Ingenious Champions

  • 1.  SSG

    Posted 10-01-2017 23:40

    hello Champs,

    It will be highly appreciated if any ingenious person could help me convert this SSG configuration into SRX:

    set policy id 182 from "Untrust" to "DMZ" "Any" "MIP(107.9.182.64)" "HTTPS" permit log count
    set policy id 182
    set dst-address "MIP(107.9.182.76)"
    exit

    set policy id 366 from "Untrust" to "DMZ" "Wifi-Public" "MIP(107.9.182.75)" "HTTPS" permit log
    set policy id 366 disable
    set policy id 366
    set dst-address "MIP(107.9.182.76)"
    set service "PING"
    exit

    Thanks



  • 2.  Re: SSG

    Posted 10-09-2017 12:00

    The equivalent of a ScreenOS Mapped IP (MIP) in JUNOS is called 'Static NAT'. Unlike ScreenOS, JUNOS on SRX separates NAT rules from security policies. You'll first need to define the static NAT rules and then reference the static NAT address-book entry in your security policy. Something like this -- 

    set security nat static rule-set rs1 from zone untrust
    set security nat static rule-set rs1 rule r1 match destination-address 203.0.113.200/32
    set security nat static rule-set rs1 rule r1 then static-nat prefix 192.168.1.200/32
    set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.200/32
    set security address-book global address server-1 192.168.1.200/32

    Static NAT is by default a 1:1 mapping. If you need to use a single external IP mapped that NATs to different internal IPs, you'll want to review this -- 

    https://www.juniper.net/documentation/en_US/junos/topics/example/example-static-nat-port-mapping-configuring.html

    Here's the comprehensive guide to NAT on SRX --

    https://www.juniper.net/documentation/en_US/junos/information-products/pathway-pages/security/security-nat.pdf
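A fuller worked translation of the asker's policy 182 (and the disabled policy 366) into SRX set commands, added here as an example; it is not part of either post and not Juniper's own text. It follows the static-NAT-plus-address-book pattern from the reply above. The zone names untrust and dmz, the interface ge-0/0/0.0, the rule-set and policy names, the internal host addresses 10.0.0.64, 10.0.0.75 and 10.0.0.76, and the wifi-public source object are all assumptions: the real MIP-to-host mappings and the Wifi-Public address object are defined in parts of the SSG configuration that are not shown in the thread. The detail that most often bites in this conversion is that the SRX applies static NAT before the security-policy lookup, so the policy has to match the translated (internal) destination address; a policy written against the public MIP address would never match inbound traffic.

```junos
# Static NAT: one rule per ScreenOS MIP. Internal hosts are placeholders;
# take the real ones from the SSG 'set interface ... mip' lines (not in the thread).
set security nat static rule-set untrust-to-dmz from zone untrust
set security nat static rule-set untrust-to-dmz rule mip-64 match destination-address 107.9.182.64/32
set security nat static rule-set untrust-to-dmz rule mip-64 then static-nat prefix 10.0.0.64/32
set security nat static rule-set untrust-to-dmz rule mip-75 match destination-address 107.9.182.75/32
set security nat static rule-set untrust-to-dmz rule mip-75 then static-nat prefix 10.0.0.75/32
set security nat static rule-set untrust-to-dmz rule mip-76 match destination-address 107.9.182.76/32
set security nat static rule-set untrust-to-dmz rule mip-76 then static-nat prefix 10.0.0.76/32

# Proxy ARP so the SRX answers for MIP addresses that are not the interface's own IP.
# Interface name is assumed; use the untrust-facing interface.
set security nat proxy-arp interface ge-0/0/0.0 address 107.9.182.64/32
set security nat proxy-arp interface ge-0/0/0.0 address 107.9.182.75/32
set security nat proxy-arp interface ge-0/0/0.0 address 107.9.182.76/32

# Address book holds the TRANSLATED (internal) addresses, because static NAT runs
# before the policy lookup and the policy sees the post-NAT destination.
set security address-book global address mip-64-host 10.0.0.64/32
set security address-book global address mip-75-host 10.0.0.75/32
set security address-book global address mip-76-host 10.0.0.76/32
set security address-book global address-set policy-182-dst address mip-64-host
set security address-book global address-set policy-182-dst address mip-76-host
set security address-book global address-set policy-366-dst address mip-75-host
set security address-book global address-set policy-366-dst address mip-76-host

# Placeholder for the SSG 'Wifi-Public' address object (its real prefix is not in the thread).
set security address-book global address wifi-public 10.99.0.0/24

# SSG policy 182: Untrust -> DMZ, Any -> MIP .64 and .76, HTTPS, permit log count
set security policies from-zone untrust to-zone dmz policy p182 match source-address any
set security policies from-zone untrust to-zone dmz policy p182 match destination-address policy-182-dst
set security policies from-zone untrust to-zone dmz policy p182 match application junos-https
set security policies from-zone untrust to-zone dmz policy p182 then permit
set security policies from-zone untrust to-zone dmz policy p182 then log session-init
set security policies from-zone untrust to-zone dmz policy p182 then log session-close
set security policies from-zone untrust to-zone dmz policy p182 then count

# SSG policy 366: Wifi-Public -> MIP .75 and .76, HTTPS + PING, permit log, currently disabled
set security policies from-zone untrust to-zone dmz policy p366 match source-address wifi-public
set security policies from-zone untrust to-zone dmz policy p366 match destination-address policy-366-dst
set security policies from-zone untrust to-zone dmz policy p366 match application [ junos-https junos-ping ]
set security policies from-zone untrust to-zone dmz policy p366 then permit
set security policies from-zone untrust to-zone dmz policy p366 then log session-close
deactivate security policies from-zone untrust to-zone dmz policy p366
```

The ScreenOS multi-cell policy (a second `set policy id 182` / `set dst-address` block adding another destination) becomes an address-set on the SRX, so the policy stays a single rule with the same scope. The `disable` flag on policy 366 is carried over with `deactivate` rather than by omitting the policy, which keeps the rule visible in the configuration and in the audit trail until someone deliberately activates it; verify the result with `show security policies` and `show security nat static rule-set untrust-to-dmz` before committing.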