SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Help with NAT configuration.

    Posted 09-30-2017 22:25

    I have an SRX240 and am trying to learn Junos the best that I can; however, I have reached my googling capabilities and simply cannot figure out NAT!

     

    topology

     

    modem -> ge-0/0/0(untrust) -> ge-0/0/2(trust)

     

     

    I have a basic internal-to-external NAT configured that works fine:

    set security nat source rule-set internal-to-internet description "NAT anything from trust zone to untrust (LAN to Internet)"
    set security nat source rule-set internal-to-internet from zone trust
    set security nat source rule-set internal-to-internet to zone untrust
    set security nat source rule-set internal-to-internet rule internet-access match source-address 0.0.0.0/0
    set security nat source rule-set internal-to-internet rule internet-access match destination-address 0.0.0.0/0
    set security nat source rule-set internal-to-internet rule internet-access then source-nat interface

    However, anytime I attempt to create a destination NAT to forward a port, it breaks ping to my external interface.

     

    set security nat destination pool siege address 10.x.x.x/32
    set security nat destination pool siege address port 6015
    set security nat destination rule-set internal-to-wan from zone untrust
    set security nat destination rule-set internal-to-wan rule siege-wan match destination-address 73.x.x.x/32
    set security nat destination rule-set internal-to-wan rule siege-wan then destination-nat pool siege

    Any help would be appreciated. I have confirmed that my security policies are not causing this break, as ping works correctly as long as the destination NAT is not in place. I have attached my scrubbed configuration, blanking out important details such as login information / password hashes / IP address information. Thanks for any help offered 🙂



  • 2.  RE: Help with NAT configuration.

    Posted 10-01-2017 00:35

    Your issue is that you haven't defined a destination port on your destination NAT rule. That way all traffic to the IP is being NAT'ed.

     

    Try adding this command and let us know the result 🙂

     

    set security nat destination rule-set internal-to-wan rule siege-wan match destination-port 6015
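
The condition described in the answer above, as an added example that is not part of the original thread: a Python check that scans set-style Junos configuration for destination NAT rules that match a destination address but no destination port, so that all traffic to that address is translated. The sample input is constructed from the commands posted in the thread; `find_catch_all_rules`, `SAMPLE` and `FIX` are names chosen for this example.

```python
import re
from collections import defaultdict

# Constructed sample: the destination NAT lines from the thread (addresses scrubbed as posted).
SAMPLE = """\
set security nat destination pool siege address 10.x.x.x/32
set security nat destination pool siege address port 6015
set security nat destination rule-set internal-to-wan from zone untrust
set security nat destination rule-set internal-to-wan rule siege-wan match destination-address 73.x.x.x/32
set security nat destination rule-set internal-to-wan rule siege-wan then destination-nat pool siege
"""
# The command suggested in the answer.
FIX = "set security nat destination rule-set internal-to-wan rule siege-wan match destination-port 6015\n"

POOL_PORT = re.compile(r"^set security nat destination pool (\S+) address port (\d+)")
RULE = re.compile(r"^set security nat destination rule-set (\S+) rule (\S+) (match|then) (.+)$")

def find_catch_all_rules(config):
    """Return (rule-set, rule, address, pool, pool_port) for every destination NAT
    rule that matches a destination-address but has no destination-port match."""
    pool_ports, rules = {}, defaultdict(dict)
    for line in config.splitlines():
        line = line.strip()
        if m := POOL_PORT.match(line):
            pool_ports[m.group(1)] = int(m.group(2))
        elif m := RULE.match(line):
            rule_set, rule, kind, rest = m.groups()
            words = rest.split()
            entry = rules[(rule_set, rule)]
            if kind == "match" and len(words) >= 2:
                entry[words[0]] = words[1]  # destination-address, destination-port, ...
            elif words[:2] == ["destination-nat", "pool"] and len(words) >= 3:
                entry["pool"] = words[2]
    findings = []
    for (rule_set, rule), e in rules.items():
        if "destination-address" in e and "destination-port" not in e and "pool" in e:
            findings.append((rule_set, rule, e["destination-address"],
                             e["pool"], pool_ports.get(e["pool"])))
    return findings

if __name__ == "__main__":
    for rs, rule, addr, pool, port in find_catch_all_rules(SAMPLE):
        print(f"{rs}/{rule}: every packet to {addr} is translated to pool {pool} "
              f"(pool port {port}); add 'match destination-port' to narrow the rule")
```
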


  • 3.  RE: Help with NAT configuration.
    Best Answer

    Posted 10-01-2017 08:03

    @jonashauge wrote:

    Your issue is that you haven't defined a destination port on your destination NAT rule. That way all traffic to the IP is being NAT'ed.

     

    Try adding this command and let us know the result 🙂

     

    set security nat destination rule-set internal-to-wan rule siege-wan match destination-port 6015

    I will try this here in a minute. I really hope it doesn't break ping though; could you explain to me why that would happen? I am very green when it comes to Junos and the SRX platform 🙂, hence why I picked out an old one from work and am using it at the top of my home network.



  • 4.  RE: Help with NAT configuration.

    Posted 10-01-2017 10:15

    That did it! Now I am onto an interesting security policy issue... I'll make another post for that as it does not deal with NAT.