SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  How to access internal resources using the external static NAT address

    Posted 07-12-2015 23:45

    Hi!

    First: Yes I read the KB about accessing internal resources using the external static NAT address (This one). But this doesn't work for me...

    Here's what my config looks like:

    show security nat source
    pool exch_tf {
            address {
                192.168.8.13/32;
            }
    }
    
    rule-set exch_tf_internal {
            from zone transfair;
            to zone transfair;
            rule internal_nat {
                match {
                    source-address 192.168.8.39/32;
                    destination-address 192.168.8.13/32;
                }
                then {
                    source-nat {
                        pool {
                            exch_tf;
                        }
                    }
                }
            }
        }
    
    
    static {
        rule-set static_nat {
            from zone untrust;
            rule exch_tf {
                match {
                    destination-address 86.103.130.70/32;
                    destination-port 443;
                }
                then {
                    static-nat {
                        prefix {
                            192.168.8.13/32;
                            mapped-port 443;
                        }
                    }
                }
            }
        }
    }
    
    
    proxy-arp {
        interface reth0.1 {
            address {
                86.103.130.69/32;
                86.103.130.70/32;
                86.103.130.71/32;
                86.103.130.72/32;
                86.103.130.73/32;
                86.103.130.74/32;
                86.103.130.75/32;
            }
        }
    }
    
    
    From zone: transfair, To zone: transfair
      Policy: intra_zone, State: enabled, Index: 126, Scope Policy: 0, Sequence number: 1
        Source addresses: any
        Destination addresses: any
        Applications: any
        Action: permit

    No translation hits so far...

    source NAT rule: internal_nat         Rule-set: exch_tf_internal 
      Rule-Id                    : 26  
      Rule position              : 31
      From zone                  : transfair
      To zone                    : transfair
      Match
        Source addresses         : 192.168.8.39    - 192.168.8.39
        Destination addresses    : 192.168.8.13    - 192.168.8.13
        Destination port         : 0               - 0
      Action                        : exch_tf 
        Persistent NAT type         : N/A              
        Persistent NAT mapping type : address-port-mapping 
        Inactivity timeout          : 0
        Max session number          : 0 
      Translation hits           : 0

    What's missing?

    Regards

    Andy



  • 2.  RE: How to access internal resources using the external static NAT address

    Posted 07-12-2015 23:50

    Your destination address 192.168.8.13/32 matches the source NAT pool exch_tf, which means that when the packet goes out of the SRX, both source and destination will be the same address, which is incorrect.

    Please use the IP address of the interface that connects to the server/destination in the source NAT pool, or use interface NAT.



  • 3.  RE: How to access internal resources using the external static NAT address

    Posted 07-13-2015 01:35

    Hi Suraj.

    Thank you for your quick reply!

    Of course you are right! I changed the IP to the interface IP (192.168.8.110/32) - but still no translation hits when I try to access the website behind 86.103.130.70 from 192.168.8.39.

    Something else I can try?

    Regards

    Andy



  • 4.  RE: How to access internal resources using the external static NAT address
    Best Answer

    Posted 07-13-2015 01:46

    Hi Andy,

    Please add below config.

    set security nat static rule-set static_nat from zone transfair

    commit

    As per your current config, the destination/static NAT will not be working for traffic from the transfair zone. It will be active for traffic from outside only.

    Since the static NAT rule is not hit, the SRX will not change the destination, and in turn the source NAT rule will not be hit.
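
The evaluation order behind this answer, as an added example in Python that is not from the thread or from Juniper: static NAT is consulted first (only for the zones listed under its from statement), the route lookup then decides the to-zone, and only after that is the source NAT rule checked against the already-translated destination. The routing table and the client packet are constructed; the addresses and rule names are the ones from the config above, and the pool address is the interface IP 192.168.8.110 from the third post.

```python
from ipaddress import ip_address, ip_network

# Constructed routing table: which zone each destination is reached through.
ROUTES = {"192.168.8.0/24": "transfair", "0.0.0.0/0": "untrust"}

def egress_zone(dst):
    """Longest-prefix match on the constructed routing table."""
    best = max((n for n in ROUTES if ip_address(dst) in ip_network(n)),
               key=lambda n: ip_network(n).prefixlen)
    return ROUTES[best]

def static_nat(pkt, from_zones):
    """Static NAT rule-set static_nat: 86.103.130.70:443 -> 192.168.8.13:443.
    It is consulted only if the packet's ingress zone is in the rule-set's
    'from' list; this is the list the accepted answer adds 'transfair' to."""
    if (pkt["from_zone"] in from_zones and pkt["dst"] == "86.103.130.70"
            and pkt["dport"] == 443):
        return {**pkt, "dst": "192.168.8.13"}
    return pkt

def source_nat(pkt, to_zone, pool_addr):
    """Source NAT rule internal_nat (transfair -> transfair). It matches the
    post-static-NAT destination, so it can only hit if static NAT hit first."""
    if (pkt["from_zone"] == "transfair" and to_zone == "transfair"
            and pkt["src"] == "192.168.8.39" and pkt["dst"] == "192.168.8.13"):
        return {**pkt, "src": pool_addr}
    return pkt

def process(pkt, static_from_zones, pool_addr="192.168.8.110"):
    """Apply the translations in SRX flow order: static NAT, route lookup
    (egress zone), then source NAT. Returns which rules hit and the result."""
    after_static = static_nat(pkt, static_from_zones)
    to_zone = egress_zone(after_static["dst"])
    after_source = source_nat(after_static, to_zone, pool_addr)
    return {"static_hit": after_static["dst"] != pkt["dst"],
            "source_hit": after_source["src"] != pkt["src"],
            "src": after_source["src"], "dst": after_source["dst"],
            "to_zone": to_zone}

# Constructed packet: the internal client opening the public HTTPS address.
CLIENT = {"from_zone": "transfair", "src": "192.168.8.39",
          "dst": "86.103.130.70", "dport": 443}

if __name__ == "__main__":
    print("from zone untrust only:", process(CLIENT, {"untrust"}))
    print("untrust + transfair:   ", process(CLIENT, {"untrust", "transfair"}))
```

With only untrust in the from list the packet is routed out to untrust untranslated and both hit counters stay at 0, which is exactly what the "Translation hits: 0" output above shows; with transfair added, both rules hit and the session is hairpinned back into the transfair zone.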



  • 5.  RE: How to access internal resources using the external static NAT address

    Posted 07-13-2015 01:51

    Hi Suraj!

    You're a genius! That's it, it works.

    Thank you so much for your help!

    Cheers

    Andy