JunOS Configuration Snippets – NAT

Following on to my previous JunOS config snippet post, here’s another one showing example configurations for a few different NAT scenarios.

Traditional NAT Overload (Source NAT for Outgoing Connections)

This is a traditional overloaded NAT that’s commonly used to NAT outgoing connections from an internal network with private addresses to the Internet where you have a limited number of public IP addresses.

security {
   nat {
      # Source NAT used for overloaded NAT
      source {
         # Source NAT pool used if you are not source NAT'ing to an IP address directly configured on your egress / Internet facing interface
         pool SNAT-ADDRESSES {
            address {
               192.168.32.15/32 to 192.168.32.20/32;
            }
         }
         rule-set INTERNAL_TO_INTERNET {
            from zone INTERNAL;
            to zone INTERNET;
            rule TEST {
               match {
                  # Match any outgoing connections from 192.168.35.0/24
                  source-address 192.168.35.0/24;
               }
               then {
                  source-nat {
                     # Source NAT them to the SRX's IP on the egress interface
                     interface;
                     # Alternatively, instead of source NAT'ing to a local IP on the router you could source NAT to a NAT pool.
                     # This would be used where your ISP is routing a block of IPs to the IP configured on your outside facing interface.
                     # A rule takes either 'interface' or 'pool', not both, so the pool form is shown commented out here:
                     # pool SNAT-ADDRESSES;
                  }
               }
            }
         }
      }
   }
}

There are some cases where you might want to configure a specific external IP for outgoing connections from one specific host (perhaps a mail server). It's pretty easy to configure that: just add a more specific rule for that one host above the general rule, matching on its address as the source address for the connection, and configure the IP it should be source NAT'ed to.

If you're NAT'ing to an IP address that's not directly configured on your outside facing interface, and this IP is in the same subnet as your directly configured IP, you'll need to explicitly configure proxy-arp for this address. This is needed so the Juniper device will know to reply to ARP requests for that address (even though that IP is not directly configured on the interface). If the IP is on a different subnet from the IP on the interface, then your ISP is routing traffic for those addresses to you. So, their router won't do an ARP request for the NAT IP; it will know to set the destination MAC address on the Ethernet frame to the MAC that corresponds to the IP address on your physical interface. Here's a sample proxy-arp configuration:

security {
   nat {
      proxy-arp {
         interface ge-0/0/0.100 {
            address {
               192.168.32.10/32;
            }
         }
      }
   }
}
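As an added example (not part of the original post), here is a small Python check that applies the proxy-arp rule just described to the NAT addresses used in these snippets: it classifies each address relative to the egress interface and renders the proxy-arp stanza for the ones that need it. The interface address 192.168.32.1/24 and the ISP-routed 203.0.113.5 entry are constructed assumptions; the other addresses are the ones from the configs on this page.

```python
# Added example (not from the original post). The interface address 192.168.32.1/24
# and the 203.0.113.5 entry are constructed; the rest come from the page's NAT configs.
import ipaddress

def expand(entry: str):
    """Expand a pool entry ('a/32 to b/32') or a single prefix into host addresses."""
    if " to " in entry:
        lo, hi = (ipaddress.ip_interface(p.strip()).ip for p in entry.split(" to "))
        return [ipaddress.ip_address(i) for i in range(int(lo), int(hi) + 1)]
    net = ipaddress.ip_network(entry, strict=False)
    return [net.network_address] if net.prefixlen == net.max_prefixlen else list(net.hosts())

def classify(interface_addr: str, entries):
    """Map each NAT address to 'on-interface', 'needs-proxy-arp' or 'routed'."""
    iface = ipaddress.ip_interface(interface_addr)
    verdict = {}
    for entry in entries:
        for addr in expand(entry):
            if addr == iface.ip:
                verdict[str(addr)] = "on-interface"      # SRX already answers ARP for it
            elif addr in iface.network:
                verdict[str(addr)] = "needs-proxy-arp"  # upstream router will ARP for it
            else:
                verdict[str(addr)] = "routed"           # ISP must route it to the interface IP
    return verdict

def proxy_arp_stanza(ifname: str, interface_addr: str, entries) -> str:
    """Render the 'security nat proxy-arp' stanza for the addresses that need one."""
    needed = [a for a, v in classify(interface_addr, entries).items() if v == "needs-proxy-arp"]
    if not needed:
        return ""
    body = "\n".join(f"               {a}/32;" for a in needed)
    return (f"security {{\n   nat {{\n      proxy-arp {{\n         interface {ifname} {{\n"
            f"            address {{\n{body}\n            }}\n         }}\n      }}\n   }}\n}}")

NAT_ENTRIES = [
    "192.168.32.1/32",                       # source-nat 'interface' (constructed interface IP)
    "192.168.32.15/32 to 192.168.32.20/32",  # pool SNAT-ADDRESSES
    "192.168.32.10/32",                      # destination NAT match address
    "192.168.32.200/32",                     # static NAT "outside" address
    "203.0.113.5/32",                        # constructed: ISP-routed block, nobody ARPs for it
]

if __name__ == "__main__":
    print(proxy_arp_stanza("ge-0/0/0.100", "192.168.32.1/24", NAT_ENTRIES))
```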

Destination NAT for Incoming Connections

security {
   nat {
      destination {
         # Destination NAT pool for each internal service endpoint
         pool RDP-ADDRESS {
            address 192.168.35.200/32 port 3389;
         }
         rule-set INTERNET_TO_INTERNAL {
            from zone INTERNET;
            rule RDP {
               match {
                  # Connections to 192.168.32.10:3389 on my Internet interface are translated to 192.168.35.200:3389 on the inside
                  destination-address 192.168.32.10/32;
                  destination-port 3389;
               }
               then {
                  destination-nat pool RDP-ADDRESS;
               }
            }
         }
      }
   }
}

As I mentioned under source NAT, proxy-arp would also need to be configured in this case if 192.168.32.10 were not the IP directly configured on my outside facing interface (assuming my service provider is not statically routing those addresses to the external address on my Juniper).

Static / Bidirectional NAT

Static NAT translates both incoming and outgoing connections for a particular set of IP addresses.

nat {
    static {
        rule-set INTERNET_STATIC {
            from zone INTERNET;
            rule desktop1 {
                match {
                    # "Outside" IP for host
                    destination-address 192.168.32.200/32;
                }
                then {
                    # "Inside" IP for host
                    static-nat prefix 192.168.35.200/32;
                }
            }
        }
    }
}

IPv6 Prefix Translation

I was excited to see that JunOS supports this. IOS does not currently support it. A lot of people proclaim that IPv6 will eliminate the need for NAT, but I think this is a really useful tool to have in my arsenal in some situations.

For one, I don't want to have to renumber my internal network if my external facing IPs change. This kind of prefix translation can be done statelessly (though the SRX keeps state for each connection anyway if it's in flow mode), so it really doesn't share many of the ugly properties of NAT44.

This is just configured as a normal static NAT.

static {
    rule-set INTERNAL_INTERNET {
        from zone INTERNET;
        rule ipv6natpt {
            match {
                # "External" IPv6 prefix
                destination-address 2001:1234:5678::/48;
            }
            then {
                # "Internal" IPv6 prefix
                static-nat prefix 2001:FEDC:BA98::/48;
            }
        }
    }
}
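Added example, not from the original post: a Python model of what the static-nat rewrite does to an address, covering both the IPv4 desktop1 rule in the previous section and the IPv6 ipv6natpt rule above. The prefixes are the ones from this page; the host addresses fed in are constructed, and the outbound function is the 1:1 inverse rewrite that makes prefix translation work without per-connection state.

```python
# Added example (not from the original post). Prefixes are the page's own;
# the sample host addresses are constructed.
import ipaddress

def static_nat(addr: str, match_prefix: str, nat_prefix: str):
    """Rewrite addr's prefix bits from match_prefix to nat_prefix, keeping the host bits.
    Mirrors 'match destination-address <match_prefix>; then static-nat prefix <nat_prefix>'.
    Raises ValueError if addr is outside match_prefix or the prefixes differ in family
    or length, because static NAT is a 1:1 mapping and has nothing to map to otherwise."""
    src_net = ipaddress.ip_network(match_prefix)
    dst_net = ipaddress.ip_network(nat_prefix)
    ip = ipaddress.ip_address(addr)
    if src_net.version != dst_net.version or src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("static-nat prefixes must be the same family and length")
    if ip not in src_net:
        raise ValueError(f"{ip} is not matched by {src_net}")
    host_bits = src_net.max_prefixlen - src_net.prefixlen
    host_part = int(ip) & ((1 << host_bits) - 1)          # keep the host portion unchanged
    return ipaddress.ip_address(int(dst_net.network_address) | host_part)

# (match destination-address, static-nat prefix) pairs from the page's rules
DESKTOP1 = ("192.168.32.200/32", "192.168.35.200/32")
IPV6NATPT = ("2001:1234:5678::/48", "2001:FEDC:BA98::/48")

def inbound(dst: str, rule) -> str:
    """Destination rewrite applied to a packet arriving from zone INTERNET."""
    return str(static_nat(dst, rule[0], rule[1]))

def outbound(src: str, rule) -> str:
    """Reverse (source) rewrite for the return or outgoing direction; no state needed."""
    return str(static_nat(src, rule[1], rule[0]))

if __name__ == "__main__":
    print(inbound("192.168.32.200", DESKTOP1))          # 192.168.35.200
    print(inbound("2001:1234:5678:1::10", IPV6NATPT))   # 2001:fedc:ba98:1::10
```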
