JNCIP-SEC [ 3 – Advanced NAT ]
In this post I would like to do some experiments on the Advanced NAT topics listed in the detailed exam guide. Here are the details:
1) Given a scenario, describe and implement static, source, destination, and dual NAT
2) Describe and implement variations of persistent NAT
3) Given a scenario, describe the interaction between NAT and security policy
Here is my test topology; the JunOS release is 10.4R6.5.
1) SOURCE, DESTINATION, STATIC and DUAL (double) NAT
a) SOURCE NAT
a.1) Interface Source NAT of PC1
First define the NAT match criteria and parameters. The commands below translate the source IP address 10.1.1.100 to the address of the exit interface if the packet comes from zone trust and is destined to any IP in zone wan:
[edit security nat source]
root@srx2# show
rule-set rs1 {
    from zone trust;
    to zone wan;
    rule rl1 {
        match {
            source-address 10.1.1.100/32;
            destination-address 0.0.0.0/0;
        }
        then {
            source-nat {
                interface;
            }
        }
    }
}
Once the above NAT rule is accompanied by a security policy like the one below, traffic should flow, provided the zone configuration is also correct:
[edit security policies]
root@srx2# show
from-zone trust to-zone wan {
    policy pc1-permit {
        match {
            source-address pc1;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
a.2) Source NAT of PC1 by using pool:
If you want to translate to a pool of IP addresses instead, here is a snippet:
[edit security nat]
root@srx2# show
source {
    pool pc-pool {
        address {
            172.16.1.10/32 to 172.16.1.20/32;
        }
    }
    rule-set rs1 {
        from zone trust;
        to zone wan;
        rule rl1 {
            match {
                source-address 10.1.1.0/24;
                destination-address 0.0.0.0/0;
            }
            then {
                source-nat {
                    pool {
                        pc-pool;
                    }
                }
            }
        }
    }
}
If the security policy is in place and you try to reach an outside address from PC1, you will see that there is no connectivity. But why? It is because srx2 doesn't send any ARP reply for the pool addresses we defined, since they aren't configured on any interface. That is why we must explicitly configure proxy ARP for this range. Here is the configlet:
[edit security nat proxy-arp]
root@srx2# show
interface ge-0/0/0.0 {
    address {
        172.16.1.10/32 to 172.16.1.20/32;
    }
}
When you commit this change, you will see the ARP table on SRX1 populated as below: all the IP addresses in this range now resolve to the MAC address of srx2.
root@srx1> show arp
MAC Address        Address         Name            Interface   Flags
78:19:f7:aa:d0:80  172.16.1.2      172.16.1.2      ge-0/0/1.0  none
78:19:f7:aa:d0:80  172.16.1.10     172.16.1.10     ge-0/0/1.0  none
78:19:f7:aa:d0:80  172.16.1.11     172.16.1.11     ge-0/0/1.0  none
78:19:f7:aa:d0:80  172.16.1.12     172.16.1.12     ge-0/0/1.0  none
78:19:f7:aa:d0:80  172.16.1.13     172.16.1.13     ge-0/0/1.0  none
78:19:f7:aa:d0:80  172.16.1.14     172.16.1.14     ge-0/0/1.0  none
78:19:f7:aa:d0:80  172.16.1.15     172.16.1.15     ge-0/0/1.0  none
78:19:f7:aa:d0:80  172.16.1.16     172.16.1.16     ge-0/0/1.0  none
78:19:f7:aa:d0:80  172.16.1.17     172.16.1.17     ge-0/0/1.0  none
78:19:f7:aa:d0:80  172.16.1.18     172.16.1.18     ge-0/0/1.0  none
78:19:f7:aa:d0:80  172.16.1.19     172.16.1.19     ge-0/0/1.0  none
78:19:f7:aa:d0:80  172.16.1.20     172.16.1.20     ge-0/0/1.0  none
00:26:5a:9a:48:c6  192.168.0.1     192.168.0.1     ge-0/0/0.0  none
f0:de:f1:0c:9b:c4  192.168.0.105   192.168.0.105   ge-0/0/0.0  none
Total entries: 14
When I activated this pool-based NAT, I wanted to see how the flow sessions look:
[edit security policies from-zone trust to-zone wan]
root@srx2# run show security flow session
Session ID: 452, Policy name: self-traffic-policy/1, Timeout: 1800, Valid
  In: 172.16.1.1/60334 --> 172.16.1.2/22;tcp, If: ge-0/0/0.0, Pkts: 1316, Bytes: 102840
  Out: 172.16.1.2/22 --> 172.16.1.1/60334;tcp, If: .local..0, Pkts: 1138, Bytes: 151209

Session ID: 632, Policy name: pc1-permit/4, Timeout: 16, Valid
  In: 10.1.1.100/47905 --> 77.72.169.135/11113;udp, If: ge-0/0/1.0, Pkts: 87, Bytes: 5823
  Out: 77.72.169.135/11113 --> 172.16.1.13/16590;udp, If: ge-0/0/0.0, Pkts: 87, Bytes: 13864

Session ID: 979, Policy name: pc1-permit/4, Timeout: 1800, Valid
  In: 10.1.1.100/1481 --> 213.136.29.196/80;tcp, If: ge-0/0/1.0, Pkts: 24554, Bytes: 1007010
  Out: 213.136.29.196/80 --> 172.16.1.18/4006;tcp, If: ge-0/0/0.0, Pkts: 47029, Bytes: 61028108

Session ID: 991, Policy name: pc1-permit/4, Timeout: 1800, Valid
  In: 10.1.1.100/1492 --> 80.239.148.176/80;tcp, If: ge-0/0/1.0, Pkts: 18482, Bytes: 758696
  Out: 80.239.148.176/80 --> 172.16.1.17/22131;tcp, If: ge-0/0/0.0, Pkts: 35122, Bytes: 45656092

Session ID: 1015, Policy name: pc1-permit/4, Timeout: 1772, Valid
  In: 10.1.1.100/1521 --> 74.125.79.104/80;tcp, If: ge-0/0/1.0, Pkts: 55, Bytes: 8639
  Out: 74.125.79.104/80 --> 172.16.1.16/27078;tcp, If: ge-0/0/0.0, Pkts: 92, Bytes: 93979

Session ID: 1016, Policy name: pc1-permit/4, Timeout: 1772, Valid
  In: 10.1.1.100/1522 --> 74.125.79.104/80;tcp, If: ge-0/0/1.0, Pkts: 60, Bytes: 5415
  Out: 74.125.79.104/80 --> 172.16.1.15/14051;tcp, If: ge-0/0/0.0, Pkts: 96, Bytes: 119546

Session ID: 1018, Policy name: pc1-permit/4, Timeout: 1758, Valid
  In: 10.1.1.100/1523 --> 74.125.79.132/80;tcp, If: ge-0/0/1.0, Pkts: 7, Bytes: 1115
  Out: 74.125.79.132/80 --> 172.16.1.13/7994;tcp, If: ge-0/0/0.0, Pkts: 8, Bytes: 5383

Session ID: 1020, Policy name: pc1-permit/4, Timeout: 1762, Valid
  In: 10.1.1.100/1524 --> 74.125.79.101/80;tcp, If: ge-0/0/1.0, Pkts: 9, Bytes: 3384
  Out: 74.125.79.101/80 --> 172.16.1.11/16286;tcp, If: ge-0/0/0.0, Pkts: 7, Bytes: 1897

Session ID: 1021, Policy name: pc1-permit/4, Timeout: 1766, Valid
  In: 10.1.1.100/1525 --> 74.125.79.101/80;tcp, If: ge-0/0/1.0, Pkts: 10, Bytes: 3510
  Out: 74.125.79.101/80 --> 172.16.1.10/9906;tcp, If: ge-0/0/0.0, Pkts: 7, Bytes: 2284

Session ID: 1033, Policy name: pc1-permit/4, Timeout: 1800, Valid
  In: 10.1.1.100/1536 --> 91.217.235.93/80;tcp, If: ge-0/0/1.0, Pkts: 1243, Bytes: 53022
  Out: 91.217.235.93/80 --> 172.16.1.20/8280;tcp, If: ge-0/0/0.0, Pkts: 2218, Bytes: 2880892
Total sessions: 10
During this test I started an Ubuntu Linux ISO download from ubuntu.com and some other traffic. Can you see how many different IP addresses I am using from a single PC? This may not be desired, depending on the requirements. You may want persistence, so that one inside source IP sticks to a single outside IP address. If you set this as below:
root@srx2# set security nat source address-persistent
your flow sessions will look something like this:
root@srx2> show security flow session application http
Session ID: 1165, Policy name: pc1-permit/4, Timeout: 1796, Valid
  In: 10.1.1.100/1608 --> 83.66.162.3/80;tcp, If: ge-0/0/1.0, Pkts: 56, Bytes: 9312
  Out: 83.66.162.3/80 --> 172.16.1.18/31434;tcp, If: ge-0/0/0.0, Pkts: 77, Bytes: 85814

Session ID: 1166, Policy name: pc1-permit/4, Timeout: 1796, Valid
  In: 10.1.1.100/1609 --> 83.66.162.3/80;tcp, If: ge-0/0/1.0, Pkts: 41, Bytes: 9034
  Out: 83.66.162.3/80 --> 172.16.1.18/25220;tcp, If: ge-0/0/0.0, Pkts: 50, Bytes: 53748

Session ID: 1174, Policy name: pc1-permit/4, Timeout: 1794, Valid
  In: 10.1.1.100/1614 --> 80.239.148.145/80;tcp, If: ge-0/0/1.0, Pkts: 10, Bytes: 1672
  Out: 80.239.148.145/80 --> 172.16.1.18/9468;tcp, If: ge-0/0/0.0, Pkts: 9, Bytes: 1794

Session ID: 1175, Policy name: pc1-permit/4, Timeout: 1794, Valid
  In: 10.1.1.100/1615 --> 83.66.162.3/80;tcp, If: ge-0/0/1.0, Pkts: 115, Bytes: 26194
  Out: 83.66.162.3/80 --> 172.16.1.18/1705;tcp, If: ge-0/0/0.0, Pkts: 178, Bytes: 198603

Session ID: 1177, Policy name: pc1-permit/4, Timeout: 1794, Valid
  In: 10.1.1.100/1617 --> 83.66.162.3/80;tcp, If: ge-0/0/1.0, Pkts: 121, Bytes: 30372
  Out: 83.66.162.3/80 --> 172.16.1.18/25670;tcp, If: ge-0/0/0.0, Pkts: 170, Bytes: 184161

Session ID: 1184, Policy name: pc1-permit/4, Timeout: 1790, Valid
  In: 10.1.1.100/1621 --> 2.16.107.55/80;tcp, If: ge-0/0/1.0, Pkts: 8, Bytes: 1906
  Out: 2.16.107.55/80 --> 172.16.1.18/3155;tcp, If: ge-0/0/0.0, Pkts: 8, Bytes: 1273

Session ID: 1189, Policy name: pc1-permit/4, Timeout: 1790, Valid
  In: 10.1.1.100/1623 --> 2.16.85.55/80;tcp, If: ge-0/0/1.0, Pkts: 7, Bytes: 926
  Out: 2.16.85.55/80 --> 172.16.1.18/25124;tcp, If: ge-0/0/0.0, Pkts: 7, Bytes: 1780
Do you see the difference? Every session from 10.1.1.100 now sticks to 172.16.1.18, thanks to the address-persistent feature.
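Counting pool addresses by eye in session output gets tedious on a busy box. The following Python, added here and not part of the original post, parses the wings of "show security flow session" output and reports which translated addresses each inside host was given, flagging hosts that spread over several pool addresses; the session text is a constructed sample modelled on the output above.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the 'show security flow session' output
# above: two sessions from PC1 on different pool addresses plus one
# untranslated self-traffic session (srx1 ssh-ing into srx2).
SAMPLE_SESSIONS = """\
Session ID: 979, Policy name: pc1-permit/4, Timeout: 1800, Valid
  In: 10.1.1.100/1481 --> 213.136.29.196/80;tcp, If: ge-0/0/1.0, Pkts: 24554, Bytes: 1007010
  Out: 213.136.29.196/80 --> 172.16.1.18/4006;tcp, If: ge-0/0/0.0, Pkts: 47029, Bytes: 61028108
Session ID: 991, Policy name: pc1-permit/4, Timeout: 1800, Valid
  In: 10.1.1.100/1492 --> 80.239.148.176/80;tcp, If: ge-0/0/1.0, Pkts: 18482, Bytes: 758696
  Out: 80.239.148.176/80 --> 172.16.1.17/22131;tcp, If: ge-0/0/0.0, Pkts: 35122, Bytes: 45656092
Session ID: 452, Policy name: self-traffic-policy/1, Timeout: 1800, Valid
  In: 172.16.1.1/60334 --> 172.16.1.2/22;tcp, If: ge-0/0/0.0, Pkts: 1316, Bytes: 102840
  Out: 172.16.1.2/22 --> 172.16.1.1/60334;tcp, If: .local..0, Pkts: 1138, Bytes: 151209
Total sessions: 3
"""

# One session wing: direction, source ip/port, destination ip/port, protocol.
WING = re.compile(r"^\s*(In|Out): ([\d.]+)/(\d+) --> ([\d.]+)/(\d+);(\w+)")

def parse_sessions(text):
    """Return (in_src, in_dst, out_dst) per session. out_dst is the address
    the remote peer replies to, i.e. the translated source under source NAT."""
    sessions, wings = [], {}
    for line in text.splitlines():
        m = WING.match(line)
        if not m:
            continue
        wings[m.group(1)] = (m.group(2), m.group(4))
        if "In" in wings and "Out" in wings:
            sessions.append((wings["In"][0], wings["In"][1], wings["Out"][1]))
            wings = {}
    return sessions

def translations_by_host(text):
    """Map each inside source address to the set of pool addresses it used.
    Sessions whose Out destination equals the In source were not source
    translated (self-traffic, untranslated flows) and are left out."""
    used = defaultdict(set)
    for in_src, _in_dst, out_dst in parse_sessions(text):
        if out_dst != in_src:
            used[in_src].add(out_dst)
    return dict(used)

def non_persistent_hosts(text):
    """Inside hosts spread across more than one pool address, which is what
    'set security nat source address-persistent' is meant to stop."""
    return sorted(h for h, ips in translations_by_host(text).items() if len(ips) > 1)
```

Run it against the persistent output above instead and non_persistent_hosts returns an empty list, since every session maps 10.1.1.100 to 172.16.1.18.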
b) Destination NAT
According to our diagram we have a web server behind srx2. What we want to do is to translate packets sent to IP address 172.16.1.30 port 80 to the internal IP address 10.1.1.101 of the web server. Let's do it:
[edit security nat destination]
root@srx2# show
pool web-server {
    address 10.1.1.101/32 port 80;
}
rule-set rs1 {
    from zone wan;
    rule rl1 {
        match {
            source-address 0.0.0.0/0;
            destination-address 172.16.1.30/32;
            destination-port 80;
        }
        then {
            destination-nat pool web-server;
        }
    }
}
[edit security zones security-zone trust address-book]
root@srx2# show
address pc1 10.1.1.100/32;
address web-server 10.1.1.101/32;
This destination NAT rule says: if a packet comes from zone wan, with any source address, destined to 172.16.1.30 port 80, translate the destination IP address to the address in the web-server pool. But this configlet isn't sufficient for DNAT to work. We should also add 172.16.1.30 to the proxy-arp settings, because srx2 doesn't reply to ARP requests for this IP address otherwise:
[edit security nat]
root@srx2# show proxy-arp
interface ge-0/0/0.0 {
    address {
        172.16.1.10/32 to 172.16.1.20/32;
        172.16.1.30/32;
    }
}
This is still not sufficient. We should also add a security policy that allows this particular traffic:
[edit security policies from-zone wan to-zone trust]
root@srx2# show
policy web-server-80 {
    match {
        source-address any;
        destination-address web-server;
        application junos-http;
    }
    then {
        permit;
    }
}
Now everything should be OK. Let's try to telnet to 172.16.1.30 port 80 from srx1:
root@srx1% telnet 172.16.1.30 80
Trying 172.16.1.30...
Connected to 172.16.1.30.
Escape character is '^]'.
GET /index.html HTTP/1.1

HTTP/1.1 400 Bad Request
Date: Tue, 06 Sep 2011 19:58:19 GMT
Server: Apache/2.2.17 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 301
Connection: close
Content-Type: text/html; charset=iso-8859-1

400 Bad Request
Bad Request
Your browser sent a request that this server could not understand.
Apache/2.2.17 (Ubuntu) Server at 127.0.1.1 Port 80
Connection closed by foreign host.
Now everything seems to work… The 400 is only Apache rejecting an HTTP/1.1 request sent without a Host header; what matters here is that the TCP connection to 172.16.1.30 was answered by the web server behind the destination NAT.
c) STATIC NAT
As the name implies, we statically map addresses from one zone to another. If we take the FTP server in our diagram, we would like to translate all requests to 172.16.1.31 to the inside address 10.1.1.102 without any port consideration. Static NAT is a one-to-one mapping of the whole address and works in both directions, so the same rule also translates the FTP server's own outbound traffic to 172.16.1.31. Here is how to do it:
First, the static NAT configuration:
[edit security nat static]
root@srx2# show
rule-set rs1 {
    from zone wan;
    rule rl1 {
        match {
            destination-address 172.16.1.31/32;
        }
        then {
            static-nat prefix 10.1.1.102/32;
        }
    }
}
Second, the security policy for this traffic:
[edit security policies from-zone wan to-zone trust]
root@srx2# show policy ftp-server
match {
    source-address any;
    destination-address ftp-server;
    application junos-ftp;
}
then {
    permit;
}
Third, the proxy ARP setting for 172.16.1.31:
root@srx2# set security nat proxy-arp interface ge-0/0/0.0 address 172.16.1.31/32
Finally, the address book entry for the new FTP server:
[edit security zones security-zone trust]
root@srx2# show address-book
address pc1 10.1.1.100/32;
address web-server 10.1.1.101/32;
address ftp-server 10.1.1.102/32;
Let's try an FTP connection from srx1:
root@srx1% ftp 172.16.1.31
Connected to 172.16.1.31.
220 ProFTPD 1.3.3d Server (Debian) [::ffff:10.1.1.102]
Name (172.16.1.31:root):
Wow, it works!
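The same mistake bit all three sections above: a translated address that nothing on srx2 answers ARP for (the pool in a.2, 172.16.1.30 in b, 172.16.1.31 in c). As an added example, not part of the original post, this Python pre-commit check expands Junos address entries and ranges and reports every NAT external address that is neither an interface address nor covered by proxy-arp on that interface. The data is taken from the srx2 configuration above at the point just before the static NAT proxy-arp line is committed; that srx2's ge-0/0/0.0 address is 172.16.1.2 is inferred from the self-traffic session, and its /24 mask is an assumption.

```python
import ipaddress

def expand(entry):
    """Expand a Junos address entry as written in NAT pools and proxy-arp:
    'A/32', 'A/24', or the range form 'A/32 to B/32'."""
    if " to " in entry:
        lo, hi = (ipaddress.ip_interface(p.strip()).ip for p in entry.split(" to "))
        return {ipaddress.ip_address(i) for i in range(int(lo), int(hi) + 1)}
    return set(ipaddress.ip_network(entry, strict=False))

def proxy_arp_gaps(interface_addrs, proxy_arp, nat_external):
    """Return, per interface, the NAT external addresses the SRX will never
    answer ARP for: neither an address of that interface nor covered by a
    proxy-arp entry on it. An empty dict means the neighbour (srx1 in the
    post) can resolve every translated address."""
    gaps = {}
    for ifl, entries in nat_external.items():
        answered = {ipaddress.ip_interface(a).ip for a in interface_addrs.get(ifl, [])}
        for e in proxy_arp.get(ifl, []):
            answered |= expand(e)
        needed = set().union(*(expand(e) for e in entries))
        missing = sorted(needed - answered)
        if missing:
            gaps[ifl] = [str(a) for a in missing]
    return gaps

# Constructed from the srx2 configuration in the post, before the static NAT
# proxy-arp line is committed. The /24 mask on ge-0/0/0.0 is an assumption;
# the post only shows the address 172.16.1.2.
INTERFACE_ADDRS = {"ge-0/0/0.0": ["172.16.1.2/24"]}
PROXY_ARP = {"ge-0/0/0.0": ["172.16.1.10/32 to 172.16.1.20/32", "172.16.1.30/32"]}
NAT_EXTERNAL = {"ge-0/0/0.0": [
    "172.16.1.10/32 to 172.16.1.20/32",  # source-nat pool pc-pool
    "172.16.1.30/32",                    # destination-nat pool web-server
    "172.16.1.31/32",                    # static-nat prefix for ftp-server
]}

if __name__ == "__main__":
    print(proxy_arp_gaps(INTERFACE_ADDRS, PROXY_ARP, NAT_EXTERNAL))
    # → {'ge-0/0/0.0': ['172.16.1.31']}
```

Interface source NAT (a.1) never shows up as a gap, because the exit interface's own address is always answered.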
Hello, thanks for your share and the detailed analysis.
I am working on the SRX210 with dual WAN and HA. I found that the static-nat will get a problem when outgoing. The packet will go through via the FW untrust IP rather than the static-nat IP. It is so troublesome, I need to add the destination-nat to fix this problem. Do you have the same experience?
Hello Jacky,
I haven't experienced such a problem, but if you send me a sample config and scenario along with the JunOS version you use, I can look into it as soon as I have time.
Regards
Way too late to be helpful, but posting in case anyone is ever reading this: this can be done with VRFs. Once you bind ISP1's link to an interface on VRF1 and bind ISP2's link to an interface belonging to VRF2, only the policies that could possibly match traffic traversing these zones will be enacted.