I'm looking for a bit of help with a source NAT setup for an SRX210HE. The SRX is running Junos 11.4R2.14 with a single ISP connected to ge-0/0/0.0 (static IP). There are three zones set up: untrust, trust, and external. Untrust has the ge-0/0/0.0 interface only. The trust zone has vlan.100, interfaces fe-0/0/2.0 and fe-0/0/3.0 only, for network 10.1.1.0/24. The external zone has vlan.200, interfaces fe-0/0/6.0 and fe-0/0/7.0 only, for network 192.168.0.0/24. I'm doing a source NAT from trust and external to untrust (see attached txt doc).
What I thought was working well seems not to be working properly. The traffic for trust zone computers seems to function fine (or no complaints yet). External zone computers are having connectivity issues when browsing to Internet services (mainly http/https). From watching the flows it looks like the return traffic is not going back to the IP that made the request. So, the end users connected to external are seeing intermittent issues with pages not loading properly or not at all. A copy of one of the flows is attached for review.
After reviewing the NAT examples I've found from Juniper it seems that I may need to better define the traffic for each zone.
- Do I need to specify the network of each zone in the source-address?
- Since this is a NAT to a single IP on ge-0/0/0.0 would it be best to create a pool for each internal network in each zone?
All help is greatly appreciated. I hope a fix is possible.
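For readers following this thread, here is how per-zone source NAT rule-sets for the topology described above are expressed in Junos; this is an added illustration, not the poster's attached configuration, and the rule-set, rule and policy names are assumed.

```junos
security {
    nat {
        source {
            # One rule-set per source zone, each matching only that zone's
            # subnet, so a session is only ever translated by the rule-set
            # for the zone it actually entered from.
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule trust-nat {
                    match {
                        source-address 10.1.1.0/24;
                    }
                    then {
                        source-nat {
                            interface;   # translate to ge-0/0/0.0's address
                        }
                    }
                }
            }
            rule-set external-to-untrust {
                from zone external;
                to zone untrust;
                rule external-nat {
                    match {
                        source-address 192.168.0.0/24;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        # Policies are still required; NAT alone does not permit traffic.
        from-zone trust to-zone untrust {
            policy trust-out {
                match { source-address any; destination-address any; application any; }
                then { permit; }
            }
        }
        from-zone external to-zone untrust {
            policy external-out {
                match { source-address any; destination-address any; application any; }
                then { permit; }
            }
        }
    }
}
```

After committing, `show security nat source rule all` shows hit counts per rule and `show security flow session` shows the translated source for each live session, which lets you confirm that a 192.168.0.0/24 host's session was matched by the external rule-set and not by a broader one.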