JNCIP-SEC [ 3 – Advanced NAT ]

In this post I would like to do some experiments on Advanced NAT topics according to the detailed exam guide. Here are the relevant items:

1) Given a scenario, describe and implement static, source, destination, and dual NAT
2) Describe and implement variations of persistent NAT
3) Given a scenario, describe the interaction between NAT and security policy
Here is my test topology (the JunOS release is 10.4R6.5):


1) SOURCE, DESTINATION, STATIC and DUAL (double) NAT
a) SOURCE NAT
a.1) Interface Source NAT of PC1
First define the NAT match criteria. The configuration below source-NATs the IP address 10.1.1.100 to the address of the exit interface if the packet comes from zone trust and is destined to any IP in zone wan:

[edit security nat source]
root@srx2# show
rule-set rs1 {
    from zone trust;
    to zone wan;
    rule rl1 {
        match {
            source-address 10.1.1.100/32;
            destination-address 0.0.0.0/0;
        }
        then {
            source-nat {
                interface;
            }
        }
    }
}

Once the above NAT rule is accompanied by a security policy like the one below, traffic should flow, provided the zone configuration is also correct:

[edit security policies]
root@srx2# show
from-zone trust to-zone wan {
    policy pc1-permit {
        match {
            source-address pc1;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}

a.2) Source NAT of PC1 by using a pool:
If you want to use a pool of IP addresses instead, here is a snippet:

[edit security nat]
root@srx2# show
source {
    pool pc-pool {
        address {
            172.16.1.10/32 to 172.16.1.20/32;
        }
    }
    rule-set rs1 {
        from zone trust;
        to zone wan;
        rule rl1 {
            match {
                source-address 10.1.1.0/24;
                destination-address 0.0.0.0/0;
            }
            then {
                source-nat {
                    pool {
                        pc-pool;
                    }
                }
            }
        }
    }
}

If the security policy is in place and you try to reach an outside address from PC1, you will see that there is no connectivity. But why? It is because srx2 doesn't send any arp-reply for the pool addresses we defined, since they aren't configured on any interface. That is why we must explicitly set proxy-arp for this range. Here is the configlet:

[edit security nat proxy-arp]
root@srx2# show
interface ge-0/0/0.0 {
    address {
        172.16.1.10/32 to 172.16.1.20/32;
    }
}

When you commit this change, you will see the following populated arp table on srx1. All the IP addresses in this range are now available:

root@srx1> show arp
MAC Address       Address         Name                      Interface           Flags
78:19:f7:aa:d0:80 172.16.1.2      172.16.1.2                ge-0/0/1.0          none
78:19:f7:aa:d0:80 172.16.1.10     172.16.1.10               ge-0/0/1.0          none
78:19:f7:aa:d0:80 172.16.1.11     172.16.1.11               ge-0/0/1.0          none
78:19:f7:aa:d0:80 172.16.1.12     172.16.1.12               ge-0/0/1.0          none
78:19:f7:aa:d0:80 172.16.1.13     172.16.1.13               ge-0/0/1.0          none
78:19:f7:aa:d0:80 172.16.1.14     172.16.1.14               ge-0/0/1.0          none
78:19:f7:aa:d0:80 172.16.1.15     172.16.1.15               ge-0/0/1.0          none
78:19:f7:aa:d0:80 172.16.1.16     172.16.1.16               ge-0/0/1.0          none
78:19:f7:aa:d0:80 172.16.1.17     172.16.1.17               ge-0/0/1.0          none
78:19:f7:aa:d0:80 172.16.1.18     172.16.1.18               ge-0/0/1.0          none
78:19:f7:aa:d0:80 172.16.1.19     172.16.1.19               ge-0/0/1.0          none
78:19:f7:aa:d0:80 172.16.1.20     172.16.1.20               ge-0/0/1.0          none
00:26:5a:9a:48:c6 192.168.0.1     192.168.0.1               ge-0/0/0.0          none
f0:de:f1:0c:9b:c4 192.168.0.105   192.168.0.105             ge-0/0/0.0          none
Total entries: 14
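The missing proxy-arp entry above is easy to reproduce whenever a pool is extended or a new translated address is added, so a small coverage check is worth having. The following Python is an added example, not part of the original post or of Junos: it models the proxy-arp and pool configlets from this post and reports every translated address that srx2 would not answer ARP for. The interface address 172.16.1.2/24 on ge-0/0/0.0 is an assumption drawn from the arp table above.

```python
import ipaddress

# Constructed model of the srx2 configuration shown in this post (addresses from
# the configlets above; the interface address 172.16.1.2/24 on ge-0/0/0.0 is an
# assumption based on the arp table seen on srx1).
INTERFACE_ADDRESSES = {"ge-0/0/0.0": ["172.16.1.2/24"]}

# Translated addresses that outside hosts must be able to resolve: the source pool.
NAT_ENTRIES = ["172.16.1.10/32 to 172.16.1.20/32"]

# [edit security nat proxy-arp] before and after the fix described above.
PROXY_ARP_BEFORE = {}
PROXY_ARP_AFTER = {"ge-0/0/0.0": ["172.16.1.10/32 to 172.16.1.20/32"]}


def expand(entry):
    """Expand one Junos address entry ('A/32 to B/32' range or a prefix) into
    the set of IPv4 addresses it names.  Iterating a network yields every
    address in it, so a /32 expands to exactly one address."""
    if " to " in entry:
        lo, hi = (ipaddress.ip_network(p.strip(), strict=False).network_address
                  for p in entry.split(" to "))
        return {ipaddress.ip_address(i) for i in range(int(lo), int(hi) + 1)}
    return set(ipaddress.ip_network(entry.strip(), strict=False))


def uncovered_nat_addresses(nat_entries, proxy_arp, interface_addresses):
    """Return, sorted, every translated address the SRX would not answer ARP
    for: it is neither an interface address nor inside a proxy-arp range."""
    answered = set()
    for entries in proxy_arp.values():
        for entry in entries:
            answered |= expand(entry)
    for entries in interface_addresses.values():
        for entry in entries:
            answered.add(ipaddress.ip_interface(entry).ip)
    wanted = set()
    for entry in nat_entries:
        wanted |= expand(entry)
    return sorted(wanted - answered)


if __name__ == "__main__":
    for label, cfg in (("before", PROXY_ARP_BEFORE), ("after", PROXY_ARP_AFTER)):
        missing = uncovered_nat_addresses(NAT_ENTRIES, cfg, INTERFACE_ADDRESSES)
        print(f"proxy-arp {label}: {len(missing)} pool address(es) unanswered", missing)
```

Running it reports all eleven pool addresses as unanswered before the proxy-arp configlet and none after it; the same check applies to any address a NAT rule makes the SRX responsible for on the outside interface, as long as it is not the interface's own address.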

When I activated this pool-based NAT, I wanted to see what the flow sessions look like:

[edit security policies from-zone trust to-zone wan]
root@srx2# run show security flow session
Session ID: 452, Policy name: self-traffic-policy/1, Timeout: 1800, Valid
  In: 172.16.1.1/60334 --> 172.16.1.2/22;tcp, If: ge-0/0/0.0, Pkts: 1316, Bytes: 102840
  Out: 172.16.1.2/22 --> 172.16.1.1/60334;tcp, If: .local..0, Pkts: 1138, Bytes: 151209

Session ID: 632, Policy name: pc1-permit/4, Timeout: 16, Valid
  In: 10.1.1.100/47905 --> 77.72.169.135/11113;udp, If: ge-0/0/1.0, Pkts: 87, Bytes: 5823
  Out: 77.72.169.135/11113 --> 172.16.1.13/16590;udp, If: ge-0/0/0.0, Pkts: 87, Bytes: 13864

Session ID: 979, Policy name: pc1-permit/4, Timeout: 1800, Valid
  In: 10.1.1.100/1481 --> 213.136.29.196/80;tcp, If: ge-0/0/1.0, Pkts: 24554, Bytes: 1007010
  Out: 213.136.29.196/80 --> 172.16.1.18/4006;tcp, If: ge-0/0/0.0, Pkts: 47029, Bytes: 61028108

Session ID: 991, Policy name: pc1-permit/4, Timeout: 1800, Valid
  In: 10.1.1.100/1492 --> 80.239.148.176/80;tcp, If: ge-0/0/1.0, Pkts: 18482, Bytes: 758696
  Out: 80.239.148.176/80 --> 172.16.1.17/22131;tcp, If: ge-0/0/0.0, Pkts: 35122, Bytes: 45656092

Session ID: 1015, Policy name: pc1-permit/4, Timeout: 1772, Valid
  In: 10.1.1.100/1521 --> 74.125.79.104/80;tcp, If: ge-0/0/1.0, Pkts: 55, Bytes: 8639
  Out: 74.125.79.104/80 --> 172.16.1.16/27078;tcp, If: ge-0/0/0.0, Pkts: 92, Bytes: 93979

Session ID: 1016, Policy name: pc1-permit/4, Timeout: 1772, Valid
  In: 10.1.1.100/1522 --> 74.125.79.104/80;tcp, If: ge-0/0/1.0, Pkts: 60, Bytes: 5415
  Out: 74.125.79.104/80 --> 172.16.1.15/14051;tcp, If: ge-0/0/0.0, Pkts: 96, Bytes: 119546

Session ID: 1018, Policy name: pc1-permit/4, Timeout: 1758, Valid
  In: 10.1.1.100/1523 --> 74.125.79.132/80;tcp, If: ge-0/0/1.0, Pkts: 7, Bytes: 1115
  Out: 74.125.79.132/80 --> 172.16.1.13/7994;tcp, If: ge-0/0/0.0, Pkts: 8, Bytes: 5383

Session ID: 1020, Policy name: pc1-permit/4, Timeout: 1762, Valid
  In: 10.1.1.100/1524 --> 74.125.79.101/80;tcp, If: ge-0/0/1.0, Pkts: 9, Bytes: 3384
  Out: 74.125.79.101/80 --> 172.16.1.11/16286;tcp, If: ge-0/0/0.0, Pkts: 7, Bytes: 1897

Session ID: 1021, Policy name: pc1-permit/4, Timeout: 1766, Valid
  In: 10.1.1.100/1525 --> 74.125.79.101/80;tcp, If: ge-0/0/1.0, Pkts: 10, Bytes: 3510
  Out: 74.125.79.101/80 --> 172.16.1.10/9906;tcp, If: ge-0/0/0.0, Pkts: 7, Bytes: 2284

Session ID: 1033, Policy name: pc1-permit/4, Timeout: 1800, Valid
  In: 10.1.1.100/1536 --> 91.217.235.93/80;tcp, If: ge-0/0/1.0, Pkts: 1243, Bytes: 53022
  Out: 91.217.235.93/80 --> 172.16.1.20/8280;tcp, If: ge-0/0/0.0, Pkts: 2218, Bytes: 2880892
Total sessions: 10

During this test I started an Ubuntu Linux ISO download from ubuntu.com along with some other traffic. Can you see how many different IP addresses I am using from a single PC? This may not be desired depending on the requirements. You may want persistence, so that one source IP sticks to a single outside IP address. If you set this as below:
root@srx2# set security nat source address-persistent
your flow sessions will look something like this:

root@srx2> show security flow session application http
Session ID: 1165, Policy name: pc1-permit/4, Timeout: 1796, Valid
  In: 10.1.1.100/1608 --> 83.66.162.3/80;tcp, If: ge-0/0/1.0, Pkts: 56, Bytes: 9312
  Out: 83.66.162.3/80 --> 172.16.1.18/31434;tcp, If: ge-0/0/0.0, Pkts: 77, Bytes: 85814

Session ID: 1166, Policy name: pc1-permit/4, Timeout: 1796, Valid
  In: 10.1.1.100/1609 --> 83.66.162.3/80;tcp, If: ge-0/0/1.0, Pkts: 41, Bytes: 9034
  Out: 83.66.162.3/80 --> 172.16.1.18/25220;tcp, If: ge-0/0/0.0, Pkts: 50, Bytes: 53748

Session ID: 1174, Policy name: pc1-permit/4, Timeout: 1794, Valid
  In: 10.1.1.100/1614 --> 80.239.148.145/80;tcp, If: ge-0/0/1.0, Pkts: 10, Bytes: 1672
  Out: 80.239.148.145/80 --> 172.16.1.18/9468;tcp, If: ge-0/0/0.0, Pkts: 9, Bytes: 1794

Session ID: 1175, Policy name: pc1-permit/4, Timeout: 1794, Valid
  In: 10.1.1.100/1615 --> 83.66.162.3/80;tcp, If: ge-0/0/1.0, Pkts: 115, Bytes: 26194
  Out: 83.66.162.3/80 --> 172.16.1.18/1705;tcp, If: ge-0/0/0.0, Pkts: 178, Bytes: 198603

Session ID: 1177, Policy name: pc1-permit/4, Timeout: 1794, Valid
  In: 10.1.1.100/1617 --> 83.66.162.3/80;tcp, If: ge-0/0/1.0, Pkts: 121, Bytes: 30372
  Out: 83.66.162.3/80 --> 172.16.1.18/25670;tcp, If: ge-0/0/0.0, Pkts: 170, Bytes: 184161

Session ID: 1184, Policy name: pc1-permit/4, Timeout: 1790, Valid
  In: 10.1.1.100/1621 --> 2.16.107.55/80;tcp, If: ge-0/0/1.0, Pkts: 8, Bytes: 1906
  Out: 2.16.107.55/80 --> 172.16.1.18/3155;tcp, If: ge-0/0/0.0, Pkts: 8, Bytes: 1273

Session ID: 1189, Policy name: pc1-permit/4, Timeout: 1790, Valid
  In: 10.1.1.100/1623 --> 2.16.85.55/80;tcp, If: ge-0/0/1.0, Pkts: 7, Bytes: 926
  Out: 2.16.85.55/80 --> 172.16.1.18/25124;tcp, If: ge-0/0/0.0, Pkts: 7, Bytes: 1780

Do you see the difference? We stick to one address by using the persistent address feature.
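To make that difference checkable rather than eyeballed, here is an added Python example (not from the original post) that parses the "show security flow session" output format shown above, maps every internal source to the set of translated addresses seen on the Out wing, and lists hosts that are spread across more than one pool address. The session text below is a constructed sample modelled on the author's output, not captured from a device.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the "show security flow session" output above
# (not copied from a real device): one internal host with two sessions that
# were translated to different pool addresses, plus one untranslated session.
SAMPLE_SESSIONS = """\
Session ID: 1165, Policy name: pc1-permit/4, Timeout: 1796, Valid
  In: 10.1.1.100/1608 --> 83.66.162.3/80;tcp, If: ge-0/0/1.0, Pkts: 56, Bytes: 9312
  Out: 83.66.162.3/80 --> 172.16.1.18/31434;tcp, If: ge-0/0/0.0, Pkts: 77, Bytes: 85814

Session ID: 1166, Policy name: pc1-permit/4, Timeout: 1796, Valid
  In: 10.1.1.100/1609 --> 80.239.148.145/80;tcp, If: ge-0/0/1.0, Pkts: 41, Bytes: 9034
  Out: 80.239.148.145/80 --> 172.16.1.13/25220;tcp, If: ge-0/0/0.0, Pkts: 50, Bytes: 53748

Session ID: 452, Policy name: self-traffic-policy/1, Timeout: 1800, Valid
  In: 172.16.1.1/60334 --> 172.16.1.2/22;tcp, If: ge-0/0/0.0, Pkts: 1316, Bytes: 102840
  Out: 172.16.1.2/22 --> 172.16.1.1/60334;tcp, If: .local..0, Pkts: 1138, Bytes: 151209
"""

# One session wing: "  In: src/sport --> dst/dport;proto, If: ..., Pkts: ..., Bytes: ..."
WING_RE = re.compile(r"^\s*(In|Out):\s+(\S+)/(\d+)\s+-->\s+(\S+)/(\d+);(\w+)")


def parse_sessions(text):
    """Return a list of {'in': wing, 'out': wing} dicts, one per complete session."""
    sessions = []
    current = None
    for line in text.splitlines():
        if line.startswith("Session ID:"):
            current = {"in": None, "out": None}
            sessions.append(current)
            continue
        m = WING_RE.match(line)
        if m and current is not None:
            direction, src, sport, dst, dport, proto = m.groups()
            current[direction.lower()] = {
                "src": src, "sport": int(sport),
                "dst": dst, "dport": int(dport), "proto": proto,
            }
    return [s for s in sessions if s["in"] and s["out"]]


def translated_sources(sessions):
    """Map each original source IP (In wing) to the set of translated addresses
    (Out-wing destination).  A session whose Out destination equals the In
    source was not source-NATed and is skipped."""
    seen = defaultdict(set)
    for s in sessions:
        original, translated = s["in"]["src"], s["out"]["dst"]
        if translated != original:
            seen[original].add(translated)
    return dict(seen)


def non_persistent_hosts(sessions):
    """Internal hosts that currently own sessions on more than one pool address,
    i.e. hosts for which address-persistent is not in effect."""
    return sorted(h for h, ips in translated_sources(sessions).items() if len(ips) > 1)


if __name__ == "__main__":
    parsed = parse_sessions(SAMPLE_SESSIONS)
    for host, ips in translated_sources(parsed).items():
        print(host, "->", sorted(ips))
    print("spread across several pool addresses:", non_persistent_hosts(parsed))
```

Feed it the real output of "show security flow session" and an empty result from non_persistent_hosts confirms the persistence setting is doing its job; a non-empty one points at the hosts still round-robining through the pool.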

b) Destination NAT
According to our diagram we have a web server behind srx2. What we want to do is NAT packets sent to the IP address 172.16.1.30 on port 80 to the internal IP address 10.1.1.101 of the web server. Let's do it:

[edit security nat destination]
root@srx2# show
pool web-server {
    address 10.1.1.101/32 port 80;
}
rule-set rs1 {
    from zone wan;
    rule rl1 {
        match {
            source-address 0.0.0.0/0;
            destination-address 172.16.1.30/32;
            destination-port 80;
        }
        then {
            destination-nat pool web-server;
        }
    }
}
[edit security zones security-zone trust address-book]
root@srx2# show
address pc1 10.1.1.100/32;
address web-server 10.1.1.101/32;

This destination NAT rule says: if a packet comes from zone wan, with any source address, for destination 172.16.1.30 port 80, translate the destination IP address to the address in the web-server pool. But this configlet isn't sufficient for DNAT to work. We should also add 172.16.1.30 to the proxy-arp settings, because srx2 doesn't reply to arp-requests for this IP address.

[edit security nat]
root@srx2# show proxy-arp
interface ge-0/0/0.0 {
    address {
        172.16.1.10/32 to 172.16.1.20/32;
        172.16.1.30/32;
    }
}

This is still not sufficient. We should also add a policy to allow this particular traffic:

[edit security policies from-zone wan to-zone trust]
root@srx2# show
policy web-server-80 {
    match {
        source-address any;
        destination-address web-server;
        application junos-http;
    }
    then {
        permit;
    }
}

Now everything should be OK. Let's try to telnet to 172.16.1.30 port 80 from srx1:

root@srx1% telnet 172.16.1.30 80
Trying 172.16.1.30...
Connected to 172.16.1.30.
Escape character is '^]'.
GET /index.html HTTP/1.1

HTTP/1.1 400 Bad Request
Date: Tue, 06 Sep 2011 19:58:19 GMT
Server: Apache/2.2.17 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 301
Connection: close
Content-Type: text/html; charset=iso-8859-1



400 Bad Request

Bad Request

Your browser sent a request that this server could not understand.


Apache/2.2.17 (Ubuntu) Server at 127.0.1.1 Port 80
Connection closed by foreign host

Now everything seems to work…
c) STATIC NAT
As the name implies, we statically map addresses from one zone to another. If we take the FTP server in our diagram, we would like to translate all requests to 172.16.1.31 to the inside address 10.1.1.102 without any port consideration. Here is how to do it:
First, the static NAT configuration:

[edit security nat static]
root@srx2# show
rule-set rs1 {
    from zone wan;
    rule rl1 {
        match {
            destination-address 172.16.1.31/32;
        }
        then {
            static-nat prefix 10.1.1.102/32;
        }
    }
}

Second, the security policy for this traffic:

[edit security policies from-zone wan to-zone trust]
root@srx2# show policy ftp-server
match {
    source-address any;
    destination-address ftp-server;
    application junos-ftp;
}
then {
    permit;
}

Proxy-arp setting for 172.16.1.31:
root@srx2# set security nat proxy-arp interface ge-0/0/0.0 address 172.16.1.31/32
Address book entry for the new FTP server:

[edit security zones security-zone trust]
root@srx2# show address-book
address pc1 10.1.1.100/32;
address web-server 10.1.1.101/32;
address ftp-server 10.1.1.102/32;

Let's try an ftp connection from srx1:

root@srx1% ftp 172.16.1.31
Connected to 172.16.1.31.
220 ProFTPD 1.3.3d Server (Debian) [::ffff:10.1.1.102]
Name (172.16.1.31:root):

Wow, it works!
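Notice that both the web-server-80 and ftp-server policies match on the internal address-book entries (10.1.1.101 and 10.1.1.102), not on 172.16.1.30 or 172.16.1.31, while pc1-permit matches the untranslated source 10.1.1.100. That is the NAT and policy interaction from item 3 of the exam guide: static and destination NAT are applied before the policy lookup, and source NAT only after a policy has permitted the session. The Python below is an added example, not the author's or Juniper's code, that models srx2's rules from this post in exactly that order and walks sample first packets through them. Zone membership is derived from assumed subnets (10.1.1.0/24 trust, 172.16.1.0/24 wan, everything else wan via the default route) and the source pool is modelled as its first address.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed model of srx2's configuration from this post.  Rule, pool and
# policy names are the ones in the configlets above; zone subnets and the
# "unknown destination is wan" default are assumptions for the route lookup.
ZONES = {"trust": "10.1.1.0/24", "wan": "172.16.1.0/24"}
ADDRESS_BOOK = {"pc1": "10.1.1.100/32", "web-server": "10.1.1.101/32",
                "ftp-server": "10.1.1.102/32", "any": "0.0.0.0/0"}
APPLICATIONS = {"junos-http": ("tcp", 80), "junos-ftp": ("tcp", 21), "any": None}

STATIC_NAT = [{"from": "wan", "dst": "172.16.1.31/32", "prefix": "10.1.1.102/32"}]
DEST_NAT = [{"from": "wan", "dst": "172.16.1.30/32", "dport": 80, "pool": ("10.1.1.101", 80)}]
SOURCE_NAT = [{"from": "trust", "to": "wan", "src": "10.1.1.0/24", "pool": "172.16.1.10"}]
POLICIES = [  # (from-zone, to-zone, name, source-address, destination-address, application)
    ("trust", "wan", "pc1-permit", "pc1", "any", "any"),
    ("wan", "trust", "web-server-80", "any", "web-server", "junos-http"),
    ("wan", "trust", "ftp-server", "any", "ftp-server", "junos-ftp"),
]


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def in_net(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def zone_of(ip):
    """Zone of the interface the route lookup for ip selects (assumed subnets)."""
    return next((z for z, n in ZONES.items() if in_net(ip, n)), "wan")


def process(pkt):
    """Walk a first packet through srx2; return (matched policy or None, final packet)."""
    from_zone = zone_of(pkt.src)
    # 1. static NAT, then destination NAT: the destination is rewritten before
    #    the route and policy lookups ever see the packet.
    for r in STATIC_NAT:
        if r["from"] == from_zone and in_net(pkt.dst, r["dst"]):
            pkt = replace(pkt, dst=str(ipaddress.ip_network(r["prefix"]).network_address))
            break
    else:
        for r in DEST_NAT:
            if r["from"] == from_zone and in_net(pkt.dst, r["dst"]) and pkt.dport == r["dport"]:
                pkt = replace(pkt, dst=r["pool"][0], dport=r["pool"][1])
                break
    # 2. policy lookup uses the translated destination and the original source.
    to_zone = zone_of(pkt.dst)
    matched = None
    for pf, pt, name, s, d, app in POLICIES:
        if pf != from_zone or pt != to_zone:
            continue
        if not (in_net(pkt.src, ADDRESS_BOOK[s]) and in_net(pkt.dst, ADDRESS_BOOK[d])):
            continue
        if APPLICATIONS[app] is not None and APPLICATIONS[app] != (pkt.proto, pkt.dport):
            continue
        matched = name
        break
    if matched is None:
        return None, pkt          # implicit deny: no session, so no source NAT either
    # 3. source NAT is applied only after the policy permitted the session.
    for r in SOURCE_NAT:
        if r["from"] == from_zone and r["to"] == to_zone and in_net(pkt.src, r["src"]):
            pkt = replace(pkt, src=r["pool"])
            break
    return matched, pkt


if __name__ == "__main__":
    for p in (Packet("172.16.1.1", "172.16.1.30", "tcp", 80),
              Packet("172.16.1.1", "172.16.1.30", "tcp", 443),
              Packet("172.16.1.1", "172.16.1.31", "tcp", 21),
              Packet("10.1.1.100", "8.8.8.8", "udp", 53)):
        print(p, "=>", process(p))
```

The two negative cases are the useful ones: port 443 to 172.16.1.30 is not rewritten by the DNAT rule, so the policy lookup sees a wan-to-wan flow with no matching policy, and a host other than pc1 is dropped by policy before any source NAT is applied. A policy written against 172.16.1.30 instead of web-server would never match, because the destination has already been translated when the lookup happens.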

About: rtoodtoo

Has worked for more than 10 years as a Network/Support Engineer, is also interested in Python, Linux, Security and SD-WAN, currently lives in the Netherlands and works as a Network Support Engineer. // JNCIE-SEC #223 / RHCE / PCNSE


3 thoughts on “JNCIP-SEC [ 3 – Advanced NAT ]”

  1. Hello, thanks for sharing and for the detailed analysis.
    I am working on the SRX210 with dual WAN and HA. I found that static-nat has a problem when going outbound. The packet goes out with the FW untrust IP rather than the static-nat IP. It is so troublesome, I need to add destination-nat to fix this problem. Do you have the same experience?

  2. Hello Jacky,
    I haven't experienced such a problem, but if you send me a sample config and scenario along with the Junos version you use, I can look into it as soon as I have time.
    Regards

  3. Way too late to be helpful, but posting in case anyone is ever reading this: this can be done with VRFs. Once you bind ISP1's link to an interface on VRF1 and bind ISP2's link to an interface belonging to VRF2, only the policies that could possibly match traffic traversing these zones will be enacted.
