One of the easiest things to set up in IBM Cloud Classic infrastructure is a source NAT using a vSRX. With two blocks of configuration in your vSRX, you can allow your virtual machines and devices to access the Internet securely.

What do you need?

  • A vSRX gateway appliance.
  • One or more virtual machines. The virtual machines should be in route-through mode, using the vSRX as their next hop.

Diagram

The diagram below shows our example layout with the following items:

  • The vSRX has already been configured to act as the next-hop for the environment using 10.140.25.1 as the gateway IP address.
  • Three virtual machines have been provisioned on the 10.140.25.0/26 subnet.

Procedure

Updating our vSRX to perform source NAT requires two blocks of configuration:

  • The first block creates a security policy / firewall rule between the VSI_Private zone (which has been assigned to the 10.140.25.1 interface) and the SL-PUBLIC zone (assigned to the 169.54.78.242 interface).
  • The second block creates the rule stating that source addresses matching the VSI subnet (10.150.25.1/26) will be source NATted.

To proceed:

  • Log into your vSRX using the management interface.
  • Enter configuration mode by typing configure and pressing Enter.
  • Create the firewall policy. Note that the policy below is any/any and should be tightened for production environments.

    set security policies from-zone VSI_Private to-zone SL-PUBLIC policy SNAT description "Allow SNAT traffic"
    set security policies from-zone VSI_Private to-zone SL-PUBLIC policy SNAT match source-address any
    set security policies from-zone VSI_Private to-zone SL-PUBLIC policy SNAT match destination-address any
    set security policies from-zone VSI_Private to-zone SL-PUBLIC policy SNAT match application any
    set security policies from-zone VSI_Private to-zone SL-PUBLIC policy SNAT then permit

  • Create the source NAT rule set (the second block).

    set security nat source rule-set NAT_RULE_1 description "Rule to NAT out of the Public interface"
    set security nat source rule-set NAT_RULE_1 from zone VSI_Private
    set security nat source rule-set NAT_RULE_1 to zone SL-PUBLIC
    set security nat source rule-set NAT_RULE_1 rule NAT_r1 match source-address 10.140.25.0/26
    set security nat source rule-set NAT_RULE_1 rule NAT_r1 match destination-address 0.0.0.0/0
    set security nat source rule-set NAT_RULE_1 rule NAT_r1 then source-nat interface

  • Type commit and press Enter to save your changes.

That’s it! In a few seconds your virtual machines will be able to access the Internet securely.
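As an added example (not part of the original post), the following Python renders the two blocks above from parameters and adds two checks a practitioner would want before committing: it refuses a subnet whose host bits are set (so the NAT match covers exactly the prefix intended), and it can narrow the any/any policy to the VSI subnet instead of leaving it open. Zone, policy and rule-set names are parameters; the global address-book entry name VSI_SUBNET is an assumption of this example, not something the post uses.

```python
"""Render the vSRX source NAT configuration from parameters.

Added example, not the post's own code. With restrict_source=False it
reproduces the post's `set` commands line for line; with the default
restrict_source=True the policy matches only the VSI subnet via a global
address-book entry (name VSI_SUBNET is an assumption of this example).
"""
import ipaddress
from typing import List


def prefix_is_valid_network(prefix: str) -> bool:
    """True if prefix is a network address with host bits clear, e.g. 10.140.25.0/26.

    A prefix such as 10.140.25.1/26 has host bits set and is rejected, so the NAT
    match cannot silently cover a different range than the one intended.
    """
    try:
        ipaddress.ip_network(prefix, strict=True)
        return True
    except ValueError:
        return False


def render_snat_config(from_zone: str, to_zone: str, vsi_subnet: str,
                       policy_name: str = "SNAT", rule_set: str = "NAT_RULE_1",
                       rule_name: str = "NAT_r1",
                       restrict_source: bool = True) -> List[str]:
    """Return Junos `set` lines for the security policy and the source NAT rule-set."""
    if not prefix_is_valid_network(vsi_subnet):
        raise ValueError(f"{vsi_subnet} is not a network prefix (host bits set)")

    pol = f"set security policies from-zone {from_zone} to-zone {to_zone} policy {policy_name}"
    lines: List[str] = []
    if restrict_source:
        # Assumed address-book entry name for this example; the post matches 'any'.
        lines.append(f"set security address-book global address VSI_SUBNET {vsi_subnet}")
        source_match = "VSI_SUBNET"
    else:
        source_match = "any"

    # Block 1: zone-to-zone security policy permitting the traffic to be NATted.
    lines += [
        f'{pol} description "Allow SNAT traffic"',
        f"{pol} match source-address {source_match}",
        f"{pol} match destination-address any",
        f"{pol} match application any",
        f"{pol} then permit",
    ]

    # Block 2: source NAT rule-set translating the VSI subnet to the egress interface IP.
    rs = f"set security nat source rule-set {rule_set}"
    lines += [
        f'{rs} description "Rule to NAT out of the Public interface"',
        f"{rs} from zone {from_zone}",
        f"{rs} to zone {to_zone}",
        f"{rs} rule {rule_name} match source-address {vsi_subnet}",
        f"{rs} rule {rule_name} match destination-address 0.0.0.0/0",
        f"{rs} rule {rule_name} then source-nat interface",
    ]
    return lines


if __name__ == "__main__":
    # Same zones and subnet as the post's diagram; prints the tightened variant.
    for line in render_snat_config("VSI_Private", "SL-PUBLIC", "10.140.25.0/26"):
        print(line)
```

Paste the printed lines into configuration mode exactly as the post describes, then commit. Keeping the rendering in code makes the policy scope an explicit choice rather than something left at any/any by default.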

I’m Mike

I’ve got over 26 years of experience in IT, from physically building servers to designing data centers and, now, living the architect life in the Cloud and especially with VMware by Broadcom. All posts are my own and do not reflect the opinions of my employer.