This article explains how to configure Source NAT and Destination NAT on an SRX so that both are applied to the same flow.
Server[192.168.1.100:22]--------------[192.168.1.210] (SRX) [172.22.135.236]------------Client[Any_IP]
- 172.22.135.240 is the IP address reserved for the destination NAT. It is not configured on any SRX interface; the SRX answers for it via proxy ARP (see below).
- 192.168.1.210 is the Trust Zone interface IP address:
set interfaces fe-0/0/3 unit 0 family inet address 192.168.1.210/24
set security zones security-zone trust interfaces fe-0/0/3.0
- 172.22.135.236 is the Untrust Zone interface IP address:
set interfaces ge-0/0/0 unit 0 family inet address 172.22.135.236/22
set security zones security-zone untrust interfaces ge-0/0/0.0
Objective:
- Translate traffic from any source in the Untrust Zone that is destined to 172.22.135.240:2222 so that it reaches 192.168.1.100:22 (destination NAT of both address and port).
- For the same connection, translate the source address (any) to the Trust Zone interface IP address of the SRX, 192.168.1.210 (interface-based source NAT).
set security nat destination pool SRX100 address 192.168.1.100/32
set security nat destination pool SRX100 address port 22
set security nat destination rule-set 1 from zone untrust
set security nat destination rule-set 1 rule 1A match destination-address 172.22.135.240/32
set security nat destination rule-set 1 rule 1A match destination-port 2222
set security nat destination rule-set 1 rule 1A then destination-nat pool SRX100
Notice that the source NAT rule below matches on 192.168.1.100:22, the address and port as they are after destination NAT has been applied. In the SRX security flow (packet processing order), destination NAT is always performed before source NAT and before the policy lookup, so a source NAT rule matching on the original 172.22.135.240:2222 would never be hit.
set security nat source rule-set 1 from zone untrust
set security nat source rule-set 1 to zone trust
set security nat source rule-set 1 rule 1A match source-address 0.0.0.0/0
set security nat source rule-set 1 rule 1A match destination-address 192.168.1.100/32
set security nat source rule-set 1 rule 1A match destination-port 22
set security nat source rule-set 1 rule 1A then source-nat interface
set security nat proxy-arp interface ge-0/0/0.0 address 172.22.135.240/32
Proxy ARP is required because 172.22.135.240 lies in the ge-0/0/0.0 subnet (172.22.132.0/22) but is not an address configured on that interface. Without this statement the SRX does not answer ARP requests for 172.22.135.240, and traffic for the NAT address never reaches the SRX.
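The NAT statements above only translate the packet; an untrust-to-trust security policy must still permit the session or the SRX drops it. Because the policy lookup happens after destination NAT, the policy matches the translated destination 192.168.1.100 and port 22 (application junos-ssh), not 172.22.135.240:2222. The policy and verification commands below are an added example and are not part of the original article; the address-book entry name server-192-168-1-100 and the policy name allow-ssh-to-server are assumed names.

```junos
## Added example, not from the original article. Names server-192-168-1-100
## and allow-ssh-to-server are assumed.

## Address-book entry for the real server address (the post-destination-NAT address)
set security zones security-zone trust address-book address server-192-168-1-100 192.168.1.100/32

## Policy is evaluated after destination NAT: match the translated address and port.
## junos-ssh is the predefined application for tcp/22.
set security policies from-zone untrust to-zone trust policy allow-ssh-to-server match source-address any
set security policies from-zone untrust to-zone trust policy allow-ssh-to-server match destination-address server-192-168-1-100
set security policies from-zone untrust to-zone trust policy allow-ssh-to-server match application junos-ssh
set security policies from-zone untrust to-zone trust policy allow-ssh-to-server then permit

## Log the session on the SRX: after interface source NAT the server only sees 192.168.1.210,
## so the SRX session log is the only record of the real client address.
set security policies from-zone untrust to-zone trust policy allow-ssh-to-server then log session-init
set security policies from-zone untrust to-zone trust policy allow-ssh-to-server then log session-close
commit

## Verification (operational mode) after opening an SSH session to 172.22.135.240:2222
## Translation hit counters on the destination and source NAT rules
show security nat destination rule all
show security nat source rule all
## Active sessions: the In wing shows client -> 192.168.1.100/22,
## the Out wing shows 192.168.1.100/22 -> 192.168.1.210 (the source-NATed client)
show security flow session destination-port 22
## Confirm the reserved address is advertised via proxy ARP
show configuration security nat proxy-arp
```

If the hit counter on destination rule 1A increments but no session appears, check the policy (`show security policies from-zone untrust to-zone trust`); if neither increments, the upstream device is not resolving 172.22.135.240 to the SRX, which points at the proxy-arp statement. Since interface source NAT hides the real client from the server, restrict `source-address any` to the actual client range where the design permits it, and retain the SRX session logs for attribution.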