JNCIS-SEC [ NAT ]

To delve into NAT processing in Junos, it is best to first look at the packet flow in ASCII:

First path: Screens -> Static NAT -> Destination NAT -> Route -> Zones -> Policy -> Reverse Static NAT -> Source NAT -> Services ALG -> Session

Fast path: Screens -> TCP -> NAT -> Services ALG

Based on the first packet of a session, Junos installs the NAT and PAT information into the session table for fast-path processing. Note that destination NAT occurs before source NAT, as the first-path diagram shows.

NAT can be classified into three distinct categories:

* Source NAT: translates the source IP address of a packet
* Destination NAT: translates the destination IP address of a packet
* Static NAT: allows connections to be originated from either side of the network

Source NAT & PAT

1) Interface-based source NAT: the original source address is translated to the egress interface IP, always with PAT
2) Pool-based source NAT: dynamic mapping of the original source address to an address from a user-defined pool, with or without PAT
3) Source NAT with address shifting: one-to-one mapping of the original source address to an address in a user-defined pool by shifting the IP address, without PAT

NAT rules are akin to security policies: both require some directional context. For source NAT, each rule-set has a from and a to clause, each of which can name an interface, a zone or a routing instance. If rule-sets overlap (i.e. they match the same traffic), the rule-set with the most specific context takes precedence: interface = most specific, routing instance = least specific.

Overlapping

* Static source NAT has higher precedence than dynamic source NAT
* Addresses used in NAT pools, whether source NAT pools or destination NAT pools, should never overlap
* If more than one rule-set matches the traffic, the rule-set with the most specific context takes precedence
* Within a rule-set, the order of the rules is significant
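As an added illustration (not code from the original post or from Junos), the following Python model implements the rule-set selection just described: rank the from/to contexts by specificity, pick the most specific matching rule-set, then apply the first matching rule in order. The packet, interface names and rule-sets are constructed, and ranking the from context ahead of the to context as a tie-break is this model's assumption.

```python
"""Model of the source NAT rule-set selection described above (added
illustration, not Juniper's implementation). Contexts rank interface >
zone > routing-instance; the most specific matching rule set wins, ranking
the from context before the to context as a tie-break (this model's
assumption), and its first matching rule in configured order applies.
"""
from ipaddress import ip_address, ip_network

SPECIFICITY = {"interface": 0, "zone": 1, "routing-instance": 2}

# Constructed packet: the contexts it belongs to on ingress and egress.
PKT = {
    "src": "10.200.2.11",
    "from": {"interface": "ge-0/0/8.0", "zone": "trust", "routing-instance": "default"},
    "to": {"interface": "ge-0/0/0.0", "zone": "untrust", "routing-instance": "default"},
}

# Constructed, overlapping rule sets; rules are (name, source prefix, action).
RULE_SETS = [
    {"name": "rs-zone", "from": ("zone", "trust"), "to": ("zone", "untrust"),
     "rules": [("rl1", "10.200.2.0/24", "pool pool-admins")]},
    {"name": "rs-ifl", "from": ("interface", "ge-0/0/8.0"), "to": ("zone", "untrust"),
     "rules": [("no-nat-host", "10.200.2.11/32", "off"),
               ("rl1", "10.200.2.0/24", "interface")]},
]

def context_matches(rule_set, pkt):
    (from_kind, from_val), (to_kind, to_val) = rule_set["from"], rule_set["to"]
    return pkt["from"][from_kind] == from_val and pkt["to"][to_kind] == to_val

def select_rule_set(rule_sets, pkt):
    """Most specific matching rule set, or None if no context matches."""
    matching = [rs for rs in rule_sets if context_matches(rs, pkt)]
    if not matching:
        return None
    return min(matching, key=lambda rs: (SPECIFICITY[rs["from"][0]],
                                         SPECIFICITY[rs["to"][0]]))

def lookup(rule_sets, pkt):
    """(rule set, rule, action); rule and action are None when no rule matches."""
    rs = select_rule_set(rule_sets, pkt)
    if rs is None:
        return None
    src = ip_address(pkt["src"])
    for name, prefix, action in rs["rules"]:  # rule order is significant
        if src in ip_network(prefix):
            return rs["name"], name, action
    return rs["name"], None, None  # less specific rule sets are not consulted
```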


Live Changes

As soon as a change to a NAT rule is committed, Junos tears down the sessions affected by that rule.

Interface Based Source NAT

[edit security nat]
root@host# show
source {
    rule-set rs1 {
        from zone trust;
        to zone untrust;
        rule rl1 {
            match {
                source-address 10.200.2.0/24;
            }
            then {
                source-nat {
                    interface;
                }
            }
        }
    }
}

You don't need to apply this NAT to an interface or anything else, as you would in Cisco IOS. It just works.

To display the session table:

root@host> show security flow session destination-prefix 74.125.224.83/32
Session ID: 38783, Policy name: trust-to-untrust/4, Timeout: 1790, Valid
  In: 10.200.2.11/51126 --> 74.125.224.83/80;tcp, If: ge-0/0/8.0, Pkts: 5, Bytes: 662
  Out: 74.125.224.83/80 --> 172.16.16.226/48879;tcp, If: ge-0/0/0.0, Pkts: 4, Bytes: 2688
Session ID: 38789, Policy name: trust-to-untrust/4, Timeout: 1790, Valid
  In: 10.200.2.11/51128 --> 74.125.224.83/80;tcp, If: ge-0/0/8.0, Pkts: 2, Bytes: 112
  Out: 74.125.224.83/80 --> 172.16.16.226/54369;tcp, If: ge-0/0/0.0, Pkts: 1, Bytes: 60
Total sessions: 2

Here 172.16.16.226 is the IP address of our egress interface. The local address 10.200.2.11 is translated to 172.16.16.226 and the packet is passed to the upstream gateway for further processing.

To display the NAT rules:

root@host> show security nat source summary

Total pools: 0
Total rules: 1
Rule name          Rule set       From              To                   Action
rl1                rs1            trust             untrust              interface

Pool-Based Source NAT (with PAT)

[edit security nat]
root@host# show
source {
    pool pool-admins {
        address {
            172.16.16.226/32 to 172.16.16.230/32;
        }
    }
    rule-set rs1 {
        from zone trust;
        to zone untrust;
        rule rl1 {
            match {
                source-address 10.200.2.0/24;
            }
            then {
                source-nat {
                    pool {
                        pool-admins;
                    }
                }
            }
        }
    }
}
In this configuration, instead of translating to the interface address, we use a dynamic pool with PAT enabled. If you want Junos to keep using the same translated address for a given internal host across its sessions, enable address-persistent:

[edit security nat]
root@host# show
source {
    address-persistent;
}

Pool-Based Source NAT (without PAT)

Be careful: disabling PAT reduces the number of hosts the pool can serve. Without PAT the original source port is kept, so each address in the pool can be used by only one internal host at a time. An overflow-pool is also configured, as shown below, to guard against address exhaustion: once the pool is used up, new hosts fall back to the interface address.

[edit security nat]
root@host# show
source {
    pool pool-admins {
        address {
            172.16.16.226/32 to 172.16.16.230/32;
        }
        port no-translation;
        overflow-pool interface;
    }
    rule-set rs1 {
        from zone trust;
        to zone untrust;
        rule rl1 {
            match {
                source-address 10.200.2.0/24;
            }
            then {
                source-nat {
                    pool {
                        pool-admins;
                    }
                }
            }
        }
    }

}

Pool Utilization

If you want to monitor utilization of the pool, you can enable an alarm as below:

[edit security nat]
root@host# show
source {
    pool-utilization-alarm raise-threshold 70 clear-threshold 50;
}

raise-threshold: Junos sends an SNMP trap when pool utilization rises above this percentage
clear-threshold: Junos sends another SNMP trap to clear the alarm when utilization falls below this percentage

Source NAT with Address Shifting

This configuration is almost the same as the pool-based one without address shifting. Once you configure host-address-base, which defines the original address at which the shift starts, PAT is disabled.
[edit security nat]
root@host# show
source {
    pool pool-admins {
        address {
            172.16.16.226/32 to 172.16.16.230/32;
        }
        host-address-base 10.200.2.11/32;
    }
    rule-set rs1 {
        from zone trust;
        to zone untrust;
        rule rl1 {
            match {
                source-address 10.200.2.0/24;
            }
            then {
                source-nat {
                    pool {
                        pool-admins;
                    }
                }
            }
        }
    }
}
root@host> show security nat source pool all
Total pools: 1
Pool name          : pool-admins
Pool id            : 4
Routing instance   : default
Host address base  : 10.200.2.11
Port               : no translation
Total addresses    : 5
Translation hits   : 4

Address range                        Single Ports   Twin Ports
172.30.72.226 - 172.30.72.230      0
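To make the pool semantics concrete, here is an added Python model (not Juniper code) covering both the pool without PAT with overflow-pool interface shown earlier and the address-shifting pool above. The pool 172.16.16.226-230 and host-address-base 10.200.2.11 are the page's values; the egress interface address 172.16.16.1 and the PAT port counter are assumed.

```python
"""Behavioural model of two pool options shown on this page: `port
no-translation` with `overflow-pool interface`, and `host-address-base`
address shifting. Added illustration, not Juniper's allocator. The pool
172.16.16.226-230 and host-address-base 10.200.2.11 are the page's
values; the egress interface address 172.16.16.1 and PAT port counter
are assumed.
"""
from ipaddress import IPv4Address
from itertools import count

POOL = [str(IPv4Address("172.16.16.226") + i) for i in range(5)]  # .226 - .230
INTERFACE_IP = "172.16.16.1"       # assumed egress interface address
HOST_ADDRESS_BASE = "10.200.2.11"  # host-address-base from the config above

def shift_translate(src):
    """Address shifting: original base+k maps to pool address k, port kept.

    Hosts outside the five-address window get None: the pool holds no
    mapping for them, so this model leaves them untranslated.
    """
    offset = int(IPv4Address(src)) - int(IPv4Address(HOST_ADDRESS_BASE))
    return POOL[offset] if 0 <= offset < len(POOL) else None

class NoPatPool:
    """`port no-translation`: one pool address per internal host.

    The original source port is kept, so two hosts cannot safely share an
    address; after five hosts the pool is exhausted and `overflow-pool
    interface` falls back to the egress interface address with PAT.
    """

    def __init__(self):
        self.free = list(POOL)
        self.leases = {}                    # internal host -> pool address
        self.overflow_ports = count(1024)   # constructed PAT port allocator

    def translate(self, src, sport):
        if src not in self.leases and self.free:
            self.leases[src] = self.free.pop(0)
        if src in self.leases:
            return self.leases[src], sport              # no PAT: port unchanged
        return INTERFACE_IP, next(self.overflow_ports)  # overflow: interface + PAT
```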

Pool-Based Destination NAT

[edit security nat]
root@host# show
destination {
    pool pool-inside {
        address 10.200.2.11/32;
    }
    rule-set rs1 {
        from zone untrust;
        rule rl1 {
            match {
                destination-address 172.16.16.226/32;
            }
            then {
                destination-nat pool pool-inside;
            }
        }
    }
}
This is destination NAT without PAT: address 172.16.16.226 is translated to 10.200.2.11. It is a single-address translation; if required, multiple addresses can be placed in the pool with the "to" option.

To enable PAT as well, change the configuration as follows:
[edit security nat]
root@host# show
destination {
    pool pool-inside {
        address 10.200.2.11/32 port 8080;
    }
    rule-set rs1 {
        from zone untrust;
        rule rl1 {
            match {
                destination-address 172.16.16.226/32;
                destination-port 80;
            }
            then {
                destination-nat pool pool-inside;
            }
        }
    }
}

Static Destination NAT

Static NAT requires a one-to-one match, which means the subnet masks on both sides must be the same. If you choose an address that does not belong to an interface, enable proxy-arp as below so that the SRX can answer ARP requests for it. Once static destination NAT is configured, the reverse static source NAT is enabled automatically, so you don't need to add another source NAT rule.
[edit security nat]
root@host# show
static {
    rule-set rs1 {
        from zone untrust;
        rule rl1 {
            match {
                destination-address 172.30.73.78/32;
            }
            then {
                static-nat prefix 10.200.2.11/32;
            }
        }
    }
}
proxy-arp {
    interface ge-0/0/0.0 {
        address {
            172.30.73.78/32;
        }
    }
}

Dropping non-NAT traffic

If you want to drop traffic that has not been translated, use drop-untranslated under the policy, as below:
[edit security policies from-zone trust to-zone untrust]
root@host# show
policy trust-to-untrust {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit {
            destination-address {
                drop-untranslated;
            }
        }
        count;
    }
}
Monitoring commands used so far

* show security flow session
* show security nat source rule rule-name
* show security nat source pool all
* show security nat source summary

About: rtoodtoo

Worked for more than 10 years as a Network/Support Engineer and also interested in Python, Linux, Security and SD-WAN // JNCIE-SEC #223 / RHCE / PCNSE


2 thoughts on “JNCIS-SEC [ NAT ]”

  1. Hi Rtoodtoo,
    Thanks for the articles, which are very helpful for a person coming from a pure Cisco background. Can you please write a blog on Junos SRX packet flow, i.e. both first path and fast path, in detail? Eagerly waiting for the article.
    Thanks in advance
