SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Split source nat based on destination

    Posted 03-25-2021 16:15
    I want most traffic on ge-0/0/1 (trust) to source nat to ge-0/0/0 (Internet) unless it's destined for 10.1.10.0/24, then I want it to source nat to ge-0/0/2 / 10.1.10.29/24 and route to 10.1.10.1 gateway connected on another router. So far I have:

    [edit security nat source rule-set trust_srcnat]
    root@router# show 
    from zone trust;
    to zone [ Internet mgmt10 ];
    rule trust-mgmt10 {
        match {
            source-address 0.0.0.0/0;
            destination-address 10.1.10.0/24;
        }
        then {
            source-nat {
                interface;
            }
        }
    }
    rule trust-src-interface {
        match {
            source-address 0.0.0.0/0;
            destination-address 0.0.0.0/0;
        }
        then {
            source-nat {
                interface;
            }
        }
    }


    Will this rule-set consider traffic destined for 10.1.10.0/24 first, or simply route everything per second rule? What else do I need to make this route right? I need a policy as well, but I'm trying to figure the nat first.



  • 2.  RE: Split source nat based on destination
    Best Answer

    Posted 03-25-2021 17:16
    The routing will be determined by the route table, so if routing has 10.1.10.0/24 going out ge-0/0/2 then this will be the interface used for the nat interface term.

    Based on the config I am assuming ge-0/0/2 is mgmt10 zone and ge-0/0/20 is Internet zone.

    If that is the case then no special rule is needed at all.  As long as routing sends the traffic out the correct interface the generic all sources get nat interface translation will just work with the interface address being from the one where the traffic egresses.


    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------
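    The collapsed configuration the answer implies, written here as an added example rather than anything posted in the thread: it assumes ge-0/0/1 is already in zone trust and ge-0/0/2 already carries 10.1.10.29/24, takes the zone name mgmt10 and the rule-set name from the question, and the policy name trust-to-mgmt10 is an assumption. Source NAT rules inside a rule-set are evaluated top to bottom with first match winning, so the original ordering would have hit trust-mgmt10 first for 10.1.10.0/24 anyway; since both rules translate to the egress interface address, one rule is enough and the route lookup decides which address is used.

```junos
/* Added example, not from the original thread. ge-0/0/2 is assumed to */
/* already hold 10.1.10.29/24, so 10.1.10.0/24 is a connected route.   */
security {
    zones {
        security-zone mgmt10 {
            interfaces {
                ge-0/0/2.0;
            }
        }
    }
    /* One interface-NAT rule covers both egress zones: the translated */
    /* source comes from whichever interface the route lookup selects.  */
    nat {
        source {
            rule-set trust_srcnat {
                from zone trust;
                to zone [ Internet mgmt10 ];
                rule trust-src-interface {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    /* NAT alone does not pass traffic; the trust -> mgmt10 zone pair */
    /* still needs a permit policy (narrow it to real applications).    */
    policies {
        from-zone trust to-zone mgmt10 {
            policy trust-to-mgmt10 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
```

A static route pointing at 10.1.10.1 is only needed for networks that sit beyond that router, not for 10.1.10.0/24 itself; `show security flow session` after a test connection confirms which interface address the session was translated to.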



  • 3.  RE: Split source nat based on destination

    Posted 03-25-2021 18:51
    Thanks, that worked :)