RtoDto.net
Network/Security/Programming

Junos NAT

rtoodtoo nat April 19, 2011

Doing NAT is very easy with SRX indeed. For example:

SOURCE NAT (INTERFACE BASED) 

[edit security nat]
root@host# show | display set
set security nat source rule-set rs1 from zone trust
set security nat source rule-set rs1 to zone untrust
set security nat source rule-set rs1 rule rl1 match source-address 10.200.2.0/24
set security nat source rule-set rs1 rule rl1 then source-nat interface

We create one rule (rl1) inside a rule set (rs1) and NATing 10.200.20.0/24 network to the address of the exit interface. Pretty easy.

SOURCE NAT (WITH POOL)

[edit security nat]
root@host# show | display set
set security nat source pool pool-admins address 212.23.2.1 to 212.23.2.20
set security nat source rule-set rs1 from zone trust
set security nat source rule-set rs1 to zone untrust
set security nat source rule-set rs1 rule rl1 match source-address 10.200.2.0/24
set security nat source rule-set rs1 rule rl1 then source-nat pool pool-admins

In this pool example, instead of using interface address, we use addresses in the range 212.23.2.1 – 212.23.2.20

**TIP: If you need address persistence you should to set the following;

set security nat source address-persistent

STATIC NAT

root@host# show 
static {
    rule-set rs1 {
        from zone trust;
        rule rl1 {
            match {
                destination-address 0.0.0.0/0;
            }
            then {
                static-nat prefix 172.30.72.226/32;
            }
        }
    }
}

[edit security nat]
root@host# commit 
error: Static NAT rule(rl1) error: host address doesn’t have same mask as destination address.
error: configuration check-out failed

Can you see the mistake here? I thought that I can configure static nat just like above and Junos complaint because it is obligatory to have a one-to-one match in masks.  We can use this NAT, from untrust to inside network in the following way;

[edit security nat]
root@host# show
static {
    rule-set rs1 {
        from zone untrust;
        rule rl1 {
            match {
                destination-address 172.30.73.78/32;
            }
            then {
                static-nat prefix 10.200.2.11/32;
            }
        }
    }
}
proxy-arp {
    interface ge-0/0/0.0 {
        address {
            172.30.73.78/32;
        }
    }
}
I hope you have noticed the command proxy-arp. It is necessary to respond to ARP requests for the addresses mentioned, otherwise you can have a perfect config but you may not respond to ARP requests without this additional step.
DESTINATION NAT
[edit security nat]
root@host# show
destination {
    pool pool1 {
        address 10.200.2.11/32;
    }
    rule-set rs1 {
        from zone untrust;
        rule rl1 {
            match {
                destination-address 172.30.73.78/32;
            }
            then {
                destination-nat pool pool1;
            }
        }
    }
}
proxy-arp {
    interface ge-0/0/0.0 {
        address {
            172.30.73.78/32;
        }
    }
}
As it can be seen in this config snippet, any request coming to 172.30.73.78 address is translated into the pool1 which is indeed only 10.200.2.11 address.

About: rtoodtoo

Worked for more than 10 years as a Network/Support Engineer and also interested in Python, Linux, Security and SD-WAN // JNCIE-SEC #223 / RHCE / PCNSE

2 thoughts on “Junos NAT”

  2. Hi Jimmy,
    If you use destination-port option in your rule in addition to destination address and add “port” option into the pool, that should work I guess for your destination nat.

    rule rl1 {
    match {
    destination-address 172.30.73.78/32;
    destination-port 8080;
    }

    Reply

Leave a Reply to Jimmy NortonCancel reply

Discover more from RtoDto.net

Subscribe now to keep reading and get access to the full archive.

Continue reading