On 27/09/2012, at 6:51 AM, Spam <spam...@fioseurope.net> wrote:

> Hey All,
> Here's another SRX issue I'm having and need help on.
> My SRX is connected on 3 Ports. Each in its own Security Domain and subnet.
> Sec-Domain: Inside
> Subnet1: 10.10.10.0/24
> Subnet2: 20.20.20.0/24
> Sec-Domain: Outside
> Subnet: 59.xx.xx.xx/24  (Publicly Routed Addresses)
> Sec-Domain: ISP
> Subnet: 213.x.x.x/29 (Internet Uplink to ISP)

If I follow correctly, you only want to NAT the Inside Zone to the interface 
address on the Outside zone?

set security nat source rule-set OUTBOUND-NAT from zone Inside
set security nat source rule-set OUTBOUND-NAT to zone Outside
set security nat source rule-set OUTBOUND-NAT rule SNAT-OUTSIDE-IF match source-address 10.10.10.0/24
set security nat source rule-set OUTBOUND-NAT rule SNAT-OUTSIDE-IF match source-address 20.20.20.0/24
set security nat source rule-set OUTBOUND-NAT rule SNAT-OUTSIDE-IF match destination-address 0.0.0.0/0
set security nat source rule-set OUTBOUND-NAT rule SNAT-OUTSIDE-IF then source-nat interface

All you need to add is a security policy allowing traffic from your internal 
ranges in the Inside zone to any address in the Outside zone.

If you want, you can even match on source-address 0.0.0.0/0 so that if you add 
more subnets in the future, you won't have to touch the SNAT-OUTSIDE-IF rule.

Ben
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
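As an added example (not from the thread), the security policy Ben refers to but does not show, with two verification commands; the address-book and policy names are my own. The policy, not the NAT rule, is what bounds which sources may leave, so it stays tied to the two Inside subnets even if the SNAT match is later widened to 0.0.0.0/0.

```junos
# Named address objects for the two Inside subnets from the question (names assumed)
set security address-book global address NET-10-10-10-0 10.10.10.0/24
set security address-book global address NET-20-20-20-0 20.20.20.0/24
set security address-book global address-set INSIDE-NETS address NET-10-10-10-0
set security address-book global address-set INSIDE-NETS address NET-20-20-20-0

# Permit only those subnets from Inside to any address in Outside (policy name assumed)
set security policies from-zone Inside to-zone Outside policy INSIDE-TO-OUTSIDE match source-address INSIDE-NETS
set security policies from-zone Inside to-zone Outside policy INSIDE-TO-OUTSIDE match destination-address any
set security policies from-zone Inside to-zone Outside policy INSIDE-TO-OUTSIDE match application any
set security policies from-zone Inside to-zone Outside policy INSIDE-TO-OUTSIDE then permit
# Log at session close so the translated flows show up in syslog
set security policies from-zone Inside to-zone Outside policy INSIDE-TO-OUTSIDE then log session-close

# Operational-mode checks after commit: confirm the rule is loaded and that
# sessions from the Inside ranges are actually being translated
run show security nat source rule all
run show security flow session source-prefix 10.10.10.0/24
```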