Static NAT in SRX

Today’s post is about static NAT configuration on the SRX firewall. I have the following topology, and the aim is to translate IP network to and vice versa.

JGW1 SRX has in its uplink zone facing interface and in its trust zone facing interface,
and the static NAT configuration for this setup is as follows;

root@JGW1# show security nat
static {
    rule-set stat-rs1 {
        from zone uplink;
        rule rule_for_ubuntus {
            match {
            then {
                static-nat {
                    prefix {

What this configuration really means is:

  • Match the traffic arriving at the uplink zone
  • If the destination address is within subnet
  • Then replace the destination IP address with one of the addresses within subnet

But which address replaces which? Static NAT requires an exact match: if your destination address has a 28-bit mask, your static-nat prefix must also be 28 bits, and the replacement is done as follows; -> ->

There is no need to write the rest; the mapping is one to one. The good thing about static NAT is that the reverse static NAT is also done automatically for you, which means; -> ->

Any packet leaving the SRX with IP address has it replaced by

In addition to this, we shouldn’t forget the security policy configuration, of course;

root@JGW1# show security policies
from-zone trust to-zone uplink {
    policy ubuntu-net-access {
        match {
            source-address ubuntu-net;
            destination-address any;
            application any;
        then {

*ubuntu-net is an address-book entry in the associated zone

If you have configured everything so far, you will see that the ubuntu3 host still cannot reach the outside network. Why? The thing is that the SRX doesn’t reply to ARP requests for the range. We must tell it to do so specifically by configuring proxy-arp as follows;

[edit security nat proxy-arp]
root@JGW1# show
interface ge-0/0/0.0 {
    address {;

*ge-0/0/0.0 is the uplink zone facing interface

Once you configure proxy ARP, your Ubuntu host should be able to reach out.

You will see that IP is replaced by . What does this mean? It means that if you set up the reverse security policies, any traffic destined to will be forwarded to automatically.

One thing that you should keep in mind is that there is no port translation in this type of NAT, because of which you have a relatively limited address space.
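To make the one-to-one mapping, the exact-netmask requirement, the automatic reverse translation and the proxy-ARP point concrete, here is a small added simulation (example code written for this post, not Junos or the author's configuration). The prefixes 203.0.113.16/28 and 192.0.2.0/28, the interface address and the rule name usage are constructed sample values, since the real addresses are not on the page.

```python
import ipaddress


class StaticNatRule:
    """One-to-one static NAT as described above: the destination prefix seen
    from the 'from' zone maps onto the host prefix, host bits preserved."""

    def __init__(self, name, destination, host):
        self.name = name
        self.destination = ipaddress.ip_network(destination)
        self.host = ipaddress.ip_network(host)
        # Static NAT requires an exact match: both prefixes must be the same length.
        if self.destination.prefixlen != self.host.prefixlen:
            raise ValueError(f"{name}: destination /{self.destination.prefixlen} "
                             f"and prefix /{self.host.prefixlen} differ")
        self.hits = 0  # mirrors 'Translation hits' in the show output

    @staticmethod
    def _shift(addr, src_net, dst_net):
        # Keep the host bits, swap the network bits: ports are never touched.
        host_bits = int(addr) & int(src_net.hostmask)
        return ipaddress.ip_address(int(dst_net.network_address) | host_bits)

    def translate_destination(self, dst):
        """Packet arriving at the 'from' zone: rewrite its destination, or None."""
        dst = ipaddress.ip_address(dst)
        if dst not in self.destination:
            return None
        self.hits += 1
        return self._shift(dst, self.destination, self.host)

    def translate_source(self, src):
        """Reverse static NAT for a packet leaving the SRX: rewrite its source."""
        src = ipaddress.ip_address(src)
        if src not in self.host:
            return None
        return self._shift(src, self.host, self.destination)


def answers_arp(target, interface_addr, proxy_arp_ranges=()):
    """Would the uplink interface answer ARP for 'target'? Only for its own
    address, or for ranges explicitly listed under security nat proxy-arp."""
    target = ipaddress.ip_address(target)
    if target == ipaddress.ip_address(interface_addr):
        return True
    return any(target in ipaddress.ip_network(r) for r in proxy_arp_ranges)


if __name__ == "__main__":
    rule = StaticNatRule("rule_for_ubuntus", "203.0.113.16/28", "192.0.2.0/28")  # constructed
    print(rule.translate_destination("203.0.113.21"), rule.translate_source("192.0.2.5"))
```

Without the proxy-arp range, answers_arp() returns False for every translated address except the interface's own, which is exactly why ubuntu3 stays unreachable until proxy ARP is configured.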

Below is also the output of my show command;

root@JGW1> show security nat static rule all
Total static-nat rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 2/0

Static NAT rule: rule_for_ubuntus     Rule-set: stat-rs1
  Rule-Id                    : 2
  Rule position              : 1
  From zone                  : uplink
  Destination addresses      :
  Host addresses             :
  Netmask                    : 28
  Host routing-instance      : N/A
  Translation hits           : 807

If there is any point not clear for you, please send your comment!

About: rtoodtoo

Worked for more than 10 years as a Network/Support Engineer and also interested in Python, Linux, Security and SD-WAN // JNCIE-SEC #223 / RHCE / PCNSE

7 thoughts on “Static NAT in SRX”

  1. The network in the trust zone is from to

    ubuntu3, what gateway is it using?

  2. Traffic from zone uplink has source-address, not destination-address. Why in the config did you write destination-address? Am I missing something? Thanks.

  3. Hello, can you help with how I can do this configuration in Juniper?

    interface FastEthernet0/0
    description LAN_
    ip address
    ip nat inside
    load-interval 30
    duplex auto
    speed auto

    interface FastEthernet0/1.101
    description WAN_
    encapsulation dot1Q 101
    ip address
    ip nat outside
    ip http server
    ip nat inside source static
    ip nat inside source static
