SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Source NAT processing query

    Posted 12-01-2018 06:13

    Hi all,


    I've found some information that says source NAT happens after route lookup, forwarding lookup and policy checks in order to 'separate the source NAT from other layer 3 processes'.


    Please can anyone explain what that means?


    Thanks



  • 2.  RE: Source NAT processing query
    Best Answer

    Posted 12-01-2018 09:51

    I assume you are reading documentation going over this SRX packet flow chart.

    [image: SRXpacketFlow.gif]

    As more fully described here.

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB16110


    Note where policy lookup occurs during the first-packet session process above, which is after forward static NAT and destination NAT but before source NAT and reverse static NAT.


    This has the zone-to-zone policy written to the locally connected real IP addresses of devices.


    Destination and forward static NAT are changing an outside public IP address to the internal assigned address of the resource. So by doing these before policy lookup we write policy based on real resource addresses.


    Likewise, outbound source NAT and reverse static NAT are converting real internal IP addresses to the outside public address. Thus we perform this function after the policy match, so once again the policy is written to the real IP address of the resources involved.
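To make the ordering concrete, here is an added Junos set-style configuration (not from the post or from Juniper's KB) showing what the flow order means for how you write policy. All addresses, zone names and object names are constructed: 203.0.113.10 is the public VIP, 10.1.1.10 the real server behind it, and the global address book is assumed to be in use.

```junos
## Constructed example: real server object used by both inbound and outbound policy
set security address-book global address web-real 10.1.1.10/32

## Destination NAT: public 203.0.113.10:443 -> real 10.1.1.10:443
## This runs BEFORE policy lookup in the first-packet path
set security nat destination pool web-real-pool address 10.1.1.10/32 port 443
set security nat destination rule-set from-untrust from zone untrust
set security nat destination rule-set from-untrust rule web-dnat match destination-address 203.0.113.10/32
set security nat destination rule-set from-untrust rule web-dnat match destination-port 443
set security nat destination rule-set from-untrust rule web-dnat then destination-nat pool web-real-pool

## Inbound policy is matched against the already-translated destination,
## so it names the real host (web-real), never the public VIP
set security policies from-zone untrust to-zone trust policy allow-web match source-address any
set security policies from-zone untrust to-zone trust policy allow-web match destination-address web-real
set security policies from-zone untrust to-zone trust policy allow-web match application junos-https
set security policies from-zone untrust to-zone trust policy allow-web then permit

## Source NAT: internal 10.1.1.0/24 -> egress interface address
## This runs AFTER policy lookup, so policy never sees the post-NAT source
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule outbound match source-address 10.1.1.0/24
set security nat source rule-set trust-to-untrust rule outbound then source-nat interface

## Outbound policy likewise names the real internal source, not the public address
set security policies from-zone trust to-zone untrust policy allow-out match source-address web-real
set security policies from-zone trust to-zone untrust policy allow-out match destination-address any
set security policies from-zone trust to-zone untrust policy allow-out match application any
set security policies from-zone trust to-zone untrust policy allow-out then permit
```

On a live SRX, `show security flow session` lists each session's In and Out wings with the pre- and post-translation addresses, which is the quickest way to confirm that a policy match happened on the real address rather than the translated one.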