security zones security-zone trust host-inbound-traffic system-services

So you could just add ssh here in the untrust zone to permit that process instead of moving the interface from one zone to another.

Naturally, being a security person, one would never turn on ssh access to a device open to all on the public internet, only in our labs.

Self Traffic concept

Traffic that either terminates to the SRX or originates from the SRX is assigned to the junos-host zone. So any policy that would be created (security or nat) would be to this zone. Typically security just uses the host-inbound-traffic in general to permit what is needed, but a security policy would be created to narrow that using junos-host.

Typically nat is not needed. When requesting outbound connections on the SRX you simply make the ping/trace/ssh request and the SRX will automatically select the interface on the SRX facing that traffic as the source address, and no nat is needed.

https://www.juniper.net/documentation/us/en/software/junos/security-policies/topics/topic-map/security-zone-configuration.html
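As an added example (not from the original post or from Juniper), the narrowing the post describes: ssh is opened under host-inbound-traffic for the untrust zone, and a security policy into the junos-host zone then permits ssh only from a management prefix and denies and logs everything else. The 203.0.113.0/24 prefix and the address and policy names are constructed placeholders.

```junos
# Step 1 (lab-style, broad): let the ssh service accept connections arriving on untrust interfaces
set security zones security-zone untrust host-inbound-traffic system-services ssh

# Step 2 (narrow it): self traffic terminating on the SRX lands in the junos-host zone,
# so a from-zone untrust to-zone junos-host policy decides what actually reaches the ssh daemon.
# Constructed management prefix; replace with the real one.
set security address-book global address mgmt-hosts 203.0.113.0/24

# Policies are evaluated in order, so the permit comes first and is limited to mgmt-hosts.
set security policies from-zone untrust to-zone junos-host policy permit-mgmt-ssh match source-address mgmt-hosts
set security policies from-zone untrust to-zone junos-host policy permit-mgmt-ssh match destination-address any
set security policies from-zone untrust to-zone junos-host policy permit-mgmt-ssh match application junos-ssh
set security policies from-zone untrust to-zone junos-host policy permit-mgmt-ssh then permit

# Everything else from untrust toward the SRX itself is dropped and logged, so
# attempts from outside the management prefix show up in the syslog/session logs.
set security policies from-zone untrust to-zone junos-host policy deny-rest-to-host match source-address any
set security policies from-zone untrust to-zone junos-host policy deny-rest-to-host match destination-address any
set security policies from-zone untrust to-zone junos-host policy deny-rest-to-host match application any
set security policies from-zone untrust to-zone junos-host policy deny-rest-to-host then deny
set security policies from-zone untrust to-zone junos-host policy deny-rest-to-host then log session-init
```

The `#` lines are explanatory only; paste the `set` lines into configuration mode and commit.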