Hi guys,
I am testing 1:1 NAT on a vSRX firewall with the topology below:
I set up the NAT rules like this (so that when something connects from Untrust to 192.168.93.10, it should be NATed to 10.1.1.20, and when 10.1.1.20 connects to Untrust, it should be source-NATed to 192.168.93.10):
set security nat source rule-set Zone_trust-Zone_untrust from zone trust
set security nat source rule-set Zone_trust-Zone_untrust to zone untrust
set security nat source rule-set Zone_trust-Zone_untrust rule LAN_WAN match source-address 0.0.0.0/0
set security nat source rule-set Zone_trust-Zone_untrust rule LAN_WAN then source-nat interface
set security nat static rule-set StaticNat from zone untrust
set security nat static rule-set StaticNat rule staticNat match destination-address 192.168.93.10/32
set security nat static rule-set StaticNat rule staticNat then static-nat prefix 10.1.1.20/32
set security nat proxy-arp interface ge-0/0/0.0 address 192.168.93.10/32 to 192.168.93.10/32
But when I test, the PC 10.1.1.20 can ping outside (untrust) and its source IP is NATed to 192.168.93.10. But when I ping 192.168.93.10 from outside (untrust), it fails. Please help!
This is the security policy config:
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone trust to-zone untrust policy trust-to-untrust then log session-init
set security policies from-zone trust to-zone untrust policy trust-to-untrust then log session-close
set security policies from-zone untrust to-zone trust policy staticNAT match source-address any
set security policies from-zone untrust to-zone trust policy staticNAT match destination-address client
set security policies from-zone untrust to-zone trust policy staticNAT match application any
set security policies from-zone untrust to-zone trust policy staticNAT match dynamic-application any
set security policies from-zone untrust to-zone trust policy staticNAT match url-category none
set security policies from-zone untrust to-zone trust policy staticNAT then permit
set security policies from-zone untrust to-zone trust policy staticNAT then log session-init
set security policies from-zone untrust to-zone trust policy staticNAT then log session-close
set security policies from-zone untrust to-zone trust policy staticNAT then count
------------------------------
marks
------------------------------
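Added example, not part of the original post and not a Juniper tool: a small consistency check over the static-NAT and policy "set" lines posted above. It encodes two rules of the SRX flow that matter for the inbound direction: proxy ARP must answer for the public address matched by the static rule, and because static NAT is applied before the policy lookup, the untrust-to-trust policy must permit the translated (real) address 10.1.1.20, not the pre-NAT address 192.168.93.10. The post does not show the address-book object "client", so two hypothetical definitions are constructed here to show the difference; ge-0/0/0.0 is assumed to be the untrust-facing interface.

```python
"""Static-NAT sanity check over Junos 'set' lines (example code, not a Juniper tool).
Assumptions: the address-book object 'client' is not shown in the post, so two
constructed candidates are checked; ge-0/0/0.0 is assumed to face the untrust zone."""
import ipaddress
import re

# Constructed sample: the static-NAT, proxy-ARP and untrust->trust policy lines from the post.
BASE_CONFIG = """
set security nat static rule-set StaticNat from zone untrust
set security nat static rule-set StaticNat rule staticNat match destination-address 192.168.93.10/32
set security nat static rule-set StaticNat rule staticNat then static-nat prefix 10.1.1.20/32
set security nat proxy-arp interface ge-0/0/0.0 address 192.168.93.10/32 to 192.168.93.10/32
set security policies from-zone untrust to-zone trust policy staticNAT match source-address any
set security policies from-zone untrust to-zone trust policy staticNAT match destination-address client
set security policies from-zone untrust to-zone trust policy staticNAT match application any
set security policies from-zone untrust to-zone trust policy staticNAT then permit
"""
# Hypothetical address-book entries for 'client' (the post does not show this object).
GOOD_BOOK = "set security address-book global address client 10.1.1.20/32\n"
BAD_BOOK = "set security address-book global address client 192.168.93.10/32\n"

STATIC_ZONE = re.compile(r"^set security nat static rule-set (\S+) from zone (\S+)$")
STATIC_RULE = re.compile(r"^set security nat static rule-set (\S+) rule (\S+) "
                         r"(match destination-address|then static-nat prefix) (\S+)$")
PROXY_ARP = re.compile(r"^set security nat proxy-arp interface (\S+) address (\S+) to (\S+)$")
ADDRESS = re.compile(r"^set security address-book global address (\S+) (\S+)$")
POLICY = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
                    r"(match destination-address|then) (\S+)$")


def parse(config):
    """Pull static-NAT rules, proxy-ARP ranges, address-book entries and policies out of set lines."""
    cfg = {"static": {}, "proxy_arp": [], "book": {}, "policies": {}}
    for line in config.strip().splitlines():
        line = line.strip()
        if m := STATIC_ZONE.match(line):
            cfg["static"].setdefault(m[1], {})["from_zone"] = m[2]
        elif m := STATIC_RULE.match(line):
            rule = cfg["static"].setdefault(m[1], {}).setdefault("rules", {}).setdefault(m[2], {})
            rule["match" if m[3].startswith("match") else "nat"] = ipaddress.ip_network(m[4])
        elif m := PROXY_ARP.match(line):
            cfg["proxy_arp"].append((m[1], ipaddress.ip_network(m[2]), ipaddress.ip_network(m[3])))
        elif m := ADDRESS.match(line):
            cfg["book"][m[1]] = ipaddress.ip_network(m[2])
        elif m := POLICY.match(line):
            pol = cfg["policies"].setdefault((m[1], m[2], m[3]), {})
            if m[4] == "then":
                if m[5] in ("permit", "deny", "reject"):
                    pol["action"] = m[5]
            else:
                pol["dst"] = m[5]
    return cfg


def check(cfg):
    """Return a list of findings; an empty list means the inbound static-NAT path looks consistent."""
    findings = []
    for rs_name, rs in cfg["static"].items():
        zone = rs.get("from_zone")
        for rule_name, rule in rs.get("rules", {}).items():
            public, real = rule["match"], rule["nat"]
            # 1. Something must answer ARP for the public address on the outside segment.
            if not any(lo[0] <= public[0] <= hi[-1] for _, lo, hi in cfg["proxy_arp"]):
                findings.append(f"{rs_name}/{rule_name}: no proxy-arp entry covers {public}")
            # 2. Static NAT runs before the policy lookup, so the policy in the ingress zone
            #    has to permit the translated address, not the address the outside world used.
            permitted = False
            for (fz, _tz, pname), pol in cfg["policies"].items():
                if fz != zone or pol.get("action") != "permit":
                    continue
                dst = pol.get("dst")
                if dst == "any":
                    permitted = True
                elif dst in cfg["book"]:
                    prefix = cfg["book"][dst]
                    if real.subnet_of(prefix):
                        permitted = True
                    elif public.subnet_of(prefix):
                        findings.append(f"policy {pname}: destination '{dst}' = {prefix} is the "
                                        f"pre-NAT address; the policy must match {real}")
                else:
                    findings.append(f"policy {pname}: destination '{dst}' not found in address book")
            if not permitted:
                findings.append(f"{rs_name}/{rule_name}: no permit policy from zone {zone} for {real}")
    return findings


if __name__ == "__main__":
    for label, book in (("client = 10.1.1.20", GOOD_BOOK), ("client = 192.168.93.10", BAD_BOOK)):
        print(label, "->", check(parse(BASE_CONFIG + book)) or "OK")
```

The check only covers what the posted lines say; it does not know which zone ge-0/0/0.0 belongs to, whether the address book object is global or zone-scoped, or what the upstream router has cached in its ARP table, so treat a clean result as necessary rather than sufficient.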