Re: [j-nsp] order of operations for NAT & zone policy enforcement / SRX

2012-07-06 Thread pkc_mls
On 06/07/2012 3:56, Chris Hellberg wrote: The order is: screen options -> D-NAT -> route lookup -> policy -> S-NAT -> others. /chris --- This order implies that you must systematically use real IP addresses in your security policies, even if there is NAT involved; (this is a main differenc

Re: [j-nsp] order of operations for NAT & zone policy enforcement / SRX

2012-07-06 Thread Chris Hellberg
The order is: screen options -> D-NAT -> route lookup -> policy -> S-NAT -> others. /chris --- -Original Message- From: Ge Moua Sender: juniper-nsp-boun...@puck.nether.net Date: Fri, 06 Jul 2012 08:41:10 To: Subject: [j-nsp] order of operations for NAT & zone polic

[j-nsp] order of operations for NAT & zone policy enforcement / SRX

2012-07-06 Thread Ge Moua
j-nsp: I am running into an issue on Juniper SRX where I am seeing zone policy deny for destination-based NAT traffic (i.e., untrusted to trusted zone). My assumption for SRX order of operation is as follows: * perform zone policy enforcement (to dest NAT ip_addr / ARIN public) * perform NAT translat