Configure Static NAT in Juniper SRX via Command Line


This is the last part of the NAT configuration lab on Juniper SRX devices. Previously, we showed how to configure source NAT and destination NAT on Juniper SRX devices. Source NAT translates only the source address, and destination NAT translates only the destination address. Static NAT, on the other hand, translates both the source address and the destination address.

When we create a static NAT rule, it translates the destination address x.x.x.x to y.y.y.y. In the other direction, vSRX automatically creates a reverse static NAT that translates the source address y.y.y.y to x.x.x.x.

We will implement static NAT on the vSRX node so that Host-3 can reach the public networks and can also be reached from the public networks using IP 5.5.5.5.

See other articles about NAT on Juniper SRX series devices.

Preconfig

To make sure we start with the same conditions, make sure you have configured the following:

  • Initial Configuration (Hostname, Management, Users, etc)
  • Interface Addressing.
  • Security Zone
  • Routing

For security we use the default security zones and the default security policies of Juniper vSRX 20.1R1. All local interfaces (ge-0/0/1, ge-0/0/2, and ge-0/0/3) are assigned to the trust zone, while the public interface (ge-0/0/0) belongs to the untrust zone. Traffic from the trust zone to the trust zone is permitted, and traffic from the untrust zone to the trust zone is also permitted.

Here are the configuration details for the vSRX node. The lines highlighted in yellow are the ones I set myself (not SRX defaults).

system {
    host-name vSRX;
    ... ## Default vSRX 20.1R1
}
security {
    .... ## Default vSRX 20.1R1
    policies {
        from-zone trust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            tcp-rst;
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
                ge-0/0/2.0;
                ge-0/0/3.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 5.5.5.2/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 192.168.2.1/24;
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family inet {
                address 192.168.3.1/24;
            }
        }
    }
    fxp0 {
        unit 0 {
            family inet {
                dhcp;
            }
        }
    }
}
routing-options {
    static {
        route 8.8.8.0/24 next-hop 5.5.5.1;
    }
}

And here is the configuration of the Router (we use Junos Olive 12.1R1 as the router). On this Router, we don't configure routing to the local networks (private IPv4); we only route to the public networks (public IPv4) where needed.

system {
    host-name Router;
    .... ## Default Junos Olive 12.1R1
}                                       
interfaces {
    em0 {
        unit 0 {
            family inet {
                address 5.5.5.1/24;
            }     
        }
    }
    em1 {
        unit 0 {
            family inet {
                address 8.8.8.1/24;
            }
        }
    }
}

If you have previously configured source and/or destination NAT on vSRX, that is no problem; just continue with this part 3, static NAT. The source and destination NAT configuration from the earlier parts does not affect this static NAT.

On Host-1, Host-2, Host-3, and Public-server, we configure addressing as usual, including the default gateway. An SSH service is also running on each of them for testing later. Apart from SSH, you can use any application that runs over TCP or UDP. Let's begin the configuration!

Configure Static NAT

Create a static NAT rule set; I named it "Static-group". Then define the from option.

[edit security nat static rule-set Static-group]
lab@vSRX# set from zone untrust 

Create a NAT rule inside the Static-group rule set; I named it "Host3-NAT". Then define the packet match criteria and the action.

[edit security nat static rule-set Static-group rule Host3-NAT]
lab@vSRX# set match destination-address 5.5.5.5
lab@vSRX# set then static-nat prefix 192.168.3.2

Don't forget to configure proxy ARP, because the IP address 5.5.5.5 isn't assigned to any vSRX interface.

[edit security nat]
lab@vSRX# set proxy-arp interface ge-0/0/0 address 5.5.5.5

Then commit the changes!

Let's check. Host-3 can now access the public networks.

rizqi@Host-3:~$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=62 time=1.11 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=62 time=1.43 ms
^C
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 1.106/1.265/1.425/0.159 ms
rizqi@Host-3:~$ ssh rizqi@8.8.8.8
rizqi@8.8.8.8's password: 

And vice versa: the public networks can access Host-3 using address 5.5.5.5.

root@Public-server:~# ping 5.5.5.5
PING 5.5.5.5 (5.5.5.5) 56(84) bytes of data.
64 bytes from 5.5.5.5: icmp_seq=1 ttl=62 time=1.37 ms
64 bytes from 5.5.5.5: icmp_seq=2 ttl=62 time=1.39 ms
^C
--- 5.5.5.5 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 1.367/1.376/1.385/0.009 ms
root@Public-server:~# ssh rizqi@5.5.5.5
rizqi@5.5.5.5's password: 

Here are the sessions for both directions of traffic.

lab@vSRX> show security flow session 
Session ID: 111, Policy name: default-permit/5, Timeout: 1630, Valid
  In: 192.168.3.2/55724 --> 8.8.8.8/22;tcp, Conn Tag: 0x0, If: ge-0/0/3.0, Pkts: 15, Bytes: 2517, 
  Out: 8.8.8.8/22 --> 5.5.5.5/55724;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 13, Bytes: 2385, 

Session ID: 117, Policy name: default-permit/6, Timeout: 1712, Valid
  In: 8.8.8.8/45194 --> 5.5.5.5/22;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 14, Bytes: 2465, 
  Out: 192.168.3.2/22 --> 8.8.8.8/45194;tcp, Conn Tag: 0x0, If: ge-0/0/3.0, Pkts: 19, Bytes: 4321, 
Total sessions: 2
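As an added example (not part of the original lab), here is a small Python parser that reads the session output above and checks each session against the static NAT mapping 5.5.5.5 <-> 192.168.3.2. It confirms that the one rule works in both directions and that static NAT leaves the ports untouched. The session text is constructed from the output shown above; the function names parse_sessions and classify_static_nat are my own.

```python
import re

# Constructed sample: the two sessions shown in the tutorial's
# "show security flow session" output (not live device output).
SESSION_OUTPUT = """\
Session ID: 111, Policy name: default-permit/5, Timeout: 1630, Valid
  In: 192.168.3.2/55724 --> 8.8.8.8/22;tcp, Conn Tag: 0x0, If: ge-0/0/3.0, Pkts: 15, Bytes: 2517,
  Out: 8.8.8.8/22 --> 5.5.5.5/55724;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 13, Bytes: 2385,

Session ID: 117, Policy name: default-permit/6, Timeout: 1712, Valid
  In: 8.8.8.8/45194 --> 5.5.5.5/22;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 14, Bytes: 2465,
  Out: 192.168.3.2/22 --> 8.8.8.8/45194;tcp, Conn Tag: 0x0, If: ge-0/0/3.0, Pkts: 19, Bytes: 4321,
Total sessions: 2
"""

SESSION_RE = re.compile(r"^Session ID: (\d+), Policy name: (\S+),")
WING_RE = re.compile(r"^\s+(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+),.*If: (\S+),")


def parse_sessions(text):
    """Return one dict per session, holding its 'in' and 'out' wings."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            sessions.append({"id": int(m.group(1)), "policy": m.group(2)})
            continue
        m = WING_RE.match(line)
        if m and sessions:
            sessions[-1][m.group(1).lower()] = {
                "src": m.group(2), "sport": int(m.group(3)),
                "dst": m.group(4), "dport": int(m.group(5)),
                "proto": m.group(6), "iface": m.group(7),
            }
    return sessions


def classify_static_nat(session, public_ip, private_ip):
    """Classify a session against the mapping public_ip <-> private_ip.
    The Out wing is written from the reply's point of view, so the SRX-side
    address appears as the Out wing's destination."""
    i, o = session["in"], session["out"]
    # Inbound (the rule as written): a client hits public_ip, forwarded to private_ip.
    if i["dst"] == public_ip and o["src"] == private_ip and i["dport"] == o["sport"]:
        return "inbound"
    # Outbound (the automatic reverse rule): private_ip leaves as public_ip.
    if i["src"] == private_ip and o["dst"] == public_ip and i["sport"] == o["dport"]:
        return "outbound"
    return "no-static-nat"
```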

That's all for the static NAT configuration on Juniper vSRX.

For a discussion of static NAT on Juniper SRX in Indonesian, please watch the following video.

OK, this article ends our series on NAT on Juniper SRX devices. Next, we will discuss IPsec VPN on Juniper SRX. Good luck and see you next time!
