[j-nsp] NAT on SRX with routed IP range

Tyler Christiansen tyler at adap.tv
Wed Feb 4 16:52:00 EST 2015


Ah, sorry, I misunderstood.  We're using static NAT.  Here's a short
example.

> show configuration security nat static rule-set static-NATs
from zone untrust;
rule <name> {
    match {
        destination-address <external routed destination>;
        destination-port <external port>;
    }
    then {
        static-nat {
            prefix {
                <real host>;
                mapped-port <real port>;
            }
        }
    }
}




On Wed, Feb 4, 2015 at 1:08 PM, Jonathan Call <lordsith49 at hotmail.com>
wrote:

> I added a proxy-arp entry:
>
> source {
>     rule-set my-lab-internal {
>         from zone lab-internal;
>         to zone untrust;
>         rule my-lab-inet {
>             match {
>                 source-address 192.168.2.0/26;
>             }
>             then {
>                 source-nat {
>                     interface;
>                 }
>             }
>         }
>     }
> }
> destination {
>     pool lab-plasma {
>         address 192.168.2.2/32 port 8080;
>     }
>     rule-set lab-nats {
>         from zone untrust;
>         rule lab-plasma-1 {
>             match {
>                 destination-address 4.5.32.16/32;
>                 destination-port 8080;
>             }
>             then {
>                 destination-nat pool lab-plasma;
>             }
>         }
>     }
> }
> proxy-arp {
>     interface reth0.0 {
>         address {
>             4.5.32.16/32;
>         }
>     }
> }
>
> The translation hit counter from 'show security nat destination rule all'
> does not increment so I'm still not hitting the NAT rule. I have the
> appropriate security policy rules between the untrust and lab-internal
> zones to allow 8080 inbound and anything outbound.
>
> Jonathan
>
>
> ------------------------------
> Date: Wed, 4 Feb 2015 11:45:26 -0800
> Subject: Re: [j-nsp] NAT on SRX with routed IP range
> From: tyler at adap.tv
> To: lordsith49 at hotmail.com
> CC: juniper-nsp at puck.nether.net
>
>
> We use routed ranges to NAT a few hosts.  The key for us was configuring
> proxy-arp on the untrust interface for the IPs.
>
> On Wed, Feb 4, 2015 at 11:24 AM, Jonathan Call <lordsith49 at hotmail.com>
> wrote:
>
> I've seen plenty of examples of a static NAT where the SRX has a public IP
> range on the untrusted interface. I have not found a good one for when the
> SRX has an IP range routed to it.
> SRX Public IP: 4.5.6.60/30
> Routed IP range (via the public interface): 4.5.32.16/28
> Trusted zone: 192.168.2.1/26
> show configuration security nat (hopefully this will display properly)
> source {
>     rule-set my-lab-internal {
>         from zone lab-internal;
>         to zone untrust;
>         rule my-lab-inet {
>             match {
>                 source-address 192.168.2.0/26;
>             }
>             then {
>                 source-nat {
>                     interface;
>                 }
>             }
>         }
>     }
> }
> destination {
>     pool lab-plasma {
>         address 192.168.2.2/32 port 8080;
>     }
>     rule-set lab-nats {
>         from zone untrust;
>         rule lab-plasma-1 {
>             match {
>                 destination-address 4.5.32.16/32;
>                 destination-port 8080;
>             }
>             then {
>                 destination-nat pool lab-plasma;
>             }
>         }
>     }
> }
> The result of this configuration is that no NAT occurs. But if I change
> the destination-address to the SRX's external IP (4.5.6.60) it works just
> fine.
> Jonathan
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
>
>
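The point Tyler makes, that the NAT destination addresses need matching proxy-arp entries on the untrust interface, is easy to verify by hand on one rule and easy to miss on a box with dozens. The following Python script is an added example, not code from either poster or from Juniper: it parses `show configuration security nat` output with a small curly-brace parser, collects every `destination-address` under the `destination` and `static` NAT sections, and reports the ones that no `proxy-arp` address or `x to y` range on any interface covers. The sample configuration embedded below is constructed from the values in this thread (4.5.32.16/32, reth0.0, pool lab-plasma); the static rule for 4.5.32.17/32 and the rule name `lab-web` are made up to show the static case too. It assumes plain configuration text without comments, annotations or `inactive:` markers.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Set, Tuple

# A parsed Junos config: container statements map to a child dict,
# leaf statements (terminated by ';') map to None.
Node = Dict[str, Optional["Node"]]


def parse_junos(text: str) -> Node:
    """Parse curly-brace Junos configuration text into nested dicts.

    Assumption for this example: plain 'show configuration' output with no
    comments, '##' annotations or 'inactive:' markers.
    """
    tokens = re.findall(r"[{};]|[^\s{};]+", text)
    root: Node = {}
    stack: List[Node] = [root]
    words: List[str] = []
    for tok in tokens:
        if tok == "{":
            child: Node = {}
            stack[-1][" ".join(words)] = child
            stack.append(child)
            words = []
        elif tok == ";":
            stack[-1][" ".join(words)] = None
            words = []
        elif tok == "}":
            stack.pop()
        else:
            words.append(tok)
    if len(stack) != 1 or words:
        raise ValueError("unbalanced braces or unterminated statement")
    return root


def find_containers(node: Node, name: str):
    """Yield every container (at any depth) whose first word equals name."""
    for key, child in node.items():
        if child is None:
            continue
        if key.split()[0] == name:
            yield child
        yield from find_containers(child, name)


def nat_destination_addresses(nat: Node) -> Set[str]:
    """destination-address values matched by destination and static NAT rules."""
    addrs: Set[str] = set()
    for section in ("destination", "static"):
        for match in find_containers(nat.get(section) or {}, "match"):
            for key, child in match.items():
                if child is None and key.startswith("destination-address "):
                    addrs.add(key.split()[1])
    return addrs


def proxy_arp_entries(nat: Node) -> List[Tuple[str, ipaddress.IPv4Address, ipaddress.IPv4Address]]:
    """(interface, first, last) for each proxy-arp address or 'x to y' range."""
    entries = []
    for key, iface in (nat.get("proxy-arp") or {}).items():
        if iface is None or not key.startswith("interface "):
            continue
        for leaf in (iface.get("address") or {}):
            parts = leaf.split()
            net = ipaddress.ip_network(parts[0], strict=False)
            first, last = net[0], net[-1]
            if len(parts) == 3 and parts[1] == "to":   # "a/32 to b/32" range form
                last = ipaddress.ip_network(parts[2], strict=False)[-1]
            entries.append((key.split()[1], first, last))
    return entries


def missing_proxy_arp(config_text: str) -> List[str]:
    """NAT destination addresses that no proxy-arp entry on any interface covers."""
    nat = parse_junos(config_text)
    entries = proxy_arp_entries(nat)
    missing = []
    for addr in sorted(nat_destination_addresses(nat)):
        ip = ipaddress.ip_network(addr, strict=False)[0]
        if not any(first <= ip <= last for _, first, last in entries):
            missing.append(addr)
    return missing


# Constructed sample (values from the thread; the 4.5.32.17 static rule is made up).
NAT_RULES = """
destination {
    pool lab-plasma { address 192.168.2.2/32 port 8080; }
    rule-set lab-nats {
        from zone untrust;
        rule lab-plasma-1 {
            match { destination-address 4.5.32.16/32; destination-port 8080; }
            then { destination-nat pool lab-plasma; }
        }
    }
}
static {
    rule-set static-NATs {
        from zone untrust;
        rule lab-web {
            match { destination-address 4.5.32.17/32; }
            then { static-nat { prefix { 192.168.2.3/32; } } }
        }
    }
}
"""
PROXY_ARP_ONE = "proxy-arp { interface reth0.0 { address { 4.5.32.16/32; } } }"
PROXY_ARP_RANGE = ("proxy-arp { interface reth0.0 { address { "
                   "4.5.32.16/32 to 4.5.32.31/32; } } }")

if __name__ == "__main__":
    for label, cfg in (("no proxy-arp", NAT_RULES),
                       ("one /32", NAT_RULES + PROXY_ARP_ONE),
                       ("whole /28 range", NAT_RULES + PROXY_ARP_RANGE)):
        print(f"{label}: missing proxy-arp for {missing_proxy_arp(cfg) or 'nothing'}")
```

Run it against the saved output of `show configuration security nat` (the `destination`, `static` and `proxy-arp` blocks all live there, so one capture is enough). A clean report only confirms the condition Tyler names; Jonathan's follow-up shows the rule hit counter can still stay at zero after proxy-arp is in place, so treat an empty result as narrowing the search, not closing it.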

