[j-nsp] NAT & routing instances
Brian Spade
bitkraft at gmail.com
Fri Jan 27 13:55:48 EST 2017
Perfect, thanks! I plan to test it next week, but it is great to hear that my
understanding is correct. Unfortunately the Juniper SRX documentation is
very sparse on how this exactly works.
Best,
/
On Fri, Jan 27, 2017 at 5:39 AM, Per Westerlund <p1 at westerlund.se> wrote:
> That should be enough. Forward traffic destination is resolved in the
> target RI, and the return traffic egress interface is determined by the
> session set up by the first packet. Note that the security policies should
> match on post-NAT zones/addresses.
>
> /Per
>
> > 27 jan. 2017 kl. 09:52 skrev Brian Spade <bitkraft at gmail.com>:
> >
> > Hey juniper friends,
> >
> > I have a few ISP links connected to an SRX. The ISP interfaces are in the
> > UNTRUST zone and routing instance. I want to set up some static NATs to LAN
> > side devices that reside in the master routing instance and also the DMZ
> > routing instance. There is no leaking down between the master and DMZ
> > routing instances to the UNTRUST routing instance, except for the UNTRUST
> > leaking a 0/0 route.
> >
> > Can I just use the 'routing-instance' option to allow a packet that
> > ingresses the untrust to reach a host in the DMZ routing instance? Does
> > this just work, or do I still need to leak routes from DMZ to UNTRUST?
> >
> > rule-set STATIC-NAT {
> >     from zone UNTRUST;
> >     rule STATIC-NAT {
> >         match {
> >             destination-address-name STATIC-NAT-EXT-1;
> >             destination-port 443;
> >         }
> >         then {
> >             static-nat {
> >                 prefix-name {
> >                     STATIC-NAT-INT-1;
> >                     mapped-port 4443;
> >                     routing-instance DMZ;    <----- THIS
> >                 }
> >             }
> >         }
> >     }
> > }
> >
> > Thanks!
> > /bs
> > _______________________________________________
> > juniper-nsp mailing list juniper-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/juniper-nsp
>
>
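As an added illustration of Per's caveat (example configuration, not from the thread, and not tested on an SRX here): Brian's static NAT rule needs a companion security policy from UNTRUST to the DMZ zone whose match terms use the post-NAT destination address and the mapped port 4443, not the public address and port 443. It assumes the address-book entries STATIC-NAT-EXT-1 and STATIC-NAT-INT-1 already exist, that a zone named DMZ holds the interface living in routing instance DMZ, and the policy and application names are placeholders.

```junos
security {
    nat {
        static {
            /* route lookup for STATIC-NAT-INT-1 is done in routing instance DMZ */
            rule-set STATIC-NAT {
                from zone UNTRUST;
                rule STATIC-NAT {
                    match {
                        destination-address-name STATIC-NAT-EXT-1;
                        destination-port 443;
                    }
                    then {
                        static-nat {
                            prefix-name {
                                STATIC-NAT-INT-1;
                                mapped-port 4443;
                                routing-instance DMZ;
                            }
                        }
                    }
                }
            }
        }
    }
    policies {
        /* policy lookup happens after NAT: match the DMZ zone, the internal address and port 4443 */
        from-zone UNTRUST to-zone DMZ {
            policy ALLOW-HTTPS-TO-DMZ-HOST {
                match {
                    source-address any;
                    destination-address STATIC-NAT-INT-1;
                    application TCP-4443;
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
        }
    }
}
applications {
    /* custom application for the mapped (post-NAT) port */
    application TCP-4443 {
        protocol tcp;
        destination-port 4443;
    }
}
```

After a test connection, `show security flow session destination-port 4443` should show the session with the translated destination, which confirms the NAT and policy were applied in the expected order.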