SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Problem with source nat - srx240

    Posted 11-25-2014 06:35

    Hi there!

     

    I have some trouble understanding how Junos handles source NAT combined with security policies.

    I'm a former NetScreen user and therefore not quite familiar with the source NAT on my new SRX.

    To get things straight:

    On my old SSG520 (NetScreen-driven Juniper) I had some policies with egress interface NAT.

    For instance:

     

    netscreen:

    set policy id 100 from "trust" to "untrust"  "192.168.1.10/32" "1.1.1.1/32" "smtp" nat src permit log <- NAT
    set policy id 101 from "trust" to "untrust"  "192.168.1.0/24" "192.168.2.0/24" "any" permit log <- no NAT
    set policy id 102 from "trust" to "untrust"  "192.168.1.20/32" "8.8.8.8/32" "dns" nat src permit log <- NAT
    set policy id 103 from "trust" to "untrust"  "192.168.1.0/24" "any" "HTTP, HTTPS" nat src permit log <- NAT

    My Junos config:

    root@srx_1# show security nat source rule-set trust_to_untrust
    from zone trust;
    to zone untrust;
    rule trust_nat {
        match {
            source-address 192.168.1.0/24;
            destination-address 0.0.0.0/0;
        }
        then {
            source-nat {
                interface;
            }
        }
    }

     

    Policy:

    policy 100 {
        match {
            source-address 192.168.1.10/32;
            destination-address 1.1.1.1/32;
            application junos-smtp;
        }
        then {
            permit;
            log {
                session-init;
            }
        }
    }

    policy 101 {
        match {
            source-address 192.168.1.0/24;
            destination-address 192.168.2.0/24;
            application any;
        }
        then {
            permit;
            log {
                session-init;
            }
        }
    }

    policy 102 {
        match {
            source-address 192.168.1.20/32;
            destination-address 8.8.8.8/32;
            application junos-dns;
        }
        then {
            permit;
            log {
                session-init;
            }
        }
    }

    policy 103 {
        match {
            source-address 192.168.1.0/24;
            destination-address any;
            application [ junos-http junos-https ];
        }
        then {
            permit;
            log {
                session-init;
            }
        }
    }

     

     

    So, my question is: how does Junos decide when to use NAT?

    Thanks so much in advance! My head hurts already 😉

     



  • 2.  RE: Problem with source nat - srx240
    Best Answer

    Posted 11-25-2014 10:44

    Hi MetzingerAn,

     

     

    On SRX, the flow architecture decides when NAT is applied to the traffic.

    For source NAT, it is applied after the security policy lookup, but destination NAT and static NAT happen before the policy lookup.

    The KB below explains the flow in detail:

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB16110

     

     

    Regards

     

    rparthi

     

     

     

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too

     

     

     

     



  • 3.  RE: Problem with source nat - srx240

    Posted 11-26-2014 01:41

    Hi rparthi!

     

    I think I go with the NAT-OFF option for the networks/hosts without NAT.

    Thanks for your reply!

     

    Cheers

     

    Andy
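
Following on from the flow order described in reply 2 (source NAT is chosen after the policy lookup, by the source NAT rule-set, not by the policy) and the NAT-OFF approach Andy mentions in reply 3, here is an added example, not from the thread, of how the rule-set in the original post could be extended so that traffic to 192.168.2.0/24 bypasses source NAT while everything else still uses interface NAT. The rule name no_nat_to_branch is an assumption; the zones, addresses and rule-set name are taken from the post. Source NAT rules within a rule-set are evaluated in order and the first match wins, so the exemption must sit above the 0.0.0.0/0 catch-all, which is what the insert command does.

```junos
/* Added example, not the poster's config. Rule name no_nat_to_branch is assumed. */

/* 1. Exemption rule: trust -> 192.168.2.0/24 keeps its original source address */
set security nat source rule-set trust_to_untrust rule no_nat_to_branch match source-address 192.168.1.0/24
set security nat source rule-set trust_to_untrust rule no_nat_to_branch match destination-address 192.168.2.0/24
set security nat source rule-set trust_to_untrust rule no_nat_to_branch then source-nat off

/* 2. Order matters: move the exemption above the existing catch-all interface-NAT rule */
insert security nat source rule-set trust_to_untrust rule no_nat_to_branch before rule trust_nat

/* 3. Check the resulting order before committing; the off rule must be listed first */
show security nat source rule-set trust_to_untrust

commit

/* 4. Operational verification: per-rule hit counters and the actual sessions.
   A session to 192.168.2.x should show its original source, a session to
   anything else should show the egress interface address as the translated source. */
run show security nat source rule all
run show security flow session destination-prefix 192.168.2.0/24
```

Two caveats worth keeping in mind when applying this: sessions that were already established keep the NAT decision made when they were created, so a long-lived flow to 192.168.2.0/24 will still appear translated until it times out or is cleared, and the security policies 100 to 103 from the post need no change at all, because on SRX the permit/deny decision and the source-NAT decision are made in separate steps.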