Configuring static NAT, PORT forwarding to same private IP causing issue



  • I have the following setup.

    Public -----------|    SRX  |-----------LAN
                            fe-0/0/4.52  fe-0/0/1

    I configured the two public IPs P1 (10.147.52.30) and P2 (10.147.52.36) on the fe-0/0/4.52 interface.
    Now I want to configure static NAT and port forwarding on this interface.

    I am configuring the static NAT and the port forwarding to the same private/LAN IP 10.0.127.126.

    After configuring static NAT (for static NAT) and destination NAT (for port forwarding), I will configure the security policy.
    Here I want to configure a separate security policy for static NAT and for port forwarding.

    Static NAT should work when                    ->        static NAT + security policy
    port forwarding should work only          ->        destination NAT + security policy.

    Here the problem is that the configured security policy is working for both static NAT and port forwarding.

    port forwarding rule:

    set security nat destination rule-set untrust rule destnatrule-1311310628 match destination-address 10.147.52.30/32
    set security nat destination rule-set untrust rule destnatrule-1311310628 match destination-port 22
    set security nat destination rule-set untrust rule destnatrule-1311310628 then destination-nat pool 10-0-127-126-22

    Static NAT rule:

    set security nat static rule-set untrust rule 10-147-52-36-10-0-127-126 match destination-address 10.147.52.36/32
    set security nat static rule-set untrust rule 10-147-52-36-10-0-127-126 then static-nat prefix 10.0.127.126/32

    Security policy for port forwarding:

    set security policies from-zone untrust to-zone trust policy destnat-untrust-trust-10-0-127-126 match source-address any
    set security policies from-zone untrust to-zone trust policy destnat-untrust-trust-10-0-127-126 match destination-address 10-0-127-126
    set security policies from-zone untrust to-zone trust policy destnat-untrust-trust-10-0-127-126 match application tcp-22-22
    set security policies from-zone untrust to-zone trust policy destnat-untrust-trust-10-0-127-126 then permit

    I want static NAT to succeed only when I configure a security policy for it. Right now, with the above rules, the static NAT
    is working because of the port forwarding security policy.

    10.147.28.6 ----ssh-> 10.147.52.30    - success, connected to 10.0.127.126
    10.147.28.6 ----ssh-> 10.147.52.36    - success, but I want it to fail because I did not configure the security policy.

    Any idea how I can configure a security policy that is specific to the interface's public IP?

    Thanks,
    Jayapal
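Why the one policy permits both sessions, as an added illustration that is not part of the original post: a small Python model of the SRX first-packet order (static NAT, then destination NAT, then the policy lookup on the already translated destination) built from the addresses, ports and rule names given above. The flow logic is a simplification assumed for this example, not Junos code.

```python
# Added example, not from the original post. Models the SRX order of
# operations on a first packet: static NAT -> destination NAT -> policy
# lookup. The policy lookup sees the post-NAT destination, so both public
# IPs collapse to 10.0.127.126:22 and hit the same destnat policy.
# Rule names, addresses and ports come from the post; the flow logic is
# a simplified assumption for illustration.

STATIC_NAT_RULES = [
    # rule 10-147-52-36-10-0-127-126: whole-prefix 1:1 mapping, port unchanged
    {"match_dst": "10.147.52.36", "to_ip": "10.0.127.126"},
]
DEST_NAT_RULES = [
    # rule destnatrule-1311310628: public IP + tcp/22 -> pool 10-0-127-126-22
    {"match_dst": "10.147.52.30", "match_port": 22,
     "to_ip": "10.0.127.126", "to_port": 22},
]
POLICIES = [
    # destnat-untrust-trust-10-0-127-126: any -> 10.0.127.126 tcp-22-22 permit
    {"name": "destnat-untrust-trust-10-0-127-126",
     "dst": "10.0.127.126", "port": 22, "action": "permit"},
]


def translate(dst_ip, dst_port):
    """Apply static NAT first, then destination NAT; return the post-NAT tuple."""
    for r in STATIC_NAT_RULES:
        if dst_ip == r["match_dst"]:
            return r["to_ip"], dst_port          # static NAT keeps the port
    for r in DEST_NAT_RULES:
        if dst_ip == r["match_dst"] and dst_port == r["match_port"]:
            return r["to_ip"], r["to_port"]
    return dst_ip, dst_port                      # no translation applied


def policy_lookup(dst_ip, dst_port):
    """Policy match is done on the translated destination, not the public IP."""
    for p in POLICIES:
        if p["dst"] == dst_ip and p["port"] == dst_port:
            return p["name"], p["action"]
    return None, "deny"                          # implicit default deny


def evaluate(public_ip, port):
    """Return the post-NAT tuple, the matching policy name and the verdict."""
    nat_ip, nat_port = translate(public_ip, port)
    name, action = policy_lookup(nat_ip, nat_port)
    return {"post_nat": (nat_ip, nat_port), "policy": name, "action": action}


if __name__ == "__main__":
    for ip in ("10.147.52.30", "10.147.52.36"):
        print(ip, "tcp/22 ->", evaluate(ip, 22))
```

A policy keyed on the pre-NAT public address can never match here, because by the time the policy lookup runs the destination is already 10.0.127.126; only a port, source or zone difference can separate the two sessions.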



  • I want to know the solution for this. Any comments or ideas, please respond.

