SRX


Lan1 to Lan2 Nat config

  • 1.  Lan1 to Lan2 Nat config

    Posted 10-25-2017 07:18

    Hi

    I have 2 interfaces set up. ge-0/0/1 is where most of my network servers are. I need that when some devices go from ge-0/0/1 to ge-0/0/2, they appear to be coming from a 10.1.1.0 address. I also need that when devices on ge-0/0/2 communicate with specific 10.1.1.x addresses, it's sent to ge-0/0/1 and to a 192.168.1.x device.


    Interface ge-0/0/1 = 192.168.1.0/24 inside_lan

    Server A = 192.168.1.100    alias to be set on srx = 10.1.1.220

    Server B = 192.168.1.101    alias to be set on srx = 10.1.1.221


    Interface ge-0/0/2 = 10.1.1.0/24 inside_lan2

    Server C = 10.1.1.200

    Server D = 10.1.1.201


    So if Server A sent traffic to Server C, I would want a flow like:

    192.168.1.100 on ge-0/0/1 > Translate 192.168.1.100 to 10.1.1.220> ge-0/0/2 > 10.1.1.200


    Server C would believe that it was receiving traffic from 10.1.1.220. So the reverse would also need to be in place for when Server C tries to contact Server A.

    10.1.1.200 ge-0/0/2 > Translate 10.1.1.220 to 192.168.1.100 > ge-0/0/1 > 192.168.1.100


    I think this can be done all in NAT rules something like the below?

    nat {
        static {
            rule-set inside_lan2 {
                from zone inside_lan2;
                rule 1 {
                    description SIP1;
                    match {
                        destination-address 10.1.1.220/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                192.168.1.100/32;
                            }
                        }
                    }
                }
            }
        }
    }


    As for the policy, I currently have the below policy, but I think I need to put zone inside_lan2 in here as well?

    policy inside-zone-outbound {
        match {
            source-address any;
            destination-address any;
            application any;
            from-zone inside_lan;
        }
        then {
            permit;
        }
    }


    Please be gentle I'm a newbie!


    #JUNOS
    #SRX
    #NAT


  • 2.  RE: Lan1 to Lan2 Nat config

    Posted 10-25-2017 22:17

    Hi,

    You have to configure proxy-arp for the IP 10.1.1.220/32. Regarding the policy, if you need bi-directional traffic flow, you have to create two policies: one from Inside_Lan to Inside_Lan2 and a second one from Inside_Lan2 to Inside_Lan.



  • 3.  RE: Lan1 to Lan2 Nat config

    Posted 10-26-2017 01:17

    So this and...

    [edit security nat proxy-arp]
    interface reth3.0 {
        address {
            10.1.1.0/24;
        }
    }

    and this?

    policy inside2-zone-outbound {
        match {
            source-address any;
            destination-address any;
            application any;
            from-zone inside_lan2;
        }
        then {
            permit;
        }
    }




  • 4.  RE: Lan1 to Lan2 Nat config

    Posted 10-26-2017 01:45

    Hi,

    There is no need to configure proxy-arp for the entire /24 network. Enable it only for the NATted IP 10.1.1.220/32.

    I hope you are using a global policy. If yes, one policy is enough, and in that policy you can match both zones (Inside_Lan and Inside_Lan2).



  • 5.  RE: Lan1 to Lan2 Nat config

    Posted 10-26-2017 02:22

    Ok,

    So this would be OK policy-wise?

    policy inside2-zone-outbound {
        match {
            source-address any;
            destination-address any;
            application any;
            from-zone [ inside_lan inside_lan2 ];
        }
        then {
            permit;
        }
    }



  • 6.  RE: Lan1 to Lan2 Nat config

    Posted 10-26-2017 02:29

    yes!



  • 7.  RE: Lan1 to Lan2 Nat config

    Posted 10-26-2017 06:15

    Excellent, it works! In regards to the proxy-arp, if I want more servers in there, do I need to add them individually like below?

    interface reth3.0 {
        address {
            10.1.1.220/32;
            10.1.1.221/32;
        }
    }



  • 8.  RE: Lan1 to Lan2 Nat config
    Best Answer

    Posted 10-26-2017 06:30

    Hi,

    There are two methods to configure proxy-arp:

    The first method is just as you mentioned: configure proxy-arp for each address.

    The second method, if the addresses are contiguous, is to use an address range:

    set security nat proxy-arp interface reth3.0 address 10.1.1.220/32 to 10.1.1.225/32
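Pulling the thread together, here is the complete set-command form of what the posts arrive at (static NAT, proxy-arp on the alias addresses only, and a policy per direction), as an added example that is not from any of the posters or from Juniper. It assumes ge-0/0/1.0 carries 192.168.1.0/24 in zone inside_lan and reth3.0 carries 10.1.1.0/24 in zone inside_lan2 (the later posts use reth3.0 for that side); the address-book names, the rule names srvA/srvB and the policy names lan1-to-lan2/lan2-to-lan1 are invented. It goes one step beyond the thread's any/any policies by matching on the real server addresses, which needs the SRX ordering caveat noted in the comments.

```junos
## Added example, not from the thread. Interface-to-zone binding is assumed;
## adapt ge-0/0/1.0 and reth3.0 to the real interfaces.
set security zones security-zone inside_lan interfaces ge-0/0/1.0
set security zones security-zone inside_lan2 interfaces reth3.0

## Address-book entries (global book so both zone pairs can use them; names invented)
set security address-book global address srvA-real 192.168.1.100/32
set security address-book global address srvB-real 192.168.1.101/32
set security address-book global address lan2-net 10.1.1.0/24

## Static NAT is bidirectional: one rule per server covers both
##   inside_lan2 host -> 10.1.1.220   : destination rewritten to 192.168.1.100
##   192.168.1.100 -> inside_lan2 host : source rewritten to 10.1.1.220
## Hosts on 192.168.1.0/24 with no static rule are NOT translated by this.
set security nat static rule-set inside_lan2 from zone inside_lan2
set security nat static rule-set inside_lan2 rule srvA match destination-address 10.1.1.220/32
set security nat static rule-set inside_lan2 rule srvA then static-nat prefix 192.168.1.100/32
set security nat static rule-set inside_lan2 rule srvB match destination-address 10.1.1.221/32
set security nat static rule-set inside_lan2 rule srvB then static-nat prefix 192.168.1.101/32

## Proxy ARP only for the alias addresses (post 4: not the whole /24). Hosts on
## 10.1.1.0/24 ARP for .220/.221 and the SRX must answer on that segment.
set security nat proxy-arp interface reth3.0 address 10.1.1.220/32 to 10.1.1.221/32

## Policies, one per direction (post 2). The thread's single global policy with
## from-zone [ inside_lan inside_lan2 ] is the "security policies global" equivalent.
## Ordering caveat: static/destination NAT runs before policy lookup, source NAT after,
## so a policy sees the REAL (post-NAT) destination and the REAL (pre-NAT) source.
## That is why both directions below match on 192.168.1.x, never on 10.1.1.220/.221.
set security policies from-zone inside_lan2 to-zone inside_lan policy lan2-to-lan1 match source-address lan2-net
set security policies from-zone inside_lan2 to-zone inside_lan policy lan2-to-lan1 match destination-address srvA-real
set security policies from-zone inside_lan2 to-zone inside_lan policy lan2-to-lan1 match destination-address srvB-real
set security policies from-zone inside_lan2 to-zone inside_lan policy lan2-to-lan1 match application any
set security policies from-zone inside_lan2 to-zone inside_lan policy lan2-to-lan1 then permit
set security policies from-zone inside_lan2 to-zone inside_lan policy lan2-to-lan1 then log session-close

set security policies from-zone inside_lan to-zone inside_lan2 policy lan1-to-lan2 match source-address srvA-real
set security policies from-zone inside_lan to-zone inside_lan2 policy lan1-to-lan2 match source-address srvB-real
set security policies from-zone inside_lan to-zone inside_lan2 policy lan1-to-lan2 match destination-address lan2-net
set security policies from-zone inside_lan to-zone inside_lan2 policy lan1-to-lan2 match application any
set security policies from-zone inside_lan to-zone inside_lan2 policy lan1-to-lan2 then permit
set security policies from-zone inside_lan to-zone inside_lan2 policy lan1-to-lan2 then log session-close

## Verification after commit (operational mode):
##   show security nat static rule all      - rule hit counters
##   show security flow session             - In/Out tuples show the translated pair
```

Using any/any as the thread does also works, but it lets every 192.168.1.x host reach 10.1.1.0/24 untranslated and every 10.1.1.x host reach all of 192.168.1.0/24; matching on the real server addresses as above keeps the opening to the two published servers. If the policy tightening does not take effect, the usual cause is matching the alias 10.1.1.220 instead of the real 192.168.1.100 in the inside_lan2-to-inside_lan policy.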



  • 9.  RE: Lan1 to Lan2 Nat config

    Posted 10-26-2017 06:33

    Thanks!