Juniper SRX Firewall-nat Learn notes!

Source: Internet
Author: User
Tags: juniper, srx

Junos NAT
Part I: Introduction to SRX NAT
Part II: Source NAT: interface NAT
Part III: Source NAT: address pools
Part IV: Destination NAT
Part V: Static NAT
--------------------------------------------------
About SRX NAT
1. Source NAT // translates the source address of outbound flows (Cisco equivalent: nat + global)
2. Destination NAT // translates the destination address/port of inbound flows (Cisco equivalent: static PAT)
3. Static NAT // one-to-one translation

SRX NAT processing flow (figure not reproduced):

Priority: static NAT > destination NAT > source NAT

NAT lookup and processing order (figure not reproduced)
--------------------------------------------------
Part II: Source NAT: interface NAT
Interface NAT

SRX platforms support a NAT configuration in which the source IP address of a flow is translated to the address assigned to the security platform's own outgoing interface. This behavior is commonly called interface NAT and is similar to the NAT-mode interface configuration in ScreenOS.

SP1 ------------- SRX ------------- Inside1
202.100.1.0/24                    10.1.1.0/24
Goal: PAT the internal 10.1.1.0/24 network to the SRX's outside interface address.
Configure a security policy so that Inside1 can reach Outside:
edit security policies from-zone Inside1 to-zone Outside policy permit-all
set match source-address any
set match destination-address any
set match application any
set then permit
set then log session-init session-close

Configure logging of session events (the match string is case-sensitive):
edit system syslog file nat-log
set any any
set match RT_FLOW_SESSION

To configure NAT:
edit security nat source rule-set nat-policy // a rule-set groups a series of NAT rules
set from zone Inside1
set to zone Outside
edit rule inside1-outside-interface-nat // the rule itself
set match source-address 10.1.1.0/24
set match destination-address 202.100.1.0/24 // optional; leave it out for general Internet access
set then source-nat interface
commit // apply the candidate configuration

show security flow session
show log nat-log // view the NAT translation entries
show security nat source rule all // view the NAT rule and its translation type
---------------------------------------------------
Part III: Source NAT: address pool
Using an external address pool
edit security nat source
set pool nat-pool address 202.100.1.101/32 to 202.100.1.103/32
up
set proxy-arp interface fe-0/0/0.0 address 202.100.1.101/32 to 202.100.1.103/32 // important: proxy ARP must be enabled for the pool addresses, otherwise the SRX does not answer ARP for them and the upstream router cannot reach them

edit source rule-set nat-policy
edit rule inside1-outside-address-pools
set match source-address 10.1.1.0/24
set then source-nat pool nat-pool // the rule-set now has two source NAT rules; whichever is listed first is matched first
up
insert rule inside1-outside-address-pools before rule inside1-outside-interface-nat // move the pool rule ahead of the interface NAT rule

run show security flow session // sessions are PATed to the pool addresses in turn

Without PAT // dynamic one-to-one translation; once the pool is used up, further sessions overflow to the interface address
edit pool nat-pool // under [edit security nat source]
set port no-translation
set overflow-pool interface
up
set port-randomization disable // at [edit security nat source]: allocate ports sequentially instead of randomly, so address/port reuse is easy to see in the session table

Configure persistent NAT // persistent NAT keeps the address/port binding after the sessions that created it end, so the same internal host reuses the same mapping; verify it with the show commands below
edit security nat source
edit rule-set nat-policy rule inside1-outside-address-pools
set then source-nat pool nat-pool persistent-nat permit target-host-port

run show security flow session
run show security nat source persistent-nat-table all

---------------------------------------------------
Part IV: Destination NAT // the equivalent of Cisco static PAT
Translate the external address 202.100.1.201 port 2323 to the Inside1 host 10.1.1.1 port 23:
edit security nat destination
set pool inside1-23 address 10.1.1.1/32 port 23
edit rule-set outside-to-inside1-des-nat
set from zone Outside
edit rule inside1-router-23
set match source-address 0.0.0.0/0
set match destination-address 202.100.1.201/32
set match destination-port 2323
set then destination-nat pool inside1-23
top
set security nat proxy-arp interface fe-0/0/0.0 address 202.100.1.201/32

Permit the inbound traffic:
edit security zones security-zone Inside1
set address-book address inside1-router 10.1.1.1/32
up
up
edit policies from-zone Outside to-zone Inside1
edit policy permit-inside1-23
set match source-address any
set match destination-address inside1-router // security policies match the real (post-destination-NAT) address
set match application junos-telnet
set then permit
commit
--------------------------------------------------
Part V: Static NAT, one-to-one // both directions are translated: the destination of inbound flows and the source of outbound flows
edit security nat static
edit rule-set outside-to-inside
set from zone Outside
edit rule 1to1
set match destination-address 202.100.1.221/32
set then static-nat prefix 10.1.1.1/32
top
set security nat proxy-arp interface fe-0/0/0.0 address 202.100.1.221/32

Permit the inbound flow (the same policy as in Part IV; it matches the real address 10.1.1.1):
edit security zones security-zone Inside1
set address-book address inside1-router 10.1.1.1/32
up
up
edit policies from-zone Outside to-zone Inside1
edit policy permit-inside1-23
set match source-address any
set match destination-address inside1-router
set match application junos-telnet
set then permit
commit

Both directions are now translated: inbound traffic to 202.100.1.221 reaches 10.1.1.1, and outbound traffic from 10.1.1.1 leaves as 202.100.1.221.
run show security flow session
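As an added example (not part of the original notes), the following Python model walks a new session through the NAT lookup order the notes give (static NAT, then destination NAT, then source NAT) using the lab's own rules from Parts II to V, including the rule order after "insert ... before" and the bidirectional static mapping. The outside interface address 202.100.1.1 is an assumption, and the pool is simplified to its first address (a real SRX rotates through the pool).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    from_zone: str
    to_zone: str

# Rule tables taken from the notes' lab (rule names and addresses are the notes' own).
STATIC = [("1to1", "Outside", ip_network("202.100.1.221/32"), "10.1.1.1")]
DEST = [("inside1-router-23", "Outside", ip_network("202.100.1.201/32"), 2323, "10.1.1.1", 23)]
# Source rule-set nat-policy after "insert ... before": the pool rule is listed first.
SOURCE = [("inside1-outside-address-pools", ("Inside1", "Outside"), ip_network("10.1.1.0/24"), "pool"),
          ("inside1-outside-interface-nat", ("Inside1", "Outside"), ip_network("10.1.1.0/24"), "interface")]
POOL_FIRST = "202.100.1.101"    # first address of nat-pool (a real SRX rotates through the pool)
EGRESS_IF_ADDR = "202.100.1.1"  # assumed address of fe-0/0/0.0; the notes do not state it

def apply_nat(f):
    """Return (translated src, translated dst, translated dport, rules hit) for a new session."""
    src, dst, dport, hits = f.src, f.dst, f.dport, []
    # 1. Static NAT: one-to-one and bidirectional, evaluated before the other two types.
    for name, zone, ext, internal in STATIC:
        if f.from_zone == zone and ip_address(dst) in ext:   # inbound: external -> internal host
            dst, hits = internal, hits + [f"static:{name}"]
        elif src == internal:                                # reverse mapping: internal host going out
            src, hits = str(ext.network_address), hits + [f"static:{name}:reverse"]
    # 2. Destination NAT: skipped when static NAT already rewrote the destination.
    if not any(h.startswith("static:") and not h.endswith(":reverse") for h in hits):
        for name, zone, ext, eport, internal, iport in DEST:
            if f.from_zone == zone and ip_address(dst) in ext and dport == eport:
                dst, dport, hits = internal, iport, hits + [f"destination:{name}"]
                break
    # 3. Source NAT: first matching rule in the rule-set wins; a static reverse mapping takes precedence.
    if not any(h.endswith(":reverse") for h in hits):
        for name, zones, prefix, kind in SOURCE:
            if zones == (f.from_zone, f.to_zone) and ip_address(src) in prefix:
                src = POOL_FIRST if kind == "pool" else EGRESS_IF_ADDR
                hits.append(f"source:{name}")
                break
    return src, dst, dport, hits

if __name__ == "__main__":
    for flow in (Flow("10.1.1.5", "202.100.1.50", 80, "Inside1", "Outside"),
                 Flow("202.100.1.9", "202.100.1.201", 2323, "Outside", "Inside1"),
                 Flow("202.100.1.9", "202.100.1.221", 23, "Outside", "Inside1"),
                 Flow("10.1.1.1", "202.100.1.50", 80, "Inside1", "Outside")):
        print(flow, "->", apply_nat(flow))
```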
