Example: Configuring NAT for vSRX Virtual Firewall
This example shows how to configure vSRX Virtual Firewall to source NAT all hosts behind the vSRX Virtual Firewall instance in the Amazon Virtual Private Cloud (Amazon VPC) to the IP address of the vSRX Virtual Firewall egress interface in the untrust zone. This configuration allows hosts behind vSRX Virtual Firewall in a cloud network to access the Internet without exposing their private addresses.
Before You Begin
Ensure that you have installed and launched a vSRX Virtual Firewall instance in an Amazon VPC.
Overview
A common cloud configuration includes hosts that you want to grant access to the Internet, but you do not want anyone from outside your cloud to get access to your hosts. You can use vSRX Virtual Firewall in an Amazon VPC to apply source NAT to traffic leaving the Amazon VPC for the public Internet, so that the hosts' private addresses are hidden behind the address of the vSRX Virtual Firewall egress interface. Because the translation is performed only for sessions initiated from inside the VPC, and no reverse mapping is created, connections initiated from the Internet toward the hosts are not forwarded.
Configuration
Configuring NAT
Procedure
Step-by-Step Procedure
To configure NAT on the vSRX Virtual Firewall instance:
Log in to the vSRX Virtual Firewall console in configuration edit mode (see Configure vSRX Using the CLI).
Set the IP addresses for vSRX Virtual Firewall revenue interfaces.
set interfaces ge-0/0/0 unit 0 family inet address 10.0.10.197/24
set interfaces ge-0/0/1 unit 0 family inet address 10.0.20.1/24
In this example, ge-0/0/0 (10.0.10.197/24) is the egress interface facing the public subnet, and ge-0/0/1 (10.0.20.1/24) faces the private subnet where the hosts to be translated reside.
Set up the untrust security zone.
set security zones security-zone untrust host-inbound-traffic system-services https
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ge-0/0/0.0
Note: Permitting https and ssh as host-inbound-traffic on the untrust zone makes the vSRX Virtual Firewall management services reachable on the Internet-facing interface. If you do not need to manage the instance from outside the VPC, omit these two statements, or restrict the permitted sources with the instance's AWS security group.
Set up the trust security zone.
set security zones security-zone trust host-inbound-traffic system-services https
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ge-0/0/1.0
Set up the security policies.
set security policies from-zone trust to-zone untrust policy test match source-address any
set security policies from-zone trust to-zone untrust policy test match destination-address any
set security policies from-zone trust to-zone untrust policy test match application any
set security policies from-zone trust to-zone untrust policy test then permit
Only a trust-to-untrust policy is configured. Because no policy from zone untrust to zone trust exists, the default deny-all policy applies to connections initiated from the Internet, which is the behavior described in the Overview.
Configure NAT.
set security nat source rule-set SNAT_RuleSet from zone trust
set security nat source rule-set SNAT_RuleSet to zone untrust
set security nat source rule-set SNAT_RuleSet rule SNAT_Rule match source-address 0.0.0.0/0
set security nat source rule-set SNAT_RuleSet rule SNAT_Rule then source-nat interface
commit
With source-nat interface, every session from zone trust to zone untrust is translated to the address of the egress interface (ge-0/0/0, 10.0.10.197) with port address translation; no NAT pool is required.
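The complete configuration for this scenario, shown here as an added example rather than as a configuration taken from the original page, collects the steps above into one set-format listing and adds the pieces the procedure does not cover: a default route and the operational-mode commands used to verify the translation. The next hop 10.0.10.1 is an assumption (AWS reserves the first host address of a subnet for the VPC router), and 198.51.100.10 is a constructed destination used only to illustrate the verification commands. The lines beginning with # are explanatory; strip them before pasting into load set terminal. On the AWS side, this configuration only works if an Elastic IP is associated with the ge-0/0/0 network interface, source/destination checking is disabled on both vSRX network interfaces, and the private subnet's route table sends 0.0.0.0/0 to the ge-0/0/1 network interface; the hosts in 10.0.20.0/24 use 10.0.20.1 as their default gateway.

```junos
# Added example, not the page's own listing. Junos set-format configuration
# for interface source NAT on a vSRX in an Amazon VPC.

# Revenue interfaces: ge-0/0/0 faces the public subnet, ge-0/0/1 the private one
set interfaces ge-0/0/0 unit 0 family inet address 10.0.10.197/24
set interfaces ge-0/0/1 unit 0 family inet address 10.0.20.1/24

# Default route toward the VPC router (10.0.10.1 is an assumed next hop)
set routing-options static route 0.0.0.0/0 next-hop 10.0.10.1

# Untrust zone: interface binding only. The page's ssh/https host-inbound
# statements are deliberately left out so that management is not reachable
# from the Internet-facing interface.
set security zones security-zone untrust interfaces ge-0/0/0.0

# Trust zone: management and ping permitted from the private subnet
set security zones security-zone trust host-inbound-traffic system-services https
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ge-0/0/1.0

# Outbound policy only. No untrust-to-trust policy exists, so the default
# deny-all policy drops sessions initiated from the Internet.
set security policies from-zone trust to-zone untrust policy test match source-address any
set security policies from-zone trust to-zone untrust policy test match destination-address any
set security policies from-zone trust to-zone untrust policy test match application any
set security policies from-zone trust to-zone untrust policy test then permit

# Interface source NAT: everything leaving trust for untrust is translated to
# the address of ge-0/0/0 (10.0.10.197), with port address translation.
set security nat source rule-set SNAT_RuleSet from zone trust
set security nat source rule-set SNAT_RuleSet to zone untrust
set security nat source rule-set SNAT_RuleSet rule SNAT_Rule match source-address 0.0.0.0/0
set security nat source rule-set SNAT_RuleSet rule SNAT_Rule then source-nat interface
commit

# Verification, in operational mode, after a host in 10.0.20.0/24 has opened a
# connection to 198.51.100.10 (constructed destination address):
#   show security nat source rule all
#       the Translation hits counter for SNAT_Rule increments
#   show security flow session destination-prefix 198.51.100.10
#       the session's In wing shows the host's 10.0.20.x source, the Out wing
#       shows 10.0.10.197 as the translated source
#   show security nat source summary
#       confirms SNAT_RuleSet binds zone trust to zone untrust
```

If the Translation hits counter stays at zero while the flow session exists, the traffic is matching the policy but not the NAT rule; check that the rule-set's from and to zones match the zones bound to ge-0/0/1.0 and ge-0/0/0.0. If no session appears at all, the problem is usually on the AWS side (route table, source/destination check, or the missing Elastic IP) rather than in the Junos configuration.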