Junos NAT
Part I: Introduction to SRX NAT
Part II: Source NAT: interface NAT
Part III: Source NAT: address pools
Part IV: Destination NAT
Part V: Static NAT
--------------------------------------------------
About SRX NAT
1. Source NAT // translates the source address (Cisco equivalent: nat + global)
2. Destination NAT // Cisco equivalent: static PAT
3. Static NAT // one-to-one translation
SRX NAT processing flow (lookup and processing order):
static NAT -> destination NAT -> source NAT
--------------------------------------------------
Part II: Source NAT: interface NAT
Interface NAT
SRX platforms support a NAT configuration in which the source IP address of a flow is translated to the address assigned to the security platform's own outgoing interface. This behaviour is commonly called interface NAT and is similar to the NAT-mode interface configuration in ScreenOS.
SP1 ------------- SRX ------------- Inside1
202.100.1.0/24                     10.1.1.0/24
Goal: PAT the internal network 10.1.1.0/24 behind the outgoing interface address.
First configure a security policy so that Inside1 can reach Outside:
edit security policies from-zone Inside1 to-zone Outside policy permit-all
set match source-address any
set match destination-address any
set match application any
set then permit
set then log session-init session-close
Configure logging:
top edit system syslog file nat-log
set any any
set match RT_FLOW_SESSION
Configure NAT:
top edit security nat source rule-set nat-policy // a rule-set groups a series of NAT rules
set from zone Inside1
set to zone Outside
edit rule inside1-outside-interface-nat // the rule
set match source-address 10.1.1.0/24
set match destination-address 202.100.1.0/24 // optional; omit it for general Internet access
set then source-nat interface
commit // commit and apply
run show security flow session
run show log nat-log // view the NAT translation entries
run show security nat source rule all // view the NAT translation type
---------------------------------------------------
Part III: Source NAT: address pool
Source NAT with an external address pool
edit security nat source
set pool nat-pool address 202.100.1.101/32 to 202.100.1.103/32
up
set proxy-arp interface fe-0/0/0.0 address 202.100.1.101/32 to 202.100.1.103/32 // important: proxy ARP must be enabled for the pool addresses, which are not configured on the interface itself
edit source rule-set nat-policy
edit rule inside1-outside-address-pools
set match source-address 10.1.1.0/24
set then source-nat pool nat-pool // both rules are source NAT rules in the same rule-set; whichever is listed first is matched first
up // back to [edit security nat source rule-set nat-policy]
insert rule inside1-outside-address-pools before rule inside1-outside-interface-nat // move the address-pool rule in front of the interface NAT rule
run show security flow session // the pool addresses are used in turn for PAT
Source NAT without PAT // dynamic one-to-one; when the pool is used up, further sessions overflow to the interface address
top edit security nat source pool nat-pool
set port no-translation
set overflow-pool interface
up
set port-randomization disable // global source NAT option: translated ports are allocated in order rather than randomly
Configure persistent NAT // keeps the translation binding for a host so the same translated address is reused; check the translations as before
top edit security nat source
edit rule-set nat-policy rule inside1-outside-address-pools
set then source-nat pool persistent-nat permit target-host-port
run show security flow session
run show security nat source persistent-nat-table all
---------------------------------------------------
Part IV: Destination NAT // the Cisco static PAT analogue
Translate Inside1 host 10.1.1.1 port 23 to the external address 202.100.1.201 port 2323.
edit security nat destination
set pool inside1-23 address 10.1.1.1/32 port 23
edit rule-set outside-to-inside1-des-nat
set from zone Outside
edit rule inside1-router-23
set match source-address 0.0.0.0/0
set match destination-address 202.100.1.201/32
set match destination-port 2323
set then destination-nat pool inside1-23
top set security nat proxy-arp interface fe-0/0/0.0 address 202.100.1.201/32
Permit the inbound traffic:
top edit security zones security-zone Inside1
set address-book address inside1-router 10.1.1.1/32
up
up
edit policies from-zone Outside to-zone Inside1
edit policy permit-inside1-23
set match source-address any
set match destination-address inside1-router
set match application junos-telnet
set then permit
commit
---------------------------------------------------
Part V: Static NAT (one-to-one; both the source and the destination address are translated, so it works in both directions)
edit security nat static
edit rule-set outside-to-inside
set from zone Outside
edit rule 1to1
set match destination-address 202.100.1.221/32
set then static-nat prefix 10.1.1.1/32
top set security nat proxy-arp interface fe-0/0/0.0 address 202.100.1.221/32
Permit the inbound traffic:
top edit security zones security-zone Inside1
set address-book address inside1-router 10.1.1.1/32
up
up
edit policies from-zone Outside to-zone Inside1
edit policy permit-inside1-23
set match source-address any
set match destination-address inside1-router
set match application junos-telnet
set then permit
commit
Both outbound and inbound traffic is now translated correctly.
run show security flow session
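As an added example that is not part of these notes, the following Python models the SRX lookup order described above (static NAT, then destination NAT, then the source NAT rule-set, where the first matching rule wins) using the rules from Parts II to V. The egress interface address 202.100.1.1, the pool member selection and the sample flows are constructed assumptions, and port translation is not modelled.

```python
# Added example (not part of the original notes): a small model of the NAT
# lookup order described above -- static NAT, then destination NAT, then the
# source NAT rule-set, where the first matching rule in the rule-set wins.
# Addresses and rule names are the ones in the notes; the egress interface
# address, the pool member selection and the flows are constructed.
import ipaddress

def _in(addr, prefix):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)

STATIC = {"external": "202.100.1.221", "internal": "10.1.1.1"}   # rule 1to1
DEST_RULE = {"dst": "202.100.1.201/32", "dport": 2323,           # inside1-router-23
             "pool": ("10.1.1.1", 23)}                            # pool inside1-23
POOL_RULE = {"name": "inside1-outside-address-pools", "src": "10.1.1.0/24",
             "dst": "0.0.0.0/0", "then": "pool"}
IFACE_RULE = {"name": "inside1-outside-interface-nat", "src": "10.1.1.0/24",
              "dst": "202.100.1.0/24", "then": "interface"}
# after "insert rule ... before ..." the pool rule is evaluated first
SRC_RULES = [POOL_RULE, IFACE_RULE]
NAT_POOL = ["202.100.1.101", "202.100.1.102", "202.100.1.103"]
EGRESS_ADDR = "202.100.1.1"   # assumed address of fe-0/0/0.0 (not in notes)

def translate(src, sport, dst, dport, inbound, src_rules=SRC_RULES):
    """Return ((src, sport, dst, dport), nat_type, rule_name) after NAT.

    Ports are left as-is: the notes set 'port no-translation' on nat-pool and
    interface NAT's PAT port allocation is not modelled here.
    """
    # 1. static NAT is bidirectional and checked first
    if inbound and dst == STATIC["external"]:
        return (src, sport, STATIC["internal"], dport), "static", "1to1"
    if not inbound and src == STATIC["internal"]:
        return (STATIC["external"], sport, dst, dport), "static", "1to1"
    # 2. destination NAT (rule-set from zone Outside)
    if inbound:
        if _in(dst, DEST_RULE["dst"]) and dport == DEST_RULE["dport"]:
            dst, dport = DEST_RULE["pool"]
            return (src, sport, dst, dport), "destination", "inside1-router-23"
        return (src, sport, dst, dport), None, None
    # 3. source NAT (rule-set Inside1 -> Outside): first match wins
    for rule in src_rules:
        if _in(src, rule["src"]) and _in(dst, rule["dst"]):
            if rule["then"] == "interface":
                return (EGRESS_ADDR, sport, dst, dport), "source", rule["name"]
            # stand-in for the pool's round-robin: choose member by host address
            member = NAT_POOL[int(ipaddress.ip_address(src)) % len(NAT_POOL)]
            return (member, sport, dst, dport), "source", rule["name"]
    return (src, sport, dst, dport), None, None
```

Passing the rules in their original order (`[IFACE_RULE, POOL_RULE]`) shows why the insert mattered: traffic to 202.100.1.0/24 then hits interface NAT while everything else falls through to the pool.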
Juniper SRX firewall NAT learning notes