Interface_nat



  • Is “interface_nat_” supposed to work on SRX with JunOS 10.0?
    I’ve read through various JunOS 10.0 guides and could not find the SRX being listed as not supported.

    Is there another way to redirect traffic directed to the dynamic IP of an external interface?



  • That’s actually working fine, thanks!


  • Engineer

    CTR,
    I’m not sure how the “incoming_nat” feature is working for you.  This is used only in VoIP implementations, like SIP or H323.  This feature takes the SIP NAT sessions, maps the SIP/H323 ALG ports from private to public, so that when an incoming call comes in, it can match who the caller and DID maps to.

    So it looks like what you really want is VIP Same as Untrust.  What happens if you set your destination nat to 0.0.0.0/0?



  • I.e. the example here:
    http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-swconfig-security/id-48237.html#id-48237
    uses “match destination-address incoming_nat_ge-0/0/2.0” so one could dest-nat traffic without knowing the IP on that interface (which is quite common for inexpensive ISP uplinks). But this syntax seems to be unavailable for SRX.

    Destination NAT is working for me right now, but I have to define a pool with the outside address. If the address changes I would have to reconfigure the pool…
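    A complete destination NAT configuration of the kind described in this post, added here as an example that is not from the thread or from Juniper’s documentation. The addresses are constructed (RFC 5737 documentation ranges), and the interface, zone, pool, rule and address-book names are assumed; the public address still has to be typed into the pool-backed rule, which is exactly the limitation the post describes.

```junos
security {
    nat {
        destination {
            /* the pool holds the protected host on the inside */
            pool web-inside {
                address 192.168.1.10/32 port 80;
            }
            rule-set untrust-to-web {
                from zone untrust;
                rule dnat-web {
                    match {
                        /* assumed public address on the ISP-facing interface;
                           must be changed by hand if the ISP hands out a new one */
                        destination-address 203.0.113.5/32;
                        destination-port 80;
                    }
                    then {
                        destination-nat pool web-inside;
                    }
                }
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                /* constructed entry for the inside host */
                address web-inside-host 192.168.1.10/32;
            }
        }
    }
    policies {
        /* security policy is evaluated after destination NAT,
           so it matches the translated (inside) address */
        from-zone untrust to-zone trust {
            policy allow-web {
                match {
                    source-address any;
                    destination-address web-inside-host;
                    application junos-http;
                }
                then {
                    permit;
                }
            }
        }
    }
}
```

    Restricting the rule to destination-port 80 and the policy to junos-http keeps the exposure to the one service that is meant to be reachable; a destination-address of 0.0.0.0/0 would also catch traffic the box was never meant to forward. Proxy ARP (security nat proxy-arp) is only required when the translated public address is not the interface’s own address.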


  • Engineer

    Ok, I think we all assumed you were referring to the way ScreenOS did interface nat, which is src-nat.

    Did you configure proxy arp, to map the interface arp to the hidden host on the other side of the firewall?

    Can you give more details about your requirement?  Are you looking to nat incoming connections to a protected server?  Perhaps a network topology and what it is you are trying to accomplish will clear up things.

    I assume you followed the app note on nat, http://www.juniper.net/us/en/local/pdf/app-notes/3500152-en.pdf (destination nat is near the end of the document)?



  • This is for source nat, I’m looking for destination nat



  • I’m no expert but this does the job for us:
    (version 10.0R1.8;)
    security {
        nat {
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
    }



  • I have a similar configuration running atm, the problem is that the “interface_nat_<name-of-if>” statement also works if you don’t know the outside IP address, which comes in very handy in the case of dynamic IPs…
    But it seems this is not supported by SRX atm.



  • This is what I did at my home.  Works like a champ for my web server and has no impact on my other PCs’ internet connection.  I am using an srx210 running JUNOS 9.6, but I am certain that 10 works just as well.

    Hope that helps,
    Clay

    security {
        nat {
            static {
                rule-set allow-web {
                    from interface fe-0/0/7.0;
                    rule r3 {
                        match {
                            destination-address x.x.x.x/32;
                        }
                        then {
                            static-nat prefix y.y.y.y/32;
                        }
                    }
                }
            }
        }
    }

