Configure Destination NAT in Juniper SRX via Command Line


This is the second part of the NAT configuration lab on Juniper SRX devices. Previously, we showed how to configure source NAT on Juniper SRX. Now we will configure destination NAT.

We will implement destination NAT on the vSRX node so that Host-1 and Host-2 can be reached from the public network. The translated IPs are the addresses in the Host-1 and Host-2 segments:

  • 5.5.5.10 translated to 192.168.1.2
  • 5.5.5.2 port 4444 translated to 192.168.1.2 port 22.

See other articles about NAT on Juniper SRX series devices.

Preconfig

To make sure we start with the same conditions, make sure you have configured the following:

  • Initial Configuration (Hostname, Management, Users, etc)
  • Interface Addressing.
  • Security Zone
  • Routing

For security we use the default security zones and the default security policies of Juniper vSRX 20.1R1. All local interfaces (ge-0/0/1, ge-0/0/2, and ge-0/0/3) are assigned to the trust zone, while the public interface (ge-0/0/0) belongs to the untrust zone. Traffic from the trust zone to the trust zone is permitted, and traffic from the untrust zone to the trust zone is also permitted.

Here are the configuration details for the vSRX node. Everything not marked "## Default vSRX 20.1R1" is configuration set by me (not the SRX default).

system {
    host-name vSRX;
    ... ## Default vSRX 20.1R1
}
security {
    .... ## Default vSRX 20.1R1
    policies {
        from-zone trust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            tcp-rst;
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
                ge-0/0/2.0;
                ge-0/0/3.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 5.5.5.2/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 192.168.2.1/24;
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family inet {
                address 192.168.3.1/24;
            }
        }
    }
    fxp0 {
        unit 0 {
            family inet {
                dhcp;
            }
        }
    }
}
routing-options {
    static {
        route 8.8.8.0/24 next-hop 5.5.5.1;
    }
}

And this is the configuration of the Router (we use Junos Olive 12.1R1 as the router). On this Router we do not configure any routes to the local networks (private IPv4); we only route to the public network (public IPv4) where needed.

system {
    host-name Router;
    .... ## Default Junos Olive 12.1R1
}
interfaces {
    em0 {
        unit 0 {
            family inet {
                address 5.5.5.1/24;
            }
        }
    }
    em1 {
        unit 0 {
            family inet {
                address 8.8.8.1/24;
            }
        }
    }
}

If you have already configured source NAT on the vSRX, no problem, just continue with this part 2, destination NAT. The source NAT configuration from the previous part has no effect on this destination NAT.

On Host-1, Host-2, Host-3, and Public-server we configure addressing as usual, including the default gateway. An SSH service is also running on them for testing later. Apart from SSH, you can use any application that runs over TCP/UDP. Let's begin the configuration!

Configure Destination NAT without PAT

First, create a destination NAT pool for the address 192.168.1.2. I named it "Host-1".

[edit security nat destination]
lab@vSRX# set pool Host-1 address 192.168.1.2

Then, create a destination NAT rule-set; I named it DstNAT-to-TrustZone. Set the traffic-direction match criteria: destination NAT rule-sets only take the "from" option (there is no "to"). In this example, we use the zone as the "from" criterion.

[edit security nat destination rule-set DstNAT-to-TrustZone]
lab@vSRX# set from zone untrust

After that, create a destination NAT rule inside the DstNAT-to-TrustZone rule-set; I named it "to-Host1". Then define the packet match criteria: use 5.5.5.10 as the destination-address. Finally, set the destination-nat action to the Host-1 pool.

[edit security nat destination rule-set DstNAT-to-TrustZone rule to-Host1]
lab@vSRX# set match destination-address 5.5.5.10
lab@vSRX# set then destination-nat pool Host-1

Almost done. The last step is configuring proxy ARP, because the IP 5.5.5.10 is not assigned to any vSRX interface. Proxy ARP makes the Juniper SRX answer ARP requests for 5.5.5.10 on ge-0/0/0; without it, the Router would never forward packets for 5.5.5.10 to the vSRX.

[edit security nat proxy-arp]
lab@vSRX# set interface ge-0/0/0 address 5.5.5.10

That is it. Now check the connection from Public-server to Host-1 using IP 5.5.5.10. It's connected.

root@Public-server:~# ping 5.5.5.10
PING 5.5.5.10 (5.5.5.10) 56(84) bytes of data.
64 bytes from 5.5.5.10: icmp_seq=1 ttl=62 time=1.81 ms
64 bytes from 5.5.5.10: icmp_seq=2 ttl=62 time=1.40 ms
^C
--- 5.5.5.10 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 1.401/1.607/1.813/0.206 ms
root@Public-server:~# ssh rizqi@5.5.5.10
rizqi@5.5.5.10's password: 

lab@vSRX> show security flow session    
Session ID: 90, Policy name: default-permit/6, Timeout: 1798, Valid
  In: 8.8.8.8/56844 --> 5.5.5.10/22;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 14, Bytes: 2465, 
  Out: 192.168.1.2/22 --> 8.8.8.8/56844;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 13, Bytes: 2385, 
Total sessions: 1

Configure Destination NAT with PAT

Now we will implement destination NAT for a specific port only. We will divert traffic from the public network that is destined to the vSRX itself: traffic with destination-address 5.5.5.2, port 4444 will be diverted to 192.168.2.2 port 22. So Host-2's SSH becomes accessible from the public network, and only SSH (port 22).

First, create a pool for Host-2's IP address 192.168.2.2 port 22. I named it "Host-2".

[edit security nat destination]
lab@vSRX# set pool Host-2 address 192.168.2.2 port 22

Because the packet direction is still from the public network (untrust zone), we just create another destination-nat rule inside the existing DstNAT-to-TrustZone rule-set. I named the rule "to-SSH-Host2". Then define the packet match criteria.

[edit security nat destination rule-set DstNAT-to-TrustZone rule to-SSH-Host2]
lab@vSRX# set match destination-address 5.5.5.2
lab@vSRX# set match protocol tcp
lab@vSRX# set match destination-port 4444

Then, define the action to Host-2 pool.

[edit security nat destination rule-set DstNAT-to-TrustZone rule to-SSH-Host2]
lab@vSRX# set then destination-nat pool Host-2

Because 5.5.5.2 is an address of the vSRX itself, we do not need to configure proxy ARP for it. Now commit the configuration changes, then test SSH from Public-server to 5.5.5.2 port 4444. It should work and land on Host-2's SSH service.

root@Public-server:~# ssh rizqi@5.5.5.2 -p 4444
rizqi@5.5.5.2's password: 
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-39-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sun Aug  9 04:45:31 UTC 2020

  System load:  0.0                Processes:             111
  Usage of /:   25.7% of 19.07GB   Users logged in:       1
  Memory usage: 51%                IPv4 address for ens4: 192.168.2.2
  Swap usage:   0%


0 updates can be installed immediately.
0 of these updates are security updates.


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Sun Aug  9 04:45:24 2020 from 8.8.8.8
rizqi@Host-2:~$ 

lab@vSRX> show security flow session 
Session ID: 88, Policy name: default-permit/6, Timeout: 1786, Valid
  In: 8.8.8.8/50528 --> 5.5.5.2/4444;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 31, Bytes: 4157, 
  Out: 192.168.2.2/22 --> 8.8.8.8/50528;tcp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 28, Bytes: 5109, 
Total sessions: 1

That's all for the destination NAT configuration. Remember, destination NAT only translates the destination address. So if you have not configured source NAT yet, the local network still cannot reach the public network, even though it is reachable from the public network.

If you want the local network to reach the public network and vice versa, you must configure both source and destination NAT, or configure static NAT instead. We will continue with the static NAT configuration in another post.

An explanation in Indonesian of how to configure destination NAT on Juniper SRX is given in the following video:

How to reorder NAT rules on Juniper SRX

As additional information, a NAT type may contain several rule-sets, and a rule-set may contain several NAT rules. Keep in mind that both the rule-sets and the rules inside them are evaluated one by one from top to bottom, and the first match wins. So it is important to order the rules correctly, or the NAT won't behave as intended.

If you need to reorder the rules, you can use the insert command. Our NAT configuration example above has only two rules whose match criteria do not overlap, so their order has no effect. But I'll show you another example here.

In this case, we want all traffic destined to 206.0.2.2 to be redirected to DMZ-Host. But if our rules are arranged like this, traffic to 206.0.2.2 will be redirected to Local-server instead of DMZ-Host, because rule1 matches first.

[edit security nat destination rule-set Dstnat-Group]
user@Juniper# show 
from zone trust;
rule rule1 {
    match {
        destination-address 206.0.2.2/32;
    }
    then {
        destination-nat {
            pool {
                Local-server;
            }
        }
    }
}
rule rule2 {
    match {
        destination-address 206.0.2.2/32;
    }
    then {
        destination-nat {
            pool {
                DMZ-Host;
            }
        }
    }
}

To fix it, we move rule2 above rule1. I know removing rule1 would be better, but this is just an example. Hehe.

[edit security nat destination rule-set Dstnat-Group]
user@Juniper# insert rule rule2 before rule1
or ...
[edit security nat destination rule-set Dstnat-Group]
user@Juniper# insert rule rule1 after rule2

Now our rule sequence looks like this, and any traffic with destination-address 206.0.2.2 will be redirected to DMZ-Host.

[edit security nat destination rule-set Dstnat-Group]
user@Juniper# show 
from zone untrust;
rule rule2 {
    match {
        destination-address 206.0.2.2/32;
    }
    then {
        destination-nat {
            pool {
                DMZ-Host;
            }
        }
    }
}
rule rule1 {
    match {
        destination-address 206.0.2.2/32;
    }
    then {
        destination-nat {
            pool {
                Local-server;
            }
        }
    }
}
