examples of a static NAT where the SRX has a public IP range on the untrusted interface. I have not found a good one for when the SRX has an IP range routed to it.
SRX Public IP: 4.5.6.60/30Routed IP range (via the public interface) 4.5.32.16/28Trusted zone: 192.168.2.1/26
show configuration security nat (hopefully this will display properly)
source { rule-set my-lab-internal { from zone lab-internal; to zone untrust; rule my-lab-inet { match { source-address 192.168.2.0/26; } then { source-nat { interface; } } } }}destination { pool lab-plasma { address 192.168.2.2/32 port 8080; } rule-set lab-nats { from zone untrust; rule lab-plasma-1 { match { destination-address 4.5.32.16/32; destination-port 8080; } then { destination-nat pool lab-plasma; } } }}
The result of this configuration is that no NAT occurs. But if I change the destination-address to the SRX's external IP (4.5.6.60) it works just fine.
Jonathan
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
More information about the juniper-nsp
mailing list