[j-nsp] NAT & routing instances

Per Westerlund p1 at westerlund.se
Fri Jan 27 08:39:44 EST 2017


That should be enough. Forward traffic destination is resolved in the target RI, and the return traffic egress interface is determined by the session set up by the first packet. Note that the security policies should match on post-NAT zones/addresses. 

/Per

> 27 jan. 2017 kl. 09:52 skrev Brian Spade <bitkraft at gmail.com>:
> 
> Hey juniper friends,
> 
> I have a few ISP links connected to an SRX.  The ISP interfaces are in the
> UNTRUST zone and routing instance.  I want to set up some static NATs to LAN
> side devices that reside in the master routing instance and also the DMZ
> routing instance.  There is no leaking down between the master and DMZ
> routing instances to the UNTRUST routing instance, except for the UNTRUST
> leaking a 0/0 route.
> 
> Can I just use the 'routing-instance' option to allow a packet that
> ingresses the untrust to reach a host in the DMZ routing instance?  Does
> this just work, or do I still need to leak routes from DMZ to UNTRUST?
> 
> rule-set STATIC-NAT {
>    from zone UNTRUST;
>    rule STATIC-NAT {
>        match {
>            destination-address-name STATIC-NAT-EXT-1;
>            destination-port 443;
>        }
>        then {
>            static-nat {
>                prefix-name {
>                    STATIC-NAT-INT-1;
>                    mapped-port 4443;
>                    routing-instance DMZ;  <----- THIS
>                }
>            }
>        }
>    }
> }
> 
> Thanks!
> /bs
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
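A worked configuration illustrating Per's answer, added here and not from the original thread: the static NAT rule from the question in set form, plus the security policy written against the post-NAT zone, address and port. The addresses, interface name, application name and policy name are constructed assumptions.

```junos
## Routing instances as described in the question (DMZ holds the inside host's interface,
## UNTRUST holds the ISP links); interface names are assumed.
set routing-instances DMZ instance-type virtual-router
set routing-instances DMZ interface ge-0/0/2.0
set routing-instances UNTRUST instance-type virtual-router
set routing-instances UNTRUST interface ge-0/0/0.0

## Address objects (constructed sample values).
set security address-book global address STATIC-NAT-EXT-1 198.51.100.10/32
set security address-book global address STATIC-NAT-INT-1 10.20.0.10/32

## Static NAT rule from the question: UNTRUST ingress, pre-NAT match on the public
## address/port, translation to the inside host, with the route lookup for the
## translated destination done in the DMZ routing instance.
set security nat static rule-set STATIC-NAT from zone UNTRUST
set security nat static rule-set STATIC-NAT rule STATIC-NAT match destination-address-name STATIC-NAT-EXT-1
set security nat static rule-set STATIC-NAT rule STATIC-NAT match destination-port 443
set security nat static rule-set STATIC-NAT rule STATIC-NAT then static-nat prefix-name STATIC-NAT-INT-1
set security nat static rule-set STATIC-NAT rule STATIC-NAT then static-nat prefix-name mapped-port 4443
set security nat static rule-set STATIC-NAT rule STATIC-NAT then static-nat prefix-name routing-instance DMZ

## Security policy evaluated after NAT: to-zone is the zone of the DMZ interface,
## destination address is the inside (translated) address, and the application
## uses the mapped port 4443, not the public port 443.
set applications application TCP-4443 protocol tcp
set applications application TCP-4443 destination-port 4443
set security policies from-zone UNTRUST to-zone DMZ policy ALLOW-STATIC-NAT-1 match source-address any
set security policies from-zone UNTRUST to-zone DMZ policy ALLOW-STATIC-NAT-1 match destination-address STATIC-NAT-INT-1
set security policies from-zone UNTRUST to-zone DMZ policy ALLOW-STATIC-NAT-1 match application TCP-4443
set security policies from-zone UNTRUST to-zone DMZ policy ALLOW-STATIC-NAT-1 then permit
set security policies from-zone UNTRUST to-zone DMZ policy ALLOW-STATIC-NAT-1 then log session-init
set security policies from-zone UNTRUST to-zone DMZ policy ALLOW-STATIC-NAT-1 then log session-close
```

To confirm the behaviour Per describes, `show security flow session destination-port 4443` should show the inbound wing arriving on the UNTRUST interface and the outbound wing leaving via the DMZ interface for the same session, with no DMZ-to-UNTRUST route leaking required.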
