Linux iptables to SRX NAT
Below is a simple example for those who use Linux iptables and now need to configure NAT on an SRX. I give destination and source NAT examples on both systems so that the way NAT is configured on each firewall can be compared easily. In both scenarios I use the following topology, in which ubuntu3 is the client device behind two firewalls: Linux (debian1) and j26 (the SRX firewall).
Prerequisites for this setup to work
- IP addresses must be assigned to the external interfaces on both Linux and the SRX.
- As both gateways are tested on the same topology, ubuntu3's default gateway must be changed to the SRX or to the Linux box as necessary during the test, so that return traffic flows back through the firewall being tested.
- The necessary security policies must already be configured on the SRX for this NAT to work.
Scenario 1
Using destination NAT, forward requests destined to 10.12.1.10 or 10.12.1.11 on port 22 towards ubuntu3.
Linux way
root@debian1:~# iptables -t nat -A PREROUTING -d 10.12.1.10 -p tcp --dport 22 -j DNAT --to 100.100.100.103:22
root@debian1:~# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            10.12.1.10           tcp dpt:22 to:100.100.100.103:22

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SRX way
The SRX configuration is hierarchical, unlike the flat iptables rule list, and there are two methods by which you can achieve the same result: destination NAT and static NAT.
Destination NAT
[edit]
root@j26# show security nat destination
pool ubuntu3_pool {
    address 100.100.100.103/32;
}
rule-set unbuntu_nat {
    from zone untrust;
    rule ubuntu3_ssh {
        match {
            source-address 0.0.0.0/0;
            destination-address 10.12.1.11/32;
            destination-port 22;
        }
        then {
            destination-nat pool ubuntu3_pool;
        }
    }
}
You can achieve the same destination NAT with the following static NAT configuration as well. Unlike destination NAT, static NAT is a bidirectional one-to-one mapping, so it also translates traffic initiated by ubuntu3 that matches the reverse of the rule.
Static NAT
[edit]
root@j26# show security nat static
rule-set untrust-trust {
    from zone untrust;
    rule ubuntu3_ssh {
        match {
            destination-address 10.12.1.11/32;
            destination-port 22;
        }
        then {
            static-nat {
                prefix {
                    100.100.100.103/32;
                    mapped-port 22;
                }
            }
        }
    }
}
Scenario 2
Using source NAT, we give ubuntu3 Internet access either via the Linux device or via the SRX firewall.
Linux way
root@debian1:~# iptables -t nat -A POSTROUTING -s 100.100.100.103 -d 0/0 -j SNAT --to-source 10.12.1.10
root@debian1:~# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  100.100.100.103      0.0.0.0/0            to:10.12.1.10
The same source NAT can be done on the SRX in the following way.
SRX way
[edit]
root@j26# show security nat source
rule-set trust-to-untrust {
    from zone trust;
    to zone untrust;
    rule ubuntu3_nat {
        match {
            source-address 100.100.100.103/32;
            destination-address 0.0.0.0/0;
        }
        then {
            source-nat {
                interface;
            }
        }
    }
}
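Both scenarios follow the same mapping: an iptables DNAT rule in PREROUTING becomes an SRX destination pool plus a destination rule-set, and an SNAT rule in POSTROUTING becomes a source rule-set that either translates to the egress interface address or to a source pool. The script below is an added example, not code from the post or from Juniper; it turns rules in the `iptables -t nat -S` format into the equivalent Junos `set` commands. The sample rule lines are constructed to match the two rules in the post, and the zone names, the `_pool`/`_dst`/`_src` naming, the address map (the post uses 10.12.1.10 on debian1 but 10.12.1.11 on j26) and the SRX external address are all assumptions supplied by the caller.

```python
"""Added example, not from the original post: translate iptables DNAT/SNAT rules
(in the `iptables -t nat -S` format) into the equivalent Junos SRX `set` commands.
Zone names, rule-set/pool names, the address map and the SRX external address are
assumptions supplied by the caller."""
import shlex

# Constructed sample: what `iptables -t nat -S` prints for the two rules in the
# post (scenario 1 DNAT, scenario 2 SNAT). iptables omits the "-d 0/0" match.
SAMPLE_RULES = """\
-A PREROUTING -d 10.12.1.10/32 -p tcp -m tcp --dport 22 -j DNAT --to-destination 100.100.100.103:22
-A POSTROUTING -s 100.100.100.103/32 -j SNAT --to-source 10.12.1.10
"""

# iptables option -> field name; every other token (e.g. "-m tcp") is skipped.
OPTIONS = {"-A": "chain", "-s": "src", "--source": "src", "-d": "dst",
           "--destination": "dst", "-p": "proto", "--protocol": "proto",
           "--dport": "dport", "-j": "target", "--to": "to",
           "--to-destination": "to", "--to-source": "to"}


def parse_iptables_rule(line):
    """Pick the options we translate out of one `-A CHAIN ...` line."""
    rule = dict.fromkeys(set(OPTIONS.values()))
    tokens = shlex.split(line)
    for i, tok in enumerate(tokens[:-1]):
        if tok in OPTIONS:
            rule[OPTIONS[tok]] = tokens[i + 1]
    return rule


def cidr(addr):
    """Junos wants an explicit prefix: 10.12.1.10 -> 10.12.1.10/32, 0/0 -> 0.0.0.0/0."""
    if addr in (None, "0/0", "0.0.0.0", "0.0.0.0/0"):
        return "0.0.0.0/0"
    return addr if "/" in addr else addr + "/32"


def remap(value, addr_map):
    """Swap the Linux box's external address for the SRX's, keeping any /prefix or :port."""
    for old, new in addr_map.items():
        if value == old or value.startswith((old + "/", old + ":")):
            return new + value[len(old):]
    return value


def to_junos(rule, name, untrust_zone, trust_zone, srx_external_ip):
    """Return the `set` commands for one DNAT (PREROUTING) or SNAT (POSTROUTING) rule."""
    cmds = []
    if rule["target"] == "DNAT" and rule["chain"] == "PREROUTING":
        ip, _, port = rule["to"].partition(":")  # single port only, no ranges
        pool, base = f"{name}_pool", f"set security nat destination rule-set {name}_dst"
        cmds.append(f"set security nat destination pool {pool} address {ip}/32"
                    + (f" port {port}" if port else ""))
        cmds.append(f"{base} from zone {untrust_zone}")
        cmds.append(f"{base} rule {name} match source-address {cidr(rule['src'])}")
        cmds.append(f"{base} rule {name} match destination-address {cidr(rule['dst'])}")
        if rule["proto"]:  # assumes a Junos release that accepts `match protocol`
            cmds.append(f"{base} rule {name} match protocol {rule['proto']}")
        if rule["dport"]:
            cmds.append(f"{base} rule {name} match destination-port {rule['dport']}")
        cmds.append(f"{base} rule {name} then destination-nat pool {pool}")
    elif rule["target"] == "SNAT" and rule["chain"] == "POSTROUTING":
        base = f"set security nat source rule-set {name}_src"
        cmds.append(f"{base} from zone {trust_zone}")
        cmds.append(f"{base} to zone {untrust_zone}")
        cmds.append(f"{base} rule {name} match source-address {cidr(rule['src'])}")
        cmds.append(f"{base} rule {name} match destination-address {cidr(rule['dst'])}")
        if rule["to"] == srx_external_ip:
            # Translating to the egress interface address is what the post does.
            cmds.append(f"{base} rule {name} then source-nat interface")
        else:
            # Any other address needs a source pool (and usually proxy-arp on the
            # external interface, which is not generated here).
            cmds.append(f"set security nat source pool {name}_pool address {rule['to']}/32")
            cmds.append(f"{base} rule {name} then source-nat pool {name}_pool")
    else:
        raise ValueError(f"not a DNAT/SNAT rule this translator handles: {rule}")
    return cmds


def translate(rules_text, names, addr_map=None, untrust_zone="untrust",
              trust_zone="trust", srx_external_ip=None):
    """Translate every rule line; `names` supplies one SRX rule name per line.
    Security policies (a prerequisite in the post) are not generated."""
    cmds = []
    for line, name in zip(rules_text.strip().splitlines(), names):
        rule = parse_iptables_rule(line)
        for key in ("src", "dst", "to"):
            if rule[key] and addr_map:
                rule[key] = remap(rule[key], addr_map)
        cmds.extend(to_junos(rule, name, untrust_zone, trust_zone, srx_external_ip))
    return cmds


if __name__ == "__main__":
    for cmd in translate(SAMPLE_RULES, ["ubuntu3_ssh", "ubuntu3_nat"],
                         addr_map={"10.12.1.10": "10.12.1.11"},
                         srx_external_ip="10.12.1.11"):
        print(cmd)
```

Run it and the output is the `set` form of the two SRX configurations shown in this post (the destination pool gets an explicit `port 22`, and the source rule ends in `source-nat interface` because the translated address equals the SRX external address). The `addr_map` step matters in practice: carrying 10.12.1.10 over verbatim would build a destination NAT rule for an address the SRX does not own. The script deliberately emits no security policies and no proxy-arp, so check those separately before expecting traffic to pass.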
I have tested the configurations written above. If you have the SRX security policies configured, you shouldn't have any problems.