[SRX] How to configure the source NAT for self-generated traffic

Article ID: KB26372 KB Last Updated: 27 Jul 2020 Version: 3.0
Summary:

This article provides information about configuring the source NAT for self-generated traffic.

 

Symptoms:

How to configure source NAT for self-generated traffic

 

Solution:

To configure source NAT for self-generated traffic, use one of the following methods:

  • Use the junos-host zone as the from zone of the source NAT rule-set. For example:

    root@SRX220-a-HQ1# show interfaces lo0 
    unit 0 {
        family inet {
            address 1.1.1.1/24;
        }
    }
    root@SRX220-a-HQ1# show security nat              
    source {
        pool test {
            address {
                200.200.200.210/32;
            }
        }
        rule-set test {                     
            from zone junos-host;    <-- HERE
            to zone untrust;
            rule test1 {
                match {
                    source-address 1.1.1.1/32;
                    destination-address 0.0.0.0/0;
                }
                then {
                    source-nat {
                        pool {
                            test;
                        }
                    }
                }
            }
        }
    }                         
    proxy-arp {
        interface reth1.0 {
            address {
                200.200.200.210/32;
            }
        }
    }
    root@SRX220-a-HQ1# show security zones security-zone test 
    interfaces {
        lo0.0;
    }
  • Use the routing instance default, instead of a zone, as the from context of the source NAT rule-set. For example:

    root@SRX220-a-HQ1# show security nat source rule-set test 
    from routing-instance default;   <-- HERE
    to zone untrust;
    rule test1 {
        match {
            source-address 1.1.1.1/32;
            destination-address 0.0.0.0/0;
        }
        then {
            source-nat {
                pool {
                    test;
                }
            }
        }
    }
    root@SRX220-a-HQ1# run ping 200.200.200.1 source 1.1.1.1
    PING 200.200.200.1 (200.200.200.1): 56 data bytes
    64 bytes from 200.200.200.1: icmp_seq=0 ttl=64 time=8.013 ms
    64 bytes from 200.200.200.1: icmp_seq=1 ttl=64 time=2.612 ms
    64 bytes from 200.200.200.1: icmp_seq=2 ttl=64 time=8.491 ms
    64 bytes from 200.200.200.1: icmp_seq=3 ttl=64 time=2.590 ms
    ^C
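
An added example (not part of the original article and not Juniper tooling): a small Python check that reads a source NAT configuration in the brace format shown above and lists the rules that sit in one of the two from contexts the article uses (zone junos-host or routing-instance default) and whose source-address match contains a given local address. The sample configuration is constructed; the rule-set names host, ri and lan and the rules test2 and test3 are assumptions for illustration.

```python
import ipaddress
import re

# The two "from" contexts the article uses for self-generated traffic.
SELF_CONTEXTS = {"zone junos-host", "routing-instance default"}

# Constructed sample (compacted brace syntax); "lan" is bound to an ordinary zone.
SAMPLE = """
source {
  rule-set host { from zone junos-host; to zone untrust;
    rule test1 { match { source-address 1.1.1.1/32; destination-address 0.0.0.0/0; }
                 then { source-nat { pool { test; } } } } }
  rule-set ri { from routing-instance default; to zone untrust;
    rule test2 { match { source-address 1.1.1.0/24; } then { source-nat { interface; } } } }
  rule-set lan { from zone trust; to zone untrust;
    rule test3 { match { source-address 1.1.1.1/32; } then { source-nat { pool { test; } } } } }
}
"""

def statements(text):
    """Yield (path, statement) for every ';'-terminated statement."""
    path = []
    for body, sep in re.findall(r"([^{};]*)([{};])", text):
        body = " ".join(body.split())
        if sep == "{":
            path.append(body)        # entering a block
        elif sep == "}":
            path.pop()               # leaving a block
        elif body:
            yield tuple(path), body

def self_traffic_nat(text, local_ip):
    """List (rule_set, rule, action) for rules in a self-traffic from context
    whose source-address match contains local_ip."""
    ip = ipaddress.ip_address(local_ip)
    contexts, sources, actions = {}, {}, {}
    for path, stmt in statements(text):
        rs = next((p for p in path if p.startswith("rule-set ")), None)
        rule = next((p for p in path if p.startswith("rule ")), None)
        if rs is None:
            continue
        if rule is None and stmt.startswith("from "):
            contexts[rs] = stmt[5:]
        elif rule and stmt.startswith("source-address "):
            net = ipaddress.ip_network(stmt.split()[1], strict=False)
            sources.setdefault((rs, rule), []).append(net)
        elif rule and "source-nat" in path:
            actions[(rs, rule)] = stmt.split()[-1]   # pool name or "interface"
    return [(rs[9:], rule[5:], actions.get((rs, rule)))
            for (rs, rule), nets in sources.items()
            if contexts.get(rs) in SELF_CONTEXTS and any(ip in n for n in nets)]
```

Calling self_traffic_nat(SAMPLE, "1.1.1.1") reports rules test1 and test2 and skips test3, whose rule-set is bound to zone trust rather than one of the two contexts above.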

 

Modification History:

2020/07/27: Article reviewed for accuracy; removed version-related statements as both are supported in latest versions

 
