JNCIP SEC 3 Advanced NAT

In this post I would like to do some experiment in Advanced NAT topics according to detailed
exam guide here are the details:
1) Given a scenario, describe and implement static, source, destination, and dual NAT
2) Describe and implement variations of persistent NAT
3) Given a scenario, describe the interaction between NAT and security policy
Here is my test topology: JunOS release is 10.4R6.5

1) SOURCE,DESTINATION,STATIC and DUAL(double) NAT

a) SOURCE NAT
a.1) Interface Source NAT of PC1
First define criteria of NAT paramaters. The commands below will source nat IP address
10.1.1.100 to interface address of the exit interface if the packet is coming from zone trust and
destined to any IP in zone wan
[edit security nat source]
root@srx2# show
rule-set rs1 {
from zone trust;

1
2
3
4
5
6

[edit security nat source]

root@srx2# show
rule-set rs1 {
from zone trust;
to zone wan;
rule rl1 {

7
8
9
10
11
12
13
14
15
16
17

match {
source-address 10.1.1.100/32;
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
Once the above NAT rule is accompanied by a security policy like below, traffic should flow if
zone configuration is also correct:
[edit security policies]
root@srx2# show
from-zone trust to-zone w an {
policy pc1-permit {

1
2
3
4
5
6
7
8
9
10
11
12
13
14

[edit security policies]

root@srx2# show
from-zone trust to-zone wan {
policy pc1-permit {
match {
source-address pc1;
destination-address any;
application any;
}
then {
permit;
}
}
}
a.2) Source NAT of PC1 by using pool:
If you want to set a pool of IP addresses here is a snippet;
[edit security nat]
root@srx2# show
source {
pool pc-pool {

1
2

[edit security nat]

root@srx2# show

3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26

source {
pool pc-pool {
address {
172.16.1.10/32 to 172.16.1.20/32;
}
}
rule-set rs1 {
from zone trust;
to zone wan;
rule rl1 {
match {
source-address 10.1.1.0/24;
destination-address 0.0.0.0/0;
}
then {
source-nat {
pool {
pc-pool;
}
}
}
}
}
}
If the security policy is in place and you try to reach an outside address from PC1, you will
see that there is no connectivity but why? it is because for the pool address we defined srx2
doesnt send any arp-reply because they arent configured in any interface. That is why we must
specifically set proxy arp for this range. Here is the configlet;
[edit security nat proxy-arp]
root@srx2# show
interface ge-0/0/0.0 {
address {

1
2
3
4
5
6
7

[edit security nat proxy-arp]

root@srx2# show
interface ge-0/0/0.0 {
address {
172.16.1.10/32 to 172.16.1.20/32;
}
}
When you commit this change, you will see the following populated arp table in SRX1
You see all the IP addresses in this range are now available.

root@srx1> show arp

MAC Address
Address
78:19:f7:aa:d0:80 172.16.1.2
78:19:f7:aa:d0:80 172.16.1.10

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

root@srx1> show arp

MAC Address
Address
Name
78:19:f7:aa:d0:80 172.16.1.2
172.16.1.2
78:19:f7:aa:d0:80 172.16.1.10 172.16.1.10
78:19:f7:aa:d0:80 172.16.1.11 172.16.1.11
78:19:f7:aa:d0:80 172.16.1.12 172.16.1.12
78:19:f7:aa:d0:80 172.16.1.13 172.16.1.13
78:19:f7:aa:d0:80 172.16.1.14 172.16.1.14
78:19:f7:aa:d0:80 172.16.1.15 172.16.1.15
78:19:f7:aa:d0:80 172.16.1.16 172.16.1.16
78:19:f7:aa:d0:80 172.16.1.17 172.16.1.17
78:19:f7:aa:d0:80 172.16.1.18 172.16.1.18
78:19:f7:aa:d0:80 172.16.1.19 172.16.1.19
78:19:f7:aa:d0:80 172.16.1.20 172.16.1.20
00:26:5a:9a:48:c6 192.168.0.1 192.168.0.1
f0:de:f1:0c:9b:c4 192.168.0.105 192.168.0.105
Total entries: 14

Interface
Flags
ge-0/0/1.0
none
ge-0/0/1.0
none
ge-0/0/1.0
none
ge-0/0/1.0
none
ge-0/0/1.0
none
ge-0/0/1.0
none
ge-0/0/1.0
none
ge-0/0/1.0
none
ge-0/0/1.0
none
ge-0/0/1.0
none
ge-0/0/1.0
none
ge-0/0/1.0
none
ge-0/0/0.0
none
ge-0/0/0.0
none

When I activated this pool based NAT, I wanted to see how the flow session looks like;
[edit security policies from-zone
root@srx2# run show security
Session ID: 452, Policy name: se
In: 172.16.1.1/60334 --> 172.1

1 [edit security policies from-zone trust to-zone wan]

2 root@srx2# run show security flow session
3 Session ID: 452, Policy name: self-traffic-policy/1, Timeout: 1800, Valid
4 In: 172.16.1.1/60334 --> 172.16.1.2/22;tcp, If: ge-0/0/0.0, Pkts: 1316, Bytes: 102840
5 Out: 172.16.1.2/22 --> 172.16.1.1/60334;tcp, If: .local..0, Pkts: 1138, Bytes: 151209
6
7 Session ID: 632, Policy name: pc1-permit/4, Timeout: 16, Valid
8 In: 10.1.1.100/47905 --> 77.72.169.135/11113;udp, If: ge-0/0/1.0, Pkts: 87, Bytes: 5823
9 Out: 77.72.169.135/11113 --> 172.16.1.13/16590;udp, If: ge-0/0/0.0, Pkts: 87, Bytes: 13864
10
11 Session ID: 979, Policy name: pc1-permit/4, Timeout: 1800, Valid
12 In: 10.1.1.100/1481 --> 213.136.29.196/80;tcp, If: ge-0/0/1.0, Pkts: 24554, Bytes: 1007010
13 Out: 213.136.29.196/80 --> 172.16.1.18/4006;tcp, If: ge-0/0/0.0, Pkts: 47029, Bytes:
14 61028108
15

Session ID: 991, Policy name: pc1-permit/4, Timeout: 1800, Valid

16 In: 10.1.1.100/1492 --> 80.239.148.176/80;tcp, If: ge-0/0/1.0, Pkts: 18482, Bytes: 758696
17 Out: 80.239.148.176/80 --> 172.16.1.17/22131;tcp, If: ge-0/0/0.0, Pkts: 35122, Bytes:
18 45656092
19
20 Session ID: 1015, Policy name: pc1-permit/4, Timeout: 1772, Valid
21 In: 10.1.1.100/1521 --> 74.125.79.104/80;tcp, If: ge-0/0/1.0, Pkts: 55, Bytes: 8639
22 Out: 74.125.79.104/80 --> 172.16.1.16/27078;tcp, If: ge-0/0/0.0, Pkts: 92, Bytes: 93979
23
24 Session ID: 1016, Policy name: pc1-permit/4, Timeout: 1772, Valid
25 In: 10.1.1.100/1522 --> 74.125.79.104/80;tcp, If: ge-0/0/1.0, Pkts: 60, Bytes: 5415
26 Out: 74.125.79.104/80 --> 172.16.1.15/14051;tcp, If: ge-0/0/0.0, Pkts: 96, Bytes: 119546
27
28 Session ID: 1018, Policy name: pc1-permit/4, Timeout: 1758, Valid
29 In: 10.1.1.100/1523 --> 74.125.79.132/80;tcp, If: ge-0/0/1.0, Pkts: 7, Bytes: 1115
30 Out: 74.125.79.132/80 --> 172.16.1.13/7994;tcp, If: ge-0/0/0.0, Pkts: 8, Bytes: 5383
31
32 Session ID: 1020, Policy name: pc1-permit/4, Timeout: 1762, Valid
33 In: 10.1.1.100/1524 --> 74.125.79.101/80;tcp, If: ge-0/0/1.0, Pkts: 9, Bytes: 3384
34 Out: 74.125.79.101/80 --> 172.16.1.11/16286;tcp, If: ge-0/0/0.0, Pkts: 7, Bytes: 1897
35
36 Session ID: 1021, Policy name: pc1-permit/4, Timeout: 1766, Valid
37 In: 10.1.1.100/1525 --> 74.125.79.101/80;tcp, If: ge-0/0/1.0, Pkts: 10, Bytes: 3510
38 Out: 74.125.79.101/80 --> 172.16.1.10/9906;tcp, If: ge-0/0/0.0, Pkts: 7, Bytes: 2284
39
40 Session ID: 1033, Policy name: pc1-permit/4, Timeout: 1800, Valid
41 In: 10.1.1.100/1536 --> 91.217.235.93/80;tcp, If: ge-0/0/1.0, Pkts: 1243, Bytes: 53022
42 Out: 91.217.235.93/80 --> 172.16.1.20/8280;tcp, If: ge-0/0/0.0, Pkts: 2218, Bytes: 2880892
Total sessions: 10
During this test I started an ubuntu linux ISO download from ubuntu.com and some other traffic.
Can you see how many different IP addresses I am using from a single PC? This may be
something not desired depending on the requirements. You may want to have persistence so that
one source IP will stick to a single outside IP address. If you set this like below;
root@srx2#set security nat source address-persistent
Your flow sessions will be something like this;
root@srx2> show security flow
Session ID: 1165, Policy name: p
In: 10.1.1.100/1608 --> 83.66.1
Out: 83.66.162.3/80 --> 172.16

1 root@srx2> show security flow session application http

2 Session ID: 1165, Policy name: pc1-permit/4, Timeout: 1796, Valid
3 In: 10.1.1.100/1608 --> 83.66.162.3/80;tcp, If: ge-0/0/1.0, Pkts: 56, Bytes: 9312

4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28

Out: 83.66.162.3/80 --> 172.16.1.18/31434;tcp, If: ge-0/0/0.0, Pkts: 77, Bytes: 85814
Session ID: 1166, Policy name: pc1-permit/4, Timeout: 1796, Valid
In: 10.1.1.100/1609 --> 83.66.162.3/80;tcp, If: ge-0/0/1.0, Pkts: 41, Bytes: 9034
Out: 83.66.162.3/80 --> 172.16.1.18/25220;tcp, If: ge-0/0/0.0, Pkts: 50, Bytes: 53748
Session ID: 1174, Policy name: pc1-permit/4, Timeout: 1794, Valid
In: 10.1.1.100/1614 --> 80.239.148.145/80;tcp, If: ge-0/0/1.0, Pkts: 10, Bytes: 1672
Out: 80.239.148.145/80 --> 172.16.1.18/9468;tcp, If: ge-0/0/0.0, Pkts: 9, Bytes: 1794
Session ID: 1175, Policy name: pc1-permit/4, Timeout: 1794, Valid
In: 10.1.1.100/1615 --> 83.66.162.3/80;tcp, If: ge-0/0/1.0, Pkts: 115, Bytes: 26194
Out: 83.66.162.3/80 --> 172.16.1.18/1705;tcp, If: ge-0/0/0.0, Pkts: 178, Bytes: 198603
Session ID: 1177, Policy name: pc1-permit/4, Timeout: 1794, Valid
In: 10.1.1.100/1617 --> 83.66.162.3/80;tcp, If: ge-0/0/1.0, Pkts: 121, Bytes: 30372
Out: 83.66.162.3/80 --> 172.16.1.18/25670;tcp, If: ge-0/0/0.0, Pkts: 170, Bytes: 184161
Session ID: 1184, Policy name: pc1-permit/4, Timeout: 1790, Valid
In: 10.1.1.100/1621 --> 2.16.107.55/80;tcp, If: ge-0/0/1.0, Pkts: 8, Bytes: 1906
Out: 2.16.107.55/80 --> 172.16.1.18/3155;tcp, If: ge-0/0/0.0, Pkts: 8, Bytes: 1273
Session ID: 1189, Policy name: pc1-permit/4, Timeout: 1790, Valid
In: 10.1.1.100/1623 --> 2.16.85.55/80;tcp, If: ge-0/0/1.0, Pkts: 7, Bytes: 926
Out: 2.16.85.55/80 --> 172.16.1.18/25124;tcp, If: ge-0/0/0.0, Pkts: 7, Bytes: 1780
Do you see the difference? We stick to one address by using persistent address feature.
b) Destination NAT
According to our diagram we have a web server behind srx2 . What we want to do is to NAT
packets sent to 172.16.1.30 IP address and port 80 to the internal IP address 10.1.1.101 of web
server. Lets do it:
[edit security nat destination]
root@srx2# show
pool w eb-server {
address 10.1.1.101/32 port 8

1
2
3
4
5
6
7

[edit security nat destination]

root@srx2# show
pool web-server {
address 10.1.1.101/32 port 80;
}
rule-set rs1 {
from zone wan;

8
9
10
11
12
13
14
15
16
17
18

rule rl1 {
match {
source-address 0.0.0.0/0;
destination-address 172.16.1.30/32;
destination-port 80;
}
then {
destination-nat pool web-server;
}
}
}
[edit security zones security-zo
root@srx2# show
address pc1 10.1.1.100/32;
address w eb-server 10.1.1.101

1
2
3
4

[edit security zones security-zone trust address-book]

root@srx2# show
address pc1 10.1.1.100/32;
address web-server 10.1.1.101/32;
This destination nat rule says: If any packet comes from zone wan with any source address for
destination 172.16.1.30 and port 80, translate destination IP address to the address in the webserver pool but this configlet isnt sufficient for DNAT to work. We should also add 172.16.1.30
into proxy-arp settings, because srx1 doesnt reply to arp-requests for this IP address.
[edit security nat]
root@srx2# show proxy-arp
interface ge-0/0/0.0 {
address {

1
2
3
4
5
6
7
8

[edit security nat]

root@srx2# show proxy-arp
interface ge-0/0/0.0 {
address {
172.16.1.10/32 to 172.16.1.20/32;
172.16.1.30/32;
}
}
This is still not sufficient. We should also add policy to allow this particular traffic:

[edit security policies from-zone

root@srx2# show
policy w eb-server-80 {
match {

1
2
3
4
5
6
7
8
9
10
11
12

[edit security policies from-zone wan to-zone trust]

root@srx2# show
policy web-server-80 {
match {
source-address any;
destination-address web-server;
application junos-http;
}
then {
permit;
}
}
Now everything should be ok lets try to telnet to 172.16.1.30 port 80 from srx1
root@srx1% telnet 172.16.1.30
Trying 172.16.1.30...
Connected to 172.16.1.30.
Escape character is '^]'.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20

root@srx1% telnet 172.16.1.30 80

Trying 172.16.1.30...
Connected to 172.16.1.30.
Escape character is '^]'.
GET /index.html HTTP/1.1
HTTP/1.1 400 Bad Request
Date: Tue, 06 Sep 2011 19:58:19 GMT
Server: Apache/2.2.17 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 301
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />

21
22
23
24
25

</p>
<hr>
<address>Apache/2.2.17 (Ubuntu) Server at 127.0.1.1 Port 80</address>
</body></html>
Connection closed by foreign host
Now everything seems to work
c) STATIC NAT
As the name implies, we statically map addresses from one zone to another. If we take FTP
server in our diagram, we would like to translate all requests to 172.16.1.31 to inside address
10.1.1.102 without any port consideration. Here is how to do it:
First static nat configuration:
[edit security nat static]
root@srx2# show
rule-set rs1 {
from zone w an;

1
2
3
4
5
6
7
8
9
10
11
12
13

[edit security nat static]

root@srx2# show
rule-set rs1 {
from zone wan;
rule rl1 {
match {
destination-address 172.16.1.31/32;
}
then {
static-nat prefix 10.1.1.102/32;
}
}
}
Second security policy for this traffic:
[edit security policies from-zone
root@srx2# show policy ftp-se
match {
source-address any;

1
2
3
4
5
6

[edit security policies from-zone wan to-zone trust]

root@srx2# show policy ftp-server
match {
source-address any;
destination-address ftp-server;
application junos-ftp;

7
8
9
10

}
then {
permit;
}
Proxy arp setting for 172.16.1.31:
#set security nat proxy-arp interface ge-0/0/0.0 address 172.16.1.31/32
Address book entry for new FTP server:
[edit security zones security-zo
root@srx2# show address-boo
address pc1 10.1.1.100/32;
address w eb-server 10.1.1.101

1
2
3
4
5

[edit security zones security-zone trust]

root@srx2# show address-book
address pc1 10.1.1.100/32;
address web-server 10.1.1.101/32;
address ftp-server 10.1.1.102/32;
Lets try from srx2 an ftp connection:
root@srx1% ftp 172.16.1.31
Connected to 172.16.1.31.
220 ProFTPD 1.3.3d Server (De
Name (172.16.1.31:root):

1
2
3
4

root@srx1% ftp 172.16.1.31

Connected to 172.16.1.31.
220 ProFTPD 1.3.3d Server (Debian) [::ffff:10.1.1.102]
Name (172.16.1.31:root):