SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX210HE - Destination NAT problem

    Posted 12-01-2012 18:44

    Dear all, 

     

    I got a problem and my Dest-NAT setting is not working. Could you please show me how to fix it? Thank you so much!

     

    model: SRX210HE, JUNOS 11.4R5.5

    scenario:

    any connection w/ port 80 ---> 20X.175.X.220  ---> NAT ---> web server 10.20.32.7/32

     

    ISP ADSL modem (20X.175.X.217/27) connected to SRX210 port ge-0/0/0.0 (Untrust).  

    Assigned 20X.175.X.219/27 to ge-0/0/0.0 & ge-0/0/1.0 as Trust (10.20.32.1/20). 

    Destination-NAT so that outside can access my web server (10.20.32.7/32).

    Confirmed that all internal computers & web server can access the internet from Trust to Untrust.

    ---------------------------------------------------

     

    nat {
        destination {
            pool mypool {
                address 10.20.32.7/32;
            }
            rule-set rs1 {
                from zone untrust;
                rule r1 {
                    match {
                        destination-address 20X.175.X.220/32;
                    }
                    then {
                        destination-nat pool mypool;
                    }
                }
            }
        }
    }
    policies {
        from-zone untrust to-zone trust {
            policy p1 {
                match {
                    source-address any;
                    destination-address web_server;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address web_server 10.20.32.7/32;
            }
        }
        security-zone untrust {
            address-book {
                address www 20X.175.X.220/32;
            }
        }
    }

     

     


    #210destNAT


  • 2.  RE: SRX210HE - Destination NAT problem
    Best Answer

    Posted 12-02-2012 02:54

    Hi,

     

    So you have assigned 20X.175.X.219/27 to the ge-0/0/0.0 interface, correct?

     

    You probably just need to proxy-arp for 20X.175.X.220/32 on the same interface.

     

    usrx@srx# set security nat proxy-arp interface ge-0/0/0.0 address 20X.175.X.220/32

    If this does not work, please post all your config.
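
Why the proxy-arp entry was the missing piece, as an added example that is not part of the original thread: a destination-NAT match address that lies in the interface's connected subnet but is not the interface's own address gets no ARP reply from the SRX unless proxy-arp is configured. The 203.0.113.x and 198.51.100.x addresses are constructed stand-ins for the thread's redacted addressing, and the function names are hypothetical.

```python
import ipaddress

# Constructed stand-ins for the thread's redacted addressing (documentation
# ranges); the interface names are the ones used in the thread.
INTERFACES = {"ge-0/0/0.0": "203.0.113.219/27", "ge-0/0/1.0": "10.20.32.1/20"}
NAT_MATCH_ADDRESSES = ["203.0.113.220/32", "203.0.113.219/32", "198.51.100.10/32"]


def classify(interfaces, nat_addresses):
    """Map each destination-NAT match address to (verdict, interface).

    IPv4 only (assumption): mixing address families would need a version check.
    """
    ifaces = {name: ipaddress.ip_interface(a) for name, a in interfaces.items()}
    result = {}
    for raw in nat_addresses:
        net = ipaddress.ip_network(raw)
        # Not on any connected subnet: upstream must route it to the device,
        # so nobody ARPs for the NAT address itself.
        verdict = ("routed", None)
        for name, iface in ifaces.items():
            if net.subnet_of(iface.network):
                own = net.num_addresses == 1 and net.network_address == iface.ip
                # The interface answers ARP for its own address; any other
                # address on the connected subnet needs a proxy-arp entry.
                verdict = ("interface-address" if own else "proxy-arp", name)
                break
        result[raw] = verdict
    return result


def proxy_arp_commands(interfaces, nat_addresses):
    """Emit set commands (syntax as posted in the answer) for the gaps."""
    return [
        f"set security nat proxy-arp interface {ifname} address {addr}"
        for addr, (verdict, ifname) in classify(interfaces, nat_addresses).items()
        if verdict == "proxy-arp"
    ]


if __name__ == "__main__":
    for addr, verdict in classify(INTERFACES, NAT_MATCH_ADDRESSES).items():
        print(addr, verdict)
    print("\n".join(proxy_arp_commands(INTERFACES, NAT_MATCH_ADDRESSES)))
```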



  • 3.  RE: SRX210HE - Destination NAT problem

    Posted 12-03-2012 02:40

    Hi MMcD, 

     

    Yes, it's working after adding proxy-arp. Thank you for your kind help.