Hope someone can give me some idea about the NAT configuration in double firewalls scenario
internet <-> 1st firewall <-> 2nd firewall <-> internal
1st firewall is vSRX and 2nd firewall is a palo alto physical device
So far, the static NAT configuration to a FTP server in the internal zone can successfully reach from internet.
What left is the Dynamic IP and Port NAT for internal user to reach internet.
NAT on 2nd firewall was done by DIPP on palo alto device. Internal user can reach the zone between the 2 firewalls.
Now I think I need to make NAT on vSRX for the internal user to reach internet.
Should I use "nat static" or "nat source" or any other nat type in this case?
I can understand that you need perform the NAT along with PAT vSRX for the internal user who can reach internet. I recommend you to configure the source NAT. This would help you to translate the a contiguous block of addresses to another block of addresses of the same size or smaller size.
You can refer the below link to configure the same :
Static NAT is used in the scenarios when you need one-to-one mapping of the IP addresses to perform bidirectional NAT. YOu can refer the below link for better understanding:
Kindly let me know if you face any issue I would help you.
[KUDOS PLEASE! If you think I earned it! If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]
If FW2 has a link to internet, I assume firewall two has a public IP. Is that correct?
If that is the case, is there a specific reason not to do source nat of FW2?
Note:- Document link given by rsurana is still valid if you want to do NAT on FW-1
Only FW1 is link to internet. FW2 is behind FW1.