Hi,

This should technically wind up my NAT studies on SRX. I have covered most of the NATs and I am planning a mind-map sort of thing to compose all NATs in SRX.

Double NAT has always been a tricky aspect, mainly because we have the same subnet everywhere 😉

Requirements

-> An SRX supporting virtual routing instances – obviously, you cannot have the same subnet belonging to two different interfaces in the same routing table

-> Policies to allow the traffic

-> NAT definitions to correctly redirect the traffic

Topology

[Image: 1_topology]

Verification of zones and policies

[Image: 1_zone_config]

[Image: 3_security_policies]

NAT definition – The routing here should be directed to the next routing instance; a miss here would prove very costly. The virtual pool acts as the destination address and also as the match address.

[Image: 2_nat_config]
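A static NAT definition of the kind described above, as an added example rather than the configuration from the original screenshot. The instance, zone, rule-set and interface names are hypothetical, and the /24 prefix length is an assumption, since the post only gives the 3.3.3.3 to 8.8.12.3 mapping.

```junos
/* Added example: all names are hypothetical and the /24 length is assumed;
   only the 3.3.3.3 -> 8.8.12.3 mapping comes from the post. */
routing-instances {
    VR-A {
        instance-type virtual-router;
        interface ge-0/0/1.0;
    }
    VR-B {
        instance-type virtual-router;
        interface ge-0/0/2.0;
    }
}
security {
    zones {
        security-zone SIDE-A {
            interfaces {
                ge-0/0/1.0;
            }
        }
        security-zone SIDE-B {
            interfaces {
                ge-0/0/2.0;
            }
        }
    }
    nat {
        static {
            rule-set A-TO-B {
                from zone SIDE-A;
                rule R1 {
                    match {
                        /* virtual prefix: the match address hosts behind SIDE-A target */
                        destination-address 3.3.3.0/24;
                    }
                    /* real prefix, host bits kept one-to-one; route lookup moves to VR-B */
                    then {
                        static-nat {
                            prefix {
                                8.8.12.0/24;
                                routing-instance VR-B;
                            }
                        }
                    }
                }
            }
        }
    }
}
```

Policy lookup on the SRX happens after static NAT has rewritten the destination, so the policy from SIDE-A to SIDE-B has to match the real 8.8.12.0/24 address, not the virtual 3.3.3.0/24 one. Leaving out the `routing-instance` statement makes the lookup for 8.8.12.x happen in the ingress instance, where the same subnet is local, which is the miss the post warns about.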

Let's verify things – see that a one-to-one mapping exists: if I try to ping 3.3.3.3, it would relate to 8.8.12.3 and not any other IP address.

[Image: 4_verification]

[Image: 5_verification_cont]

Regards

Rakesh M
