[Contents] [Prev] [Next] [Index] [Report an Error]

Example: Configuring Source NAT on SRX-series Services Gateways

When performing source Network Address Translation, source pools provide JUNOS software with a supply of addresses from which to draw. When a NAT rule requires NAT and references a specific source pool, JUNOS software draws addresses from that pool when translation is performed. For SRX-series devices (unlike J-series), NAT is de-coupled from policies. SRX-series NAT has its own NAT rules to regulate traffic and to perform address translation.

Note: When performing source NAT on SRX-series devices, security policies are applied first and then the address in question is translated according to configured NAT source rules.

Before You Begin

For background information, read:

Source NAT rules have three available actions:

Note: off is a useful command for detail control when you are configuring source NAT rules. For example, you can configure a rule that says, “if rule A is from zone1 to zone2, do source NAT.” However, you do not want to do source NAT if the traffic egresses from interface if2, which belongs to zone2. In that case, you can define a rule B, which is from zone1 to if2 with off as the source NAT action.

In this example, you perform the following tasks:

CLI Configuration

user@host# set security nat source pool spool-1 routing-instance ri-1
user@host# set security nat source pool spool-1 address 10.1.1.1
user@host# set security nat source pool spool-2 routing-instance ri-1
user@host# set security nat source pool spool-2 address 10.1.1.2
user@host# set security nat source pool spool-3 routing-instance ri-1
user@host# set security nat source pool spool-3 address 10.1.1.3
user@host# set security nat source pool spool-4 routing-instance ri-1
user@host# set security nat source pool spool-4 address 10.1.1.4
user@host# set security nat source pool spool-5 routing-instance ri-1
user@host# set security nat source pool spool-5 address 10.1.1.5
user@host# set security nat source rule-set rs1 from routing-instance ri-2
user@host# set security nat source rule-set rs1 to routing-instance ri-1
user@host#set security nat source rule-set rs1 rule r1 match destination-address 30.1.1.1
user@host# set security nat source rule-set rs1 rule r1 then source-nat pool spool-1
user@host# set security nat source rule-set rs1 rule r5 match destination-address 30.1.1.5
user@host# set security nat source rule-set rs1 rule r5 then source-nat pool spool-5
user@host# set security nat source rule-set rs2 from zone [z3 z4]
user@host#set security nat source rule-set rs2 to routing-instance ri-1
user@host# set security nat source rule-set rs2 rule r2 match destination-address 30.1.1.2
user@host# set security nat source rule-set rs2 rule r2 then source-nat pool spool-2
user@host# set security nat source rule-set rs3 from interface [fe-0/0/0.0 fe-0/0/1.0]
user@host# set security nat source rule-set rs3 to interface [ge-1/0/0.0 ge-1/0.1.0]
user@host# set security nat source rule-set rs3 rule r3 match destination-address 30.1.1.3
user@host# set security nat source rule-set rs3 rule r3 then source-nat spool-3
user@host# set security nat source rule-set rs4 from routing-instance ri-2
user@host# set security nat source rule-set rs4 to zone z2
user@host# set security nat source rule-set rs4 rule r4 match destination-address 30.1.1.4
user@host# set security nat source rule-set rs4 rule r4 then source-nat pool spool-4
[Contents] [Prev] [Next] [Index] [Report an Error]

Copyright © 2008, Juniper Networks, Inc. All rights reserved. Trademark Notice.