Question 44 - JN0-637 discussion

In the scenario where internal users are trying to access the company's web server via its FQDN but the DNS server resolves to a private IP, two key actions are needed:

Static NAT (Answer B): Since the internal DNS server resolves the web server to its private IP address (10.10.10.4/24), you need to configure static NAT for both the DNS server and the webserver. This will ensure that requests coming from the internet will be translated to the web server's public IP (203.0.113.4) and the DNS server's public IP (203.0.113.2).

Example Command:

bash

set security nat static rule-set public-to-private from zone untrust

set security nat static rule-set public-to-private rule dns-server match destination-address 203.0.113.2/32

set security nat static rule-set public-to-private rule dns-server then static-nat-prefix 10.10.10.2/32

set security nat static rule-set public-to-private rule web-server match destination-address 203.0.113.4/32

set security nat static rule-set public-to-private rule web-server then static-nat-prefix 10.10.10.4/32

Proxy ARP (Answer D): The SRX needs to respond to ARP requests for the public IP addresses of both the DNS and webserver on the interface facing the internet (ge-0/0/3). This allows the SRX to handle requests directed at the public IPs.

Example Command:

set interfaces ge-0/0/3 unit 0 family inet proxy-arp interface-address 203.0.113.2/32

set interfaces ge-0/0/3 unit 0 family inet proxy-arp interface-address 203.0.113.4/32

These two configurations allow external users to access the internal web server via its public IP, as resolved by the DNS server.