JNCIS-SEC Lab – Interface NAT on the SRX

In this NAT configuration example I will be configuring Interface Network Adress Translation on the Juniper SRX, which will translate the source address of the original packets to the external interface addresss of the SRX.

This is the topology I will be using for all NAT configurations.

SRX NAT topology

These are the requirements for the configuration:

  • Traffic from the hosts in range 10.0.200.0/24
  • Destined to the untrust zone (the internet)
  • will be SNAT’ed to external interface IP of 1.1.1.1/32

First, I will configure an address book object for the network range.

[edit security zones security-zone trust]
root@NP-vSRX-01# set address-book address Net-10.0.200.0-24 10.0.200.0/24

And configure a security policy that allows http, https and dns-udp to the internet (any).

[edit security policies from-zone trust to-zone untrust policy FW-PermitWeb]
root@NP-vSRX-01# show
match {
    source-address Net-10.0.200.0-24;
    destination-address any;
    application [ junos-http junos-https junos-dns-udp ];
}
then {
    permit;
    log {
        session-close;
    }
}

To define the source NAT, I will first create a rule set that is specific for this zone pair.

Note – Rule-sets are where you will group different NAT rules based on traffic direction. You can match on interface, zone and routing-instance, as displayed below. When two rule-sets match for a particular traffic flow, the most specific one will be preferred, with interface being the most specific, then zones and finally routing-instances.

[edit security nat source rule-set NAT-Trust-to-Internet]
root@NP-vSRX-01# set from ?
Possible completions:
+ interface            Source interface list
+ routing-instance     Source routing instance list
+ zone                 Source zone list

The rule-set for this zone pair:

[edit security nat source]
root@NP-vSRX-01# show
rule-set NAT-Trust-to-Internet {
    from zone trust;
    to zone untrust;
}

And here is the NAT rule I have defined:

[edit security nat source rule-set NAT-Trust-to-Internet]
root@NP-vSRX-01# show rule NAT-Source-VLAN200
match {
    source-address 10.0.200.0/24;
}
then {
    source-nat {
        interface;
    }
}

I could have also defined to match on 0.0.0.0/0 as the destination address, but that would just have been one more line of code.

Verifiying the translations:

root@NP-vSRX-01> show security flow session source-prefix 10.0.200.0/24
Session ID: 17713, Policy name: FW-PermitWeb/4, Timeout: 2, Valid
  In: 10.0.200.10/49751 --> 8.8.8.8/53;udp, If: ge-0/0/2.0, Pkts: 1, Bytes: 55
  Out: 8.8.8.8/53 --> 1.1.1.1/29242;udp, If: ge-0/0/0.0, Pkts: 1, Bytes: 71

Session ID: 17714, Policy name: FW-PermitWeb/4, Timeout: 2, Valid
  In: 10.0.200.10/49751 --> 8.8.4.4/53;udp, If: ge-0/0/2.0, Pkts: 1, Bytes: 55
  Out: 8.8.4.4/53 --> 1.1.1.1/13555;udp, If: ge-0/0/0.0, Pkts: 1, Bytes: 71
Total sessions: 2

We see an internal traffic flow from 10.0.200.10 going to 8.8.8.8 and 8.8.4.4 (IN). The return traffic (OUT) is being sent to a translated port on 1.1.1.1, the interface IP.
This means that the NAT is working as required.

For a brief summary of the NAT configuration, enter the following:

root@NP-vSRX-01> show security nat source summary
Total port number usage for port translation pool: 0
Maximum port number for port translation pool: 33554432
Total pools: 0

Total rules: 1
Rule name          Rule set       From              To                   Action
NAT-Source-VLAN200 NAT-Trust-to-Internet trust      untrust              interface

And to view even more detail and some statistics about the rule:

root@NP-vSRX-01> show security nat source rule NAT-Source-VLAN200

source NAT rule: NAT-Source-VLAN200   Rule-set: NAT-Trust-to-Internet
  Rule-Id                    : 1
  Rule position              : 1
  From zone                  : trust
  To zone                    : untrust
  Match
    Source addresses         : 10.0.200.0      - 10.0.200.255
  Action                        : interface
    Persistent NAT type         : N/A
    Persistent NAT mapping type : address-port-mapping
    Inactivity timeout          : 0
    Max session number          : 0
  Translation hits           : 604
    Successful sessions      : 604
    Failed sessions          : 0
  Number of sessions         : 0

One thought on “JNCIS-SEC Lab – Interface NAT on the SRX”

Leave a Reply

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload the CAPTCHA.