SRX

 View Only
last person joined: 20 hours ago 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Source NAT ICMP application in SRX240

    Posted 05-12-2014 00:20

    Hi,

     

    i would like to know the effect of the below commands. My aim is to get icmp packets nated in SRX240 form Private IP ot a Public IP. was this commands gives me the result ?

     

    set security nat source rule-set xxx rule xxx match source-address x.x.x.x/x
    set security nat source rule-set xxx rule xxx match destination-address 0.0.0.0/0
    set security nat source rule-set xxx rule xxx match protocol icmp
    set security nat source rule-set xxx rule xxx then source-nat interface

     

    Policy required for this is already defined.

     

    can any one help in this ?

     

    Thanks,

    Mahesh.


    #icmp
    #SRX240NAT
    #NAT


  • 2.  RE: Source NAT ICMP application in SRX240
    Best Answer

    Posted 05-12-2014 00:38

    Hi Mahesh,

     

                      The NAT policy seems to be fine. Let me give you more inside to it

     

    Ex:

    Client_ 192.168.1.2/24  --------- [ 192.168.1.1/24; Zone: Turst ---SRX-----Zone: Untrust; 200.200.200.2]---------Internet

     

    To get client ip subnet natted below configuration should do

    set security nat source rule-set xxx from zone trust

    set security nat source rule-set xxx to zone untrust

    set security nat source rule-set xxx rule xxx match source-address 192.168.1.1/24

    set security nat source rule-set xxx rule xxx match destination-address 0.0.0.0/0

    set security nat source rule-set xxx rule xxx match protocol icmp

    set security nat source rule-set xxx rule xxx then source-nat interface

     

    To allow ICMP flow following policy needed

    set security zones security-zone trust address-book address client_192.168.1.1 192.168.1.1/24

    set security policies from-zone trust to-zone untrust policy icmp_allow match source-address client_192.168.1.1

    set security policies from-zone trust to-zone untrust policy icmp_allow match destination-address any

    set security policies from-zone trust to-zone untrust policy icmp_allow match application junos-icmp-all

    set security policies from-zone trust to-zone untrust policy icmp_allow then permit

     

    I hope this helps you.

     

    Thanks

    SHKM



  • 3.  RE: Source NAT ICMP application in SRX240

    Posted 05-12-2014 01:01

    Thank You SHKM. 

     

    i will let you know once i impliment this statements.

     

    Thanks,

    Mahesh.



  • 4.  RE: Source NAT ICMP application in SRX240

    Posted 05-12-2014 01:28

    Sure, and you're welcome Mahesh!



  • 5.  RE: Source NAT ICMP application in SRX240

    Posted 05-12-2014 03:49

    The above config part has been implimented and it got resolved.

     

    Thanks,

    Mahesh.



  • 6.  RE: Source NAT ICMP application in SRX240

    Posted 05-12-2014 03:52

    Ok good to hear! thanks for posting the result!