Hi there!
I have some trouble understanding how Junos handles source NAT combined with security policies.
I'm a former NetScreen user and therefore not quite familiar with the source NAT on my new SRX.
To get things straight:
On my old SSG520 NetScreen-driven Juniper I had some policies with egress interface NAT.
For instance:
NetScreen:
    set policy id 100 from "trust" to "untrust" "192.168.1.10/32" "1.1.1.1/32" "smtp" nat src permit log        <- NAT
    set policy id 101 from "trust" to "untrust" "192.168.1.0/24" "192.168.2.0/24" "any" permit log             <- no NAT
    set policy id 102 from "trust" to "untrust" "192.168.1.20/32" "8.8.8.8/32" "dns" nat src permit log         <- NAT
    set policy id 103 from "trust" to "untrust" "192.168.1.0/24" "any" "HTTP, HTTPS" nat src permit log         <- NAT
My Junos config:
    root@srx_1# show security nat source rule-set trust_to_untrust
    from zone trust;
    to zone untrust;
    rule trust_nat {
        match {
            source-address 192.168.1.0/24;
            destination-address 0.0.0.0/0;
        }
        then {
            source-nat {
                interface;
            }
        }
    }
Policy:
    policy 100 {
        match {
            source-address 192.168.1.10/32;
            destination-address 1.1.1.1/32;
            application junos-smtp;
        }
        then {
            permit;
            log {
                session-init;
            }
        }
    }
    policy 101 {
        match {
            source-address 192.168.1.0/24;
            destination-address 192.168.2.0/24;
            application any;
        }
        then {
            permit;
            log {
                session-init;
            }
        }
    }
    policy 102 {
        match {
            source-address 192.168.1.20/32;
            destination-address 8.8.8.8/32;
            application junos-dns;
        }
        then {
            permit;
            log {
                session-init;
            }
        }
    }
    policy 103 {
        match {
            source-address 192.168.1.0/24;
            destination-address any;
            application [ junos-http junos-https ];
        }
        then {
            permit;
            log {
                session-init;
            }
        }
    }
So, my question is: How does Junos decide when to use NAT?
Thanks so much in advance! My head hurts already 😉
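The following is an added example, not part of the original post and not the poster's configuration. It shows the one piece the post's rule-set is missing: on an SRX, source NAT is not a property of the security policy as it was on NetScreen. The NAT rule-set that matches the ingress zone and the egress zone (known after the route lookup) is walked top-down and the first matching rule wins, so traffic that must stay untranslated (the 192.168.1.0/24 to 192.168.2.0/24 flow that policy 101 permits) needs an explicit exemption rule placed before the catch-all interface rule. The rule name no_nat_to_branch is an assumption chosen for this example; the addresses and zone names are the ones from the post.

```junos
security {
    nat {
        source {
            rule-set trust_to_untrust {
                from zone trust;
                to zone untrust;
                /* Rules are evaluated in order; first match wins,
                   so the exemption must precede the catch-all rule. */
                rule no_nat_to_branch {
                    match {
                        source-address 192.168.1.0/24;
                        destination-address 192.168.2.0/24;
                    }
                    then {
                        /* Matches, but leaves the source address untouched. */
                        source-nat off;
                    }
                }
                rule trust_nat {
                    match {
                        source-address 192.168.1.0/24;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        /* Everything else from trust to untrust is translated
                           to the egress interface address (hide NAT). */
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
}
```

The security policies from the post stay as they are: policy lookup on the SRX matches on the original (pre-source-NAT) source address, so policies 100 to 103 keep matching the 192.168.1.x addresses whether or not a NAT rule later translates them. To confirm which rule a flow hit, `show security nat source rule all` reports per-rule translation hit counters, and `show security flow session source-prefix 192.168.1.0/24` shows, for each live session, the inbound wing with the original source and the outbound wing with the translated one (or the same address when the off rule matched).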