[j-nsp] NAT on SRX with routed IP range

Jonathan Call lordsith49 at hotmail.com
Wed Feb 4 16:08:25 EST 2015 

I added a proxy-arp enty:
source {rule-set my-lab-internal {from zone lab-internal;to zone untrust;rule my-lab-inet {match {source-address192.168.2.0/26;}then {source-nat {interface;}}}}}destination {pool lab-plasma {address 192.168.2.2/32 port 8080;}rule-set lab-nats {from zone untrust;rule lab-plasma-1 {match {destination-address 4.5.32.16/32;destination-port 8080;} then {destination-nat pool lab-plasma;}}}}proxy-arp {interface reth0.0 {address {4.5.32.16/32;}}}
The translation hit counter from 'show security nat destination rule all' does not increment so I'm still not hitting the NAT rule. I have the appropriate security policy rules between the untrust and lab-internal zones to allow 8080 inbound and anything outbound.
JonathanDate: Wed, 4 Feb 2015 11:45:26 -0800
Subject: Re: [j-nsp] NAT on SRX with routed IP range
From: tyler at adap.tv
To: lordsith49 at hotmail.com
CC: juniper-nsp at puck.nether.net

We use routed ranges to NAT a few hosts.  The key for us was configuring proxy-arp on the untrust interface for the IPs.
On Wed, Feb 4, 2015 at 11:24 AM, Jonathan Call <lordsith49 at hotmail.com> wrote:
I've seen plenty of examples of a static NAT where the SRX has a public IP range on the untrusted interface. I have not found a good one for when the SRX has an IP range routed to it.

SRX Public IP: 4.5.6.60/30Routed IP range (via the public interface) 4.5.32.16/28Trusted zone: 192.168.2.1/26

show configuration security nat (hopefully this will display properly)

source {    rule-set my-lab-internal {        from zone lab-internal;        to zone untrust;        rule my-lab-inet {            match {                source-address 192.168.2.0/26;            }            then {                source-nat {                    interface;                }            }        }    }}destination {    pool lab-plasma {        address 192.168.2.2/32 port 8080;    }    rule-set lab-nats {        from zone untrust;        rule lab-plasma-1 {            match {                destination-address 4.5.32.16/32;                destination-port 8080;            }            then {                destination-nat pool lab-plasma;            }        }    }}

The result of this configuration is that no NAT occurs. But if I change the destination-address to the SRX's external IP (4.5.6.60) it works just fine.

Jonathan

_______________________________________________

juniper-nsp mailing list juniper-nsp at puck.nether.net

https://puck.nether.net/mailman/listinfo/juniper-nsp

More information about the juniper-nsp mailing list