Category Archives: nat

Linux iptables to SRX NAT

Below you will find a simple example for those who use Linux iptables and now need to use SRX NAT. I am giving destination and source NAT examples on both systems so that the way NAT is configured on the two firewalls can be compared easily. In both scenarios I use the following topology, in which ubuntu3 is the client device behind the two firewalls, Linux (debian1) and j26 (the SRX firewall).

[Figure: linux_iptables_to_srx_nat topology diagram]

Prerequisites for this setup to work

  • IP addresses must be assigned to external interfaces on Linux and SRX
  • As both gateways are tested on the same topology, ubuntu3's default gateway should be changed to the SRX or to Linux as necessary during the test so that reverse traffic returns through the gateway under test.
  • Necessary security policies must be already set on SRX for this NAT to work.

Scenario 1
Using destination NAT, forward requests destined to 10.12.1.10 or 10.12.1.11 on port 22 to ubuntu3.

Continue reading

Port forwarding with new static nat feature

Starting with Junos 11.4R5 (if I remember correctly), you can also forward ports with a static NAT configuration. Previously this was possible only with the destination NAT feature, which was a bit clunky in comparison. The configuration is pretty straightforward: you redirect the port number “80” in the destination-port statement to port 8080 in the “mapped-port” statement. If your security policies are in place and any needed proxy-arps are configured, this config should be sufficient for port forwarding.

When you are dealing with NAT in SRX, always keep in mind the order of NAT operations, i.e. 1) STATIC -> 2) DESTINATION -> 3) SOURCE.
Static is first in the chain. You can, for example, change the destination IP address of a packet and right after that modify the source address of the very same packet.

If you want the SET commands for this configuration, simply go to the [edit security nat] configuration level of your device, paste the configuration as instructed below and press Ctrl-D to load it. Once you type “show | display set” you will get the SET commands.

Happy port forwarding:)

Static NAT in SRX

Today's post is about static NAT configuration on the SRX firewall. I have the following topology, and the aim is to translate the IP network 192.168.211.16/28 to 192.168.250.32/28 and vice versa.

JGW1 SRX has 192.168.250.1 on its uplink-zone-facing interface and 192.168.211.1 on its trust-zone-facing interface, and the static NAT configuration for this setup is as follows:

What this configuration really means is:

  • Match the traffic arriving at the uplink zone
  • If the destination address is within the 192.168.250.32/28 subnet
  • Then replace the destination IP address with the corresponding address within the 192.168.211.16/28 subnet

Continue reading

Port forwarding in SRX

In today's post I would like to give an example of how to configure destination port forwarding on Juniper SRX. For this purpose I am using an Ubuntu Linux host running a web service on TCP port 80 and an SRX firewall in front of it. Our aim is to forward any request arriving at the SRX at IP 192.168.250.2 port 8080 to 192.168.211.20 port 80, i.e.
192.168.250.2:8080 -> 192.168.211.20:80

**I assume we have already assigned the SRX interfaces to the uplink and trust zones, to keep this post as short as possible.

1) Configure destination nat and pool

For this purpose we create a pool named web_pool and redirect any request coming from any source address (0.0.0.0/0) to 192.168.250.2 port 8080 to this web_pool, which holds the translated IP address and port. I hope it is clear up to now.

Continue reading

Junos NAT

Doing NAT is indeed very easy with SRX. For example:

SOURCE NAT (INTERFACE BASED)

[edit security nat]
root@host# show | display set
set security nat source rule-set rs1 from zone trust
set security nat source rule-set rs1 to zone untrust
set security nat source rule-set rs1 rule rl1 match source-address 10.200.2.0/24
set security nat source rule-set rs1 rule rl1 then source-nat interface

We create one rule (rl1) inside a rule set (rs1) and NAT the 10.200.2.0/24 network to the address of the exit interface. Pretty easy.

SOURCE NAT (WITH POOL)

[edit security nat]
root@host# show | display set
set security nat source pool pool-admins address 212.23.2.1 to 212.23.2.20
set security nat source rule-set rs1 from zone trust
set security nat source rule-set rs1 to zone untrust
set security nat source rule-set rs1 rule rl1 match source-address 10.200.2.0/24
set security nat source rule-set rs1 rule rl1 then source-nat pool pool-admins

In this pool example, instead of using the interface address, we use addresses in the range 212.23.2.1 to 212.23.2.20.

**TIP: If you need address persistence you should set the following:

set security nat source address-persistent

Continue reading
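The NAT order of operations stressed above (static, then destination, then source) is easy to get wrong when reading rules in isolation. The following is an added Python model, not code from any of these posts or from Junos, that applies the address ranges used in this archive in that order to a sample packet; it assumes no zone or security-policy matching and picks the pool address by host offset, which is not how the SRX allocates pool addresses.

```python
from ipaddress import ip_address, ip_network

# Constructed rule table built from the three posts in this archive.
# Static NAT post: 192.168.250.32/28 <-> 192.168.211.16/28 (one-to-one, both directions)
STATIC = (ip_network("192.168.250.32/28"), ip_network("192.168.211.16/28"))
# Port forwarding post: 192.168.250.2:8080 -> 192.168.211.20:80
DNAT = {("192.168.250.2", 8080): ("192.168.211.20", 80)}
# Junos NAT post: 10.200.2.0/24 -> pool-admins 212.23.2.1 to 212.23.2.20
SNAT_MATCH = ip_network("10.200.2.0/24")
SNAT_POOL = [str(ip_address("212.23.2.1") + i) for i in range(20)]


def static_map(addr):
    """Return the one-to-one static NAT counterpart of addr, or addr unchanged."""
    a = ip_address(addr)
    for match, target in (STATIC, STATIC[::-1]):
        if a in match:
            # keep the host offset so the mapping is reversible
            return str(target[int(a) - int(match.network_address)])
    return addr


def translate(pkt):
    """Apply the SRX NAT chain in order: 1) static, 2) destination, 3) source.

    pkt is a dict with src, dst (strings) and dport (int). Zone matching and
    security-policy evaluation are deliberately left out of this model.
    """
    pkt = dict(pkt)
    # 1) static NAT: destination rewritten for traffic arriving at uplink,
    #    source rewritten for the reverse traffic coming from trust
    pkt["src"], pkt["dst"] = static_map(pkt["src"]), static_map(pkt["dst"])
    # 2) destination NAT: matched on the destination as it is after step 1
    key = (pkt["dst"], pkt["dport"])
    if key in DNAT:
        pkt["dst"], pkt["dport"] = DNAT[key]
    # 3) source NAT: the very same packet may now get its source changed too.
    #    Choosing the pool address by host offset is an assumption of this
    #    model; the SRX allocates pool addresses by its own rules.
    s = ip_address(pkt["src"])
    if s in SNAT_MATCH:
        pkt["src"] = SNAT_POOL[(int(s) - int(SNAT_MATCH.network_address)) % len(SNAT_POOL)]
    return pkt


if __name__ == "__main__":
    # an inbound request to a statically translated address (constructed sample)
    print(translate({"src": "203.0.113.7", "dst": "192.168.250.40", "dport": 22}))
    # an inside host whose destination and then source are both rewritten
    print(translate({"src": "10.200.2.5", "dst": "192.168.250.40", "dport": 22}))
```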