3. Configure a rule that matches packets and translates the destination address
(1.1.1.3/29) to the address in the pool (dst-nat-pool-1, which contains IP address
192.168.2.2/32).
[edit]
user@srx210-host# set security nat destination rule-set rs1 rule r1 match destination-address 1.1.1.3/29
user@srx210-host# set security nat destination rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-1
4. Configure proxy ARP for the address 1.1.1.3/29 on interface ge-0/0/0.0.
[edit]
user@srx210-host# set security nat proxy-arp interface ge-0/0/0.0 address 1.1.1.3/29
5. Configure an address in the address book for Server-HTTP-1.
[edit]
user@srx210-host# set security zones security-zone DMZ address-book address Server-HTTP-1 192.168.2.2/32
6. Configure a security policy to allow traffic from the untrust zone to the server
(Server-HTTP-1) in the DMZ zone.
[edit]
user@srx210-host# set security policies from-zone untrust to-zone DMZ policy server-access match source-address any
user@srx210-host# set security policies from-zone untrust to-zone DMZ policy server-access match destination-address Server-HTTP-1
user@srx210-host# set security policies from-zone untrust to-zone DMZ policy server-access match application junos-http
user@srx210-host# set security policies from-zone untrust to-zone DMZ policy server-access then permit
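A consistency check over steps 3 through 6, added here as an example and not part of the Juniper guide. The audit helper and the CONFIG and POOLS names are hypothetical; the input is the page's own commands, and it flags prefixes that cover more than one address and policies whose destination is not the translated pool address.

```python
import ipaddress
import re

# Constructed input: the set commands from steps 3-6 above (step 5 in set form).
CONFIG = """\
set security nat destination rule-set rs1 rule r1 match destination-address 1.1.1.3/29
set security nat destination rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-1
set security nat proxy-arp interface ge-0/0/0.0 address 1.1.1.3/29
set security zones security-zone DMZ address-book address Server-HTTP-1 192.168.2.2/32
set security policies from-zone untrust to-zone DMZ policy server-access match source-address any
set security policies from-zone untrust to-zone DMZ policy server-access match destination-address Server-HTTP-1
set security policies from-zone untrust to-zone DMZ policy server-access match application junos-http
set security policies from-zone untrust to-zone DMZ policy server-access then permit
"""
# Pool contents as given on this page (dst-nat-pool-1 holds 192.168.2.2/32).
POOLS = {"dst-nat-pool-1": "192.168.2.2/32"}


def audit(config, pools):
    """Hypothetical helper: return review findings for a destination NAT setup."""
    nat_match = re.findall(r"rule \S+ match destination-address (\S+)", config)
    proxy_arp = re.findall(r"proxy-arp interface \S+ address (\S+)", config)
    pool_refs = re.findall(r"then destination-nat pool (\S+)", config)
    book = dict(re.findall(r"address-book address (\S+) (\S+)", config))
    pol_dst = re.findall(r"policy \S+ match destination-address (\S+)", config)
    pol_app = re.findall(r"policy \S+ match application (\S+)", config)
    findings = []
    # A prefix shorter than /32 covers more than the one public address.
    for prefix in nat_match + proxy_arp:
        net = ipaddress.ip_network(prefix, strict=False)
        if net.num_addresses > 1:
            findings.append(f"{prefix} covers {net.num_addresses} addresses ({net[0]}-{net[-1]})")
    # Policy lookup follows destination NAT, so it must name the translated address.
    real = {ipaddress.ip_network(pools[p], strict=False)
            for p in pool_refs if p in pools}
    for name in pol_dst:
        if name not in book:
            findings.append(f"policy destination {name} is not in the address book")
        elif ipaddress.ip_network(book[name], strict=False) not in real:
            findings.append(f"policy destination {name} ({book[name]}) is not "
                            f"a destination NAT pool address")
    if "any" in pol_app:
        findings.append("policy permits application any")
    return findings


if __name__ == "__main__":
    for finding in audit(CONFIG, POOLS):
        print("REVIEW:", finding)
```
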
Results
From configuration mode [edit], confirm your configuration by entering the show security
nat destination and show security policies from-zone untrust to-zone DMZ commands.
If the output does not display the intended configuration, repeat the configuration
instructions in this example to correct it.
[edit]
user@srx210-host# show security nat destination
pool dst-nat-pool-1 {
    address 192.168.2.2/32;
}
rule-set rs1 {
    from interface ge-0/0/0.0;
    rule r1 {
        match {
            destination-address 1.1.1.3/29;
        }
        then {
            destination-nat {
                pool {
                    dst-nat-pool-1;
                }
            }
        }
Copyright © 2016, Juniper Networks, Inc.
Chapter 6: Configuring NAT for SRX Series