  static nat in both directions?

    Configuring SRX240H w/ 9.6R1.13


    If I have a static nat entry configured from zone internet to zone private that translates destination to private zone, will that automatically also set the source IP of traffic from to when passing in the opposite direction?  I don't mean the return traffic on established inbound flows/sessions, I mean new outbound sessions/flows destined to anything in the internet zone.


    If not, is there an easy way to make that happen, instead of configuring duplicate reverse-direction static nat entries?






  RE: static nat in both directions?
    Best Answer

    Static NAT is bi-directional. That means that it will source-nat for to as well regardless of which direction initiates the session.



  RE: static nat in both directions?

    Thanks Richard.


    Do you happen to know if the DNS ALG will also translate DNS replies against static nat entries as well?


    ex: does a query against an internet dns server, and the reply is, will the ALG automatically change that to when it forwards the reply on to


    IOS static nat does this...

  RE: static nat in both directions?

    No, there is no nat translation for DNS payload. So if the response says, this is what the client will receive.



  RE: static nat in both directions?

    What about using Destination nat.... is there a way to do reverse NAT with destination NAT ??




    I have 2  ISP and i configure destination NAT like this:

  port 80  to port 80 port  80 to port 80


    I want that the traffic incoming from the port 80 goes out to this IP interface, the same for the traffic incoming from port 80

  RE: static nat in both directions?

    Reply for traffic coming in from one ISP should match existing session and not need to perform another route lookup. So this should work. If this is not working as expected, then I would suggest enabling flow traceoptions to see how the SRX is handling the traffic.



  RE: static nat in both directions?

    Even if i configured Destination NAT ?? it isn't working this way in my case.


  RE: static nat in both directions?

    I solve my problem already... , the problem was that the interfases were configured in different zones and when it  was trying to return the package back i received a "zone missmatch error(i saw it in the a flowtrace file". This is something that doesn't happen on the SSG (almost sure).


    my flowtrace file:


    Dec 15 18:46:13 18:46:12.987602:CID-1:RT:  route lookup: dest-ip orig ifp reth2.0 output_ifp reth1.0 orig-zone 10 out-zone 9 vsd 2
    Dec 15 18:46:13 18:46:12.987602:CID-1:RT:

    Reject route in make_nsp_ready_no_resolve. zone mismatch

    The traffic was not returning through the incoming interface.