SRX


STATIC DESTINATION NAT Question

  • 1.  STATIC DESTINATION NAT Question

    Posted 09-28-2017 19:08

     

    Hi everyone.

     

    I have some questions about STATIC NAT.

     

    On Cisco Platform:

     SERVER--10.10.10.1------10.10.10.10  -F1-(INSIDE)--R1-F2-(OUTSIDE)-----INTERNET

     

    R1 is configured with STATIC NAT to translate destination IP 199.199.199.10 to 10.10.10.10 for all packets received on OUTSIDE interface f2.

    As a byproduct of using this command, all packets that are sourced from 10.10.10.10 and destined to the Internet will have the SRC IP replaced by 199.199.199.10, i.e. we do not need to create STATIC SOURCE NAT. This also allows SERVER to be the initiator as well.

     

    Now we take this scenario and apply on SRX:

     

    Server 10.10.10.10--10.10.10.1--ZONE A-F1--SRX--F2 -ZONE B

     

    Assume all traffic is allowed from Zone B to Zone A and vice versa

     

    SRX is configured to perform Static destination NAT where all traffic received from ZONE B and destined to 199.199.199.10 will have the destination IP natted to 10.10.10.10

     

    Questions:

    1) Do we need to configure SOURCE NAT for return traffic? I believe we do not, but I just want to confirm. 

    2) This Static NAT (destination) creates a static entry in the NAT table; does it also mean Server 10.10.10.10 can also initiate traffic to the Internet, i.e. the Server is the initiator, i.e. for such traffic the SRC IP will be natted to 199.199.199.10? The key word is "Initiator".

     

    Am I correct or missed something?

     

     

    Thanks


  • 2.  RE: STATIC DESTINATION NAT Question
    Best Answer

    Posted 09-28-2017 22:15

     

    Questions:

    1) Do we need to configure SOURCE NAT for return traffic? I believe we do not, but I just want to confirm. 

     

    No.

    2) This Static NAT (destination) creates a static entry in the NAT table; does it also mean Server 10.10.10.10 can also initiate traffic to the Internet, i.e. the Server is the initiator, i.e. for such traffic the SRC IP will be natted to 199.199.199.10? The key word is "Initiator".

    Yes.

    Am I correct or missed something?

    You are correct, you have not missed anything. To confirm, here are some links for you:

    https://www.juniper.net/documentation/en_US/junos/topics/concept/nat-security-static-understanding.html

    https://www.juniper.net/documentation/en_US/junos/topics/concept/nat-security-static-rule-understanding.html

     

    For additional extensive information:

    https://www.juniper.net/documentation/en_US/junos/topics/concept/nat-security-rule-set-and-rule-understanding.html
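
    The scenario from this thread as a Junos configuration sketch (an added example, not posted by either participant). The zone names `zone-a`/`zone-b`, the interface `ge-0/0/2.0` standing in for F2, and the rule and policy names are assumptions; note that no source NAT rule appears anywhere in it.

```junos
# Added illustration, not from the thread.
# Assumptions: zone-a / zone-b stand in for ZONE A / ZONE B, ge-0/0/2.0 stands
# in for F2, and 199.199.199.10 sits on the subnet directly connected to F2.

# One static NAT rule, matched on traffic arriving from ZONE B.
# Static NAT is bidirectional: the same rule rewrites the destination
# 199.199.199.10 -> 10.10.10.10 inbound and the source
# 10.10.10.10 -> 199.199.199.10 when the server initiates.
set security nat static rule-set srv-static from zone zone-b
set security nat static rule-set srv-static rule srv match destination-address 199.199.199.10/32
set security nat static rule-set srv-static rule srv then static-nat prefix 10.10.10.10/32

# Answer ARP for the public address on F2 (needed only under the
# same-subnet assumption above).
set security nat proxy-arp interface ge-0/0/2.0 address 199.199.199.10/32

# Security policies are evaluated after static NAT on the inbound path,
# so they reference the server's real address, not 199.199.199.10.
set security address-book global address srv-real 10.10.10.10/32

# Inbound sessions (Internet is the initiator). "application any" mirrors the
# thread's "all traffic is allowed" assumption; list only published services
# on a production device.
set security policies from-zone zone-b to-zone zone-a policy in-to-srv match source-address any destination-address srv-real application any
set security policies from-zone zone-b to-zone zone-a policy in-to-srv then permit

# Outbound sessions (server is the initiator).
set security policies from-zone zone-a to-zone zone-b policy srv-out match source-address srv-real destination-address any application any
set security policies from-zone zone-a to-zone zone-b policy srv-out then permit

# Operational-mode checks after commit:
#   show security nat static rule all
#   show security flow session source-prefix 10.10.10.10
```

    The first check lists the static rule with its translation hit counter; the second shows sessions the server initiated, whose reverse wing should carry 199.199.199.10 as the destination.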

     



  • 3.  RE: STATIC DESTINATION NAT Question

    Posted 09-29-2017 07:17

    Appreciated Lyndidon,

     

    Have a nice weekend!!