Configure Source NAT in Juniper SRX via Command Line


Hi! This is the first part of the NAT configuration lab on Juniper SRX devices. The plan is to demonstrate how to configure source NAT, destination NAT, and static NAT on Juniper SRX. In this first article, I will demonstrate how to configure source NAT on Juniper vSRX using the command line interface (CLI).

Our objective is shown in the image above. We assume that the vSRX, the router, and the public server are on the public network (internet), and that Host-1, Host-2, and Host-3 are on the local network. By default, the public network cannot communicate with the local network, because the local network does not have a public IP.

So, we will implement source NAT on the vSRX node. The translated IPs are the IPs of the Host-1 and Host-2 segments:

  • 192.168.1.0/24 translated to 11.11.11.0/26 (11.11.11.1 - 11.11.11.63).
  • 192.168.2.0/24 translated to the IP of the egress interface (5.5.5.2).

See other articles about NAT on Juniper SRX series devices.

Preconfig

To make sure we start with the same conditions, make sure you have configured the following:

  • Initial Configuration (Hostname, Management, Users, etc)
  • Interface Addressing.
  • Security Zone
  • Routing

For security, we use the default security zones and the default security policies of Juniper vSRX 20.1R1. All local interfaces (ge-0/0/1, ge-0/0/2, and ge-0/0/3) are assigned to the trust zone, while the public interface (ge-0/0/0) belongs to the untrust zone. Traffic from the trust zone to the trust zone is permitted, and traffic from the untrust zone to the trust zone is also permitted.

Here are the configuration details for the vSRX node. The parts highlighted in yellow are configuration set by me (not the SRX default).

system {
    host-name vSRX;
    ... ## Default vSRX 20.1R1
}
security {
    .... ## Default vSRX 20.1R1
    policies {
        from-zone trust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            tcp-rst;
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
                ge-0/0/2.0;
                ge-0/0/3.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 5.5.5.2/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 192.168.2.1/24;
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family inet {
                address 192.168.3.1/24;
            }
        }
    }
    fxp0 {
        unit 0 {
            family inet {
                dhcp;
            }
        }
    }
}
routing-options {
    static {
        route 8.8.8.0/24 next-hop 5.5.5.1;
    }
}

And this is the configuration of the Router (we use Junos Olive 12.1R1 for the router). On this Router, we don't configure routing to the local networks (private IPv4); we only route to the public network (public IPv4) if needed.

system {
    host-name Router;
    .... ## Default Junos Olive 12.1R1
}
interfaces {
    em0 {
        unit 0 {
            family inet {
                address 5.5.5.1/24;
            }
        }
    }
    em1 {
        unit 0 {
            family inet {
                address 8.8.8.1/24;
            }
        }
    }
}

On Host-1, Host-2, Host-3, and Public-server, we configure addressing as usual, including the default gateway. An SSH service is also active for later testing. Apart from SSH, you can use any application that uses the TCP/UDP protocol. Let's begin the configuration!

Pool-based Source-NAT with or without PAT

Create a NAT pool for IP 11.11.11.1 to 11.11.11.62, which we will use for source NAT with PAT (first task). I named it "Public-ipv4".

[edit security nat source]
lab@vSRX# set pool "Public-ipv4" address 11.11.11.1 to 11.11.11.62

Then, add a rule-set (I named it "Ge1-NAT") and define the traffic direction by interface (from interface ge-0/0/1 to ge-0/0/0). A description is optional.

[edit security nat source rule-set Ge1-NAT]
lab@vSRX# set from interface ge-0/0/1
lab@vSRX# set to interface ge-0/0/0

Then, create a source NAT rule (I named it "Network-1-SrcNAT") and define the packet match criteria. We use source-address 192.168.1.0/24 as the match criterion. A description is optional but recommended.

[edit security nat source rule-set Ge1-NAT rule Network-1-SrcNAT]
lab@vSRX# set description "Source-NAT for Host-1 Network"
lab@vSRX# set match source-address 192.168.1.0/24

Define the action for source NAT: we use the pool "Public-ipv4" that we created before.

[edit security nat source rule-set Ge1-NAT rule Network-1-SrcNAT]
lab@vSRX# set then source-nat pool Public-ipv4

Don't forget to configure proxy ARP so that the Juniper SRX replies to ARP requests for IP 11.11.11.1 - 11.11.11.62 on the ge-0/0/0 interface.

[edit security nat proxy-arp]
lab@vSRX# set interface ge-0/0/0 address 11.11.11.1 to 11.11.11.62

And commit!

For your information, the source NAT action has an option called persistent-nat.

[edit security nat source rule-set Ge1-NAT rule Network-1-SrcNAT]
lab@vSRX# set then source-nat pool Public-ipv4 ?    
Possible completions:
  <[Enter]>            Execute this command
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> persistent-nat       Persistent NAT info
  |                    Pipe through a command

The persistent-nat feature ensures that all requests from the same internal transport address are mapped to the same reflexive transport address (the public IP address and port created by the NAT device closest to the STUN server). Check the details on persistent-nat in the Juniper TechLibrary.

Okay, let's continue our configuration. Now we move to the Router. Because 11.11.11.0 - 11.11.11.62 is not in the Router's routing table, we must configure a route to 11.11.11.0/26.

[edit routing-options static]
lab@Router# set route 11.11.11.0/26 next-hop 5.5.5.2

Now, we check whether Host-1 can communicate with the Public-server.

rizqi@Host-1:~$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=62 time=4.06 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=62 time=1.53 ms
^C
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 1.526/2.790/4.055/1.264 ms

rizqi@Host-1:~$ ssh rizqi@8.8.8.8
The authenticity of host '8.8.8.8 (8.8.8.8)' can't be established.
ECDSA key fingerprint is SHA256:/ddope7DYtQyWdWlREc1X8VEqQp5SM2jbnYOCMAhGAA.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '8.8.8.8' (ECDSA) to the list of known hosts.
rizqi@8.8.8.8's password:

As you see, Host-1 can connect to Public-server (8.8.8.8), and a security flow session is created on the vSRX. Note that the source port is also translated.

lab@vSRX> show security flow session 
Session ID: 8, Policy name: default-permit/4, Timeout: 1794, Valid
  In: 192.168.1.2/36598 --> 8.8.8.8/22;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 13, Bytes: 2413, 
  Out: 8.8.8.8/22 --> 11.11.11.6/2999;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 11, Bytes: 2281, 
Total sessions: 1

To disable Port Address Translation in pool-based source NAT, we configure it on our source NAT pool, Public-ipv4.

[edit security nat source pool Public-ipv4]
lab@vSRX# set port no-translation 

Check again, try to connect to Public-server from Host-1. And the session will be like this:

lab@vSRX> show security flow session    
Session ID: 10, Policy name: default-permit/4, Timeout: 1798, Valid
  In: 192.168.1.2/36602 --> 8.8.8.8/22;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 14, Bytes: 2465, 
  Out: 8.8.8.8/22 --> 11.11.11.1/36602;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 12, Bytes: 2333, 
Total sessions: 1

On pool-based source NAT, there is an overflow option. It is used when all the addresses in the pool are used up: the SRX then maps to an address on the interface or to an address in another pool.

[edit security nat source pool Public-ipv4]
lab@vSRX# set overflow-pool ?
Possible completions:
  <pool-name>          Name of source address pool
  interface            Allow interface pool to support overflow

Interface-based Source-NAT with PAT

Now we move to the second task: we will configure source NAT for 192.168.2.0/24 using the egress interface. PAT is required and active by default.

Let's create a new rule-set (I named it Ge2-NAT) and specify the entry and exit interfaces.

[edit security nat source rule-set Ge2-NAT]
lab@vSRX# set from interface ge-0/0/2
lab@vSRX# set to interface ge-0/0/0

Then, create a new source NAT rule in the Ge2-NAT rule-set. I named it Network-2-SrcNAT. A description is optional but recommended. Also, define the packet match criteria; here we use source-address.

[edit security nat source rule-set Ge2-NAT rule Network-2-SrcNAT]
lab@vSRX# set description "Source-NAT for Host-2 Network using egress interface"
lab@vSRX# set match source-address 192.168.2.0/24

Then, define the action.

[edit security nat source rule-set Ge2-NAT rule Network-2-SrcNAT]
lab@vSRX# set then source-nat interface

Now, commit. And check that Host-2 can reach Public-server.

rizqi@Host-2:~$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=62 time=1.73 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=62 time=1.39 ms
^C
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 1.386/1.556/1.727/0.170 ms

rizqi@Host-2:~$ ssh rizqi@8.8.8.8
rizqi@8.8.8.8's password: 

And PAT is also running.

lab@vSRX> show security flow session 
Session ID: 27, Policy name: default-permit/5, Timeout: 1790, Valid
  In: 192.168.2.2/60310 --> 8.8.8.8/22;tcp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 13, Bytes: 2413, 
  Out: 8.8.8.8/22 --> 5.5.5.2/30859;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 11, Bytes: 2281, 
Total sessions: 1
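The three flow sessions shown above (pool NAT with PAT, pool NAT after port no-translation, and interface NAT) are exactly what an operator checks when verifying that source NAT does what the rule-sets intend. The following script is an added example, not code from the original post or from Juniper: it parses the text of `show security flow session`, takes the translated source from the Out wing, and reports for each session whether it was translated to the pool or to the egress interface, whether PAT happened, and whether the translated address lies outside the expected 11.11.11.1-62 pool (the sample output, the pool range and the expected mapping are constructed from this lab's addressing).

```python
import ipaddress
import re
# Constructed sample in the format of "show security flow session" (not captured from the lab);
# the three sessions cover pool NAT with PAT, pool NAT without PAT and interface NAT with PAT.
SAMPLE_OUTPUT = """\
Session ID: 8, Policy name: default-permit/4, Timeout: 1794, Valid
  In: 192.168.1.2/36598 --> 8.8.8.8/22;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 13, Bytes: 2413,
  Out: 8.8.8.8/22 --> 11.11.11.6/2999;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 11, Bytes: 2281,
Session ID: 10, Policy name: default-permit/4, Timeout: 1798, Valid
  In: 192.168.1.2/36602 --> 8.8.8.8/22;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 14, Bytes: 2465,
  Out: 8.8.8.8/22 --> 11.11.11.1/36602;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 12, Bytes: 2333,
Session ID: 27, Policy name: default-permit/5, Timeout: 1790, Valid
  In: 192.168.2.2/60310 --> 8.8.8.8/22;tcp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 13, Bytes: 2413,
  Out: 8.8.8.8/22 --> 5.5.5.2/30859;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 11, Bytes: 2281,
Total sessions: 3
"""
# Intended translations from the lab design: Host-1's segment to the 11.11.11.1-62 pool,
# Host-2's segment to the egress interface address 5.5.5.2.
POOL = {ipaddress.ip_address("11.11.11.1") + i for i in range(62)}
EXPECTED = {
    ipaddress.ip_network("192.168.1.0/24"): ("pool", POOL),
    ipaddress.ip_network("192.168.2.0/24"): ("interface", {ipaddress.ip_address("5.5.5.2")}),
}

SESSION_RE = re.compile(r"Session ID: (\d+),")
IN_RE = re.compile(r"In: (\S+)/(\d+) --> \S+/\d+;\w+")
# The Out wing is the reverse direction, so its destination is the translated source.
OUT_RE = re.compile(r"Out: \S+/\d+ --> (\S+)/(\d+);\w+")

def parse_sessions(text):
    """Return [(session_id, orig_src, orig_port, xlat_src, xlat_port)] from flow session output."""
    sessions, current = [], []
    for line in text.splitlines():
        if m := SESSION_RE.search(line):
            current = [int(m.group(1))]
        elif (m := IN_RE.search(line)) or (m := OUT_RE.search(line)):
            current += [ipaddress.ip_address(m.group(1)), int(m.group(2))]
            if line.lstrip().startswith("Out:"):
                sessions.append(tuple(current))
    return sessions

def classify(session):
    """Describe one session's source NAT; flag a translated address outside the expected set."""
    _, src, sport, xsrc, xport = session
    for network, (kind, allowed) in EXPECTED.items():
        if src in network:
            if xsrc not in allowed:
                return "unexpected translated address"
            return kind + (" with PAT" if xport != sport else " without PAT")
    return "no source-NAT rule expected"
```

Run `for s in parse_sessions(SAMPLE_OUTPUT): print(s[0], classify(s))` to get one line per session; on a real box, paste the output of `show security flow session` in place of the constructed sample.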

Source NAT only translates the source address. Thus, the local networks can access the public networks, but not vice versa.

That is all for the source NAT configuration. We will continue with destination NAT and static NAT in other posts.

An explanation in Indonesian of how to configure source NAT on Juniper SRX is given in the following video:
