Accessing a Static NAT from inside your network

Article ID: KB17448  KB Last Updated: 05 Mar 2017  Version: 2.0
Summary:
When accessing a static NAT address from inside your network, the connection does not work unless the device is configured for it.
Symptoms:
The goal is to be able to access the static NAT from inside your trusted network. By default it can be reached inbound but not from inside.
Solution:
Topology:

The egress interface is fe-2/0/0, which is in the untrust zone; the external address is 10.8.24.195.
The ingress interface is ge-0/0/0, which is in the trust zone; the internal address is 10.3.1.135, which is the Exchange server in this example.
10.8.24.195
    |
   \|/
fe-2/0/0
    |
    |NAT through the SRX or J-Series device
ge-0/0/0 is 10.3.1.1
    |
inside the trust zone is the exchange server at 10.3.1.135



A node inside the network that connects to 10.8.24.195 has to go through the SRX or J-Series device to reach the static NAT that points to 10.3.1.135. If the SRX or J-Series device is not configured for this, the NAT will not work for internal users.
You must do the following:
1) edit security nat static
  (Create your source NAT for interzone, the static NAT, and the proxy ARP entry)
    nat {
        source {
            /* existing outbound rule-set; its rules are not shown in this article */
            rule-set out {
                from zone trust;
                to zone untrust;
            }
            /* create a source rule from zone to zone */
            rule-set trust_to_trust {
                from zone trust;
                to zone trust;
                rule exchange {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        /* create a static NAT under security nat */
        static {
            rule-set inboundmail {
                /* add the external as well as the internal interface */
                from interface [ ge-0/0/0.0 fe-0/0/2.0 ];
                rule exchange {
                    match {
                        destination-address 10.8.24.195/32;
                    }
                    then {
                        static-nat prefix 10.3.1.135/32;
                    }
                }
            }
        }
        /* remember to set your proxy ARP for the static NAT that you created */
        proxy-arp {
            interface fe-0/0/2.0 {
                address {
                    10.8.24.195/32;
                }
            }
        }
    }


(Create your policies for inbound NAT and for the internal zone under security policies)
    policies {
        /* here is your inbound policy */
        from-zone untrust to-zone trust {
            policy inbound {
                match {
                    source-address any;
                    destination-address exchange;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* create an intra-zone policy from trust to trust for the internal zone */
        from-zone trust to-zone trust {
            policy inbound {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
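
A narrower form of the trust-to-trust policy above, as an added example that is not part of the original article: it permits hairpinned traffic only to the exchange server rather than to any destination and any application. It assumes that exchange is a trust-zone address-book entry for 10.3.1.135/32 (the article uses the name without defining it) and that SMTP is the service being published; the policy name hairpin-to-exchange is hypothetical.

```junos
security {
    zones {
        security-zone trust {
            address-book {
                /* assumption: the entry that the article's inbound policy refers to */
                address exchange 10.3.1.135/32;
            }
        }
    }
    policies {
        from-zone trust to-zone trust {
            /* hypothetical policy name */
            policy hairpin-to-exchange {
                match {
                    source-address any;
                    /* policy lookup sees the destination after static NAT, so match the internal address */
                    destination-address exchange;
                    /* assumption: SMTP is the published service; list the applications actually in use */
                    application junos-smtp;
                }
                then {
                    permit;
                }
            }
        }
    }
}
```

With this in place of the any/any/any policy, other trust-to-trust traffic that crosses the device needs its own policies.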
