Your static NAT config looks correct. Do you have any other static NAT rule-sets defined that could match the traffic (initiated from either side)? IIRC a session is only evaluated against a single NAT rule-set per NAT type, and if multiple match, it will pick the most specific.

I think the order (least to most specific) is: from routing-instance --> from zone --> from interface.

Another option would be to configure flow traceoptions to try to see why it's not NATing the traffic properly.

will

On Sep 7, 2012, at 9:01 PM, juniper-nsp-requ...@puck.nether.net wrote:

> Message: 1
> Date: Fri, 7 Sep 2012 15:22:34 -0400
> From: Oliver Garraux <oli...@g.garraux.net>
> To: juniper-nsp@puck.nether.net
> Subject: [j-nsp] SRX Static NAT - Not working in both directions
>
> Hey,
>
> I recently bought an SRX and have been trying the different NAT configuration options to become more familiar with JunOS.
>
> Static NAT isn't operating quite as I'd expect from the documentation. My understanding is that static NAT should be bidirectional, in that it should translate connections going in both directions.
>
> I'm using 192.168.32.0/24 on the interface connected to the rest of my network (ge-0/0/0.100), and 192.168.35.0/24 on vlan.200 on my SRX. ge-0/0/0.100 is in the "trust" zone, and vlan.200 is in the "user" zone.
>
> static {
>     rule-set user_to_trust {
>         from zone trust;
>         rule desktop1 {
>             match {
>                 destination-address 192.168.32.5/32;
>             }
>             then {
>                 static-nat prefix 192.168.35.200/32;
>             }
>         }
>     }
> }
> proxy-arp {
>     interface ge-0/0/0.100 {
>         address {
>             192.168.32.5/32;
>         }
>     }
> }
>
> I'm only seeing it translate connections coming in to the destination address (192.168.32.5). The source address on connections initiated by the "static-nat" address (192.168.35.200 - the address on the desktop sitting behind my SRX) is not being translated to 192.168.32.5. Am I misunderstanding how static NAT works?
>
> I've tried using an IP that is routed to the SRX (where no proxy-arp should have been required in that situation). I also don't see the address being translated when I look at these flows in "show security flow session", so I don't think this is an issue with proxy-arp. I'm permitting all traffic between the "user" and "trust" zones (in both directions) in my security policies.
>
> Here's one of the flow entries when I try to ping from 192.168.35.200 to 192.168.17.16
>
> Session ID: 21626, Policy name: permit-all/5, Timeout: 16, Valid
>  In: 192.168.35.200/25622 --> 192.168.17.16/1280;icmp, If: vlan.200, Pkts: 1, Bytes: 60
>  Out: 192.168.17.16/1280 --> 192.168.35.200/25622;icmp, If: ge-0/0/0.100, Pkts: 0, Bytes: 0
>
> Any ideas?
>
> Thanks,
>
> Oliver

_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
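As an added example (not part of the thread or of Junos), a small Python checker that parses `show security flow session` output in the format quoted above and flags sessions where a static NAT mapping was not applied, so the "is the address being translated?" check can be run over a whole session table rather than read by eye. It assumes the wing-line layout shown in Oliver's mail and the private/public pair from the thread (192.168.35.200 <-> 192.168.32.5); both samples are constructed.

```python
import re

# Constructed samples modelled on the "show security flow session" entry in the
# thread. First: a ping from 192.168.35.200 whose reverse wing still carries the
# private address (static NAT not applied). Second: the same session as it
# should look when translated, the Out wing addressed to 192.168.32.5.
SAMPLE_UNTRANSLATED = """\
Session ID: 21626, Policy name: permit-all/5, Timeout: 16, Valid
 In: 192.168.35.200/25622 --> 192.168.17.16/1280;icmp, If: vlan.200, Pkts: 1, Bytes: 60
 Out: 192.168.17.16/1280 --> 192.168.35.200/25622;icmp, If: ge-0/0/0.100, Pkts: 0, Bytes: 0
"""
SAMPLE_TRANSLATED = """\
Session ID: 21627, Policy name: permit-all/5, Timeout: 16, Valid
 In: 192.168.35.200/25623 --> 192.168.17.16/1281;icmp, If: vlan.200, Pkts: 1, Bytes: 60
 Out: 192.168.17.16/1281 --> 192.168.32.5/25623;icmp, If: ge-0/0/0.100, Pkts: 1, Bytes: 60
"""

# One "wing" line: direction, src/port --> dst/port;proto, If: ifname, ...
WING_RE = re.compile(
    r"^\s*(In|Out):\s+(\S+?)/(\d+)\s+-->\s+(\S+?)/(\d+);(\w+),\s+If:\s+(\S+),")

def parse_sessions(text):
    """Parse session blocks into dicts keyed 'id', 'In' and 'Out'."""
    sessions, cur = [], None
    for line in text.splitlines():
        m = re.match(r"Session ID:\s*(\d+)", line)
        if m:
            cur = {"id": int(m.group(1))}
            sessions.append(cur)
            continue
        m = WING_RE.match(line)
        if m and cur is not None:
            cur[m.group(1)] = {"src": m.group(2), "dst": m.group(4),
                               "proto": m.group(6), "if": m.group(7)}
    return sessions

def check_static_nat(session, private_ip, public_ip):
    """Return findings for one session against a static NAT pair. Junos shows
    original addresses on the In wing and translated ones on the Out wing."""
    inw, outw, findings = session.get("In"), session.get("Out"), []
    if not inw or not outw:
        return ["session %d: missing In/Out wing" % session["id"]]
    if inw["src"] == private_ip and outw["dst"] != public_ip:
        findings.append("session %d: source %s not translated to %s"
                        % (session["id"], private_ip, public_ip))
    if inw["dst"] == public_ip and outw["src"] != private_ip:
        findings.append("session %d: destination %s not translated to %s"
                        % (session["id"], public_ip, private_ip))
    return findings
```

Feed it the real `show security flow session` text and the checker reports, per session, which direction of the static mapping was skipped; an empty list means both wings agree with the mapping.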