Juniper SRX configuration - inbound Natting

kinsja1 used Ask the Experts™
I'm currently migrating away from my PIX firewalls to a pair of Juniper SRX240s. The problem I'm having is trying to match the existing settings for inbound NATting.

On the PIX, here's what I've got for MS Exchange, for example:

Static NAT rules that map public IPs to private IPs, and then an access rule that specifies the source addresses, destination addresses and the allowed ports. For example, my Exchange servers have a port service group with 80, 443, 25 allowed to 3 Exchange servers.

On Juniper - am I setting up destination NAT or static NAT? Most of the examples suggest destination NAT. I've gone through a single example of RDP and gotten it to work; however, when I tried to apply it to Exchange I ran into a number of issues.

Destination NAT Rule Set - I tried to add a new rule set for Exchange but get the error that the context is in conflict with my RDP rule set.

Could someone provide the CLI inputs for this?

ex001 - public IP (, private IP (, allowed inbound ports 80, 443, 25
ex002 - public IP (, private IP (, allowed inbound ports 80, 443, 25

A quick explanation of how best to set up the rule sets & rules in relation to, for example, Exchange servers, a couple of web servers, and RDP to some management servers.

Much appreciated. jk

Am I over complicating the whole process?

Could I just have a single Static NAT Rule Set with all my rules in it and then create firewall policies with source / destination / application?

If this is true, what are the rule-sets used for if all rules are placed in there?
Your comment above is correct. This is what I use to create the Mapped IP (MIP):

set security nat static rule-set static-nat from zone <untrust-zone>
set security nat static rule-set static-nat rule rule2 match destination-address <wanIP/32>
set security nat static rule-set static-nat rule rule2 then static-nat prefix <lanIP/32>

set security nat proxy-arp interface ge-0/0/0.0 address <wanIP/32>

After the MIP is done, I then create the policy with the applications/services I want to allow. I start with a policy that allows all source addresses and any application. Then, after testing that it all works, I narrow things down to specific applications or groups of applications. :)
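The asker's two-server case, written out as a complete set-style configuration (an added example, not from any post in this thread): one static NAT rule-set holding both Exchange mappings, proxy-ARP for the public addresses, and a single policy restricted to 80/443/25. All IPs, zone names and interface names are placeholders; it assumes the servers sit in a zone called trust and the outside interface is ge-0/0/0.0.

```junos
## Added example (placeholders throughout; not the original poster's config).
## One static NAT rule-set, scoped to the untrust zone. Each rule is a 1:1
## mapping; both Exchange hosts live in the same rule-set as separate rules.
set security nat static rule-set inbound-static from zone untrust
set security nat static rule-set inbound-static rule ex001 match destination-address <ex001-publicIP/32>
set security nat static rule-set inbound-static rule ex001 then static-nat prefix <ex001-privateIP/32>
set security nat static rule-set inbound-static rule ex002 match destination-address <ex002-publicIP/32>
set security nat static rule-set inbound-static rule ex002 then static-nat prefix <ex002-privateIP/32>

## Answer ARP for the public addresses on the outside interface, otherwise
## upstream devices never send the traffic to the SRX.
set security nat proxy-arp interface ge-0/0/0.0 address <ex001-publicIP/32>
set security nat proxy-arp interface ge-0/0/0.0 address <ex002-publicIP/32>

## Static NAT runs before policy lookup, so the policy matches the private
## (post-translation) addresses, not the public ones.
set security zones security-zone trust address-book address ex001 <ex001-privateIP/32>
set security zones security-zone trust address-book address ex002 <ex002-privateIP/32>
set security zones security-zone trust address-book address-set exchange-servers address ex001
set security zones security-zone trust address-book address-set exchange-servers address ex002

## Equivalent of the PIX service group: only HTTP, HTTPS and SMTP inbound.
set applications application-set exchange-inbound application junos-http
set applications application-set exchange-inbound application junos-https
set applications application-set exchange-inbound application junos-smtp

set security policies from-zone untrust to-zone trust policy exchange-inbound match source-address any
set security policies from-zone untrust to-zone trust policy exchange-inbound match destination-address exchange-servers
set security policies from-zone untrust to-zone trust policy exchange-inbound match application exchange-inbound
set security policies from-zone untrust to-zone trust policy exchange-inbound then permit
set security policies from-zone untrust to-zone trust policy exchange-inbound then log session-init
```

After commit, `show security nat static rule all` lists per-rule translation hit counts, and `show security flow session destination-prefix <ex001-privateIP>` confirms inbound sessions are landing on the private address with the expected policy name.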

I would only list what static, source and destination NATs do, as you already have CLIs.

Static NAT:
Is the first thing evaluated in the packet processing path, even before route/policy lookups, after screen. With static NAT you do not need to define policies for reverse traffic, and the session can be originated from either end.
Is always a 1:1 mapping.

Destination NAT:
Evaluated before route/policy lookups, when static NAT is absent. The session can be initiated only from one end [as configured]. You do not need a policy for the reverse traffic of the same session, but you do need a policy if you wish traffic to be initiated from the other end.

Source NAT:
Evaluated after route/policy lookup; similar to destination NAT in all other aspects related to policy and traffic initiation.

Thank you.