SRX static nat and policy nat
junzen last edited by
I have to convert small nat config from ASA to SRX like this: static nat for one private adress to public address, connection can originate from both directions, plus nat off when going to specific subnet.
static (inside,outside) 184.108.40.206 10.1.1.2 255.255.255.255
nat (inside) 0 access-list EXEMPT
access-list EXEMPT extended permit ip host 10.1.1.2 192.168.1.0 255.255.255.0
How this can be done on SRX? It seems that when you use static NAT, it is always matched before source and destination NAT in both directions and no further exemptions can be configured?
shafi18in last edited by
Hi, this way you cannot initiate the connection form both side. Static Nat is the correct solution . is the specific subnet 192.168.1.0 is part of untrust zone ?
Try this configuration ;
set security nat static rule-set trust-untrust from zone untrust
set security nat static rule-set trust-untrust rule R1 match destination-address 220.127.116.11/32
set security nat static rule-set trust-untrust rule R1 then static-nat prefix 10.1.1.2/32
this configuration exactly replaces static (inside,outside) 18.104.22.168 10.1.1.2 255.255.255.255
Guest last edited by
by default, SRX doesnt have any NAT interface configured. you have to define it.
here is a simple config
for the internet config;
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match sou
set security nat source rule-set trust-to-untrust rule source-nat-rule then sour
for inter subnet connectivity no nat is needed. plain routing and policies between zones.