This post is showing a simple destination NAT rule in which how you can use a transparent squid proxy to which you redirect your clients’ HTTP requests.
Our client device’s HTTP requests will be redirected to our Squid Proxy server on this topology i.e hostF won’t need any config for its requests to be proxied.
Below you will find a simple example for those who use Linux iptables and now need to use SRX NAT. I am giving destination and source nat examples in both systems to easily compare the way NAT is configured in both firewalls. In both scenarios I will use the following topology in which ubuntu3 is the client device behind two firewalls Linux(debian1) and j26 (srx firewall)
Prerequisites for this setup to work
Scenario 1
By using destination NAT, forward requests destined to 10.12.1.10 or 10.12.1.11 addresses on port 22 towards ubuntu3.
Starting with junos 11.4R5 (If I remember correctly), you can also forward ports by static nat configuration. We were able to do this only by destination nat feature but it was a bit clunky in comparison to this feature. Configuration is pretty straight forward. You redirect the port number
“80” in destination-port statement to the port 8080 in “mapped-port” statement. If your security policies are in place and if needed proxy-arps are configured, this config should be sufficient for port forwarding.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 |
root@srx# show security nat static { rule-set rs1 { from interface reth0.0; rule rl1 { match { destination-address 144.122.211.3/32; destination-port 80; } then { static-nat { prefix { 172.17.11.5/32; mapped-port 8080; } } } } } } |
When you are dealing with NAT in SRX, always keep in mind the order of NAT operations i.e 1) STATIC -> 2) DESTINATION -> 3) SOURCE
Static is the first in the chain. You can for example change the destination IP address of a packet and just after that modify the source address of the very same packet.
If you want to have the SET commands of this configuration simply go to [edit security nat] config level of your device and then paste it as instructed below and press CRTL^D to load it. Once you type “show |display set” you will get the SET commands.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 |
[edit security nat] root@branchC# load merge relative terminal [Type ^D at a new line to end input] static { rule-set rs1 { from interface reth0.0; rule rl1 { match { destination-address 144.122.211.3/32; destination-port 80; } then { static-nat { prefix { 172.17.11.5/32; mapped-port 8080; } } } } } } load complete [edit security nat] root@branchC# show | display set set security nat static rule-set rs1 from interface reth0.0 set security nat static rule-set rs1 rule rl1 match destination-address 144.122.211.3/32 set security nat static rule-set rs1 rule rl1 match destination-port 80 set security nat static rule-set rs1 rule rl1 then static-nat prefix 172.17.11.5/32 set security nat static rule-set rs1 rule rl1 then static-nat prefix mapped-port 8080 |
Happy port forwarding:)
Today’s post is about static NAT configuration in SRX firewall. I have the following topology and aim is to translate IP network 192.168.211.16/28 to 192.168.250.32/28 and vice versa.
JGW1 SRX has 192.168.250.1 in its uplink zone facing interface and 192.168.211.1 in trust zone facing interface
and the static nat configuration for this setup is as follows;
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 |
[edit] root@JGW1# show security nat static { rule-set stat-rs1 { from zone uplink; rule rule_for_ubuntus { match { destination-address 192.168.250.32/28; } then { static-nat { prefix { 192.168.211.16/28; } } } } } } |
What this configuration really mean is:
In today’s post I would like to give an example on how to configure destination port forwarding in juniper srx. For this purpose I am using an ubuntu linux running web service at TCP 80 port and an SRX firewall in front of it. Our aim is to forward any request arriving SRX box at IP 192.168.250.2 port 8080 to 192.168.211.20 port 80. i.e
192.168.250.2:8080 –> 192.168.211.20:80
**I assume we already assigned the SRX interfaces to uplink and trust zones in this post to keep the post as short as possible.
1) Configure destination nat and pool
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 |
[edit security nat] root@JGW1# show destination { pool web_pool { address 192.168.211.20/32 port 80; } rule-set myrs1 { from zone uplink; rule http_8080_ubuntu3 { match { source-address 0.0.0.0/0; destination-address 192.168.250.2/32; destination-port 8080; } then { destination-nat pool web_pool; } } } } |
For this purpose we create a pool named web_pool and redirect any requests coming from 0.0.0.0/0 any address to 192.168.250.2 at port 8080 to this web_pool which has the translated IP address and port. I hope it is clear up to now.
Doing NAT is very easy with SRX indeed. For example:
SOURCE NAT (INTERFACE BASED)
[edit security nat]
root@host# show | display set
set security nat source rule-set rs1 from zone trust
set security nat source rule-set rs1 to zone untrust
set security nat source rule-set rs1 rule rl1 match source-address 10.200.2.0/24
set security nat source rule-set rs1 rule rl1 then source-nat interface
We create one rule (rl1) inside a rule set (rs1) and NATing 10.200.20.0/24 network to the address of the exit interface. Pretty easy.
SOURCE NAT (WITH POOL)
[edit security nat]
root@host# show | display set
set security nat source pool pool-admins address 212.23.2.1 to 212.23.2.20
set security nat source rule-set rs1 from zone trust
set security nat source rule-set rs1 to zone untrust
set security nat source rule-set rs1 rule rl1 match source-address 10.200.2.0/24
set security nat source rule-set rs1 rule rl1 then source-nat pool pool-admins
In this pool example, instead of using interface address, we use addresses in the range 212.23.2.1 – 212.23.2.20
**TIP: If you need address persistence you should to set the following;
set security nat source address-persistent
