SRX static nat and policy nat



  • Hello,

    I have to convert a small NAT config from ASA to SRX like this: static NAT for one private address to a public address, connections can originate from both directions, plus NAT off when going to a specific subnet.

    static (inside,outside) 1.1.1.2 10.1.1.2 255.255.255.255
    nat (inside) 0 access-list EXEMPT
    access-list EXEMPT extended permit ip host 10.1.1.2 192.168.1.0 255.255.255.0

    How can this be done on SRX? It seems that when you use static NAT, it is always matched before source and destination NAT in both directions and no further exemptions can be configured?



  • Hi, this way you cannot initiate the connection from both sides. Static NAT is the correct solution. Is the specific subnet 192.168.1.0 part of the untrust zone?

    Try this configuration:

    set security nat static rule-set trust-untrust from zone untrust
    set security nat static rule-set trust-untrust rule R1 match destination-address 1.1.1.2/32
    set security nat static rule-set trust-untrust rule R1 then static-nat prefix 10.1.1.2/32

    This configuration exactly replaces: static (inside,outside) 1.1.1.2 10.1.1.2 255.255.255.255



  • By default, SRX doesn't have any NAT interface configured. You have to define it.

    Here is a simple config.

    For the internet config:

    set security nat source rule-set trust-to-untrust from zone trust
    set security nat source rule-set trust-to-untrust to zone untrust
    set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
    set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface

    For inter-subnet connectivity no NAT is needed: plain routing and policies between zones.
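The question in the first post is really about rule evaluation order: static NAT is bidirectional and is consulted before source NAT, so whether the "specific subnet" ends up translated depends on which zone it lives in, which is exactly what the second reply asks. The following toy model is an added example, not code from this thread or from Juniper. It walks the two rule-sets quoted above over a handful of constructed flows. The order it models (static NAT forward, then its implicit reverse, then a source NAT rule-set selected by ingress/egress zone, otherwise no translation) is my reading of the Junos NAT documentation and should be treated as an assumption, as should the zone layout (192.168.1.0/24 placed in a zone called "dmz") and the untrust interface address 1.1.1.1.

```python
"""Toy model of how an SRX picks a NAT rule for the flows in this thread.

Added example, not code from the thread or from Juniper. The evaluation
order (static forward -> static reverse -> source NAT -> none) and the
zone layout are assumptions made for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Constructed zone layout (assumption): the thread never says where
# 192.168.1.0/24 lives, so it gets its own "dmz" zone here.
ZONES = {
    ip_network("10.1.1.0/24"): "trust",
    ip_network("192.168.1.0/24"): "dmz",
    ip_network("0.0.0.0/0"): "untrust",
}
# Alternative layout for the follow-up question in the second reply:
# the "specific subnet" sits inside the untrust zone.
ZONES_SUBNET_IN_UNTRUST = {
    ip_network("10.1.1.0/24"): "trust",
    ip_network("0.0.0.0/0"): "untrust",
}
# Constructed: IP of the untrust-facing interface, used by 'source-nat interface'.
UNTRUST_IFACE_IP = ip_address("1.1.1.1")

# set security nat static rule-set trust-untrust from zone untrust
# ... rule R1 match destination-address 1.1.1.2/32 then static-nat prefix 10.1.1.2/32
STATIC_RULES = [("untrust", ip_network("1.1.1.2/32"), ip_network("10.1.1.2/32"))]

# set security nat source rule-set trust-to-untrust from zone trust to zone untrust
# ... rule source-nat-rule match source-address 0.0.0.0/0 then source-nat interface
SOURCE_RULES = [("trust", "untrust", ip_network("0.0.0.0/0"), "interface")]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str


def zone_of(addr: IPv4Address, zones=ZONES) -> str:
    """Longest-prefix match of an address against the zone table."""
    best = max((n for n in zones if addr in n), key=lambda n: n.prefixlen)
    return zones[best]


def remap(addr: IPv4Address, src_net: IPv4Network, dst_net: IPv4Network) -> IPv4Address:
    """Keep the host offset, swap the prefix (static-nat prefix semantics)."""
    offset = int(addr) - int(src_net.network_address)
    return ip_address(int(dst_net.network_address) + offset)


def translate(flow: Flow, zones=ZONES) -> tuple:
    """Return (translated src, translated dst, which rule type fired)."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    in_zone, out_zone = zone_of(src, zones), zone_of(dst, zones)

    # 1. Static NAT, forward: packet arrives from the rule-set's 'from' zone
    #    and its destination falls in the mapped (public) prefix.
    for from_zone, mapped, real in STATIC_RULES:
        if in_zone == from_zone and dst in mapped:
            return flow.src, str(remap(dst, mapped, real)), "static"

    # 2. Static NAT, reverse: the real host talks toward the 'from' zone, so
    #    its source is rewritten to the mapped address. This is what makes
    #    static NAT bidirectional and why it can shadow a later exemption.
    for from_zone, mapped, real in STATIC_RULES:
        if out_zone == from_zone and src in real:
            return str(remap(src, real, mapped)), flow.dst, "static-reverse"

    # 3. Source NAT: only the rule-set whose from/to zones match is consulted.
    for from_zone, to_zone, match, action in SOURCE_RULES:
        if in_zone == from_zone and out_zone == to_zone and src in match:
            if action == "interface":
                return str(UNTRUST_IFACE_IP), flow.dst, "source-nat interface"

    # 4. Nothing matched: plain routing and policy, no translation. For
    #    trust -> dmz this is the ASA 'nat 0' exemption with no NAT rule at all.
    return flow.src, flow.dst, "none"


if __name__ == "__main__":
    for f in (Flow("203.0.113.5", "1.1.1.2"),    # inbound to the public address
              Flow("10.1.1.2", "203.0.113.5"),   # the static host going out
              Flow("10.1.1.7", "203.0.113.5"),   # any other trust host going out
              Flow("10.1.1.2", "192.168.1.10")): # the exempt subnet
        print(f, "->", translate(f))
    # Same exempt-subnet flow, but with 192.168.1.0/24 inside untrust:
    print(translate(Flow("10.1.1.2", "192.168.1.10"), ZONES_SUBNET_IN_UNTRUST))
```

With the subnet in its own zone the trust-to-192.168.1.0/24 flow hits no rule-set and passes untranslated, which is the SRX equivalent of the ASA exemption without writing any NAT rule. With the subnet inside untrust the reverse static NAT fires first and the source becomes 1.1.1.2, so in that case the exemption cannot be expressed by source-NAT rules alone; the zone placement decides it, which is why the second reply asks about it.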


 
