How to Exclude Traffic from NAT on a Junos SRX

After you have configured SRX NAT services using either the egress interface or the pool method, you can create a rule to exclude certain traffic from the NAT process. This configuration can be done to allow certain servers (such as a public web or FTP site) to have public IP addresses on otherwise private LAN address space, but the choice is really up to the network administrator.

Naturally, you need a new rule. This one applies to 192.168.2.2 and is called NO_translate:

[edit security nat source rule-set internet-nat]
root# set rule NO_translate

Now, you need a match rule and action for the new rule so you can turn NAT off for 192.168.2.2, as shown here:

[edit security nat source rule-set internet-nat rule NO_translate]
root# set match source-address 192.168.2.2/32
root# set then source-nat off

It might look like you’re done, but you’re not.

If you commit this configuration, the SRX continues to translate 192.168.2.2, even though the rule is fine and the SRX should not translate it.

Here's what happened: The order of the rules is established by the order in which they're configured in the CLI. The NO_translate rule was added after you configured the basic admins-access rule, so the NO_translate rule was simply added after the existing admins-access rule. Unfortunately, because admins-access matches the entire LAN address space (192.168.2.0/24), no traffic is left for the NO-translate rule to match!

This is a common policy issue with Junos and is easy enough to fix. One statement puts the rule in the correct order:

[edit security nat source rule-set internet-nat]
root# insert rule NO_translate before rule admins-access

Always make sure your configured rules are in the proper order to achieve the results you want. As the number of rules grows, the possibility of error grows even faster.

blog comments powered by Disqus
Advertisement

Inside Dummies.com