[j-nsp] NAT & routing instances

Fri Jan 27 03:52:03 EST 2017

Hey juniper friends,

I have a few ISP links connected to an SRX.  The ISP interfaces are in the
UNTRUST zone and routing instance.  I want to setup some static NATs to LAN
side devices that reside in the master routing instance and also the DMZ
routing instance.  There is no leaking down between the master and DMZ
routing instances to the UNTRUST routing instance, except for the UNTRUST
leaking a 0/0 route.

Can I just use the 'routing-instance' option to allow a packet that
ingresses the untrust to reach a host in the DMZ routing instance?  Does
this just work, or do I still need to leak routes from DMZ to UNTRUST?

rule-set STATIC-NAT {
    from zone UNTRUST;
    rule STATIC-NAT {
        match {
            destination-address-name STATIC-NAT-EXT-1;
            destination-port 443;
        }
        then {
            static-nat {
                prefix-name {
                    STATIC-NAT-INT-1;
                    mapped-port 4443;
                    routing-instance DMZ;  <----- THIS
                }
            }
        }
    }
}

Thanks!
/bs