SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX-240 all DMZ traffic exit specific IP

    Posted 02-03-2023 20:20
    I'm setting up a DMZ where 192.168.10.0/24 in zone dmz should be NATed and seen as coming from 1.2.3.5/27, but it's not working. If I use source NAT interface it works, but the traffic just comes out as 1.2.3.2/27, the default WAN connection. Here's what I have:

    set security nat proxy-arp interface ge-0/0/0.0 address 1.2.3.5/32
    set security nat source pool dmz1 address 1.2.3.5/32
    set security nat source rule-set dmz from zone dmz1
    set security nat source rule-set dmz to zone untrust
    set security nat source rule-set dmz rule dmz match source-address 192.168.20.0/24
    set security nat source rule-set dmz rule dmz match destination-address 0.0.0.0/0
    set security nat source rule-set dmz rule dmz then source-nat pool dmz1

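An added consistency check, not part of the thread or of Junos itself: it parses the set lines from the post above (with the rule name written out on every rule line) and compares them against the intent stated in the post text, the source zone and subnet the traffic actually comes from, plus whether every pool address has a proxy-arp entry. The zone and subnet you pass in are assumptions about the intended traffic, not values read from the device.

```python
from ipaddress import ip_network

# Constructed input: the source NAT lines from the post above, rule name written out on every line.
CONFIG = """
set security nat proxy-arp interface ge-0/0/0.0 address 1.2.3.5/32
set security nat source pool dmz1 address 1.2.3.5/32
set security nat source rule-set dmz from zone dmz1
set security nat source rule-set dmz to zone untrust
set security nat source rule-set dmz rule dmz match source-address 192.168.20.0/24
set security nat source rule-set dmz rule dmz match destination-address 0.0.0.0/0
set security nat source rule-set dmz rule dmz then source-nat pool dmz1
"""

def parse_source_nat(text):
    # Collect pools, proxy-arp addresses and rule-sets from Junos "set" lines.
    pools, proxy_arp, rule_sets = {}, set(), {}
    for line in text.strip().splitlines():
        t = line.split()
        if t[:4] == ["set", "security", "nat", "proxy-arp"]:
            proxy_arp.add(ip_network(t[t.index("address") + 1]))
        elif t[:5] == ["set", "security", "nat", "source", "pool"]:
            pools.setdefault(t[5], []).append(ip_network(t[7]))
        elif t[:5] == ["set", "security", "nat", "source", "rule-set"]:
            rs = rule_sets.setdefault(t[5], {"from": None, "to": None, "rules": {}})
            if t[6] in ("from", "to"):
                rs[t[6]] = t[8]                 # "... from zone <name>" / "... to zone <name>"
            elif t[6] == "rule":
                rule = rs["rules"].setdefault(t[7], {})
                if t[8] == "match":
                    rule[t[9]] = t[10]          # source-address / destination-address
                elif t[8] == "then":
                    rule["pool"] = t[-1]        # "then source-nat pool <name>"
    return pools, proxy_arp, rule_sets

def lint(text, intended_zone, intended_subnet):
    # Report every way the config fails to match the traffic it is meant to translate.
    pools, proxy_arp, rule_sets = parse_source_nat(text)
    want = ip_network(intended_subnet)
    findings = []
    for name, rs in rule_sets.items():
        if rs["from"] != intended_zone:
            findings.append(f"rule-set {name}: from zone {rs['from']} but traffic is in zone {intended_zone}")
        for rname, rule in rs["rules"].items():
            src = rule.get("source-address")
            if src and not want.subnet_of(ip_network(src)):
                findings.append(f"rule {rname}: source-address {src} does not cover {want}")
            for addr in pools.get(rule.get("pool"), []):
                if addr not in proxy_arp:       # pool IP on the WAN subnet needs proxy-arp
                    findings.append(f"pool {rule['pool']}: no proxy-arp entry for {addr}")
    return findings
```

Running `lint(CONFIG, "dmz", "192.168.10.0/24")` reports the zone-name and source-subnet mismatches between the post text and the pasted config; with the config's own names it reports nothing.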

  • 2.  RE: SRX-240 all DMZ traffic exit specific IP

    Posted 02-03-2023 21:27
    Hello,

    The config looks good to me. 
    Could be a return routing issue as well. 
    Please check the sessions and see if the session table is being built. If yes, then we are not blocking anything.
    You may take flow traces to confirm the processing of the outgoing packet and the incoming packet (if there is any):

    set security flow traceoptions file FLOWTRACE size 10m
    set security flow traceoptions flag basic-datapath
    set security flow traceoptions packet-filter pf1 source-prefix x.x.x.x
    set security flow traceoptions packet-filter pf1 destination-prefix x.x.x.x
    set security flow traceoptions packet-filter pf2 source-prefix x.x.x.x
    set security flow traceoptions packet-filter pf2 destination-prefix x.x.x.x
    commit and-quit

    > show log FLOWTRACE

    Regards,


    ------------------------------
    Brijil R
    ------------------------------



  • 3.  RE: SRX-240 all DMZ traffic exit specific IP

    Posted 02-05-2023 02:18
    Is there an advantage/disadvantage to putting the 1.2.3.5 IP in a NAT source pool vs. a global pool?

    I will try to test this flow soon, thanks!


  • 4.  RE: SRX-240 all DMZ traffic exit specific IP

    Posted 02-05-2023 08:43
    You can also do session checks in real time using

    show security flow session

    This can be restricted by using source-prefix, destination-prefix and other criteria. Be sure to use pre-NAT addresses.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------