SRX




  • 1.  static nat in both directions?

    Posted 10-10-2009 00:37

    Hi,

     

    Configuring SRX240H w/ 9.6R1.13

     

    If I have a static nat entry configured from zone internet to zone private that translates destination 8.8.8.8 to private zone 10.0.0.8, will that automatically also set the source IP of traffic from 10.0.0.8 to 8.8.8.8 when passing in the opposite direction?  I don't mean the return traffic on established inbound flows/sessions, I mean new outbound sessions/flows destined to anything in the internet zone.

     

    If not, is there an easy way to make that happen, instead of configuring duplicate reverse-direction static nat entries?

     

    Thanks.

     

     




  • 2.  RE: static nat in both directions?
    Best Answer

    Posted 10-11-2009 11:13

    Static NAT is bi-directional. That means that it will source-nat for 10.0.0.8 to 8.8.8.8 as well regardless of which direction initiates the session.

     

    -Richard



  • 3.  RE: static nat in both directions?

    Posted 10-11-2009 19:11

    Thanks Richard.

     

    Do you happen to know if the DNS ALG will also translate DNS replies against static nat entries as well?

     

    Ex: 10.0.0.7 does a query against an internet DNS server, and the reply is 8.8.8.8; will the ALG automatically change that to 10.0.0.8 when it forwards the reply on to 10.0.0.7?

     

    IOS static nat does this...



  • 4.  RE: static nat in both directions?

    Posted 10-15-2009 20:43

    No, there is no nat translation for DNS payload. So if the response says 8.8.8.8, this is what the client will receive.

     

    -Richard



  • 5.  RE: static nat in both directions?

    Posted 12-09-2009 22:32

    What about using destination NAT? Is there a way to do reverse NAT with destination NAT?

     

    IE:

     

    I have 2 ISPs and I configure destination NAT like this:

     

    20.20.20.20 port 80 to 10.10.10.10 port 80

    30.30.30.30 port 80 to 10.10.10.10 port 80

     

    I want the traffic incoming from 20.20.20.20 port 80 to go out through this IP interface, and the same for the traffic incoming from 30.30.30.30 port 80.



  • 6.  RE: static nat in both directions?

    Posted 12-10-2009 20:30

    Replies for traffic coming in from one ISP should match the existing session and not need another route lookup. So this should work. If this is not working as expected, then I would suggest enabling flow traceoptions to see how the SRX is handling the traffic.

     

    -Richard



  • 7.  RE: static nat in both directions?

    Posted 12-12-2009 19:33

    Even if I configured destination NAT? It isn't working this way in my case.

     

    http://forums.juniper.net/t5/SRX-Services-Gateway/Destination-NAT-with-differentes-ISP-on-SRX-240/td-p/31529



  • 8.  RE: static nat in both directions?

    Posted 12-18-2009 05:38

    I solved my problem already. The problem was that the interfaces were configured in different zones, and when it was trying to return the package back I received a "zone mismatch" error (I saw it in a flowtrace file). This is something that doesn't happen on the SSG (almost sure).

     

    My flowtrace file:

     

    Dec 15 18:46:13 18:46:12.987602:CID-1:RT:  route lookup: dest-ip orig ifp reth2.0 output_ifp reth1.0 orig-zone 10 out-zone 9 vsd 2
    Dec 15 18:46:13 18:46:12.987602:CID-1:RT:

    Reject route in make_nsp_ready_no_resolve. zone mismatch

    The traffic was not returning through the incoming interface.

    Resource: http://kb.juniper.net/index?page=content&id=KB15545&smlogin=true

     

    Regards,

     

    Layard
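
Added example (not part of the thread and not Juniper code): a small Python parser for flow traceoptions output in the format quoted in post 8. It pairs each "zone mismatch" reject with the route lookup that preceded it, so the interface and zone-ID pair behind the drop is visible. The function name and the last sample line are assumptions constructed for illustration.

```python
import re

# Line formats taken from the flowtrace excerpt quoted in post 8.
LOOKUP_RE = re.compile(
    r"route lookup:.*?orig ifp (\S+) output_ifp (\S+) orig-zone (\d+) out-zone (\d+)"
)
REJECT_RE = re.compile(r"Reject route in \S+\s+zone mismatch")

EMPTY = {"orig_ifp": None, "out_ifp": None, "orig_zone": None, "out_zone": None}


def find_zone_mismatches(lines):
    """Return one record per 'zone mismatch' reject, paired with the route
    lookup that preceded it (None fields if no lookup line was seen)."""
    findings = []
    last = None  # most recent route lookup not yet consumed by a reject
    for line in lines:
        m = LOOKUP_RE.search(line)
        if m:
            last = {
                "orig_ifp": m.group(1),
                "out_ifp": m.group(2),
                "orig_zone": int(m.group(3)),  # zone IDs as printed in the trace
                "out_zone": int(m.group(4)),
            }
        elif REJECT_RE.search(line):
            findings.append(last or dict(EMPTY))
            last = None
    return findings


# The first three lines are from the post; the last line is constructed
# (a same-zone lookup that is not followed by a reject).
SAMPLE = """\
Dec 15 18:46:13 18:46:12.987602:CID-1:RT:  route lookup: dest-ip orig ifp reth2.0 output_ifp reth1.0 orig-zone 10 out-zone 9 vsd 2
Dec 15 18:46:13 18:46:12.987602:CID-1:RT:
Reject route in make_nsp_ready_no_resolve. zone mismatch
Dec 15 18:46:14 18:46:13.101200:CID-1:RT:  route lookup: dest-ip orig ifp reth2.0 output_ifp reth2.0 orig-zone 10 out-zone 10 vsd 2
""".splitlines()

if __name__ == "__main__":
    for f in find_zone_mismatches(SAMPLE):
        print("orig ifp {orig_ifp} (zone {orig_zone}), route lookup chose "
              "{out_ifp} (zone {out_zone}): rejected, zone mismatch".format(**f))
```
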