I apologize for the long-winded email, but I want to provide as much info as possible to get this concept straight.
Please consider the following cases:
CASE1: STATIC NAT (Only Changing destination IP)
H1 184.108.40.206/24--------220.127.116.11/24 -F1 SRX F2 -10.10.10.1-------10.10.10.2 SERVER
F1 in Zone A
F2 in Zone B
All traffic from H1 destined to Server enters F1 on SRX with destination IP 18.104.22.168
SRX has a Static NAT where we change destination 22.214.171.124 to 10.10.10.2 and route it to Server.
Traffic from H1 to Server:
From Server to H1:
What will happen next NAT or Security Policy evaluation?
If NAT occurs first, i.e. SRC IP 10.10.10.2 is replaced by 126.96.36.199 and then Security Policy evaluation happens, then we have an issue:
188.8.131.52 is not configured on any interface on SRX, so we cannot determine the Zone for the Security Policy.
If Security Policy occurs first, will the Zones for the Security Policy be determined based on the PRE NAT IP, i.e. SRC IP 10.10.10.2, destination IP 184.108.40.206?
CASE2: (Only Changing SRC IP)
H1 220.127.116.11/24--------18.104.22.168/24 F1 SRX F2 10.10.10.1-------10.10.10.2 SERVER
All traffic from H1 must reach Server with SRC IP 10.10.10.10
Traffic with SRC IP 22.214.171.124, destination IP 10.10.10.2 enters F1 on SRX.
Based on the order of operation diagram shown below, NAT occurs first.
On SRX we have NAT rule that says all traffic from ZONE A must have SRC NATTED to 10.10.10.10
Based on the diagram above, Zones for Security Policies are determined based on the POST NAT IP, i.e. SRC IP 10.10.10.10. Right?
Traffic with SRC IP 10.10.10.2 destination IP 10.10.10.10 enters F2 on SRX.
What will happen next?
Will SRX first perform NAT, i.e. destination IP 10.10.10.10 is replaced by 126.96.36.199, and then Security Policy evaluation? If yes, are Security Zones determined based on the POST NAT IP?
Or Security Policy evaluation first, then NAT? If yes, are Security Zones determined based on the PRE NAT IP?
Thanks and have a nice weekend!!
When doing destination NAT, this is evaluated before the security policy check.
When doing source NAT, the security policy check is before the NAT address change.
Security policy is only needed in the direction zone to zone of the initiator of that traffic. Return packets will match this existing flow and will not be evaluated against new policies but the existing flow match.
Static NAT is slightly different: this applies source translation from the device out when a match occurs inside to outside, and will apply destination NAT to the flow when the traffic direction is outside to inside on the same rule. Static NAT is a convenience to prevent having to create two NAT rules, one for source out and another for destination in. This creates a static mapping for an internal address to an external one. This also means you cannot then share this external address across multiple internal servers splitting out the ports.
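An added example (not from this thread or from Juniper) that models the first-packet ordering described in the reply: static/destination NAT before the policy lookup, reverse static NAT and source NAT after it. The topology and addresses are constructed from documentation ranges (F1 in zone A, F2 in zone B), not the thread's values, and the single-table route lookup and dict-based NAT rules are simplifications for illustration.

```python
import ipaddress

# Constructed topology modelled on the thread (documentation-range addresses,
# not the page's): F1 203.0.113.1/24 in zone "A" faces H1 203.0.113.10,
# F2 10.10.10.1/24 in zone "B" faces the server 10.10.10.2.
ROUTES = {"203.0.113.0/24": "A", "10.10.10.0/24": "B"}   # prefix -> egress zone

# Case 1 of the thread: static NAT only, external address -> server.
CASE1 = {"static_nat": {"203.0.113.50": "10.10.10.2"}, "source_nat": {}}
# Case 2 of the thread: source NAT only, everything from zone A leaves as 10.10.10.10.
CASE2 = {"static_nat": {}, "source_nat": {"A": "10.10.10.10"}}

def zone_for(ip):
    """Route lookup: the zone of the interface the SRX would forward ip out of.
    First match wins; the constructed prefixes do not overlap."""
    for prefix, zone in ROUTES.items():
        if ipaddress.ip_address(ip) in ipaddress.ip_network(prefix):
            return zone
    raise ValueError(f"no route for {ip}")

def first_packet(src, dst, in_zone, cfg):
    """Model the first-packet path: which addresses the policy lookup sees,
    which zone pair it uses, and which addresses appear on the wire afterwards."""
    static_nat, source_nat = cfg["static_nat"], cfg["source_nat"]
    # Step 1: static/destination NAT runs BEFORE the policy lookup, so the
    # to-zone is found by a route lookup on the translated destination.
    dst = static_nat.get(dst, dst)
    to_zone = zone_for(dst)
    policy_tuple = (src, dst)          # the policy is matched on these
    # Step 2: reverse static NAT and source NAT run AFTER the policy lookup,
    # so they never change the zones or the addresses the policy saw.
    internal_to_external = {v: k for k, v in static_nat.items()}
    if src in internal_to_external:
        src = internal_to_external[src]
    elif in_zone in source_nat:
        src = source_nat[in_zone]
    return {"from_zone": in_zone, "to_zone": to_zone,
            "policy_match": policy_tuple, "on_wire": (src, dst)}

if __name__ == "__main__":
    # Case 1, H1 -> server: policy sees the server's real address (post dest-NAT).
    print(first_packet("203.0.113.10", "203.0.113.50", "A", CASE1))
    # Case 1, server initiating: policy sees 10.10.10.2, the wire sees 203.0.113.50.
    print(first_packet("10.10.10.2", "203.0.113.10", "B", CASE1))
    # Case 2, H1 -> server: policy sees H1's real address (pre source-NAT).
    print(first_packet("203.0.113.10", "10.10.10.2", "A", CASE2))
```

Return traffic is not modelled: as the reply says, it matches the existing session rather than a new policy lookup.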
Thanks for your response.
H1 188.8.131.52--184.108.40.206 F1 SRX-F2 10.10.10.2----10.10.10.10 SERVER
where 220.127.116.11 destination IP is mapped to 10.10.10.10 using STATIC NAT on SRX:
If we are sure traffic H1 will always be the initiator, then we do not need a Security Policy for return traffic; as you mentioned, return traffic will be matched to the existing flow.
On the other hand, if the server has to initiate traffic, that means we need a Security policy BASED ON the pre NAT IP; however, return traffic, i.e. host to server, does not need any security policy as it will match the existing flow.
Did I get it right?
Have a nice weekend!!