What is NAT: Source, Destination, and Static NAT on Juniper (Junos OS)


What is NAT?

NAT (Network Address Translation) is a service that translates one address into another. NAT is needed on today's IPv4 networks because public IPv4 addresses are scarce. As a result, some network segments, usually a SOHO network but sometimes also part of a data center, can only use private IPv4 addresses.

As we know, every computer connected to the worldwide network we call the internet should have a public IPv4 address. Your computer can only reach the internet, and be reached from the internet, when it has a public IPv4 address.

You may notice that your laptop or phone has only a private IPv4 address configured. So why can it still access the internet? Because NAT is running on your home router or at your ISP.

What is Source NAT (Src-NAT), Destination NAT (Dst-NAT), and Static-NAT?

I think these are the key points that distinguish them:
Source NAT translates the source address.
Destination NAT translates the destination address.
Static NAT translates both the source and the destination address.

Source-NAT

Let's look at the source NAT example below. There is a client that has only a private IPv4 address and a server that has a public IPv4 address. Without NAT, the client cannot access the internet or be accessed from the internet, because no routing table on the internet leads to a private IPv4 address. Request traffic from the client might reach a computer on the internet, but the response traffic from that computer cannot reach the client.

The solution to this problem is source NAT. When the client initiates communication to the server, the router translates the source address 10.1.1.2 to 200.1.1.100 and creates a corresponding session. Because of that session, the return traffic from the server (the internet) can reach the client.

lab@vSRX> show security flow session 
Session ID: 61, Policy name: default-permit/4, Timeout: 1726, Valid
In: 10.1.1.2/54911 --> 200.1.1.5/80;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 9, Bytes: 2077, 
Out: 200.1.1.5/22000 --> 200.1.1.100/54911;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 7, Bytes: 1977,

Wait, you are using IP 200.1.1.100? When traffic returns from the internet, how do devices on the internet find out which device owns the IP 200.1.1.100?

Good question! On Juniper, when you configure pool-based NAT, whether source, destination or static NAT, you are required to configure Proxy ARP. What is Proxy ARP? Proxy ARP allows the Junos device to respond to ARP requests that seek the owner of an IP address resulting from NAT translation (in the example above, 200.1.1.100).

On Juniper devices, source NAT has two types of address mapping, namely interface-based and pool-based.
Interface-based: the source IP address is translated to the IP address of the egress interface. PAT is required and enabled by default.
Pool-based: the source IP address is translated to a specific user-defined pool address. It can be used with or without PAT.

Source NAT on Juniper devices also requires match conditions. There are two layers: traffic direction and packet information.

The first layer is traffic direction. It indicates the direction of the packet: from where and to where. We can specify the direction based on interfaces, zones, or routing instances.

The second layer is packet information. This option indicates from whom to whom, and which kind of application. The packet information match criteria should include a source-address or destination-address. Additionally, they can also include source-port, destination-port, and protocol.

It should be noted that source NAT only translates the source address. You may see what looks like a destination address translation in the example above, that is, when the router receives return traffic from the server to the client (200.1.1.100 is translated back to 10.1.1.2). But that happens only because there is already a session that translated the source address (10.1.1.2 to 200.1.1.100).

However, no destination address translation will occur when the server initiates communication to the client. For that we need Destination NAT, which can translate the destination address of the first packet.

Destination-NAT

Destination NAT also requires match criteria for traffic direction and packet information, the same as source NAT. The differences are: in the traffic direction there is only the from option, to determine where the traffic is coming from; and in the packet information criteria, all options (source-address, destination-address, source-port, destination-port, and protocol) are optional except destination-address. PAT is also available in destination NAT.

Let's look at the destination NAT example below. In our case we only have one public IPv4 address from the ISP, the IP assigned to the router's outbound interface (200.1.1.1). But we want the web service running on a local server to be reachable from the internet. The local server doesn't have a public IPv4 address.

Destination NAT is the solution for this problem. We translate the HTTP (port 80) traffic destined for 200.1.1.1 to IP 10.1.1.2 port 80. So when a computer on the internet wants to access our website on the local server, it can reach it at 200.1.1.1 port 80.

lab@vSRX> show security flow session    
Session ID: 48, Policy name: default-permit/4, Timeout: 1798, Valid
In: 200.1.1.5/41413 --> 200.1.1.1/80;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 9, Bytes: 2077, 
Out: 10.1.1.2/80 --> 200.1.1.5/41413;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 7, Bytes: 1977, 
Total sessions: 1

With this destination NAT, the source address of the return traffic (from the local server to the internet) will automatically be translated to 200.1.1.1.

But if the local server initiates communication to the internet, its source address will not be translated. If the local server needs to initiate communication to the internet, we must configure source NAT on the router to translate the local server's IP 10.1.1.2 to a public IPv4 address.

Static-NAT

Or we can configure static NAT, so the local server can both access the internet and be accessed from the internet. Let's look at the static NAT example below.

Based on the illustration above, we translate IP 200.1.1.100 to the local server (10.1.1.2), so the local server can access the internet and vice versa. Yes, we don't need to configure source NAT and destination NAT. When we create a static NAT, it translates the destination address x.x.x.x to y.y.y.y. At the same time, the vSRX automatically creates a reverse static NAT that translates the source address y.y.y.y to x.x.x.x.

This session shows the destination address translated with static NAT.

lab@vSRX> show security flow session    
Session ID: 50, Policy name: default-permit/4, Timeout: 1798, Valid
In: 200.1.1.5/7777 --> 200.1.1.100/80;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 9, Bytes: 2077, 
Out: 10.1.1.2/80 --> 200.1.1.5/7777;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 7, Bytes: 1977,

This session shows the source address translated with static NAT.

lab@vSRX> show security flow session
Session ID: 53, Policy name: default-permit/4, Timeout: 4, Valid
In: 10.1.1.2/40051 --> 200.1.1.5/22;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 84, 
Out: 200.1.1.5/22 --> 200.1.1.2/40051;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84, 

We only need to configure static NAT, because when we create a static NAT, it automatically creates a reverse static NAT. So the translation is bidirectional, covering both the source and the destination address. Static NAT is also a one-to-one address mapping (but PAT is available).

The match criteria (traffic direction and packet information) are required in static NAT, the same as in destination NAT, and the destination-address match criterion is mandatory.

On Juniper devices (Junos OS), static NAT takes precedence over source and destination NAT.
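As an added example that is not from the original post, the following set-style Junos configuration would produce the three scenarios described in the Source NAT, Destination NAT and Static NAT sections above, together with the Proxy ARP entry and the inbound security policy those scenarios need. The zone names trust/untrust, the choice of ge-0/0/0.0 as the internet-facing interface, and all pool, rule-set, address and policy names are my own assumptions.

```junos
# Source NAT, pool-based: hosts in 10.1.1.0/24 going to the internet are
# translated to 200.1.1.100 (PAT is on by default for a pool).
set security nat source pool SNAT-POOL address 200.1.1.100/32
set security nat source rule-set SNAT-RS from zone trust
set security nat source rule-set SNAT-RS to zone untrust
set security nat source rule-set SNAT-RS rule SNAT-R1 match source-address 10.1.1.0/24
set security nat source rule-set SNAT-RS rule SNAT-R1 then source-nat pool SNAT-POOL

# Destination NAT: 200.1.1.1 port 80 (the egress interface address) is
# translated to 10.1.1.2 port 80. Only a "from" direction is allowed.
set security nat destination pool DNAT-WEB address 10.1.1.2/32 port 80
set security nat destination rule-set DNAT-RS from zone untrust
set security nat destination rule-set DNAT-RS rule DNAT-R1 match destination-address 200.1.1.1/32
set security nat destination rule-set DNAT-RS rule DNAT-R1 match destination-port 80
set security nat destination rule-set DNAT-RS rule DNAT-R1 then destination-nat pool DNAT-WEB

# Static NAT: one-to-one 200.1.1.100 <-> 10.1.1.2 in both directions; the
# reverse (source) translation is created automatically. If this and the
# source NAT rule above are both committed, static NAT wins for 10.1.1.2.
set security nat static rule-set STATIC-RS from zone untrust
set security nat static rule-set STATIC-RS rule STATIC-R1 match destination-address 200.1.1.100/32
set security nat static rule-set STATIC-RS rule STATIC-R1 then static-nat prefix 10.1.1.2/32

# Proxy ARP: let the SRX answer ARP for the pool address, which is in the
# subnet of ge-0/0/0.0 but not assigned to any interface.
set security nat proxy-arp interface ge-0/0/0.0 address 200.1.1.100/32

# Inbound policy. Destination and static NAT run before the policy lookup,
# so the policy must match the translated (private) address, not 200.1.1.x.
set security address-book global address LOCAL-SERVER 10.1.1.2/32
set security policies from-zone untrust to-zone trust policy ALLOW-WEB match source-address any
set security policies from-zone untrust to-zone trust policy ALLOW-WEB match destination-address LOCAL-SERVER
set security policies from-zone untrust to-zone trust policy ALLOW-WEB match application junos-http
set security policies from-zone untrust to-zone trust policy ALLOW-WEB then permit
```

After committing, the show security flow session output should show the In/Out address pairs quoted in the sections above, which is the quickest check that the intended rule, and not a broader one, matched.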

If you want an explanation of NAT on Juniper devices in Bahasa Indonesia, check out the following video.

Okay, that's all for the explanation of NAT: source, destination, and static NAT. There is one more thing related to NAT, namely PAT (Port Address Translation). See the other articles about NAT on Juniper SRX series devices.
