JuniperForum.com
Topic: interface_nat
ctr
« on: December 30, 2009, 05:03:43 AM »

Is "interface_nat_" supposed to work on SRX with JunOS 10.0?
I've read through various JunOS 10.0 guides and could not find anything saying the SRX is not supported.

Is there another way to redirect traffic directed to the dynamic IP of an external interface?
frogmanclay
« Reply #1 on: January 01, 2010, 06:47:35 PM »

This is what I did at my home. Works like a champ for my web server and has no impact on my other PCs' internet connection. I am using an SRX210 running JUNOS 9.6, but I am certain that 10 works just as well.

Hope that helps,
Clay


security {
    nat {
        static {
            rule-set allow-web {
                from interface fe-0/0/7.0;
                rule r3 {
                    match {
                        /* public address the clients connect to */
                        destination-address x.x.x.x/32;
                    }
                    then {
                        /* inside host that actually serves the traffic */
                        static-nat prefix y.y.y.y/32;
                    }
                }
            }
        }
    }
}
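Added example, not from the original post or from Juniper's documentation: the static NAT rule above together with the two stanzas that usually have to accompany it before an inbound connection succeeds. The interface fe-0/0/7.0 and the rule-set and rule names are taken from the post; the public address 203.0.113.10 (standing in for x.x.x.x), the inside host 192.168.1.10 (for y.y.y.y), the address-book entry web-server and the policy name permit-web-in are assumptions for illustration.

```junos
security {
    nat {
        static {
            rule-set allow-web {
                from interface fe-0/0/7.0;
                rule r3 {
                    match {
                        /* public address clients connect to (x.x.x.x in the post; assumed) */
                        destination-address 203.0.113.10/32;
                    }
                    then {
                        /* inside host that really answers (y.y.y.y in the post; assumed) */
                        static-nat prefix 192.168.1.10/32;
                    }
                }
            }
        }
        /* Needed only when 203.0.113.10 is NOT an address configured on
           fe-0/0/7.0 itself: the SRX must answer the upstream router's ARP
           for it, otherwise the packets never arrive at the NAT rule.
           Leave this stanza out when the NAT address is the interface's own. */
        proxy-arp {
            interface fe-0/0/7.0 {
                address 203.0.113.10/32;
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                /* Junos 10.0 keeps the address book under the zone */
                address web-server 192.168.1.10/32;
            }
        }
    }
    policies {
        from-zone untrust to-zone trust {
            policy permit-web-in {
                match {
                    source-address any;
                    /* policy lookup runs after destination translation,
                       so the policy names the inside host, not 203.0.113.10 */
                    destination-address web-server;
                    application junos-http;
                }
                then {
                    permit;
                }
            }
        }
    }
}
```

Two properties of static NAT are worth keeping in mind with this layout: it is bidirectional, so connections the inside host opens towards the internet leave sourced as 203.0.113.10 as well, and it covers every port, so anything not blocked by the policy is reachable on that address. It also presupposes a public address that is known in advance, which is exactly what the original poster does not have.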
ctr
« Reply #2 on: January 02, 2010, 07:16:02 AM »

I have a similar configuration running atm, the problem is that the "interface_nat_<name-of-if>" statement also works if you don't know the outside IP address which comes in very handy in the case of dynamic IPs...
But it seems this is not supported by SRX atm.
srxpap
« Reply #3 on: January 04, 2010, 03:45:04 AM »

I'm no expert but this does the job for us:
(version 10.0R1.8)
security {
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            /* translate to whatever address the egress interface holds */
                            interface;
                        }
                    }
                }
            }
        }
    }
}
ctr
« Reply #4 on: January 04, 2010, 08:11:02 AM »

This is for source nat, I'm looking for destination nat
spingineer
« Reply #5 on: February 16, 2010, 08:13:30 AM »

Ok, I think we all assumed you were referring to the way ScreenOS did interface nat, which is src-nat.

Did you configure proxy arp, to map the interface arp to the hidden host on the other side of the firewall?

Can you give more details about your requirement?  Are you looking to nat incoming connections to a protected server?  Perhaps a network topology and what it is you are trying to accomplish will clear up things.

I assume you followed the app note on nat, http://www.juniper.net/us/en/local/pdf/app-notes/3500152-en.pdf (destination nat is near the end of the document)?
ctr
« Reply #6 on: February 16, 2010, 02:10:11 PM »

I.e. the example here:
http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-swconfig-security/id-48237.html#id-48237
uses "match destination-address incoming_nat_ge-0/0/2.0" so one could dest-nat traffic without knowing the IP on that interface (which is quite common for inexpensive ISP uplinks). But this syntax seems to be unavailable for SRX.

Destination NAT is working for me right now, but I have to define a pool with the outside address. If the address changes I would have to reconfigure the pool...
spingineer
« Reply #7 on: February 18, 2010, 08:29:49 AM »

CTR,
I'm not sure how the "incoming_nat" feature is working for you.  This is used only in VoIP implementations, like SIP or H323.  This feature takes the SIP NAT sessions, maps the SIP/H323 ALG ports from private to public, so that when an incoming call comes in, it can match who the caller and DID maps to.

So it looks like what you really want is VIP Same as Untrust.  What happens if you set your destination nat to 0.0.0.0/0?
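The 0.0.0.0/0 suggestion written out in full, as an added example that is not part of the original thread or of Juniper's documentation. The rule-set is bound to the uplink interface rather than to an address, so the SRX never needs to know which address DHCP or PPPoE handed it, and the port match keeps the catch-all from redirecting anything except the published services. The interface fe-0/0/7.0 is borrowed from reply #1; the inside host 192.168.1.10, the public port 2222 for SSH, and all pool, rule, address-book and policy names are assumptions.

```junos
security {
    nat {
        destination {
            /* inside targets; the pool port lets the public port differ from the service port */
            pool web-server-80 {
                address 192.168.1.10/32 port 80;
            }
            pool web-server-22 {
                address 192.168.1.10/32 port 22;
            }
            rule-set from-uplink {
                /* bind to the interface, not to an address: the uplink address is dynamic */
                from interface fe-0/0/7.0;
                rule http-in {
                    match {
                        /* any destination, i.e. whatever address the uplink currently holds */
                        destination-address 0.0.0.0/0;
                        destination-port 80;
                    }
                    then {
                        destination-nat pool web-server-80;
                    }
                }
                rule ssh-in {
                    match {
                        destination-address 0.0.0.0/0;
                        /* non-standard public port (assumed) ... */
                        destination-port 2222;
                    }
                    then {
                        /* ... translated to port 22 on the inside host */
                        destination-nat pool web-server-22;
                    }
                }
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address web-server 192.168.1.10/32;
            }
        }
    }
    policies {
        from-zone untrust to-zone trust {
            policy permit-services-in {
                match {
                    source-address any;
                    /* the policy sees the post-NAT destination: inside host and port 22/80 */
                    destination-address web-server;
                    application [ junos-http junos-ssh ];
                }
                then {
                    permit;
                }
            }
        }
    }
}
```

No proxy-ARP stanza is needed here, because the address being redirected is the interface's own and the SRX already answers ARP for it. Two cautions: destination NAT is evaluated before the packet is checked against the interface's host-inbound-traffic settings, so with these rules in place HTTP to the uplink address goes to the inside host rather than to any management service listening on the SRX itself; and because the match is every destination, the rule also catches port-80 packets arriving on fe-0/0/7.0 for other destinations, which is harmless on a single uplink but makes this pattern unsuitable for an interface that carries transit traffic.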
ctr
« Reply #8 on: March 04, 2010, 06:40:04 PM »

That's actually working fine, thanks!