Security


Ask questions and share experiences with Juniper Connected Security. Discuss Advanced Threat Protection, SecIntel, Secure Analytics, Secure Connect, Security Director, and all things related to Juniper security technologies.
  • 1.  NAT static 1-1 not working from outside to inside

    Posted 09-01-2021 05:41
    Hi guys,

    I am testing 1:1 NAT on a vSRX firewall with the following topology:


    I set up the NAT rules as follows (so when something connects from Untrust to 192.168.93.10, it should be NATed to 10.1.1.20, and when 10.1.1.20 connects to Untrust, it should be source-NATed to 192.168.93.10):

    set security nat source rule-set Zone_trust-Zone_untrust from zone trust
    set security nat source rule-set Zone_trust-Zone_untrust to zone untrust
    set security nat source rule-set Zone_trust-Zone_untrust rule LAN_WAN match source-address 0.0.0.0/0
    set security nat source rule-set Zone_trust-Zone_untrust rule LAN_WAN then source-nat interface
    set security nat static rule-set StaticNat from zone untrust
    set security nat static rule-set StaticNat rule staticNat match destination-address 192.168.93.10/32
    set security nat static rule-set StaticNat rule staticNat then static-nat prefix 10.1.1.20/32
    set security nat proxy-arp interface ge-0/0/0.0 address 192.168.93.10/32 to 192.168.93.10/32

    But when I test, the PC 10.1.1.20 can ping outside (untrust) and its source IP is NATed to 192.168.93.10. But when I ping 192.168.93.10 from outside (untrust), it fails. Please help!

    This is the security policy config:
    set security policies from-zone trust to-zone trust policy default-permit match source-address any
    set security policies from-zone trust to-zone trust policy default-permit match destination-address any
    set security policies from-zone trust to-zone trust policy default-permit match application any
    set security policies from-zone trust to-zone trust policy default-permit then permit
    set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
    set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
    set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
    set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
    set security policies from-zone trust to-zone untrust policy trust-to-untrust then log session-init
    set security policies from-zone trust to-zone untrust policy trust-to-untrust then log session-close
    set security policies from-zone untrust to-zone trust policy staticNAT match source-address any
    set security policies from-zone untrust to-zone trust policy staticNAT match destination-address client
    set security policies from-zone untrust to-zone trust policy staticNAT match application any
    set security policies from-zone untrust to-zone trust policy staticNAT match dynamic-application any
    set security policies from-zone untrust to-zone trust policy staticNAT match url-category none
    set security policies from-zone untrust to-zone trust policy staticNAT then permit
    set security policies from-zone untrust to-zone trust policy staticNAT then log session-init
    set security policies from-zone untrust to-zone trust policy staticNAT then log session-close
    set security policies from-zone untrust to-zone trust policy staticNAT then count

    ------------------------------
    marks
    ------------------------------


  • 2.  RE: NAT static 1-1 not working from outside to inside

    Posted 09-01-2021 06:00
    Ensure that the "destination client" address object is mapped to the internal IP 10.1.1.20/32, and remove dynamic-application any from the untrust policy or set it to none.
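    A corrected configuration that applies the reply's two points, as an added example and not the config of either poster. The underlying reason is that on SRX the static NAT translation is applied before the policy lookup, so the untrust-to-trust policy has to match the real (post-NAT) address 10.1.1.20, not 192.168.93.10. The use of the global address book, the object name client, and the verification commands are assumptions about the original setup; the lines starting with # are explanatory comments, not part of the configuration.

```junos
# Address object for the internal host. The policy's destination must be the
# post-NAT (real) address, because static NAT runs before the policy lookup.
# Global address book assumed; a zone address book works the same way, but
# the two styles cannot be mixed on one device.
set security address-book global address client 10.1.1.20/32

# Static 1:1 NAT as in the original post: inbound 192.168.93.10 -> 10.1.1.20.
# The reverse mapping also gives 10.1.1.20 -> 192.168.93.10 outbound, which is
# why the poster already sees the outbound source NATed to that address.
set security nat static rule-set StaticNat from zone untrust
set security nat static rule-set StaticNat rule staticNat match destination-address 192.168.93.10/32
set security nat static rule-set StaticNat rule staticNat then static-nat prefix 10.1.1.20/32

# Proxy ARP so the SRX answers ARP for 192.168.93.10 on the untrust interface
# (required whenever the NAT address is not the interface's own IP).
set security nat proxy-arp interface ge-0/0/0.0 address 192.168.93.10/32 to 192.168.93.10/32

# Untrust -> trust policy: destination is the real host, and the policy is a
# traditional one (dynamic-application none) as suggested in the reply.
# dynamic-application is a list, so delete the old value before setting none.
delete security policies from-zone untrust to-zone trust policy staticNAT match dynamic-application
set security policies from-zone untrust to-zone trust policy staticNAT match source-address any
set security policies from-zone untrust to-zone trust policy staticNAT match destination-address client
set security policies from-zone untrust to-zone trust policy staticNAT match application any
set security policies from-zone untrust to-zone trust policy staticNAT match dynamic-application none
set security policies from-zone untrust to-zone trust policy staticNAT then permit
set security policies from-zone untrust to-zone trust policy staticNAT then log session-init
set security policies from-zone untrust to-zone trust policy staticNAT then log session-close
set security policies from-zone untrust to-zone trust policy staticNAT then count
commit check
commit

# Verification from configuration mode, after pinging 192.168.93.10 from the
# untrust host: the static rule should show a translation hit, the session
# should list the untrust source with 10.1.1.20 as destination, and the
# policy's session counters should increase.
run show security nat static rule all
run show security flow session destination-prefix 10.1.1.20
run show security policies policy-name staticNAT detail
```

    If the flow session never appears, the packet is not reaching the SRX as 192.168.93.10 at all, which points at proxy ARP or upstream routing rather than policy; if the session appears with the policy named in the output but the host still does not answer, check the host's own firewall and its default gateway, which must point back through the trust interface.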