Application Note: Junos NAT Configuration Examples



Similar documents
SRX SERIES AND J SERIES NETWORK ADDRESS TRANSLATION

Implementation Guide. Juniper Networks SRX Series Services Gateways/ Websense V10000 G2 appliance. v7.6

Configuring and Deploying the Dynamic VPN Feature Using SRX Series Services Gateways

MIGRATING IPS SECURITY POLICY TO JUNIPER NETWORKS SRX SERIES SERVICES GATEWAYS

JUNIPER JN0-332 EXAM QUESTIONS & ANSWERS

Web Filtering For Branch SRX Series and J Series

APPLICATION NOTE. Copyright 2011, Juniper Networks, Inc. 1

Network Configuration Example

Configuring Dynamic VPN v2.1 (last updated 1/2011) Junos 10.4 and above

WAN OPTIMIZATION AND IPSEC FOR THE BRANCH OFFICE

WEB FILTERING FOR BRANCH SRX SERIES AND J SERIES

CONFIGURATION OPTIONS FOR HARDWARE RULE SEARCH (RMS) AND SOFTWARE RULE SEARCH (SWRS)

Monitoring Network Traffic Using sflow Technology on EX Series Ethernet Switches

Network Configuration Example

Concepts & Examples ScreenOS Reference Guide

Limitation of Riverbed s Quality of Service (QoS)

MONITORING NETWORK TRAFFIC USING sflow TECHNOLOGY ON EX SERIES ETHERNET SWITCHES

Document No. FO1101 Issue Date: Work Group: FibreOP Technical Team October 31, 2013 FINAL:

BRANCH SRX SERIES SERVICES GATEWAYS GOLDEN CONFIGURATIONS

Introduction...3. Scope...3. Design Considerations...3. Hardware Requirements...3. Software Requirements...3. Description and Deployment Scenario...

Identity-Based Traffic Logging and Reporting

Network Configuration Example

Network Configuration Example

JUNOS OS LAN-TO-LAN VPN WITH OVERLAPPING SUBNETS

Understanding and Configuring NAT Tech Note PAN-OS 4.1

IF-MAP FEDERATION WITH JUNIPER NETWORKS UNIFIED ACCESS CONTROL

PERFORMANCE VALIDATION OF JUNIPER NETWORKS SRX5800 SERVICES GATEWAY

Network Configuration Example

Junos OS. Firewall User Authentication for Security Devices. Release 12.1X44-D10. Published: Copyright 2013, Juniper Networks, Inc.

Network Configuration Example

Firewalls P+S Linux Router & Firewall 2013

Identity-Based Application and Network Profiling

Configuring the Juniper NetScreen Firewall Security Policies to support Avaya IP Telephony Issue 1.0

J-Flow on J Series Services Routers and Branch SRX Series Services Gateways

Configuring a Lan-to-Lan VPN with Overlapping Subnets with Juniper NetScreen/ISG/SSG Products

- Introduction to Firewalls -

ProteusElite:HowTo Proteus Networks Proteus Elite:HowTo Page 1

Network Configuration Example

Junos OS for EX Series Ethernet Switches

Network Configuration Example

INTEGRATING FIREWALL SERVICES IN THE DATA CENTER NETWORK ARCHITECTURE USING SRX SERIES SERVICES GATEWAY

Overview. Firewall Security. Perimeter Security Devices. Routers

SRX High Availability Design Guide

TECHNICAL NOTE SETTING UP A STRM UPDATE SERVER. Configuring your Update Server

Firewall Filters Feature Guide for EX9200 Switches

1Juniper. 2How Logtrust. works with Juniper? a security network solution for enterprises and service providers.

Technology Overview. Lawful Intercept Using Flow-Tap. Published: Copyright 2014, Juniper Networks, Inc.

Polycom. RealPresence Ready Firewall Traversal Tips

This article describes a detailed configuration example that demonstrates how to configure Cyberoam to provide the access of internal resources.

Junos OS. Layer 2 Bridging and Transparent Mode for Security Devices. Release 12.1X44-D10. Published:

Junos OS. FTP ALG Feature Guide for Security Devices. Release 12.1X46-D10. Published: Copyright 2013, Juniper Networks, Inc.

VPN Configuration Guide. Juniper Networks NetScreen / SSG / ISG Series

Network Configuration Example

J Series / SRX Series Remote Access VPN with XAuth Configuration and Troubleshooting

Junos OS. FTP ALG Feature Guide for Security Devices. Release 12.1X47-D10. Published: Copyright 2014, Juniper Networks, Inc.

- Network Address Translation -

Junos OS. Application Tracking Feature Guide for Security Devices. Release 12.1X46-D10. Published: Copyright 2014, Juniper Networks, Inc.

Network Address Translation (NAT)

Converting SSG 300M-series and SSG 500M-series Security Devices to J-series Services Routers with a USB Storage Device

By default, STRM provides an untrusted SSL certificate. You can replace the untrusted SSL certificate with a self-signed or trusted certificate.

Implementing Firewalls inside the Core Data Center Network

Setting up an icap Server for ISG- 1000/2000 AV Support

Creating a VPN with overlapping subnets

After you have created your text file, see Adding a Log Source.

Junos OS. Application Tracking. Release 12.1X44-D10. Published: Copyright 2014, Juniper Networks, Inc.

MULTI WAN TECHNICAL OVERVIEW

Deployment Guide for SRX Series Services Gateways in Chassis Cluster Configuration

Application Description

Configuring and Deploying the J Series Chassis Cluster Feature

REPLACING THE SSL CERTIFICATE

Junos OS. Firewall Filters Configuration Guide. Release Published: Copyright 2012, Juniper Networks, Inc.

Configuring Network Address Translation (NAT)

Configuring and Implementing A10

Using Multicast Call Admission Control for IPTV Bandwidth Management

Unless otherwise noted, all references to STRM refer to STRM, STRM Log Manager, and STRM Network Anomaly Detection.

Implementing Firewalls inside the Core Data Center Network

This technical note provides information on how to customize your notifications. This section includes the following topics:

Cisco to Juniper point-to-multipoint IPsec solution - spoke devices migration.

Juniper Networks and IPv6. Tim LeMaster Ipv6.juniper.net

Network and Security. Product Description. Product Overview. Architecture and Key Components DATASHEET

COORDINATED THREAT CONTROL

Junos OS. Processing Overview for Security Devices. Release 12.1X44-D10. Published: Copyright 2014, Juniper Networks, Inc.

Configuring Dynamic VPN

Check Point Software Technologies LTD. Creating A Generic Service Proxy (GSP) Using Network Address Translation (NAT)

Apache CloudStack 4.x (incubating) Network Setup: excerpt from Installation Guide. Revised February 28, :32 pm Pacific

Unless otherwise noted, all references to STRM refer to STRM, STRM Log Manager, and STRM Network Anomaly Detection.

Firewall. Vyatta System. REFERENCE GUIDE IPv4 Firewall IPv6 Firewall Zone Based Firewall VYATTA, INC.

Junos OS for EX Series Ethernet Switches

LISP Functional Overview

Implementation Guide NEW NETWORK PLATFORM ARCHITECTURE: WAN. Internet Edge

Supporting Multiple Firewalled Subnets on SonicOS Enhanced

Configuring Network Address Translation

Migrating Log Manager to JSA

VMWARE VIEW WITH JUNIPER NETWORKS SA SERIES SSL VPN APPLIANCES

Network Configuration Example

How to configure DNAT in order to publish internal services via Internet

Configuring Static and Dynamic NAT Simultaneously

Tuning Guide. Release Juniper Secure Analytics. Juniper Networks, Inc.

Firewall REFERENCE GUIDE. VYATTA, INC. Vyatta System. IPv4 Firewall IPv6 Firewall Zone-Based Firewall. Title

White Paper Copyright 2011 Nomadix, Inc. All Rights Reserved. Thursday, January 05, 2012

Transcription:

: Junos NAT Configuration Examples January 2010 Juniper Networks, Inc. 1

Table of Contents Junos NAT Configuration Examples...1 Introduction...3 Requirements...3 Configuration Examples...3 Source NAT...3 Configuring address pools for Source NAT... 4 Configuring source NAT using interface IP... 5 Configuring source NAT using IP pool... 6 Configuring source NAT using multiple rules... 7 Destination NAT...8 Many to many translation... 8 One to many translation... 9 Double NAT... 11 Source and destination translation... 11 Static NAT... 13 Juniper Networks, Inc. 2

Introduction This document explains configuring Network Address Translation (NAT) on J series and SRX services gateway device for use in common network scenarios. The document assumes the reader is familiar with NAT concepts and terminology used on Juniper devices. The examples in this document are supplemental to the examples that are included in the following application notes: TN8 - Configuring Network Address Translation (NAT) TN25 - Configuring Network Address Translation (NAT) on SRX and J Series devices [for ScreenOS Users] Requirements Hardware Juniper Networks J2320, J2350, J4350, and J6350 routers SRX series services gateways Software Junos release 9.5 and later Configuration Examples Based on requests from the field, this application note contains CLI examples for Source NAT, Destination NAT, Double NAT (Source and Destination NAT), and Static NAT. Juniper Networks, Inc. 3

Source NAT Configure Address Pools for Source NAT This section illustrates the configuration to create different types of source NAT pools. The pools created in these examples will be used in the NAT rules of subsequent configuration examples. The entire configuration is performed under the security nat source hierarchy of the Junos CLI. By default, all the source IP pools will have PAT enabled. Source pools without PAT can be configured by disabling PAT on the IP pool. The IP pools are not bound to interface. Proxy ARP must be configured for the device to respond to ARP for the addresses in the IP pool. 1. Configure a source pool with a range of addresses and port translation: set pool src-nat-pool-1 address 192.0.0.1 to 192.0.0.24 2. Configure a source pool with a range of addresses and port translation disabled: set pool src-nat-pool-2 address 192.0.0.100 to 192.0.0.249 set pool src-nat-pool-2 port no-translation 3. Configure a source pool with a range of addresses with port translation disabled using overflow pool. Overflow pools are used as a fallback in the event that source pool without PAT runs out of free IP addresses. Overflow pools can be source IP pools with PAT or interface: set pool src-nat-pool-2 address 192.0.0.100 to 192.0.0.249 set pool src-nat-pool-2 port no-translation set pool src-nat-pool-2 overflow-pool interface 4. Configure a source pool with a single address and port translation: set pool src-nat-pool-3 address 192.0.0.25/32 5. Configure a source pool with a range for both IP address and port numbers: set pool src-nat-pool-4 address 192.0.0.50 to 192.0.0.59 set pool src-nat-pool-4 port range 5000 to 6000 Juniper Networks, Inc. 4

Configure Source NAT using interface IP In this example, all traffic from the trust zone to the untrust zone is translated to the egress interface, ge-0/0/2 interface IP address. Fig1: source NAT using interface IP [edit security nat source] set rule-set rs1 from zone trust set rule-set rs1 to zone untrust set rule-set rs1 rule r1 match source-address 0.0.0.0/0 set rule-set rs1 rule r1 match destination-address 0.0.0.0/0 set rule-set rs1 rule r1 then source-nat interface [edit security policies from-zone trust to-zone untrust] set policy internet-access match source-address any destination-address any application any set policy internet-access then permit Juniper Networks, Inc. 5

Configure Source NAT using IP pool In this example, all traffic from the trust zone to the untrust zone is translated to the source IP pool src nat pool 1. (The source IP pool is defined on page 4.) Fig2: Source NAT using IP pool [edit security nat source] set rule-set rs1 from zone trust set rule-set rs1 to zone untrust set rule-set rs1 rule r1 match source-address 0.0.0.0/0 set rule-set rs1 rule r1 match destination-address 0.0.0.0/0 set rule-set rs1 rule r1 then source-nat src-nat-pool-1 [edit security nat] set proxy-arp interface ge-0/0/2.0 address 192.0.0.1 to 192.0.0.24 [edit security policies from-zone trust to-zone untrust] set policy internet-access match source-address any destination-address any application any set policy internet-access then permit Juniper Networks, Inc. 6

Configure Source NAT using Multiple Rules This example has the following requirements: 1. Traffic from the subnet 10.1.1.0/24 and 10.1.2.0/24 is translated to pool src-nat-pool-1. 2. Traffic from subnet 192.168.1.0/24 is translated to pool src-nat-pool-2. 3. Traffic from the host 192.168.1.250/24 is exempted from source NAT. (The source IP pools are defined on page 4.) Fig 3: Source NAT using multiple rules [edit security nat source] set rule-set rs1 from zone trust set rule-set rs1 to zone untrust set rule-set rs1 rule r1 match source-address [10.1.1.0/24 10.1.2.0/24] set rule-set rs1 rule r1 match destination-address 0.0.0.0/0 set rule-set rs1 rule r1 then source-nat pool src-nat-pool-1 set rule-set rs1 rule r2 match source-address 192.168.1.250/24 set rule-set rs1 rule r2 match destination-address 0.0.0.0/0 set rule-set rs1 rule r2 then source-nat off set rule-set rs1 rule r3 match source-address 192.168.1.0/24 set rule-set rs1 rule r3 match destination-address 0.0.0.0/0 set rule-set rs1 rule r3 then source-nat pool src-nat-pool-2 [edit security nat] set proxy-arp interface ge-0/0/2.0 address 192.0.0.1 to 192.0.0.24 set proxy-arp interface ge-0/0/2.0 address 192.0.0.100 to 192.0.0.249 [edit security policies from-zone trust to-zone untrust] set policy internet-access match source-address any destination-address any application any set policy internet-access then permit Juniper Networks, Inc. 7

Destination NAT Many to many translation This example has the following requirements: 1. Traffic to destination 1.1.1.100 is translated to 192.168.1.100 2. Traffic to destination 1.1.1.101 on port 80 is translated to 192.168.1.200 and port 8000 The real IP address and port numbers of the hosts are configured as the destination IP pool. Proxy ARP must be configured for the device to respond to ARP for the addresses in the IP pool. Fig 4: Destination NAT Many to Many Security policies to permit traffic from untrust zone to trust zone must be created. Since the destination NAT rule-sets are evaluated before a security policy, the addresses referred in the security policy must be the real IP address of the end host. [edit security] set zones security-zone trust address-book address server-1 192.168.1.100/32 set zones security-zone trust address-book address server-2 192.168.1.200/32 [edit security policies from-zone untrust to-zone trust] set policy server-access match source-address any destination-address [server-1 server-2] application any set policy server-access then permit [edit security nat destination] set pool dst-nat-pool-1 address 192.168.1.100 set pool dst-nat-pool-2 address 192.168.1.200 port 8000 set rule-set rs1 from zone untrust set rule-set rs1 rule r1 match destination-address 1.1.1.100 set rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-1 set rule-set rs1 rule r2 match destination-address 1.1.1.101 set rule-set rs1 rule r2 match destination-port 80 set rule-set rs1 rule r2 then destination-nat pool dst-nat-pool-2 Juniper Networks, Inc. 8

[edit security nat] set proxy-arp interface ge-0/0/2.0 address 1.1.1.100 to 1.1.1.101 One to many translation This example has the following requirements: 1. Traffic to destination 1.1.1.100 on port 80 is translated to 192.168.1.100 and port 80. 2. Traffic to destination 1.1.1.100 on port 8000 is translated to 192.168.1.200 and port 8000. Fig 5: Destination NAT One to many [edit security nat destination] set pool dst-nat-pool-1 address 192.168.1.100 port 80 set pool dst-nat-pool-2 address 192.168.1.200 port 8000 set rule-set rs1 from zone untrust set rule-set rs1 rule r1 match destination-address 1.1.1.100 set rule-set rs1 rule r1 match destination-port 80 set rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-1 set rule-set rs1 rule r2 match destination-address 1.1.1.100 set rule-set rs1 rule r2 match destination-port 8000 set rule-set rs1 rule r2 then destination-nat pool dst-nat-pool-2 [edit security nat] set proxy-arp interface ge-0/0/2.0 address 1.1.1.100 [edit security] set zones security-zone trust address-book address server-1 192.168.1.100/32 set zones security-zone trust address-book address server-2 192.168.1.200/32 Juniper Networks, Inc. 9

[edit security policies from-zone untrust to-zone trust] set policy server-access match source-address any destination-address [server-1 server-2] application any set policy server-access then permit [edit security] set zones security-zone trust address-book address server-1 192.168.1.100/32 set zones security-zone trust address-book address server-2 192.168.1.200/32 [edit security policies from-zone untrust to-zone trust] set policy server-access match source-address any destination-address [server-1 server-2] application any set policy server-access then permit Juniper Networks, Inc. 10

Double NAT Source and destination translation In this example, the source and destination IP address of the packet is translated. The destination host 10.1.1.100 is accessed by the source 192.168.1.3 using the IP address 1.1.1.100. As the packet traverses the SRX device, both the source and destination IP addresses are translated. (The source IP pools are defined on page 4.) [edit security nat source] set pool src-nat-pool-1 address 1.1.1.10 to 1.1.1.14 set rule-set rs1 from zone trust set rule-set rs1 to zone untrust set rule-set rs1 rule r1 match source-address 0.0.0.0/0 set rule-set rs1 rule r1 match destination-address 0.0.0.0/0 set rule-set rs1 rule r1 then source-nat src-nat-pool-1 [edit security nat destination] set pool dst-nat-pool-1 address 10.1.1.100 set rule-set rs1 from zone trust set rule-set rs1 rule r1 match destination-address 1.1.1.100 set rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-1 [edit security nat] set proxy-arp interface fe-0/0/7.0 address 1.1.1.10 to 1.1.1.14 [edit security policies from-zone trust to-zone untrust] set policy permit-all match source-address any destination-address any application any set policy permit-all then permit The security policy above allows all outbound access from trust zone to untrust zone. As a result the server can be accessed either by its translated or untranslated address. Juniper Networks, Inc. 11

The session table shown below confirms this: The security policy can be modified to allow access to the server only via the translated address. The key word dropuntranslated will drop all traffic to the destination address of 10.1.1.100. This will limit the access to the server using the destination address of 1.1.1.100. [edit security policies from-zone trust to-zone untrust] set policy permit-all match source-address any destination-address any application any set policy permit-all then permit destination-address drop-untranslated Juniper Networks, Inc. 12

Static NAT In this example, host 192.168.1.200 is assigned a static NAT mapping to IP address 1.1.1.200. Any traffic to the destination address of 1.1.1.200 will be translated to 192.168.1.200. Any new sessions originating from host 192.168.1.200 will have the source IP of the packet translated to 1.1.1.200. [edit security nat static] set rule-set rs1 from zone untrust set rule-set rs1 rule r1 match destination-address 1.1.1.200/32 set rule-set rs1 rule r1 then static-nat prefix 192.168.1.200/32 [edit security nat] set proxy-arp interface fe-0/0/7.0 address 1.1.1.200 [edit security] set zones security-zone trust address-book address server-1 192.168.1.200/32 [edit security policies from-zone untrust to-zone trust] set policy server-access match source-address any destination-address server-1application any set policy server-access then permit [edit security policies from-zone trust to-zone untrust] set policy permit-all match source-address server-1 destination-address any application any set policy permit-all then permit Juniper Networks, Inc. 13

About Juniper Networks Juniper Networks, Inc. is the leader in high performance networking. Juniper offers a high performance network infrastructure that creates a responsive and trusted environment for accelerating the deployment of services and applications over a single network. This fuels high performance businesses. Additional information can be found at www.juniper.net. Copyright 2008 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. JUNOS and JUNOSe are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. Juniper Networks, Inc. 14

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information