SRX


Order of Operation: Source NAT and Security Policy

  • 1.  Order of Operation: Source NAT and Security Policy

    Posted 08-15-2017 07:45

    Hi everyone,

    What is the order of operation when it comes to source NAT and security policy on SRX? Is the security policy evaluated first, i.e. is the pre-NAT source IP taken into consideration, or is the post-NAT source IP taken into consideration for the policy?

    Thanks and have a good day!!



  • 2.  RE: Order of Operation: Source NAT and Security Policy
    Best Answer

    Posted 08-15-2017 08:32

    Source NAT is evaluated after policy evaluation - see flowchart for Junos flow module below.

    [Flowchart image: jsec_0801 (Junos flow module packet-processing order)]



  • 3.  RE: Order of Operation: Source NAT and Security Policy

    Posted 08-16-2017 09:20

    Thanks for your response.

    In the diagram, does STATIC NAT refer to destination NAT configured statically?

    In the diagram, does Reverse Static NAT refer to source NAT configured statically?

    Thanks and have a good day!!



  • 4.  RE: Order of Operation: Source NAT and Security Policy

    Posted 08-16-2017 16:15

    No, static NAT is a separate configuration option that does NAT in both directions once configured.

    See examples of each here.

    https://kb.juniper.net/library/CUSTOMERSERVICE/technotes/Junos_NAT_Examples.pdf



  • 5.  RE: Order of Operation: Source NAT and Security Policy

    Posted 01-22-2018 06:00

    Hi Spukla & community,

    Sorry for jumping in the middle.

    This is my first participation in the forum, for 2 reasons: 1) to resolve an issue with my firewall config, 2) preparing for the JNCIA test.

    I would like to set the correct additional syntax in my NAT policies for the scenario below:

    1) I have 3 servers with static IPs 172.x.x.101/102/103 in my trust zone.

    2) Those servers have to be reached remotely from the untrust zone under WAN IP 201.x.x.x, and from PCs in the ranges 10.x.x.10 to 250 & 192.x.x.10 to 250.

    I tried as below, with an error in the console terminal:

    set security address-book UNTRUST-Book address-set Fujitsu-Server address 201.x.x.x/32
    set security nat destination pool Fujitsu-Server-Pool address 172.x.x.101/32
    set security nat destination rule-set rs1 rule r1 match destination-address 0.0.0.0/0
    set security nat destination rule-set rs1 rule r1 then destination-nat pool Fujitsu-Server-Pool
    set security zones security-zone Fujitsu-Server address-book address Server-HTTP-1 172..x.x.101
    set security zones security-zone Fujitsu-Server address-book address Server-HTTP-2 172..x.x.102
    set security zones security-zone Fujitsu-Server address-book address Server-HTTP-3 172..x.x.103
    set security policies from-zone untrust to-zone Fujitsu-Server policy server-access match source-address 192.x.x..10 to 192.x.x.250

    set security policies from-zone untrust to-zone Fujitsu-Server policy server-access match source-address 10.x.x..10 to 10.x.x.250
    set security policies from-zone untrust to-zone Fujitsu-Server policy server-access match destination-address Server-HTTP-1 Server-HTTP-2 Server-HTTP-3 
    set security policies from-zone untrust to-zone Fujitsu-Server policy server-access match application junos-http
    set security policies from-zone untrust to-zone Fujitsu-Server policy server-access then permit

    Thank you in advance for your help.



  • 6.  RE: Order of Operation: Source NAT and Security Policy

    Posted 01-23-2018 02:45

    Your destination NAT rule set is missing the zone context.

    You also cannot use 0.0.0.0 as the destination; you need to specify the public addresses.

    And you need a separate rule for all three servers as a result.

    See page 9 here for the full example:

    https://kb.juniper.net/library/CUSTOMERSERVICE/technotes/Junos_NAT_Examples.pdf
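The following is an added example, not part of this thread and not Juniper code: a small Python model of the first-packet order of operations that reply 2's flowchart describes (destination NAT, then route and zone lookup, then policy, then source NAT), applied to the kind of configuration reply 6 corrects (a destination NAT rule set bound to the untrust zone, and a policy that refers to the servers' private addresses). It is a simplification: screens, session lookup and reverse static NAT are left out, and the "from zone" on the rule set is modelled as the only thing that makes the rule set eligible for an arriving packet. All addresses (203.0.113.10 as the public server address, 172.16.0.101 as the private server, 192.168.1.0/24 and 10.0.0.0/24 as the client networks, 198.51.100.7 as an Internet host) are constructed documentation and private ranges, and a /24 prefix stands in for the .10 to .250 ranges in reply 5. The zone names untrust, trust and Fujitsu-Server are taken from the thread.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_zone: str


@dataclass(frozen=True)
class DestNatRule:
    match_dst: str              # destination prefix the rule matches on
    match_dport: Optional[int]  # None = any port
    pool_addr: str              # address the destination is rewritten to


@dataclass(frozen=True)
class DestNatRuleSet:
    from_zone: str              # zone context: only packets entering this zone are checked
    rules: Tuple[DestNatRule, ...]


@dataclass(frozen=True)
class Policy:
    from_zone: str
    to_zone: str
    src_nets: Tuple[str, ...]
    dst_nets: Tuple[str, ...]
    action: str                 # "permit" or "deny"


@dataclass(frozen=True)
class SourceNatRuleSet:
    from_zone: str
    to_zone: str
    translate_to: str           # e.g. the egress interface address


@dataclass(frozen=True)
class Config:
    dnat: Tuple[DestNatRuleSet, ...]
    routes: Tuple[Tuple[str, str], ...]   # (prefix, egress zone)
    policies: Tuple[Policy, ...]
    snat: Tuple[SourceNatRuleSet, ...]


def in_any(addr, nets):
    return any(ip_address(addr) in ip_network(n) for n in nets)


def destination_nat(pkt, rulesets):
    """Stage 1: destination NAT. Only a rule set whose from-zone equals the
    ingress zone is consulted, which is the 'zone context' reply 6 refers to."""
    for rs in rulesets:
        if rs.from_zone != pkt.in_zone:
            continue
        for rule in rs.rules:
            if in_any(pkt.dst, [rule.match_dst]) and rule.match_dport in (None, pkt.dport):
                return replace(pkt, dst=rule.pool_addr)
    return pkt


def route_lookup(dst, routes):
    """Stage 2: longest-prefix match on the already-translated destination."""
    best = max((r for r in routes if ip_address(dst) in ip_network(r[0])),
               key=lambda r: ip_network(r[0]).prefixlen, default=None)
    return best[1] if best else None


def policy_lookup(pkt, out_zone, policies):
    """Stage 3: first matching policy. It sees the ORIGINAL source (source NAT
    has not run yet) and the TRANSLATED destination (destination NAT already ran)."""
    for p in policies:
        if ((p.from_zone, p.to_zone) == (pkt.in_zone, out_zone)
                and in_any(pkt.src, p.src_nets) and in_any(pkt.dst, p.dst_nets)):
            return p.action
    return "deny"   # implicit default deny


def source_nat(pkt, out_zone, rulesets):
    """Stage 4: source NAT, applied only after the policy has permitted the flow."""
    for rs in rulesets:
        if (rs.from_zone, rs.to_zone) == (pkt.in_zone, out_zone):
            return replace(pkt, src=rs.translate_to)
    return pkt


def process(pkt, cfg):
    """Run the stages in flowchart order and record what each stage saw."""
    trace = []
    pkt = destination_nat(pkt, cfg.dnat)
    trace.append(("after-dnat", pkt.src, pkt.dst))
    out_zone = route_lookup(pkt.dst, cfg.routes)
    action = policy_lookup(pkt, out_zone, cfg.policies)
    trace.append(("policy", pkt.src, pkt.dst, out_zone, action))
    if action != "permit":
        return {"action": action, "trace": trace}
    pkt = source_nat(pkt, out_zone, cfg.snat)
    trace.append(("after-snat", pkt.src, pkt.dst))
    return {"action": action, "final": pkt, "out_zone": out_zone, "trace": trace}


# Constructed configuration mirroring the thread's scenario (assumed addresses).
CONFIG = Config(
    dnat=(DestNatRuleSet("untrust", (DestNatRule("203.0.113.10/32", 80, "172.16.0.101"),)),),
    routes=(("0.0.0.0/0", "untrust"), ("172.16.0.0/24", "Fujitsu-Server"), ("10.0.0.0/24", "trust")),
    policies=(
        # Inbound policy must name the server's PRIVATE address: policy runs after destination NAT.
        Policy("untrust", "Fujitsu-Server", ("192.168.1.0/24",), ("172.16.0.101/32",), "permit"),
        # Outbound policy matches the PRIVATE client address: policy runs before source NAT.
        Policy("trust", "untrust", ("10.0.0.0/24",), ("0.0.0.0/0",), "permit"),
    ),
    snat=(SourceNatRuleSet("trust", "untrust", "203.0.113.10"),),
)

# Common mistake: the inbound policy written against the public address never matches.
PUBLIC_ADDR_POLICY_CONFIG = replace(CONFIG, policies=(
    Policy("untrust", "Fujitsu-Server", ("192.168.1.0/24",), ("203.0.113.10/32",), "permit"),))


if __name__ == "__main__":
    for label, cfg in (("correct", CONFIG), ("public-address policy", PUBLIC_ADDR_POLICY_CONFIG)):
        print(label, process(Packet("192.168.1.20", "203.0.113.10", 80, "untrust"), cfg))
```

Running the block prints the stage trace for an inbound HTTP request: with the corrected configuration the policy stage sees source 192.168.1.20 and destination 172.16.0.101 and permits; with the policy written against the public address the same packet is dropped, because by the time the policy is evaluated the destination has already been rewritten.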