Example: Configuring Static NAT for Single Address Translation

Requirements

1. Configure network interfaces on the device. See the Junos OS Interfaces Configuration Guide for Security Devices .
2. Create security zones and assign interfaces to them. See Understanding Security Zones.

Overview

This example uses the trust security zone for the private address space and the untrust security zone for the public address space. In Figure 1, devices in the untrust zone access a server in the trust zone by way of public address 1.1.1.200/32. For packets that enter the Juniper Networks security device from the untrust zone with the destination IP address 1.1.1.200/32, the destination IP address is translated to the private address 192.168.1.200/32. For a new session originating from the server, the source IP address in the outgoing packet is translated to the public address 1.1.1.200/32.

Figure 1: Static NAT Single Address Translation

• Static NAT rule set rs1 with rule r1 to match packets from the untrust zone with the destination address 1.1.1.200/32. For matching packets, the destination IP address is translated to the private address 192.168.1.200/32.
• Proxy ARP for the address 1.1.1.200 on interface ge-0/0/0.0. This allows the Juniper Networks security device to respond to ARP requests received on the interface for that address.
• Security policies to permit traffic to and from the 192.168.1.200 server.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

Step-by-Step Procedure

1. Create a static NAT rule set.
   [edit security nat static]user@host# set rule-set rs1 from zone untrust
2. Configure a rule that matches packets and translates the destination address in the packets to a private address.
   [edit security nat static]user@host# set rule-set rs1 rule r1 match destination-address 1.1.1.200/32user@host# set rule-set rs1 rule r1 then static-nat prefix 192.168.1.200/32
3. Configure proxy ARP.
   [edit security nat]user@host# set proxy-arp interface ge-0/0/0.0 address 1.1.1.200
4. Configure an address in the global address book.
   [edit security address-book global]user@host# set address server-1 192.168.1.200/32
5. Configure a security policy that allows traffic from the untrust zone to the server in the trust zone.
   [edit security policies from-zone untrust to-zone trust]user@host# set policy server-access match source-address any destination-address server-1 application anyuser@host# set policy server-access then permit
6. Configure a security policy that allows all traffic from the server in the trust zone to the untrust zone.
   [edit security policies from-zone trust to-zone untrust]user@host# set policy permit-all match source-address server-1 destination-address any application anyuser@host# set policy permit-all then permit

Results

From configuration mode, confirm your configuration by entering the show security nat and show security policies commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

• Verifying Static NAT Configuration
• Verifying NAT Application to Traffic

Verifying Static NAT Configuration

Purpose

Verify that there is traffic matching the static NAT rule set.

Action

From operational mode, enter the show security nat static rule command. View the Translation hits field to check for traffic that matches the rule.

Verifying NAT Application to Traffic

Purpose

Verify that NAT is being applied to the specified traffic.

Action

From operational mode, enter the show security flow session command.