Juniper SRX - How to perform source nat on Junos self originated packets - Junos 11.4
In Junos version 11.4, a new security zone, junos-host, was added to match traffic to and from the Junos device itself (self-traffic).
A few details here:
https://cn.juniper.net/techpubs/en_US/junos11.4/information-products/topic-collections/release-notes/11.4/index.html?topic-62163.html
How to do source NAT for Junos self-originated packets - Junos 11.4
Assuming the security zone facing the Internet is called internet in our Junos configuration, source NAT for Junos-originated packets towards the Internet can be achieved with the following config:
Code:
> show configuration security nat source rule-set self-internet
from zone junos-host;
to zone internet;
rule RE-internet {
    match {
        source-address 0.0.0.0/0;
    }
    then {
        source-nat {
            interface;
        }
    }
}
The same can be achieved with the equivalent set commands:
Code:
> show configuration security nat source rule-set self-internet | display set
set security nat source rule-set self-internet from zone junos-host
set security nat source rule-set self-internet to zone internet
set security nat source rule-set self-internet rule RE-internet match source-address 0.0.0.0/0
set security nat source rule-set self-internet rule RE-internet then source-nat interface
P.S.: Default configurations will not need source NAT, as Junos by default uses the IP of the outgoing interface as the source address. But for those rare cases when source NAT is really needed, this will help.
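The two forms above are the same rule-set printed hierarchically and as set commands. As an added example (not Juniper's code), the following Python flattens a Junos curly-brace fragment into the set lines that `| display set` would print, so the two forms can be checked against each other offline; the input is the page's rule-set, constructed here under its full `security nat source` hierarchy.

```python
# Added example (not Juniper's code): flatten a Junos curly-brace
# configuration fragment into the equivalent "set" commands, the way
# "| display set" does, so the two forms on this page can be compared.

# Constructed input: the self-internet rule-set from the page,
# re-rooted under its full hierarchy as it appears in the config.
SELF_INTERNET_RULESET = """
security {
    nat {
        source {
            rule-set self-internet {
                from zone junos-host;
                to zone internet;
                rule RE-internet {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
}
"""


def to_set_commands(config: str) -> list:
    """Return the "set ..." lines equivalent to a hierarchical Junos config.

    A line ending in '{' opens a level, '}' closes it, and a line ending
    in ';' is a leaf statement emitted with the full path of its enclosing
    levels. Comment lines (#) are skipped. Assumes balanced braces.
    """
    path = []
    commands = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "}":
            path.pop()
        elif line.endswith("{"):
            path.append(line[:-1].strip())
        elif line.endswith(";"):
            commands.append("set " + " ".join(path + [line[:-1].strip()]))
        else:
            raise ValueError(f"unexpected line: {raw!r}")
    if path:
        raise ValueError("unbalanced braces in configuration")
    return commands
```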