I recently implemented the dest NAT rule on my SRX300 in an attempt to put a gaming console (Nintendo Switch) in a DMZ.
Oddly enough, that rule incurs a 50% drop in ping success on the Untrust interface.
Deactivating the NAT rule restores 100% ping success.
Can anyone see why?
The Untrust IP is DHCP-assigned by the ISP, hence the match destination-address 0.0.0.0/0 clause, so that the rule doesn't break every time the IP changes.
# show security nat destination
rule-set dest-nat {
    from zone untrust;
    rule rule-Nintendo-Switch {
        match {
            destination-address 0.0.0.0/0;
            destination-port {
                45000 to 65535;
            }
        }
        then {
            destination-nat {
                pool {
                    dnat-Nintendo-Switch;
                }
            }
        }
    }
}
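As an added example (not part of the original post, and not a Juniper-provided configuration), the same rule written so that it is only a candidate for the transport protocols the console actually uses. The rule above carries no protocol qualifier, so any traffic arriving on the untrust zone is evaluated against the address and port match; adding a protocol match keeps the rule from being considered for anything other than TCP and UDP, which removes one variable when troubleshooting the ping drop. The pool name is taken from the post; the rule-set and rule names are kept as in the post, and the protocol list is an assumption about what the console needs.

```junos
# Added example: same destination NAT rule, restricted to TCP and UDP.
# Assumption: the Switch only needs TCP/UDP in 45000-65535; adjust if not.
security {
    nat {
        destination {
            rule-set dest-nat {
                from zone untrust;
                rule rule-Nintendo-Switch {
                    match {
                        destination-address 0.0.0.0/0;
                        destination-port {
                            45000 to 65535;
                        }
                        protocol [ tcp udp ];   # added: limit candidate protocols
                    }
                    then {
                        destination-nat {
                            pool {
                                dnat-Nintendo-Switch;
                            }
                        }
                    }
                }
            }
        }
    }
}

# Operational checks to compare before/after (run from operational mode):
# Translation hit counters per destination NAT rule:
show security nat destination rule all
# Sessions created for ICMP, to see whether echo traffic is being matched
# by the NAT rule (look at the "In"/"Out" legs and any translated address):
show security flow session protocol icmp
```

The counters in `show security nat destination rule all` increment per rule hit, so running it during a ping test on the untrust interface shows directly whether the pings that fail are the ones being pulled into the NAT rule, without having to deactivate the rule.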