
STATIC NAT and Security Policy on SRX


Hi everyone,

 

I apologize for the long-winded email, but I want to provide as much info as possible to get this concept straight.

 

Please consider following cases:

 

CASE1: STATIC NAT (Only Changing destination IP)

 

H1 199.199.199.1/24--------199.199.199.10/24 -F1 SRX F2 -10.10.10.1-------10.10.10.2 SERVER

 

F1 in Zone A

F2 in Zone B

 

All traffic from H1 destined to Server enters F1 on SRX with destination IP 200.200.200.2

SRX has a Static NAT where we change destination 200.200.200.2 to 10.10.10.2 and route it to Server.

 

Traffic from H1 to Server:

  1. Traffic enters F1 with destination IP 200.200.200.2 and SRC IP 199.199.199.1
  2. SRX has a static NAT rule which says all traffic with destination IP 200.200.200.2 and from Zone A must have its destination IP NATed to 10.10.10.2
  3. We configure our Security Policy on the POST NAT IP, which says all traffic from ZONE1 to ZONE2 is allowed; note that the reference Zones are determined after the NAT is already performed, and using a route lookup we determine "from Zone to Zone"
  4. Note the above order of operation, i.e. NAT then Security Policy evaluation

 

Return traffic:

From Server to H1

  1. Traffic enters F2 on SRX with SRC IP 10.10.10.2 and destination IP 199.199.199.1

What will happen next, NAT or Security Policy evaluation?

If NAT occurs first, i.e. SRC IP 10.10.10.2 is replaced by 200.200.200.2 and then Security Policy evaluation happens, then we have an issue:

 

200.200.200.2 is not configured on any interface on the SRX, so we cannot determine the Zone for the Security Policy.

 

If Security Policy evaluation occurs first, will the Zones for the Security Policy be determined based on the PRE NAT IPs, i.e. SRC IP 10.10.10.2 and destination IP 199.199.199.1?

 

################

 

Case2: (Only Changing SRC IP)

 

H1 199.199.199.1/24--------199.199.199.10/24 F1 SRX F2 10.10.10.1-------10.10.10.2 SERVER

F1 in Zone A

F2 in Zone B

GOAL:

All traffic from H1 must reach Server with SRC IP 10.10.10.10

Traffic from H1 to Server:

Traffic with SRC IP 199.199.199.1 and destination IP 10.10.10.2 enters F1 on the SRX.

 

Based on the order of operation diagram shown below, NAT occurs first

[Image: Capture.PNG (order-of-operations diagram)]

 

 

 

On the SRX we have a NAT rule that says all traffic from ZONE A must have its SRC NATed to 10.10.10.10

Based on the diagram above, Zones for Security Policies are determined on the POST NAT IP, i.e. SRC IP 10.10.10.10, right?

 

Return traffic:

 

Traffic with SRC IP 10.10.10.2 and destination IP 10.10.10.10 enters F2 on the SRX.

What will happen next?

Will the SRX first perform NAT, i.e. destination IP 10.10.10.10 is replaced by 199.199.199.1, and then Security Policy evaluation? If yes, are Security Zones determined based on the POST NAT IP?

 

OR

 

 

Security Policy evaluation first and then NAT? If yes, are Security Zones determined based on the PRE NAT IP?

 

#####################

 

Thanks and have a nice weekend!!
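As an added example that is not part of the original post, here is a Junos set-command configuration covering both cases described above, using the addresses and zones from the post. The interface names (ge-0/0/0.0 for F1, ge-0/0/1.0 for F2), the address-book names, and the rule-set, pool and policy names are assumptions made for this example. It is built on the documented SRX first-path order: static NAT and destination NAT are applied before the route lookup and policy lookup, so the to-zone and the policy's destination-address use the post-NAT destination (10.10.10.2), while source NAT is applied after the policy lookup, so the policy's source-address uses the pre-NAT source (199.199.199.1). Reply packets in either case are matched against the existing session and get the reverse translation from the session entry, so no second policy lookup is done for them.

```junos
# --- Case 1: static NAT, only the destination address changes ---
# Zone, interface and address-book names are assumptions for this example.
set security zones security-zone A interfaces ge-0/0/0.0
set security zones security-zone B interfaces ge-0/0/1.0
set security address-book global address H1 199.199.199.1/32
set security address-book global address SERVER-REAL 10.10.10.2/32

# Static NAT is applied in the first path before the route and policy lookup:
# destination 200.200.200.2 becomes 10.10.10.2 for packets arriving from zone A.
# The upstream router must route 200.200.200.2 towards F1 (199.199.199.10).
set security nat static rule-set STATIC-FROM-A from zone A
set security nat static rule-set STATIC-FROM-A rule SERVER match destination-address 200.200.200.2/32
set security nat static rule-set STATIC-FROM-A rule SERVER then static-nat prefix 10.10.10.2/32

# The policy is evaluated after static NAT, so destination-address is the
# post-NAT (real) address and the to-zone comes from the route to 10.10.10.2.
set security policies from-zone A to-zone B policy H1-TO-SERVER match source-address H1
set security policies from-zone A to-zone B policy H1-TO-SERVER match destination-address SERVER-REAL
set security policies from-zone A to-zone B policy H1-TO-SERVER match application any
set security policies from-zone A to-zone B policy H1-TO-SERVER then permit

# Static NAT is bidirectional. If SERVER opens a new session towards H1, its
# source 10.10.10.2 is translated to 200.200.200.2 after the policy lookup, so
# the B-to-A policy matches on the pre-NAT source address, not 200.200.200.2.
set security policies from-zone B to-zone A policy SERVER-TO-H1 match source-address SERVER-REAL
set security policies from-zone B to-zone A policy SERVER-TO-H1 match destination-address H1
set security policies from-zone B to-zone A policy SERVER-TO-H1 match application any
set security policies from-zone B to-zone A policy SERVER-TO-H1 then permit

# --- Case 2: source NAT, only the source address changes ---
# H1 -> SERVER leaves F2 with source 10.10.10.10.
set security nat source pool SNAT-10-10-10-10 address 10.10.10.10/32
set security nat source rule-set SNAT-A-TO-B from zone A
set security nat source rule-set SNAT-A-TO-B to zone B
set security nat source rule-set SNAT-A-TO-B rule H1-SNAT match source-address 199.199.199.1/32
set security nat source rule-set SNAT-A-TO-B rule H1-SNAT match destination-address 10.10.10.2/32
set security nat source rule-set SNAT-A-TO-B rule H1-SNAT then source-nat pool SNAT-10-10-10-10
# 10.10.10.10 is in the F2 subnet but is not an interface address, so F2 must
# answer ARP for it or SERVER's replies never reach the SRX.
set security nat proxy-arp interface ge-0/0/1.0 address 10.10.10.10/32

# No extra policy is needed: source NAT runs after the policy lookup, so the
# A-to-B policy above still matches the pre-NAT source H1 (199.199.199.1),
# not 10.10.10.10. SERVER's replies to 10.10.10.10 match the existing session
# and are untranslated back to 199.199.199.1 without a new policy lookup.
```

The lines starting with `#` are explanatory and should be dropped before pasting into `load set terminal`. After committing, `show security flow session` shows each session's In and Out wings with the original and translated addresses, and `show security nat static rule all` / `show security nat source rule all` show whether the translation rules are being hit, which is the quickest way to confirm which address the policy actually matched.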
