j-nsp: I am running into an issue on Juniper SRX where I am seeing zone policy deny for destination-based NAT traffic (i.e., untrusted to trusted zone). My assumption for SRX order of operation is as follows:

* perform zone policy enforcement (to dest NAT ip_addr / ARIN public)
* perform NAT translation for dest_ip

It would appear the order of operation here is reversed for flows that require destination-based NAT & zone policy enforcement:

* perform NAT translation for dest_ip
* perform zone policy enforcement (to real ip_addr / RFC-1918)

Comments or feedback would greatly be appreciated.

--
--
Regards,
Ge Moua
Univ of Minn Alumnus
--
_______________________________________________
juniper-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp
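An added example, not part of the original post and not a Juniper-supplied configuration: on SRX, destination NAT is applied before the security policy lookup, so the untrust-to-trust policy has to match the translated (real) address. All addresses, the pool, the rule-set, and the address-book and policy names below are constructed for illustration.

```junos
# Constructed sample: public address 203.0.113.10 is translated to the
# real server 10.1.1.10 in the trust zone (assumed values).

# Destination NAT, evaluated before the security policy lookup.
set security nat destination pool web-real address 10.1.1.10/32
set security nat destination rule-set from-untrust from zone untrust
set security nat destination rule-set from-untrust rule web-vip match destination-address 203.0.113.10/32
set security nat destination rule-set from-untrust rule web-vip then destination-nat pool web-real

# Address-book entries for both forms of the destination.
set security zones security-zone trust address-book address web-public 203.0.113.10/32
set security zones security-zone trust address-book address web-private 10.1.1.10/32

# Before: policy written against the public address. When the policy
# lookup runs, the destination is already 10.1.1.10, so this policy
# never matches and the flow falls through to a later or default deny.
set security policies from-zone untrust to-zone trust policy web-in-public match source-address any
set security policies from-zone untrust to-zone trust policy web-in-public match destination-address web-public
set security policies from-zone untrust to-zone trust policy web-in-public match application junos-http
set security policies from-zone untrust to-zone trust policy web-in-public then permit

# After: policy written against the real (post-NAT) address.
set security policies from-zone untrust to-zone trust policy web-in-real match source-address any
set security policies from-zone untrust to-zone trust policy web-in-real match destination-address web-private
set security policies from-zone untrust to-zone trust policy web-in-real match application junos-http
set security policies from-zone untrust to-zone trust policy web-in-real then permit
set security policies from-zone untrust to-zone trust policy web-in-real then log session-init

# Operational-mode checks after commit:
#   show security nat destination rule all     (translation hits on web-vip)
#   show security policies hit-count           (web-in-real increments, web-in-public stays at 0)
#   show security flow session destination-prefix 203.0.113.10
```

Because the policy now names the RFC 1918 address, keep the destination NAT rule's match as narrow as the published service so the permit does not cover more of the trust zone than intended.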

