Static NAT in SRX

The document discusses configuring static NAT on an SRX firewall to translate between the 192.168.211.16/28 and 192.168.250.32/28 networks. It covers creating static NAT and policy rules, and also enabling proxy ARP to allow traffic to pass. The static NAT provides a one-to-one mapping between addresses in the two networks.
Today's post is about static NAT configuration on an SRX firewall. I have the following topology,
and the aim is to translate the IP network 192.168.211.16/28 to 192.168.250.32/28 and vice versa.

The JGW1 SRX has 192.168.250.1 on its uplink-zone-facing interface and 192.168.211.1 on its
trust-zone-facing interface. The static NAT configuration for this setup is as follows:
[edit]
root@JGW1# show security nat
static {
    rule-set stat-rs1 {
        from zone uplink;
        rule rule_for_ubuntus {
            match {
                destination-address 192.168.250.32/28;
            }
            then {
                static-nat {
                    prefix {
                        192.168.211.16/28;
                    }
                }
            }
        }
    }
}
What this configuration really means is:

Match the traffic arriving at the uplink zone.

If the destination address is within the 192.168.250.32/28 subnet,

then replace the destination IP address with one of the addresses within the 192.168.211.16/28 subnet.

But which address is used as the replacement? Static NAT requires an exact match: if your destination
address has a 28-bit prefix, your static-nat prefix should also be 28 bits, and the replacement is done as follows:
192.168.250.33 -> 192.168.211.17
192.168.250.34 -> 192.168.211.18
I think there is no need to write the rest; it is one to one. The good thing about static NAT is that the reverse
static NAT is also done automatically for you, which means:
192.168.211.17 -> 192.168.250.33
192.168.211.18 -> 192.168.250.34
So the source address of any packet leaving the SRX with IP address 192.168.211.17 is replaced by 192.168.250.33.
In addition to this, we shouldn't forget the security policy configuration, of course:
[edit]
root@JGW1# show security policies
from-zone trust to-zone uplink {
    policy ubuntu-net-access {
        match {
            source-address ubuntu-net;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
*ubuntu-net is an address-book entry in the associated zone
If you have configured this far, you will see that the ubuntu3 host still cannot reach the outside network.
Why? The thing is that the SRX doesn't reply to ARP requests for the 192.168.250.32/28 range, because it does not
own those addresses. We must tell it to do so explicitly by configuring proxy-arp as follows:
[edit security nat proxy-arp]
root@JGW1# show
interface ge-0/0/0.0 {
    address {
        192.168.250.32/28;
    }
}
*ge-0/0/0.0 is the uplink zone facing interface
Once you configure proxy ARP, your Ubuntu host should be able to reach out.
You will see that IP 192.168.211.20 is replaced by 192.168.250.36. What does this mean? It means that if you
set up the reverse security policies, any traffic destined to 192.168.250.36 will be forwarded to 192.168.211.20
automatically.
One thing that you should keep in mind is that there is no port translation in this type of NAT, so the address
space available to you is relatively limited: every internal host consumes one address from the translated prefix.
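To make the one-to-one mapping and the proxy-ARP requirement concrete, here is an added Python model of what the rule above does (example code written for this post, not Junos or SRX code). It reuses the post's prefixes 192.168.250.32/28 and 192.168.211.16/28 and the proxy-arp entry on ge-0/0/0.0; the function names and the equal-prefix-length check are my own illustration of the "exact match" requirement described above.

```python
import ipaddress

# Values constructed from the post's configuration: rule_for_ubuntus matches
# destination 192.168.250.32/28 and maps it one-to-one onto host prefix
# 192.168.211.16/28; proxy-arp on ge-0/0/0.0 answers for 192.168.250.32/28.
DEST_PREFIX = "192.168.250.32/28"   # what the uplink side sees
HOST_PREFIX = "192.168.211.16/28"   # what the trust side really uses
PROXY_ARP_PREFIXES = ["192.168.250.32/28"]


def _map(addr, src_net, dst_net):
    """Map addr from src_net onto dst_net at the same offset (one-to-one)."""
    src, dst = ipaddress.ip_network(src_net), ipaddress.ip_network(dst_net)
    if src.prefixlen != dst.prefixlen:
        # Static NAT needs match and host prefixes of equal length:
        # a /28 destination must be translated to another /28.
        raise ValueError("static-nat prefix length must equal the match prefix length")
    ip = ipaddress.ip_address(addr)
    if ip not in src:
        return None  # rule does not match; the packet is forwarded untranslated
    offset = int(ip) - int(src.network_address)
    return str(dst.network_address + offset)


def translate_inbound(dst_addr, dest_net=DEST_PREFIX, host_net=HOST_PREFIX):
    """Packet arriving in the uplink zone: destination rewritten to the host prefix."""
    return _map(dst_addr, dest_net, host_net)


def translate_outbound(src_addr, dest_net=DEST_PREFIX, host_net=HOST_PREFIX):
    """Reverse translation the SRX applies automatically: a packet leaving the
    trust side has its source rewritten from the host prefix to the uplink prefix."""
    return _map(src_addr, host_net, dest_net)


def proxy_arp_gaps(dest_net=DEST_PREFIX, proxy_nets=PROXY_ARP_PREFIXES):
    """Return translated uplink-side addresses that no proxy-arp entry covers.
    The SRX does not own these IPs, so without proxy ARP the upstream router
    never gets an ARP reply for them and inbound packets are dropped."""
    nets = [ipaddress.ip_network(p) for p in proxy_nets]
    return [str(ip) for ip in ipaddress.ip_network(dest_net).hosts()
            if not any(ip in n for n in nets)]
```

Running `proxy_arp_gaps()` with a proxy-arp entry narrower than the NAT prefix lists exactly the hosts that would silently stop being reachable, which is the symptom described for ubuntu3 above.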
Below is also my show command output:
root@JGW1> show security nat static rule all
Total static-nat rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 2/0

Static NAT rule: rule_for_ubuntus          Rule-set: stat-rs1
  Rule-Id                    : 2
  Rule position              : 1
  From zone                  : uplink
  Destination addresses      : 192.168.250.32
  Host addresses             : 192.168.211.16
  Netmask                    : 28
  Host routing-instance      : N/A
  Translation hits           : 807
If there is any point not clear for you, please send your comment!
