Destination NAT - Many to One



  • I have an SRX 210 that I’m trying to configure. I need to NAT several public IP addresses to a single IP in the DMZ zone. For the life of me I can’t seem to figure that out. Any help? I have a CheckPoint firewall that does this.

    Scott



  • ^ is a one-to-one mapping.

    Did you ever find a solution? I’m currently trying to deal with the same situation.

    Suppose I have 10.1.1.0/24 as my external internet IP addresses. I have defined a global address-book with EXT_web1; 10.1.1.1, EXT_web2; 10.1.1.2, EXT_web3; 10.1.1.3, etc. I have defined an address-set EXT_web containing all the EXT_web* addresses. I’m trying to forward HTTP and HTTPS to our proxy server.

    [security nat destination]
    pool Proxy-Server {
        address 192.168.20.1/32;
    }

    rule-set Inbound {
        from zone Internet;
        rule w1 {
            match {
                destination-address-name EXT_web1;
                destination-port 80;
                protocol tcp;
            }
            then {
                destination-nat pool Proxy-Server;
            }
        }
    }

    But I have 20 IP addresses I need to map, all of them should be mapped to the Proxy-Server address. The only way that seems to work is if I create 20 rules, one for each EXT_web address. Given I also need to map HTTPS I’m going to end up with 40 rules.

    I have tried:
    …. match destination-address-name EXT_web
    But that fails to commit, with a message that an address-set is not allowed here.

    Funnily enough, this is accepted:
    … match destination-address 10.1.1.0/24

    But that maps way too much for me. There just has to be a more elegant way of doing this?



  • Maybe you can try this example configuration

    set security nat destination pool 192_168_20_160 address 192.168.20.160/32
    set security nat destination pool 192_168_20_161 address 192.168.20.161/32

    set security nat destination rule-set ToSing-to-DMZ from interface reth3.0
    set security nat destination rule-set ToSing-to-DMZ rule access-to-192_168_20_160 match source-address 0.0.0.0/0
    set security nat destination rule-set ToSing-to-DMZ rule access-to-192_168_20_160 match destination-address 10.10.10.36/32
    set security nat destination rule-set ToSing-to-DMZ rule access-to-192_168_20_160 then destination-nat pool 192_168_20_160
    set security nat destination rule-set ToSing-to-DMZ rule access-to-192_168_20_161 match source-address 0.0.0.0/0
    set security nat destination rule-set ToSing-to-DMZ rule access-to-192_168_20_161 match destination-address 10.10.10.37/32
    set security nat destination rule-set ToSing-to-DMZ rule access-to-192_168_20_161 then destination-nat pool 192_168_20_161

    set security nat proxy-arp interface reth3.0 address 10.10.10.36/32
    set security nat proxy-arp interface reth3.0 address 10.10.10.37/32
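    Applying the set-command layout of the post above to the 20-address, two-port situation described earlier in the thread, here is an added generator (not from any poster, and not Juniper's tooling) that emits one destination NAT rule per public address and port, which is the layout the thread reports as the only one that commits. The zone, pool and rule-set names are taken from the thread; the proxy-arp interface is an assumed parameter, only needed when the public addresses sit on a directly connected subnet as in the post above.

```python
import ipaddress
from typing import List, Optional


def destination_nat_many_to_one(
    public_ips: List[str],
    dmz_host: str,
    pool_name: str = "Proxy-Server",
    rule_set: str = "Inbound",
    from_zone: str = "Internet",
    ports: List[int] = (80, 443),
    proxy_arp_interface: Optional[str] = None,
) -> List[str]:
    """Return Junos 'set' commands mapping every public IP, for each TCP port,
    to one DMZ host. One rule per address/port pair (no address-set, since the
    thread reports an address-set is rejected here). Inputs are validated as
    IPv4/IPv6 addresses so a typo fails here rather than at commit time."""
    prefix = "set security nat destination"
    lines = [
        f"{prefix} pool {pool_name} address {ipaddress.ip_address(dmz_host)}/32",
        f"{prefix} rule-set {rule_set} from zone {from_zone}",
    ]
    for i, ip in enumerate(public_ips, start=1):
        addr = ipaddress.ip_address(ip)  # raises ValueError on a bad address
        for port in ports:
            rule = f"{prefix} rule-set {rule_set} rule w{i}_{port}"
            lines += [
                f"{rule} match destination-address {addr}/32",
                f"{rule} match destination-port {port}",
                f"{rule} match protocol tcp",
                f"{rule} then destination-nat pool {pool_name}",
            ]
    if proxy_arp_interface:  # assumed parameter, e.g. "reth3.0" as in the post above
        for ip in public_ips:
            lines.append(
                f"set security nat proxy-arp interface {proxy_arp_interface} address {ip}/32"
            )
    return lines


def count_nat_rules(lines: List[str]) -> int:
    """Count rules by their 'then destination-nat' action line."""
    return sum(1 for line in lines if " then destination-nat pool " in line)


if __name__ == "__main__":
    # Constructed input matching the thread: 10.1.1.1 .. 10.1.1.20 -> 192.168.20.1
    cfg = destination_nat_many_to_one([f"10.1.1.{n}" for n in range(1, 21)], "192.168.20.1")
    print("\n".join(cfg))
    print(f"# {count_nat_rules(cfg)} rules generated")
```

    Paste the output into `configure` mode; the 20 addresses and two ports yield the 40 rules the poster expected.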



  • This is one (DMZ) to many (public IP addresses) - Source NAT to multiple IP addresses.

    Just search juniper.net/partners for the KB… use your serial number and email address during the registration…

    regards,
    angfe

