SRX


Reverse Static Nat question on SRX

  • 1.  Reverse Static Nat question on SRX

    Posted 10-04-2017 07:42

     

    Hi everyone,

     

    Case#1

    set security nat static rule-set rs1 from zone untrust
    set security nat static rule-set rs1 rule r1 match destination-address 199.199.199.10
    set security nat static rule-set rs1 rule r1 then static-nat prefix 10.10.10.10

    As a result of using static nat, we also have nat in reverse direction where all traffic sourced from 199.199.199.10 will be natted to 10.10.10.10

    Capture.PNG-420.PNG

    Does the "Reverse Static Nat" highlighted above refer to the reverse nat we see in case1?

    Case#2

    set security nat static rule-set rs1 from zone untrust
    set security nat static rule-set rs1 rule r1 match source-address 188.188.188.10
    set security nat static rule-set rs1 rule r1 then static-nat prefix 10.10.10.10

    As a result of using static nat, we also have nat in reverse direction where all traffic sourced from 188.188.188.10 will be natted to SRC IP 10.10.10.10

    As a result of using Static NAT above we also have Destination NAT for reverse traffic.
    All return traffic with DEST IP 10.10.10.10 will be natted to dest IP 188.188.188.10

    Capture.PNG-420.PNG

    Does the "Reverse Static Nat" highlighted above refer to the reverse nat we see in case2?

    Thanks and have a nice day!!



  • 2.  RE: Reverse Static Nat question on SRX

     
    Posted 10-04-2017 22:00
    What's Case#2 here? I see only Case#1.

    Regarding reverse static NAT on flow chart, your understanding is correct.


  • 3.  RE: Reverse Static Nat question on SRX

    Posted 10-05-2017 07:32

    Sorry, just fixed it.

     

    Thanks



  • 4.  RE: Reverse Static Nat question on SRX

     
    Posted 10-05-2017 08:26
    Case#1 is correct. Case#2 is incorrect.


  • 5.  RE: Reverse Static Nat question on SRX

    Posted 10-05-2017 08:49

    Hi Suraj,

    Thanks for your response, could you please explain what is wrong in case2?

     

    I am just trying to figure out what is STATIC REVERSE NAT?



  • 6.  RE: Reverse Static Nat question on SRX

     
    Posted 10-06-2017 03:00
    set security nat static rule-set rs1 from zone untrust
    set security nat static rule-set rs1 rule r1 match source-address 188.188.188.10
    set security nat static rule-set rs1 rule r1 then static-nat prefix 10.10.10.10

    Forward Static nat:  (the direction the rule is written)

    Destination address 188.188.188.10 nats to 10.10.10.10

     

    Reverse Static nat: (the reverse direction that the rule is written)

    Source address 188.188.188.10 nats to 10.10.10.10

     

     



  • 7.  RE: Reverse Static Nat question on SRX

    Posted 10-06-2017 08:59

    Thanks Spuluka,

     

    If you look at case 1 and case 2, there is no rule written for reverse traffic, but the rule is present implicitly. Are such rules also referred to as reverse static nat, or do they have to be written explicitly in order to be called "Reverse static nat"?

     



  • 8.  RE: Reverse Static Nat question on SRX

     
    Posted 10-06-2017 10:45

    Static NAT is primarily Destination NAT, and you cannot apply the Case#2 config, as it doesn't have a "destination-address" match. SRX won't allow a static NAT config without a destination address match; you will get an error like the one below.

     

    root@SRX# show security nat
    static {
        rule-set rs1 {
            from zone untrust;
            rule r1 {
                match {
                    source-address 188.188.188.10/32;
                    ## Warning: missing mandatory statement(s): 'destination-address' or 'destination-address-name'
                }
                then {
                    static-nat {
                        prefix {
                            10.10.10.10/32;
                        }
                    }
                }
            }
        }
    }

     

    In simple words, you cannot configure Static NAT just for source NAT. You configure Static NAT when you need a Destination NAT and Source NAT.

     

     



  • 9.  RE: Reverse Static Nat question on SRX

     
    Posted 10-06-2017 14:55

    Thanks Suraj, I had that backwards and have edited to fix. The forward primary direction is destination nat and reverse is source nat.

     

    The basic thing to keep in mind is with one nat rule you get a one to one relationship between the ip addresses for both inbound and outbound traffic.  Think of this as a short cut instead of needing to create both a destination rule and a source rule to accomplish the same thing.



  • 10.  RE: Reverse Static Nat question on SRX

    Posted 10-06-2017 17:08

    Thanks for bearing with me,

     

    So the "Reverse Static Nat" we see in the packet flow diagram is actually the source nat that occurs in the reverse direction when static destination nat is configured?

     



  • 11.  RE: Reverse Static Nat question on SRX
    Best Answer

     
    Posted 10-06-2017 21:03

    Yes, that's correct.

    When you create a static NAT, it inserts an equivalent Destination NAT rule and Source NAT rule to the flow.
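
The one-to-one relationship discussed in this thread, written out as an added example that is not part of any post above: the Case#1 static rule next to the explicit destination NAT and source NAT rules it stands in for. The pool names, the extra rule-set names and the `trust` zone are assumptions for illustration. The two forms are alternatives rather than a single configuration, and the static rule is evaluated ahead of destination and source NAT rules in the flow.

```junos
# Alternative A: static NAT from Case#1 (one rule covers both directions)
set security nat static rule-set rs1 from zone untrust
set security nat static rule-set rs1 rule r1 match destination-address 199.199.199.10/32
set security nat static rule-set rs1 rule r1 then static-nat prefix 10.10.10.10/32

# Alternative B: the same mapping as two explicit rules (names are hypothetical)

# Forward direction (destination NAT):
# traffic from untrust to 199.199.199.10 has its destination rewritten to 10.10.10.10
set security nat destination pool dp-host address 10.10.10.10/32
set security nat destination rule-set dn1 from zone untrust
set security nat destination rule-set dn1 rule d1 match destination-address 199.199.199.10/32
set security nat destination rule-set dn1 rule d1 then destination-nat pool dp-host

# Reverse direction (source NAT):
# sessions initiated by 10.10.10.10 leave with source 199.199.199.10.
# Port translation is disabled so the address mapping stays one-to-one.
set security nat source pool sp-host address 199.199.199.10/32
set security nat source pool sp-host port no-translation
set security nat source rule-set sn1 from zone trust
set security nat source rule-set sn1 to zone untrust
set security nat source rule-set sn1 rule s1 match source-address 10.10.10.10/32
set security nat source rule-set sn1 rule s1 then source-nat pool sp-host
```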