Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

TechLibrary
Navigation
Table of Contents
Guide That Contains This Content
[+] Expand All
[-] Collapse All

    Example: Configuring Source NAT for Multiple Addresses with PAT

    This example describes how to configure a source NAT mapping of a private address block to a smaller public address block using port address translation.

    Requirements

    Before you begin:

    1. Configure network interfaces on the device. See the Junos OS Interfaces Configuration Guide for Security Devices PDF Document.
    2. Create security zones and assign interfaces to them. See Understanding Security Zones.

    Overview

    This example uses the trust security zone for the private address space and the untrust security zone for the public address space. In Figure 1, the source IP address in packets sent from the trust zone to the untrust zone is mapped to a smaller block of public addresses in the range from 1.1.1.1/32 through 1.1.1.24/32. Because the size of the source NAT address pool is smaller than the number of potential addresses that might need to be translated, port address translation is used.

    Note: Port address translation includes a source port number with the source IP address mapping. This allows multiple addresses on a private network to map to a smaller number of public IP addresses. Port address translation is enabled by default for source NAT pools.

    Figure 1: Source NAT Multiple Addresses with PAT

    Source NAT Multiple Addresses with PAT

    This example describes the following configurations:

    • Source NAT pool src-nat-pool-1 that contains the IP address range 1.1.1.1/32 through 1.1.1.24/32.
    • Source NAT rule set rs1 to match all packets from the trust zone to the untrust zone. For matching packets, the source IP address is translated to an IP address in the src-nat-pool-1 pool.
    • Proxy ARP for the addresses 1.1.1.1/32 through 1.1.1.24/32 on interface ge-0/0/0.0. This allows the Juniper Networks security device to respond to ARP requests received on the interface for those addresses.
    • Security policies to permit traffic from the trust zone to the untrust zone.

    Configuration

    CLI Quick Configuration

    To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

    set security nat source pool src-nat-pool-1 address 1.1.1.1/32 to 1.1.1.24/32 set security nat source rule-set rs1 from zone trust set security nat source rule-set rs1 to zone untrust set security nat source rule-set rs1 rule r1 match source-address 10.1.1.0/24set security nat source rule-set rs1 rule r1 match source-address 10.1.2.0/24set security nat source rule-set rs1 rule r1 match source-address 192.168.1.0/24set security nat source rule-set rs1 rule r1 match destination-address 0.0.0.0/0 set security nat source rule-set rs1 rule r1 then source-nat pool src-nat-pool-1 set security nat proxy-arp interface ge-0/0/0.0 address 1.1.1.1/32 to 1.1.1.24/32 set security policies from-zone trust to-zone untrust policy internet-access match source-address any set security policies from-zone trust to-zone untrust policy internet-access match destination-address any set security policies from-zone trust to-zone untrust policy internet-access match application any set security policies from-zone trust to-zone untrust policy internet-access then permit

    Step-by-Step Procedure

    The following example requires you to navigate throughout various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

    To configure a source NAT mapping from a private address block to a smaller public address block using PAT:

    1. Create a source NAT pool.
      [edit security nat source]user@host# set pool src-nat-pool-1 address 1.1.1.1 to 1.1.1.24
    2. Create a source NAT rule set.
      [edit security nat source]user@host# set rule-set rs1 from zone trustuser@host# set rule-set rs1 to zone untrust
    3. Configure a rule that matches packets and translates the source address to an address in the pool.
      [edit security nat source]user@host# set rule-set rs1 rule r1 match source-address [10.1.1.0/24 10.1.2.0/24 192.168.1.0/24]user@host# set rule-set rs1 rule r1 match destination-address 0.0.0.0/0user@host# set rule-set rs1 rule r1 then source-nat pool src-nat-pool-1
    4. Configure proxy ARP.
      [edit security nat]user@host# set proxy-arp interface ge-0/0/0.0 address 1.1.1.1 to 1.1.1.24
    5. Configure a security policy that allows traffic from the trust zone to the untrust zone.
      [edit security policies from-zone trust to-zone untrust]user@host# set policy internet-access match source-address any destination-address any application anyuser@host# set policy internet-access then permit

    Results

    From configuration mode, confirm your configuration by entering the show security nat and show security policies commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

    [edit]user@host# show security natsource {pool src-nat-pool-1 {address {1.1.1.1/32 to 1.1.1.24/32;}}rule-set rs1 {from zone trust;to zone untrust;rule r1 {match {source-address [10.1.1.0/24 10.1.2.0/24 192.168.1.0/24];destination-address 0.0.0.0/0;}then {source-nat {pool {src-nat-pool-1;}}}}}}proxy-arp {interface ge-0/0/0.0 {address {1.1.1.1/32 to 1.1.1.24/32;}}}user@host# show security policiesfrom-zone trust to-zone untrust {policy internet-access {match {source-address any;destination-address any;application any;}then {permit;}}}

    If you are done configuring the device, enter commit from configuration mode.

    Verification

    To confirm that the configuration is working properly, perform these tasks:

    Verifying Source NAT Pool Usage

    Purpose

    Verify that there is traffic using IP addresses from the source NAT pool.

    Action

    From operational mode, enter the show security nat source pool all command. View the Translation hits field to check for traffic using IP addresses from the pool.

    Verifying Source NAT Rule Usage

    Purpose

    Verify that there is traffic matching the source NAT rule.

    Action

    From operational mode, enter the show security nat source rule all command. View the Translation hits field to check for traffic that matches the rule.

    Verifying NAT Application to Traffic

    Purpose

    Verify that NAT is being applied to the specified traffic.

    Action

    From operational mode, enter the show security flow session command.

     

    Related Documentation

     

    Published: 2012-06-29

    Previous Page Next Page