Re: 1-to-1 NAT setup to untrust /24?

Okay, so here's what I have:

[edit security nat source]
set pool src-nat-pool20 address 10.20.1.10 to 10.20.1.249
set rule-set 20 from zone 20
set rule-set 20 to zone untrust
set rule-set 20 rule 20 match source-address 0.0.0.0/0
set rule-set 20 rule 20 match destination-address 0.0.0.0/0
set rule-set 20 rule 20 then source-nat pool src-nat-pool20

[edit security nat]
set proxy-arp interface ge-0/0/0.0 address 1.2.3.2 to 1.2.3.5

[edit security policies from-zone 20 to-zone untrust]
set policy 20 match source-address any destination-address any application any
set policy 20 then permit

But now when I head to the LAN port on a downstream router that encapsulates vlan-20, I can't get to the Internet. OTOH, when I ping my downstream router IP from my SRX, it responds, which tells me I *think* that my firewall rules aren't set up right to pass traffic to upstream public statics, is that right? Like I need some policy from untrust to 20? Here's what I have for that:

from-zone untrust to-zone 20 {
    policy deny-all {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            deny;
        }
    }
}

Feels like I might be getting close?
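A check a practitioner would run against a set-style source NAT configuration like the one in this post, added here as an example (not code from the original post or from Juniper): every address in a source NAT pool that is not the egress interface's own address needs a matching proxy-arp entry, otherwise the upstream router cannot resolve the translated addresses and return traffic never arrives. The sample config below is constructed from the values quoted above; the regexes assume the full `set security nat ...` form rather than the `[edit]`-relative form shown in the post.

```python
import ipaddress
import re

# Constructed sample in Junos "set" style, modelled on the post above.
SAMPLE_CONFIG = """
set security nat source pool src-nat-pool20 address 10.20.1.10 to 10.20.1.249
set security nat source rule-set 20 from zone 20
set security nat source rule-set 20 to zone untrust
set security nat source rule-set 20 rule 20 match source-address 0.0.0.0/0
set security nat source rule-set 20 rule 20 match destination-address 0.0.0.0/0
set security nat source rule-set 20 rule 20 then source-nat pool src-nat-pool20
set security nat proxy-arp interface ge-0/0/0.0 address 1.2.3.2 to 1.2.3.5
"""

POOL_RE = re.compile(r"^set security nat source pool (\S+) address (\S+)(?: to (\S+))?$")
PROXY_RE = re.compile(r"^set security nat proxy-arp interface (\S+) address (\S+)(?: to (\S+))?$")


def _to_range(start, end):
    """Return (first, last) addresses for a bare host, a prefix, or an explicit 'X to Y' range."""
    first = ipaddress.ip_network(start, strict=False)
    last = ipaddress.ip_network(end, strict=False) if end else first
    return first[0], last[-1]


def parse(config):
    """Collect source NAT pool ranges and proxy-arp ranges, keyed by pool name / interface."""
    pools, proxy = {}, {}
    for raw in config.strip().splitlines():
        line = raw.strip()
        m = POOL_RE.match(line)
        if m:
            pools.setdefault(m.group(1), []).append(_to_range(m.group(2), m.group(3)))
            continue
        m = PROXY_RE.match(line)
        if m:
            proxy.setdefault(m.group(1), []).append(_to_range(m.group(2), m.group(3)))
    return pools, proxy


def uncovered_pool_addresses(config):
    """Return {pool_name: [(first, last), ...]} for pool ranges no proxy-arp entry fully covers."""
    pools, proxy = parse(config)
    covered = [r for ranges in proxy.values() for r in ranges]
    findings = {}
    for name, ranges in pools.items():
        for first, last in ranges:
            if not any(cf <= first and last <= cl for cf, cl in covered):
                findings.setdefault(name, []).append((str(first), str(last)))
    return findings


if __name__ == "__main__":
    print(uncovered_pool_addresses(SAMPLE_CONFIG))
```

Running it on the sample reports `src-nat-pool20` as uncovered, because the pool is 10.20.1.10-10.20.1.249 while proxy-arp on ge-0/0/0.0 only answers for 1.2.3.2-1.2.3.5; a pool drawn from the proxy-arp range produces no findings.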
