Sounds like you're missing proxy ARP entries for these addresses on your
outside interface.


such as:


set security nat proxy-arp interface ge-0/0/0.0 address 59.1.1.5/32
set security nat proxy-arp interface ge-0/0/0.0 address 59.1.1.6/32


Jon Paulhamus [CCNP, JNCIP-ENT, MCSE]
Assistant Director of Technology
BLaST IU#17


visit us at http://www.iu17.org/

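Putting the two replies together, here is an added example (not the configuration of any poster in this thread) of the pool-based variant: the rule-set and zone names follow Ben's message, the Outside interface is assumed to be ge-0/0/0.0 as in the proxy-arp lines above, and the pool, rule and policy names are made up for the example. The `##` lines are comments for the reader, not set commands.

```junos
## Pool of public addresses to translate to. These must be /32 host entries
## inside the Outside interface's 59.1.1.0/24, not /24 entries.
set security nat source pool SNAT-POOL address 59.1.1.5/32 to 59.1.1.6/32

## Rule-set: Inside zone to Outside zone, translate to the pool instead of
## the interface address (rule name SNAT-OUTSIDE-POOL is an assumption).
set security nat source rule-set OUTBOUND-NAT from zone Inside
set security nat source rule-set OUTBOUND-NAT to zone Outside
set security nat source rule-set OUTBOUND-NAT rule SNAT-OUTSIDE-POOL match source-address 10.10.10.0/24
set security nat source rule-set OUTBOUND-NAT rule SNAT-OUTSIDE-POOL match source-address 20.20.20.0/24
set security nat source rule-set OUTBOUND-NAT rule SNAT-OUTSIDE-POOL match destination-address 0.0.0.0/0
set security nat source rule-set OUTBOUND-NAT rule SNAT-OUTSIDE-POOL then source-nat pool SNAT-POOL

## The pool addresses are not configured on any interface, so without these
## entries the SRX never answers ARP for them and the upstream router drops
## the return traffic. The interface's own 59.1.1.1 needs no entry; this is
## why interface-based NAT worked but the pool did not.
set security nat proxy-arp interface ge-0/0/0.0 address 59.1.1.5/32
set security nat proxy-arp interface ge-0/0/0.0 address 59.1.1.6/32

## Security policy the NAT rule-set depends on (policy name is an assumption).
set security policies from-zone Inside to-zone Outside policy PERMIT-OUT match source-address any
set security policies from-zone Inside to-zone Outside policy PERMIT-OUT match destination-address any
set security policies from-zone Inside to-zone Outside policy PERMIT-OUT match application any
set security policies from-zone Inside to-zone Outside policy PERMIT-OUT then permit
```

After committing, `show security nat source rule all` and `show security nat source pool all` confirm the rule is hit and pool addresses are being handed out, and `show security flow session` from an inside host shows the translated source in the reverse wing.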
________________________________________
From: Spam [spam...@fioseurope.net]
Sent: Friday, September 28, 2012 4:58 AM
To: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] SRX240 Source Natting

Thanks for the info, I can get NAT working when using the ext interface/IP as
the egress type, but when I try to use a NAT pool with the same address range
as the interface IP, it doesn't work.

Ext. Interface IP is: 59.1.1.1/24 and NAT Pool using 59.1.1.5/24 to 59.1.1.6/24
Have also tried 59.1.1.5/32 to 59.1.1.6/32 which also doesn't work.

Spammy

-----Original Message-----
From: Ben Dale <bd...@comlinx.com.au>
To: spam...@fioseurope.net
Cc: "juniper-nsp@puck.nether.net" <juniper-nsp@puck.nether.net>
Date: Thu, 27 Sep 2012 09:05:28 +1000
Subject: Re: [j-nsp] SRX240 Source Natting



On 27/09/2012, at 6:51 AM, Spam <spam...@fioseurope.net> wrote:

> Hey All,
> Here's another SRX issue I'm having and need help on..
> My SRX is connected on 3 Ports. Each in its own Security Domain and
> subnet.
> Sec-Domain: Inside
> Subnet1: 10.10.10.0/24
> Subnet2: 20.20.20.0/24
> Sec-Domain: Outside
> Subnet: 59.xx.xx.xx/24  (Publicly Routed Addresses)
> Sec-Domain: ISP
> Subnet: 213.x.x.x/29 (Internet Uplink to ISP)

If I follow correctly, you only want to NAT the Inside Zone to the interface
address on the Outside zone?

set security nat source rule-set OUTBOUND-NAT from zone Inside
set security nat source rule-set OUTBOUND-NAT to zone Outside
set security nat source rule-set OUTBOUND-NAT rule SNAT-OUTSIDE-IF match source-address 10.10.10.0/24
set security nat source rule-set OUTBOUND-NAT rule SNAT-OUTSIDE-IF match source-address 20.20.20.0/24
set security nat source rule-set OUTBOUND-NAT rule SNAT-OUTSIDE-IF match destination-address 0.0.0.0/0
set security nat source rule-set OUTBOUND-NAT rule SNAT-OUTSIDE-IF then source-nat interface

All you need to add is a security policy allowing traffic from your internal
ranges in the Inside zone to any address in the Outside zone.

If you want, you can even match on source-address 0.0.0.0/0 so that if you
add more subnets in the future, you won't have to touch the SNAT-OUTSIDE-IF
rule.

Ben
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp