SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  NAT configuration help on SRX

    Posted 07-12-2009 03:35

    Is there any document available online which I can use for NAT configuration, like source-nat, destination-nat etc., with examples and details?

     

    --ash



  • 2.  RE: NAT configuration help on SRX
    Best Answer

    Posted 07-12-2009 03:37

    http://www.juniper.net/us/en/products-services/security/srx-series/srx5600/

     

    Please check the above link and go under the tab "literature"; it has a PDF available for NAT configuration on SRX and J-series.

    Please let me know if you find difficulty configuring NAT.

     

    thanks

    Raheel Anwar

     



  • 3.  RE: NAT configuration help on SRX

    Posted 10-16-2009 04:06

    hello 

     

    I have a problem with NAT. If I use the conversion tool from ScreenOS to JUNOS, I see that the NAT configuration is applied in the policy set:

     

    policy 38 {
        match {
            source-address delegations
            destination-address untrust
            application HTTP_HTTPS_FTP_GET
        }
        then {
            permit {
                firewall-authentication {
                    pass-through
                }
                source-nat {
                    interface
                }
            }
            count
        }
    }

     

    If I try to put this configuration in the CLI, the source-nat interface is not a possibility. Do I have to configure the NAT rule in the security-->NAT--Source hierarchy and a policy to match the traffic? I don't understand what the correct way to configure a source NAT interface is. Are a policy and a NAT rule-set both necessary? Is it possible to specify a source/destination address and an application to match in the NAT rule-set?

     

    thanks and regards 



  • 4.  RE: NAT configuration help on SRX

    Posted 10-16-2009 04:56

    Hi jmartinez,

     

    The config is indeed wrong. You have to configure both NAT rules and a policy.

    If you are familiar with ScreenOS NAT, you'll like this application note with config examples:

    http://www.juniper.net/us/en/local/pdf/app-notes/3500152-en.pdf

     

    best regards

    Thorsten

    If this worked for you please flag my post as an "Accepted Solution" so others can benefit.
    A kudo would be cool if you think I earned it.

     


    #NAT
    #SRX


  • 5.  RE: NAT configuration help on SRX

    Posted 10-19-2009 00:50

    Thanks for the reply optimist, I'll check this PDF.

     

    regards. 



  • 6.  RE: NAT configuration help on SRX

    Posted 05-11-2010 20:34

    I'm a bit confused as to why this statement is needed (from http://www.juniper.net/us/en/local/pdf/app-notes/3500152-en.pdf and all the other app notes I've read about static NAT):

     

    set security nat proxy-arp interface ge-0/0/0 address 1.1.1.100/32

     

    After talking to some colleagues who work with Cisco and Linux-based routers, it seems like the default behavior is for the ARP tables to be built automatically based on the NAT rules on those routers. Is that not the case in Junos, or is there something specific to static NAT going on? I noticed that the proxy-arp statement is necessary for source NAT as well.


    #static
    #proxy.arp
    #proxy-arp
    #NAT
    #SRX


  • 7.  RE: NAT configuration help on SRX

    Posted 05-12-2010 00:11

    Hi,

     

    You are right. JUNOS does, by default, only respond to ARP queries for IP addresses that are directly configured on the interfaces. If you use NAT with different IPs, you have to manually enable ARP responses by issuing the proxy-arp command you mentioned.

     

    It was also the ScreenOS behavior to do this automatically, at least for MIP, VIP and DIP objects. Not in case you were using destination NAT.

     

    I don't know the reasons why you have to do this manually. A possible explanation would be that in case you define your NAT rules based on zones and you have more than one interface in that zone, JUNOS would not know on what interface you would like to respond to ARP queries. There might be other reasons too.

     

    In fact it is one of these things you don't care about once you know it. I agree that this is a little bit unfamiliar for many who come from different firewall systems.

     

    Regards,

    Dominik
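
The two points made in this thread (NAT rules and security policy are configured separately, and proxy-arp must be enabled for a NAT address that is not configured on the interface) are shown together in the following added example, which is not taken from any post or from the Juniper application note. The zone names, rule-set and rule names, the prefix 10.1.0.0/16, the internal host 192.168.1.100 and the address-book entry server-1-real are assumptions; the policy objects (delegations, untrust, HTTP_HTTPS_FTP_GET) and the proxy-arp statement come from the posts above and are assumed to be defined and reachable on ge-0/0/0.

```junos
# Constructed example in "set" format, entered in configuration mode.

# 1) Source NAT to the egress interface address.
#    The translation lives under "security nat source", not in the policy.
#    10.1.0.0/16 is an assumed prefix standing in for the "delegations" hosts.
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule delegations-out match source-address 10.1.0.0/16
set security nat source rule-set trust-to-untrust rule delegations-out match destination-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule delegations-out then source-nat interface

#    The policy only decides whether the flow is permitted. It matches the
#    original (pre-NAT) source address; application matching stays here.
#    The firewall-authentication block from the converted policy is left out.
set security policies from-zone trust to-zone untrust policy 38 match source-address delegations
set security policies from-zone trust to-zone untrust policy 38 match destination-address untrust
set security policies from-zone trust to-zone untrust policy 38 match application HTTP_HTTPS_FTP_GET
set security policies from-zone trust to-zone untrust policy 38 then permit
set security policies from-zone trust to-zone untrust policy 38 then count

#    No proxy-arp is needed for this case: the translated address is the
#    interface's own address, which Junos already answers ARP for.

# 2) Static NAT for 1.1.1.100, an address that is NOT configured on ge-0/0/0.
set security nat static rule-set untrust-in from zone untrust
set security nat static rule-set untrust-in rule server-1 match destination-address 1.1.1.100/32
set security nat static rule-set untrust-in rule server-1 then static-nat prefix 192.168.1.100/32

#    Without this statement the SRX does not answer ARP requests for
#    1.1.1.100 and the upstream router cannot deliver traffic to it.
set security nat proxy-arp interface ge-0/0/0 address 1.1.1.100/32

#    For static and destination NAT the policy lookup happens after
#    translation, so the policy matches the real (translated) address.
set security zones security-zone trust address-book address server-1-real 192.168.1.100/32
set security policies from-zone untrust to-zone trust policy to-server-1 match source-address any
set security policies from-zone untrust to-zone trust policy to-server-1 match destination-address server-1-real
set security policies from-zone untrust to-zone trust policy to-server-1 match application junos-http
set security policies from-zone untrust to-zone trust policy to-server-1 then permit
```

After commit, `show security nat source rule all` and `show security nat static rule all` list the rules with their hit counters, which confirms that traffic is matching the NAT rule and not only the policy.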