SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Source Nat match destination

    Posted 06-21-2018 06:17

    I have an SRX240B2 running 11.47xxxx. I want to know if I can use source NAT match destination 0.0.0.0/0 with the internet. I know I can use source NAT match source 0.0.0.0/0; match source is the default. The first time I tried match destination 0.0.0.0/0 it dropped my internet and TV cable connection. No DS/US.



  • 2.  RE: Source Nat match destination

    Posted 06-21-2018 10:00
    I guess the real question is: is "set security nat source rule-set xxx rule xxx match destination-address 0.0.0.0/0" really a pointer to the remote host(s)? If so, is this for local or global addresses?


  • 3.  RE: Source Nat match destination

    Posted 06-21-2018 11:45

    Same as in my response to your other question:

     https://forums.juniper.net/t5/SRX-Services-Gateway/Source-Nat-options/m-p/329354#M49964

     

    rule to-any-destination {
        match {
            source-address 10.0.0.0/8;
        }
        then {
            source-nat {
                interface;
            }
        }
    }

     

    Also, in NAT configurations you can use ONLY IP addresses.

    You can use an IP address that you configured in the global address book.

    The config will be:

    set security address-book global address Example-destination 8.8.8.8/8

     

    rule to-any-destination {
        match {
            source-address 10.0.0.0/8;
            destination-address-name Example-destination;
        }
        then {
            source-nat {
                interface;
            }
        }
    }

     

    A NAT rule will not accept a DNS name from the global address book.

     

     

    Regards

     

    Leon Smirnov

     


     



  • 4.  RE: Source Nat match destination

    Posted 06-21-2018 15:34
    I am inquiring about the actual address of 0.0.0.0/0. Are there any comments on this? I am not intent on using 0.0.0.0/0. Using my gateway pool might be better. Any comments? 192.168.1.0/32 or /24?


  • 5.  RE: Source Nat match destination

    Posted 06-23-2018 07:55

    I'm not sure I follow the questions so forgive if this is also off target.

     

    ---

    I am inquiring about the actual address of 0.0.0.0/0. Are there any comments on this? I am not intent on using 0.0.0.0/0. Using my gateway pool might be better. Any comments? 192.168.1.0/32 or /24?

    ---

    The address 0.0.0.0/0 means any IP address for the statement where it is included. So in your example above, source NAT match destination 0.0.0.0/0 would be any destination IP address.

     

    More typically the 0.0.0.0/0 would be in the match source-address 0.0.0.0/0 statement for any outbound source address. But you can use the IP address match for either source or destination. These are match criteria for which packets will be source address translated, and NOT the address they are translated to.

     

    The address that is used as the translation is either the pool address you create or the interface ip of the egress interface as specified in the rule.

     



  • 6.  RE: Source Nat match destination
    Best Answer

    Posted 06-23-2018 18:13
    set security nat source rule-set xxx rule xxx match destination-address 0.0.0.0/0 worked correctly for me. The default settings for the SRX240 only include match source-address 0.0.0.0/0.


  • 7.  RE: Source Nat match destination

    Posted 06-24-2018 03:29

    Yes, the default setting for source NAT does not include a destination line because it is not needed. It assumes all destinations, and you only need to include that line when you want to restrict the source NAT by destination address.

     

    Adding the destination match with 0.0.0.0/0 is not necessary.
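
An added example, not taken from any of the posts above, that puts replies 3, 5 and 7 together as one complete source NAT rule-set: a first rule restricted by destination through a global address-book entry (an IP prefix, since NAT rules do not take dns-name entries), a second catch-all rule with no destination line at all, and the operational commands to confirm which rule a session actually hit. The zone names trust/untrust, the rule-set and rule names, the 192.168.1.0/24 LAN prefix and the 8.8.8.8/32 destination are all assumptions for illustration.

```junos
## Added example (not from the original thread). Zone names, rule-set
## and rule names, 192.168.1.0/24 and 8.8.8.8/32 are assumptions.

## Address-book entry used as the NAT destination match. It must be an
## IP prefix (address or address-set); a dns-name entry is not accepted
## by NAT rules.
set security address-book global address Example-destination 8.8.8.8/32

## Rule-set for traffic leaving zone trust towards zone untrust.
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust

## Rule 1 (evaluated first): restricted by destination. source-address
## and destination-address-name are MATCH criteria that select which
## packets get translated; the translated address comes from "then",
## here the egress interface address.
set security nat source rule-set trust-to-untrust rule to-example match source-address 192.168.1.0/24
set security nat source rule-set trust-to-untrust rule to-example match destination-address-name Example-destination
set security nat source rule-set trust-to-untrust rule to-example then source-nat interface

## Rule 2: no destination line. Omitting it already means any
## destination, so "match destination-address 0.0.0.0/0" would be
## equivalent here and is not required.
set security nat source rule-set trust-to-untrust rule lan-to-any match source-address 192.168.1.0/24
set security nat source rule-set trust-to-untrust rule lan-to-any then source-nat interface

## Rules in a rule-set are matched top-down in configured order; if the
## catch-all were entered first, reorder it with:
##   insert security nat source rule-set trust-to-untrust rule to-example before rule lan-to-any

commit

## Operational-mode checks (run after commit):
## per-rule translation hit counters, to see which rule traffic matched
show security nat source rule all
## summary of rule-sets, rules and pools
show security nat source summary
## the live session, including the translated (NAT) source address
show security flow session destination-prefix 8.8.8.8/32
```

Reading the output: "show security nat source rule all" reports a translation hit counter per rule, so traffic to 8.8.8.8 should increment to-example while everything else increments lan-to-any; "show security flow session" shows both the original source and the translated source for the matched session, which is the quickest way to confirm that a destination match selected the right rule without affecting the address that is actually used for translation.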