Hi,
Because the fxp0 interface is outside the flow module (i.e., no zones, policies, NAT, etc.) and it is not intended for transit traffic, we cannot achieve this requirement. If you send any non-standard traffic on ports other than mgmt (like TCP 22, 23, etc.), the connection will be refused.
So, 10.10.10.254:8007 (or any other ports in your requirement) will not be processed by the SRX.
Here is an example:
A configuration like the one below (destination NAT for traffic coming in on the fxp0 interface) will not give any commit error/warning, but it will NOT work. We might have to use a revenue port to meet this requirement of managing multiple downstream devices with a single IP address.
root@SRX345> show interfaces terse fxp0
Interface               Admin Link Proto    Local                 Remote
fxp0                    up    up
fxp0.0                  up    up   inet     10.219.32.203/26
prad:~ prad$ telnet 10.219.32.203 8007
Trying 10.219.32.203...
telnet: connect to address 10.219.32.203: Connection refused
telnet: Unable to connect to remote host
root@SRX345> ...rity nat destination | display set
set security nat destination pool Router1 address 192.168.220.7/32
set security nat destination pool Router1 address port 443
set security nat destination pool Router1ssh address 192.168.220.7/32
set security nat destination pool Router1ssh address port 22
set security nat destination pool Router2ssh address 192.168.220.8/32
set security nat destination pool Router2ssh address port 22
set security nat destination pool Router2 address 192.168.220.8/32
set security nat destination pool Router2 address port 443
set security nat destination rule-set r1 from interface fxp0.0
set security nat destination rule-set r1 rule 1 match destination-address 10.219.32.203/32
set security nat destination rule-set r1 rule 1 match destination-port 8007
set security nat destination rule-set r1 rule 1 then destination-nat pool Router1
set security nat destination rule-set r1 rule 2 match destination-address 10.219.32.203/32
set security nat destination rule-set r1 rule 2 match destination-port 2007
set security nat destination rule-set r1 rule 2 then destination-nat pool Router1ssh
set security nat destination rule-set r1 rule 3 match destination-address 10.219.32.203/32
set security nat destination rule-set r1 rule 3 match destination-port 8008
set security nat destination rule-set r1 rule 3 then destination-nat pool Router2
set security nat destination rule-set r1 rule 4 match destination-address 10.219.32.203/32
set security nat destination rule-set r1 rule 4 match destination-port 2008
set security nat destination rule-set r1 rule 4 then destination-nat pool Router2ssh
Hope this helps!
Regards,
Pradeep
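
Since the configuration in the reply above commits without any error or warning, an offline check over `display set` output can flag destination NAT rule-sets bound to fxp0 before anyone relies on them. This is an added example, not part of the original post or any Juniper tooling; the function name `find_fxp_nat` and the rule-set `r2` on `ge-0/0/0.0` are assumptions made for illustration.

```python
import re

# Constructed sample: lines modelled on the "display set" output in the post,
# plus a hypothetical rule-set r2 on a revenue port (ge-0/0/0.0) for contrast.
SAMPLE = """\
set security nat destination pool Router1 address 192.168.220.7/32
set security nat destination pool Router1 address port 443
set security nat destination rule-set r1 from interface fxp0.0
set security nat destination rule-set r1 rule 1 match destination-address 10.219.32.203/32
set security nat destination rule-set r1 rule 1 match destination-port 8007
set security nat destination rule-set r1 rule 1 then destination-nat pool Router1
set security nat destination rule-set r2 from interface ge-0/0/0.0
set security nat destination rule-set r2 rule 1 match destination-port 8008
set security nat destination rule-set r2 rule 1 then destination-nat pool Router1
"""

FROM_IF = re.compile(r"^set security nat destination rule-set (\S+) from interface (\S+)$")
RULE = re.compile(r"^set security nat destination rule-set (\S+) rule (\S+) (.+)$")
MGMT_IF = re.compile(r"^fxp\d+(\.\d+)?$")  # fxp0 or a logical unit such as fxp0.0


def find_fxp_nat(config_text):
    """Return (rule_set, rule, port, pool) for each destination NAT rule whose
    rule-set is bound to an fxp management interface."""
    mgmt_sets, rules = set(), {}
    for line in config_text.splitlines():
        line = line.strip()
        m = FROM_IF.match(line)
        if m:
            if MGMT_IF.match(m.group(2)):
                mgmt_sets.add(m.group(1))
            continue
        m = RULE.match(line)
        if not m:
            continue
        entry = rules.setdefault((m.group(1), m.group(2)), {"port": None, "pool": None})
        words = m.group(3).split()
        if words[:2] == ["match", "destination-port"]:
            entry["port"] = " ".join(words[2:])
        elif words[:3] == ["then", "destination-nat", "pool"]:
            entry["pool"] = " ".join(words[3:])
    # Filter at the end so the result does not depend on statement order.
    return [(rs, rule, e["port"], e["pool"])
            for (rs, rule), e in rules.items() if rs in mgmt_sets]


if __name__ == "__main__":
    for rs, rule, port, pool in find_fxp_nat(SAMPLE):
        print(f"rule-set {rs} rule {rule}: port {port} -> pool {pool} is bound to fxp, will not be NATed")
```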