SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  STATIC NAT rules evaluations on SRX

    Posted 05-05-2018 14:27

    Hi everyone,

    Let's say we have the following static NAT config:

    SRX ge1/1/1-----(EXTERNAL ZONE)

    set security nat static rule-set TEST from zone EXTERNAL
    set security nat static rule-set TEST rule R1 match destination-address 199.199.199.1/32
    set security nat static rule-set TEST rule R1 then static-nat prefix 10.10.10.1/32
    set security nat static rule-set TEST rule R2 match source-address 200.200.200.1/32
    set security nat static rule-set TEST rule R2 match destination-address 199.199.199.1/32
    set security nat static rule-set TEST rule R2 then static-nat prefix 10.10.10.1/32

    SRX receives traffic on g1/1/1 with src IP 200.200.200.1 and dst IP 199.199.199.1.

    Which rule does the SRX use to match? R1 because it is the first rule, or R2 because it is more specific? In other words, when evaluating NAT rules, does order matter, or will the more specific rule be chosen regardless of order?

    2) Is the above also true for source NAT and destination NAT?

    Thanks and have a nice weekend



  • 2.  RE: STATIC NAT rules evaluations on SRX
    Best Answer

    Posted 05-05-2018 17:34

    Static NAT is a one-to-one mapping of two IP addresses for both flow directions, zone to zone.

    The configuration above will not commit due to the overlap in IP address match.

    For source and destination NAT you can do more nuanced rules like these. But you do have to place the address into a pool object instead of declaring it directly.

    NAT examples

    https://kb.juniper.net/library/CUSTOMERSERVICE/technotes/Junos_NAT_Examples.pdf
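As an added example (not from the thread or the linked Juniper document), here is the same R1/R2 pair rewritten as destination NAT, which is the form the answer points to: the translated address lives in a pool object, and both rules reference that pool. Rules inside a destination NAT rule-set are evaluated top to bottom and the first match wins, so the more specific rule (source plus destination match) is placed first; the pool name DST-SERVER and rule-set name DNAT-TEST are assumptions.

```junos
# Added example, not from the original post. Pool and rule-set names are assumed.
set security nat destination pool DST-SERVER address 10.10.10.1/32
set security nat destination rule-set DNAT-TEST from zone EXTERNAL
# Specific rule first: only traffic from 200.200.200.1 to 199.199.199.1 hits R2
set security nat destination rule-set DNAT-TEST rule R2 match source-address 200.200.200.1/32
set security nat destination rule-set DNAT-TEST rule R2 match destination-address 199.199.199.1/32
set security nat destination rule-set DNAT-TEST rule R2 then destination-nat pool DST-SERVER
# Broader rule second: any other source reaching 199.199.199.1 falls through to R1
set security nat destination rule-set DNAT-TEST rule R1 match destination-address 199.199.199.1/32
set security nat destination rule-set DNAT-TEST rule R1 then destination-nat pool DST-SERVER
```

If the rules were entered in the other order, `insert security nat destination rule-set DNAT-TEST rule R2 before rule R1` moves the specific rule ahead, and `show security nat destination rule all` (operational mode) displays the resulting order with per-rule translation hit counters so you can confirm which rule the 200.200.200.1 traffic actually matched.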