[SRX] Source and Destination NAT at the same time


Article ID: KB22123 KB Last Updated: 16 Nov 2011Version: 1.0
Summary:
This article shows how to configure destination NAT and source NAT so that both translations are applied to the same connection on an SRX.
Symptoms:
Server[192.168.1.100:22]--------------[192.168.1.210] (SRX) [172.22.135.236]------------Client[Any_IP]

  • 172.22.135.240 is the IP address reserved for the destination NAT. It lies in the Untrust interface's subnet but is not configured on any interface, so the SRX must answer ARP for it (see the proxy-arp statement in the Solution).

  • 192.168.1.210 is the Trust Zone interface IP address:
    set interfaces fe-0/0/3 unit 0 family inet address 192.168.1.210/24
    set security zones security-zone trust interfaces fe-0/0/3.0
  • 172.22.135.236 is the Untrust Zone interface IP address:
    set interfaces ge-0/0/0 unit 0 family inet address 172.22.135.236/22
    set security zones security-zone untrust interfaces ge-0/0/0.0

Objective:
  1. Translate traffic arriving from the Untrust Zone for 172.22.135.240:2222 to 192.168.1.100:22 (destination NAT).

  2. For the same connection, translate the source address (any client IP) to the SRX's Trust interface IP address, 192.168.1.210 (source NAT), so that the server sees the SRX rather than the client as the peer.
Solution:
set security nat destination pool SRX100 address 192.168.1.100/32
set security nat destination pool SRX100 address port 22
set security nat destination rule-set 1 from zone untrust
set security nat destination rule-set 1 rule 1A match destination-address 172.22.135.240/32
set security nat destination rule-set 1 rule 1A match destination-port 2222
set security nat destination rule-set 1 rule 1A then destination-nat pool SRX100

Notice that the source NAT rule below matches on 192.168.1.100 and port 22, the destination address and port after destination NAT has been applied. In the SRX security flow processing path, destination NAT is performed before the route lookup, the security policy lookup and source NAT, so a source NAT rule (and the security policy) must reference the translated destination, not 172.22.135.240:2222.
set security nat source rule-set 1 from zone untrust
set security nat source rule-set 1 to zone trust
set security nat source rule-set 1 rule 1A match source-address 0.0.0.0/0
set security nat source rule-set 1 rule 1A match destination-address 192.168.1.100/32
set security nat source rule-set 1 rule 1A match destination-port 22
set security nat source rule-set 1 rule 1A then source-nat interface

set security nat proxy-arp interface ge-0/0/0.0 address 172.22.135.240/32
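The NAT rules above only rewrite addresses; the SRX still drops the session unless a security policy permits it, and because policy lookup also runs after destination NAT, the policy must match the translated destination (192.168.1.100, TCP port 22) rather than 172.22.135.240:2222. The following is an added example and is not part of the original article: the address-book entry name SERVER-192-168-1-100 and the policy name dnat-ssh are assumptions, junos-ssh is the SRX predefined application for TCP/22, and the trust zone address book is used because it matches the per-zone style of the article's zone configuration.

```junos
set security zones security-zone trust address-book address SERVER-192-168-1-100 192.168.1.100/32
set security policies from-zone untrust to-zone trust policy dnat-ssh match source-address any
set security policies from-zone untrust to-zone trust policy dnat-ssh match destination-address SERVER-192-168-1-100
set security policies from-zone untrust to-zone trust policy dnat-ssh match application junos-ssh
set security policies from-zone untrust to-zone trust policy dnat-ssh then permit
set security policies from-zone untrust to-zone trust policy dnat-ssh then log session-init
set security policies from-zone untrust to-zone trust policy dnat-ssh then log session-close
```

Session logging is enabled on purpose: once source NAT rewrites every client to 192.168.1.210, the server's own logs no longer show the real client address, so the SRX session log becomes the only record of who connected. After committing, confirm the rules are hit with the operational commands show security nat destination rule all and show security nat source rule all (the Translation hits counters should increase), and inspect a live session with show security flow session destination-port 22, which displays both the In (172.22.135.240:2222 from the client) and Out (192.168.1.100:22 to 192.168.1.210) wings of the translated flow.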
