Static NAT in SRX
Today's post is about static NAT configuration on the SRX firewall. I have the following topology, and the aim is to translate the network 192.168.211.16/28 to 192.168.250.32/28 and vice versa.
The JGW1 SRX has 192.168.250.1 on its interface facing the uplink zone and 192.168.211.1 on its interface facing the trust zone.
The static NAT configuration for this setup is as follows:
[edit]
root@JGW1# show security nat static
rule-set stat-rs1 {
    from zone uplink;
    rule rule_for_ubuntus {
        match {
            destination-address 192.168.250.32/28;
        }
        then {
            static-nat {
                prefix {
                    192.168.211.16/28;
                }
            }
        }
    }
}
What this configuration really means is:
- Match traffic arriving from the uplink zone
- If the destination address is within the 192.168.250.32/28 subnet
- Then replace the destination IP address with the corresponding address within the 192.168.211.16/28 subnet
But which address replaces which? Static NAT is a one-to-one mapping, so the match prefix and the static-nat prefix must have the same length: if your destination-address is a /28, the prefix under static-nat must also be a /28. Each address is mapped to the address with the same host offset in the other prefix, so the replacement is done as follows:
192.168.250.33 -> 192.168.211.17
192.168.250.34 -> 192.168.211.18
The rest follows the same pattern, one to one. The good thing about static NAT is that the reverse translation is also set up automatically for you, which means:
192.168.211.17 -> 192.168.250.33
192.168.211.18 -> 192.168.250.34
So the source address of any packet leaving the SRX towards the uplink zone with source 192.168.211.17 is replaced by 192.168.250.33.
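To make the mapping rule concrete, here is an added example (my own code, not part of the original post or of Junos) that models a static-nat rule in Python: it checks that both prefixes have the same length, maps an address to the one with the same host offset in the other prefix, and applies the forward translation to the destination of packets from the rule's zone and the reverse translation to the source of packets sent by the hosts. The `Packet` class, the `StaticNatRule` name and the simplification that any packet not arriving from the rule's zone is a candidate for reverse translation are assumptions for illustration; the addresses are the ones from this post.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    from_zone: str  # zone the packet arrived from (e.g. "uplink" or "trust")
    src: str
    dst: str


class StaticNatRule:
    """Model of a Junos static-nat rule (illustrative, not the SRX implementation):
    a one-to-one mapping between two prefixes of equal length. The forward
    direction rewrites the destination of packets arriving from `from_zone`;
    the reverse direction, which the SRX derives automatically, rewrites the
    source of packets sent by the hosts in the static-nat prefix."""

    def __init__(self, from_zone: str, match_prefix: str, host_prefix: str):
        self.from_zone = from_zone
        self.match = ipaddress.ip_network(match_prefix, strict=True)  # destination-address
        self.host = ipaddress.ip_network(host_prefix, strict=True)    # static-nat prefix
        # Static NAT is one-to-one, so both prefixes must have the same length.
        if self.match.prefixlen != self.host.prefixlen:
            raise ValueError(
                f"prefix lengths differ: /{self.match.prefixlen} vs /{self.host.prefixlen}")
        if self.match.version != self.host.version:
            raise ValueError("address families differ")

    @staticmethod
    def _shift(addr: str, from_net, to_net):
        """Map addr to the address with the same host offset in to_net, or
        return None when addr is outside from_net (the rule does not apply)."""
        a = ipaddress.ip_address(addr)
        if a not in from_net:
            return None
        offset = int(a) - int(from_net.network_address)
        return str(ipaddress.ip_address(int(to_net.network_address) + offset))

    def translate_destination(self, dst: str):
        """Forward direction: uplink-side address -> trust-side address."""
        return self._shift(dst, self.match, self.host)

    def translate_source(self, src: str):
        """Reverse direction: trust-side address -> uplink-side address."""
        return self._shift(src, self.host, self.match)

    def apply(self, pkt: Packet) -> Packet:
        """Return the packet after this rule, rewritten only if it matched.
        Assumed simplification: reverse translation applies to any packet that
        did not arrive from `from_zone` and whose source is in the host prefix."""
        if pkt.from_zone == self.from_zone:
            new_dst = self.translate_destination(pkt.dst)
            return replace(pkt, dst=new_dst) if new_dst else pkt
        new_src = self.translate_source(pkt.src)
        return replace(pkt, src=new_src) if new_src else pkt

    def mapping_table(self):
        """All (uplink-side, trust-side) host pairs this rule defines."""
        return [(str(u), self.translate_destination(str(u))) for u in self.match.hosts()]


if __name__ == "__main__":
    rule = StaticNatRule("uplink", "192.168.250.32/28", "192.168.211.16/28")
    for public, private in rule.mapping_table():
        print(f"{public} -> {private}")
    # Constructed packets: one inbound from uplink, one outbound from trust.
    print(rule.apply(Packet("uplink", "198.51.100.7", "192.168.250.34")))
    print(rule.apply(Packet("trust", "192.168.211.20", "8.8.8.8")))
```

A destination outside 192.168.250.32/28 returns `None` from `translate_destination` and the packet passes through untouched, which is exactly the case where a misaligned prefix (say a /28 match with a /29 host prefix) would leave half the addresses unmapped; the constructor refuses that combination up front.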
In addition, we shouldn't forget the security policy configuration, of course, since NAT alone does not permit the traffic:
[edit]
root@JGW1# show security policies
from-zone trust to-zone uplink {
    policy ubuntu-net-access {
        match {
            source-address ubuntu-net;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
*ubuntu-net is an address-book entry in the trust zone (the source zone of the policy) for the 192.168.211.16/28 network
If you have configured everything so far, you will find that the ubuntu3 host still cannot reach the outside network. Why? The SRX does not reply to ARP requests for the 192.168.250.32/28 range, because none of those addresses is configured on its uplink interface, so the next hop on the uplink side never learns a MAC address for the translated IPs. We must tell the SRX to answer for them explicitly by configuring proxy-arp as follows:
[edit security nat proxy-arp]
root@JGW1# show
interface ge-0/0/0.0 {
    address {
        192.168.250.32/28;
    }
}
*ge-0/0/0.0 is the interface facing the uplink zone (the one holding 192.168.250.1)
Once proxy ARP is configured, ubuntu3 should be able to reach out.
You will see that the source IP 192.168.211.20 is replaced by 192.168.250.36. What does this mean? It means that if you set up the reverse security policy (from-zone uplink to-zone trust), any traffic destined to 192.168.250.36 will be forwarded to 192.168.211.20 automatically. One caveat when writing that reverse policy: the SRX applies static NAT before the policy lookup, so the policy's destination-address must match the translated trust-side address (192.168.211.20, or the ubuntu-net address-book entry), not 192.168.250.36.
One thing to keep in mind is that there is no port translation in this type of NAT: every internal address consumes one address in the translated prefix, so the address space you have to work with is relatively limited compared with source NAT with port translation.
Below is also the show command output for this rule:
root@JGW1> show security nat static rule all
Total static-nat rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 2/0
Static NAT rule: rule_for_ubuntus        Rule-set: stat-rs1
  Rule-Id                    : 2
  Rule position              : 1
  From zone                  : uplink
  Destination addresses      : 192.168.250.32
  Host addresses             : 192.168.211.16
  Netmask                    : 28
  Host routing-instance      : N/A
  Translation hits           : 807
If there is any point not clear for you, please send your comment!
The network in the trust zone is from 192.168.211.17 to 192.168.211.30.
ubuntu3, what gateway is it using?
I don't have the setup, but the gateway must be 211.1 in the trust zone.
I've been dealing with this NAT for days; your post saved me, thanks
Glad to hear that my post saved someone:) Thanks for the feedback.
Traffic from zone uplink has source-address 192.168.250.32/28, not destination-address 192.168.250.32/28. Why did you write destination-address in the config? Am I missing something? Thanks.
My bad, realised I was wrong. Sorry for disturbance.
Hello, can you help me with how I can do this configuration in Juniper?
interface FastEthernet0/0
description LAN_
ip address 192.168.0.251 255.255.255.0
ip nat inside
load-interval 30
duplex auto
speed auto
!
interface FastEthernet0/1.101
description WAN_
encapsulation dot1Q 101
ip address 10.175.108.146 255.255.255.252
ip nat outside
!
!
ip http server
ip nat inside source static 192.168.0.251 10.175.104.145
ip nat inside source static 192.168.0.250 10.175.104.146