In this post I would like to do some experiments on advanced NAT topics according to the detailed exam guide. Here are the details:
1) Given a scenario, describe and implement static, source, destination, and dual NAT
2) Describe and implement variations of persistent NAT
3) Given a scenario, describe the interaction between NAT and security policy
Here is my test topology (the Junos release is 10.4R6.5):
        match {
            source-address 10.1.1.100/32;
            destination-address 0.0.0.0/0;
        }
        then {
            source-nat {
                interface;
            }
        }
    }
}
Once the above NAT rule is accompanied by a security policy like the one below, traffic should flow, provided the zone configuration is also correct:
[edit security policies]
root@srx2# show
from-zone trust to-zone wan {
    policy pc1-permit {
source {
    pool pc-pool {
        address {
            172.16.1.10/32 to 172.16.1.20/32;
        }
    }
    rule-set rs1 {
        from zone trust;
        to zone wan;
        rule rl1 {
            match {
                source-address 10.1.1.0/24;
                destination-address 0.0.0.0/0;
            }
            then {
                source-nat {
                    pool {
                        pc-pool;
                    }
                }
            }
        }
    }
}
If the security policy is in place and you try to reach an outside address from PC1, you will see that there is no connectivity. But why? Because srx2 does not send any ARP reply for the pool addresses we defined: they are not configured on any interface. That is why we must explicitly set proxy ARP for this range. Here is the configlet:
[edit security nat proxy-arp]
root@srx2# show
interface ge-0/0/0.0 {
    address {
Interface       Flags
ge-0/0/1.0      none
ge-0/0/1.0      none
ge-0/0/1.0      none
ge-0/0/1.0      none
ge-0/0/1.0      none
ge-0/0/1.0      none
ge-0/0/1.0      none
ge-0/0/1.0      none
ge-0/0/1.0      none
ge-0/0/1.0      none
ge-0/0/1.0      none
ge-0/0/1.0      none
ge-0/0/0.0      none
ge-0/0/0.0      none
When I activated this pool-based NAT, I wanted to see what the flow sessions look like:
[edit security policies from-zone
root@srx2# run show security
Session ID: 452, Policy name: se
In: 172.16.1.1/60334 --> 172.1
Out: 83.66.162.3/80 --> 172.16.1.18/31434;tcp, If: ge-0/0/0.0, Pkts: 77, Bytes: 85814
Session ID: 1166, Policy name: pc1-permit/4, Timeout: 1796, Valid
In: 10.1.1.100/1609 --> 83.66.162.3/80;tcp, If: ge-0/0/1.0, Pkts: 41, Bytes: 9034
Out: 83.66.162.3/80 --> 172.16.1.18/25220;tcp, If: ge-0/0/0.0, Pkts: 50, Bytes: 53748
Session ID: 1174, Policy name: pc1-permit/4, Timeout: 1794, Valid
In: 10.1.1.100/1614 --> 80.239.148.145/80;tcp, If: ge-0/0/1.0, Pkts: 10, Bytes: 1672
Out: 80.239.148.145/80 --> 172.16.1.18/9468;tcp, If: ge-0/0/0.0, Pkts: 9, Bytes: 1794
Session ID: 1175, Policy name: pc1-permit/4, Timeout: 1794, Valid
In: 10.1.1.100/1615 --> 83.66.162.3/80;tcp, If: ge-0/0/1.0, Pkts: 115, Bytes: 26194
Out: 83.66.162.3/80 --> 172.16.1.18/1705;tcp, If: ge-0/0/0.0, Pkts: 178, Bytes: 198603
Session ID: 1177, Policy name: pc1-permit/4, Timeout: 1794, Valid
In: 10.1.1.100/1617 --> 83.66.162.3/80;tcp, If: ge-0/0/1.0, Pkts: 121, Bytes: 30372
Out: 83.66.162.3/80 --> 172.16.1.18/25670;tcp, If: ge-0/0/0.0, Pkts: 170, Bytes: 184161
Session ID: 1184, Policy name: pc1-permit/4, Timeout: 1790, Valid
In: 10.1.1.100/1621 --> 2.16.107.55/80;tcp, If: ge-0/0/1.0, Pkts: 8, Bytes: 1906
Out: 2.16.107.55/80 --> 172.16.1.18/3155;tcp, If: ge-0/0/0.0, Pkts: 8, Bytes: 1273
Session ID: 1189, Policy name: pc1-permit/4, Timeout: 1790, Valid
In: 10.1.1.100/1623 --> 2.16.85.55/80;tcp, If: ge-0/0/1.0, Pkts: 7, Bytes: 926
Out: 2.16.85.55/80 --> 172.16.1.18/25124;tcp, If: ge-0/0/0.0, Pkts: 7, Bytes: 1780
Do you see the difference? We stick to one address by using the persistent-address feature.
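To make the difference visible without a lab, here is a toy source-NAT pool that reproduces the behaviour shown in the session table above. This is an added example, not code from the post or from Juniper: without address persistence each new session from PC1 may be handed any free pool address; with it, a host keeps the first pool address it was mapped to for as long as it has sessions, which is the single 172.16.1.18 seen in every `Out:` wing above. The pool range is the post's pc-pool and the flows are taken from the post's `In:` lines; the allocation order (round robin over the pool) and the port counter are assumptions for the toy, not the real Junos allocator.

```python
"""Added example, not from the original post: a toy source-NAT pool that
shows what `address-persistent` changes for a host with many sessions.

Allocation order (round robin) and port numbering are assumptions made for
the toy; the pool range and the flows are the post's.
"""
import ipaddress
import itertools


class SourceNatPool:
    def __init__(self, first, last, address_persistent=False):
        lo = int(ipaddress.ip_address(first))
        hi = int(ipaddress.ip_address(last))
        self.addresses = [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]
        self.address_persistent = address_persistent
        self._sticky = {}                                        # host -> pool address
        self._next = itertools.cycle(range(len(self.addresses)))  # assumed order
        self._ports = {a: itertools.count(1024) for a in self.addresses}

    def translate(self, src_ip):
        """Pick the translated (address, port) for a new session from src_ip."""
        if self.address_persistent and src_ip in self._sticky:
            nat_ip = self._sticky[src_ip]            # stick to the first mapping
        else:
            nat_ip = self.addresses[next(self._next)]
            if self.address_persistent:
                self._sticky[src_ip] = nat_ip
        return nat_ip, next(self._ports[nat_ip])


def build_sessions(pool, flows):
    """flows: (src_ip, src_port, dst_ip, dst_port) as on the post's 'In:' lines.
    Returns (flow, nat_ip, nat_port) per new session, in arrival order."""
    return [(flow, *pool.translate(flow[0])) for flow in flows]


def format_session(flow, nat_ip, nat_port):
    """Render one session as the In/Out wings of `show security flow session`."""
    src_ip, sport, dst_ip, dport = flow
    return (f"In: {src_ip}/{sport} --> {dst_ip}/{dport};tcp",
            f"Out: {dst_ip}/{dport} --> {nat_ip}/{nat_port};tcp")


def translated_addresses(pool, flows):
    """Distinct pool addresses the given flows end up using."""
    return sorted({nat_ip for _, nat_ip, _ in build_sessions(pool, flows)},
                  key=ipaddress.ip_address)


# Constructed from the post's session table: four PC1 sessions.
PC1_FLOWS = [
    ("10.1.1.100", 1609, "83.66.162.3", 80),
    ("10.1.1.100", 1614, "80.239.148.145", 80),
    ("10.1.1.100", 1615, "83.66.162.3", 80),
    ("10.1.1.100", 1617, "83.66.162.3", 80),
]

if __name__ == "__main__":
    for persistent in (False, True):
        print(f"address-persistent: {persistent}")
        pool = SourceNatPool("172.16.1.10", "172.16.1.20", persistent)
        for flow, nat_ip, nat_port in build_sessions(pool, PC1_FLOWS):
            print("  " + "\n  ".join(format_session(flow, nat_ip, nat_port)))
```

The security-relevant side effect is the one the exam objective hints at: with persistence a remote peer sees one stable public address per internal host, which is what address-sensitive applications and many server-side allow-lists expect, while without it the same host can appear as several addresses within seconds.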
b) Destination NAT
According to our diagram we have a web server behind srx2. What we want to do is to NAT packets sent to the IP address 172.16.1.30 on port 80 to the internal IP address 10.1.1.101 of the web server. Let's do it:
[edit security nat destination]
root@srx2# show
pool web-server {
    address 10.1.1.101/32 port 8
    rule rl1 {
        match {
            source-address 0.0.0.0/0;
            destination-address 172.16.1.30/32;
            destination-port 80;
        }
        then {
            destination-nat pool web-server;
        }
    }
}
[edit security zones security-zo
root@srx2# show
address pc1 10.1.1.100/32;
address web-server 10.1.1.101
</p>
<hr>
<address>Apache/2.2.17 (Ubuntu) Server at 127.0.1.1 Port 80</address>
</body></html>
Connection closed by foreign host
Now everything seems to work.
c) STATIC NAT
As the name implies, we statically map addresses from one zone to another. If we take the FTP server in our diagram, we would like to translate all requests to 172.16.1.31 to the inside address 10.1.1.102 without any port consideration. Here is how to do it:
First, the static NAT configuration:
[edit security nat static]
root@srx2# show
rule-set rs1 {
    from zone wan;
        }
        then {
            permit;
        }
Proxy ARP setting for 172.16.1.31:
#set security nat proxy-arp interface ge-0/0/0.0 address 172.16.1.31/32
Address book entry for the new FTP server:
[edit security zones security-zo
root@srx2# show address-boo
address pc1 10.1.1.100/32;
address web-server 10.1.1.101
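The third exam objective, the interaction between NAT and security policy, is what the address-book entries in the destination-NAT and static-NAT sections are really about, so here is a toy of the SRX first-packet path that makes the ordering explicit. This is an added example, not the post's code and not Junos source: it models static NAT, then destination NAT, then the route/zone lookup, then the policy lookup, and only then reverse-static or source NAT. Because destination and static NAT run before the policy lookup, a wan-to-trust policy must match the translated internal address (10.1.1.101, 10.1.1.102), which is why the post adds those address-book entries; because source NAT runs after the policy lookup, pc1-permit matches PC1's real address 10.1.1.100. The addresses are the post's; the destination-NAT port (80), the zone prefixes, the policy bodies (the post shows only the pc1-permit name) and the choice of the first pc-pool address for source NAT are assumptions made for the toy.

```python
"""Added example, not the post's own code: a toy SRX first-packet path showing
how NAT and security policy interact.

Order modelled (real Junos has more steps, e.g. screens, ALGs, session
install): static NAT -> destination NAT -> route/zone lookup -> policy
lookup -> reverse static NAT / source NAT.
Addresses are the post's; port 80 for the web pool, the zone prefixes, the
policy bodies and the source-pool choice are assumptions for the toy.
"""
import ipaddress

ZONES = {"trust": ipaddress.ip_network("10.1.1.0/24")}      # anything else: wan
STATIC_NAT = {"172.16.1.31": "10.1.1.102"}                  # static rule-set rs1
REVERSE_STATIC = {v: k for k, v in STATIC_NAT.items()}
DEST_NAT = {("172.16.1.30", 80): ("10.1.1.101", 80)}         # pool web-server (port assumed)
SOURCE_POOL_FIRST = "172.16.1.10"                            # pc-pool, simplified


def zone_of(ip):
    """Route lookup reduced to: inside 10.1.1.0/24 is trust, else wan."""
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "wan")


def _matches(policy, field, value):
    return policy[field] == "any" or policy[field] == value


def first_packet(src, sport, dst, dport, policies):
    """Return (action, policy_name, (src, sport, dst, dport)) for a new session;
    the 4-tuple is what the far side sees after every translation."""
    # 1. static NAT: bidirectional, ports untouched, precedence over other NAT
    if dst in STATIC_NAT:
        dst = STATIC_NAT[dst]
    # 2. destination NAT: rule matches the pre-translation destination/port
    elif (dst, dport) in DEST_NAT:
        dst, dport = DEST_NAT[(dst, dport)]
    # 3. route lookup: the to-zone comes from the *translated* destination
    from_zone, to_zone = zone_of(src), zone_of(dst)
    # 4. policy lookup sees the original source and the translated destination
    for p in policies:
        if (p["from"], p["to"]) != (from_zone, to_zone):
            continue
        if not all(_matches(p, f, v) for f, v in (("src", src), ("dst", dst), ("dport", dport))):
            continue
        if p["action"] == "permit" and (from_zone, to_zone) == ("trust", "wan"):
            # 5. only a permitted session gets its source translated: a static
            #    mapping wins, otherwise the pc-pool source-NAT rule applies
            src = REVERSE_STATIC.get(src, SOURCE_POOL_FIRST)
        return p["action"], p["name"], (src, sport, dst, dport)
    return "deny", "default-deny", (src, sport, dst, dport)


# Assumed policy bodies (the post shows only the pc1-permit name).
POLICIES = [
    {"name": "pc1-permit", "from": "trust", "to": "wan",
     "src": "10.1.1.100", "dst": "any", "dport": "any", "action": "permit"},
    {"name": "ftp-out", "from": "trust", "to": "wan",
     "src": "10.1.1.102", "dst": "any", "dport": "any", "action": "permit"},
    {"name": "web-in", "from": "wan", "to": "trust",
     "src": "any", "dst": "10.1.1.101", "dport": 80, "action": "permit"},
    {"name": "ftp-in", "from": "wan", "to": "trust",
     "src": "any", "dst": "10.1.1.102", "dport": "any", "action": "permit"},
]

# The mistake the ordering explains: writing the public address into the policy.
WRONG_POLICIES = [dict(POLICIES[2], dst="172.16.1.30")]

if __name__ == "__main__":
    # Constructed test flows; 203.0.113.5 is a documentation address standing in
    # for an Internet client.
    for pkt in [("203.0.113.5", 40000, "172.16.1.30", 80),
                ("203.0.113.5", 40001, "172.16.1.31", 21),
                ("10.1.1.100", 1609, "83.66.162.3", 80),
                ("10.1.1.102", 2000, "83.66.162.3", 80)]:
        print(pkt, "->", first_packet(*pkt, POLICIES))
    print("public address in policy ->", first_packet("203.0.113.5", 40000, "172.16.1.30", 80, WRONG_POLICIES)[0])
```

The last line of the demo is the troubleshooting lesson: a policy that names 172.16.1.30 never matches, because by the time the policy engine runs the destination is already 10.1.1.101, and the session is dropped by the default deny even though the destination-NAT rule itself is correct.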