vSRX


Double firewalls (not HA) NAT scenario

  • 1.  Double firewalls (not HA) NAT scenario

    Posted 08-15-2018 03:20

    Hope someone can give me some idea about the NAT configuration in a double firewall scenario:

    internet <-> 1st firewall <-> 2nd firewall <-> internal

    The 1st firewall is a vSRX and the 2nd firewall is a Palo Alto physical device.

    So far, the static NAT configuration to an FTP server in the internal zone works: it can successfully be reached from the internet.

    What is left is the Dynamic IP and Port NAT for internal users to reach the internet.

    NAT on the 2nd firewall was done with DIPP on the Palo Alto device. Internal users can reach the zone between the 2 firewalls.

    Now I think I need to configure NAT on the vSRX for the internal users to reach the internet.

    Should I use "nat static" or "nat source" or any other NAT type in this case?



  • 2.  RE: Double firewalls (not HA) NAT scenario
    Best Answer

     
    Posted 08-15-2018 05:57

    Hi Jlotag,

    I understand that you need to perform NAT along with PAT on the vSRX for the internal users who reach the internet. I recommend you configure source NAT. This helps you translate a contiguous block of addresses to another block of addresses of the same or smaller size.

    You can refer to the link below to configure the same:

    https://www.juniper.net/documentation/en_US/junos/topics/topic-map/nat-security-source-and-source-pool.html

    Static NAT is used in scenarios where you need one-to-one mapping of the IP addresses to perform bidirectional NAT. You can refer to the link below for a better understanding:

    https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-nat-static.html

    Kindly let me know if you face any issue; I would be glad to help you.

    Regards,

    Rishi

    JTAC

    [KUDOS PLEASE! If you think I earned it! If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit.]
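A worked configuration for the source NAT with PAT that rsurana recommends, added here as an example and not taken from the answer or from Juniper's documentation. The zone names, interface names, the 192.0.2.0/24 inter-firewall segment and the 203.0.113.10 public address are assumptions. One point specific to the double-firewall layout: because the Palo Alto already applies DIPP, the vSRX only ever sees sessions sourced from the segment between the two firewalls, so that segment is what the rule matches, not the internal LAN.

```junos
# Added example, not the original post's configuration.
# Assumed topology: ge-0/0/1 faces the inter-firewall segment (zone "trust",
# 192.0.2.0/24, already DIPP-translated by the Palo Alto); ge-0/0/0 faces the
# internet (zone "untrust", 203.0.113.10/24, a documentation address).
set interfaces ge-0/0/0 unit 0 family inet address 203.0.113.10/24
set interfaces ge-0/0/1 unit 0 family inet address 192.0.2.1/24
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust interfaces ge-0/0/1.0

# Source NAT with PAT: "then source-nat interface" hides every matched
# source behind the untrust interface address with port overloading, which is
# the vSRX counterpart of the Palo Alto's DIPP.
set security nat source rule-set inside-to-internet from zone trust
set security nat source rule-set inside-to-internet to zone untrust
set security nat source rule-set inside-to-internet rule hide-inside match source-address 192.0.2.0/24
set security nat source rule-set inside-to-internet rule hide-inside match destination-address 0.0.0.0/0
set security nat source rule-set inside-to-internet rule hide-inside then source-nat interface

# NAT alone permits nothing; a trust-to-untrust policy is still required.
# Policy lookup happens before source NAT, so it matches the pre-NAT source.
set security address-book global address inter-fw-segment 192.0.2.0/24
set security policies from-zone trust to-zone untrust policy allow-out match source-address inter-fw-segment
set security policies from-zone trust to-zone untrust policy allow-out match destination-address any
set security policies from-zone trust to-zone untrust policy allow-out match application any
set security policies from-zone trust to-zone untrust policy allow-out then permit
set security policies from-zone trust to-zone untrust policy allow-out then log session-close
commit

# Verification from configuration mode: rule hit counters and translated sessions.
run show security nat source rule all
run show security flow session source-prefix 192.0.2.0/24
```

The session output should show the 192.0.2.x source on the "In" wing and 203.0.113.10 with a rewritten port on the "Out" wing; if the rule's translation hit counter stays at zero while sessions are created, the policy or zone assignment is wrong rather than the NAT rule.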



  • 3.  RE: Double firewalls (not HA) NAT scenario

     
    Posted 08-15-2018 18:37

    Hello,

    If FW2 has a link to the internet, I assume firewall two has a public IP. Is that correct?

    If that is the case, is there a specific reason not to do source NAT on FW2?

    Note: the document link given by rsurana is still valid if you want to do NAT on FW-1.

    Regards,

    Rushi



  • 4.  RE: Double firewalls (not HA) NAT scenario

    Posted 08-16-2018 00:04

    Hello rtilak,

    Only FW1 is linked to the internet. FW2 is behind FW1.