root@SRX01# show security nat destination rule-set dst-nat rule att_machine
match {
    destination-address 1.1.1.1/32;
    destination-port {
        90;
    }
}
then {
    destination-nat {
        pool {
            attendance_machine;
        }
    }
}
------------------------
root@SRX01# show security nat destination pool attendance_machine
address 192.168.10.32/32 port 90;
---------------------
root@KIAL-SRX01# show security nat proxy-arp
interface ge-0/0/4.0 {
    address {
        1.1.1.1/29;
    }
}
-----------------------
root@SRX01# run show security policies policy-name att_machine_DNAT
node1:
--------------------------------------------------------------------------
From zone: external, To zone: internal
Policy: att_machine_DNAT, State: enabled, Index: 24, Scope Policy: 0, Sequence number: 3
Source addresses: any
Destination addresses: 192.168.10.32, 1.1.1.1
Applications: 90-TCP, junos-icmp-all, junos-icmp-ping, junos-ping
Action: permit, log
------------------------------
Charles
------------------------------
Original Message:
Sent: 05-29-2021 09:06
From: STEVE PULUKA
Subject: DNAT with secondary IP
Can you share the config for review on all the elements?
Note that the rule order does matter as well, so be sure the policy is in a position to not be overridden by previous matches. And the order of the NAT rules as well.
You can also look to see if the session and NAT are recognized on the SRX by looking at how the source traffic is seen in the session table. This will confirm which rule matches the traffic and what NAT occurs.
show security flow session source-prefix 10.1.1.1/32
------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
Original Message:
Sent: 05-29-2021 06:42
From: Charles
Subject: DNAT with secondary IP
Thank you @spuluka
Of course those two are already there.
------------------------------
Charles
Original Message:
Sent: 05-29-2021 05:34
From: STEVE PULUKA
Subject: DNAT with secondary IP
Proxy arp is just one element of the process. You also need a destination nat rule and a security policy to permit the traffic.
See the details starting on page 9 of this examples document.
https://kb.juniper.net/library/CUSTOMERSERVICE/technotes/Junos_NAT_Examples.pdf
------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
Original Message:
Sent: 05-28-2021 10:30
From: Charles
Subject: DNAT with secondary IP
We are using SRX100 firewall. Need to DNAT using secondary WAN IP.
ISP/WAN interface configured with IP 1.1.1.1/29 (eg ip)
Need to DNAT traffic coming to 1.1.1.2 port 80 to 192.168.60.62
I configured DNAT and added proxy-arp as per this doc [SRX] When and how to configure Proxy ARP - Juniper Networks
Still DNAT is not working. Can anyone help get the DNAT working?
------------------------------
Charles
------------------------------
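The rule-order point from Steve Puluka's reply, as an added example that is not part of the original thread and not Juniper code: a simplified first-match model showing that destination NAT is applied before policy lookup, so the policy must match the translated address and must not sit behind an earlier match. The rule, pool and posted policy values are taken from the config above; the policies marked constructed and the default-deny fallback are assumptions.

```python
from ipaddress import ip_address, ip_network

# Values come from the config posted in the thread, except entries marked "constructed".
DNAT_RULES = [
    {"name": "att_machine", "dst": "1.1.1.1/32", "port": 90,
     "pool": ("192.168.10.32", 90)},  # pool attendance_machine
]
POSTED = {"name": "att_machine_DNAT", "dst": {"192.168.10.32", "1.1.1.1"},
          "ports": {90}, "action": "permit"}
# Constructed policies, not from the thread:
PUBLIC_ONLY = {"name": "public_only", "dst": {"1.1.1.1"}, "ports": {90}, "action": "permit"}
EARLIER_DENY = {"name": "earlier_deny", "dst": {"any"}, "ports": {"any"}, "action": "deny"}


def translate(dst_ip, dst_port, rules):
    """First matching destination NAT rule wins; no match leaves the packet untouched."""
    for rule in rules:
        if ip_address(dst_ip) in ip_network(rule["dst"]) and dst_port == rule["port"]:
            return (rule["name"],) + rule["pool"]
    return (None, dst_ip, dst_port)


def first_policy(dst_ip, dst_port, policies):
    """First matching policy wins; the default action is assumed to be deny."""
    for pol in policies:
        if ({"any", dst_ip} & pol["dst"]) and ({"any", dst_port} & pol["ports"]):
            return pol["name"], pol["action"]
    return "default", "deny"


def trace(dst_ip, dst_port, rules, policies):
    """Destination NAT runs before policy lookup, so policies see the translated address."""
    nat_rule, ip, port = translate(dst_ip, dst_port, rules)
    name, action = first_policy(ip, port, policies)
    return {"nat_rule": nat_rule, "translated": (ip, port), "policy": name, "action": action}


if __name__ == "__main__":
    for label, pols in [("posted policy", [POSTED]),
                        ("public address only", [PUBLIC_ONLY]),
                        ("deny placed earlier", [EARLIER_DENY, POSTED])]:
        print(label, "->", trace("1.1.1.1", 90, DNAT_RULES, pols))
```

On the device itself, the session table command quoted in the thread shows which rule and policy a live flow actually matched.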