
    Example: Configuring Static NAT for Subnet Translation

    This example describes how to configure a static NAT mapping of a private subnet address to a public subnet address.

    Note: Address blocks for static NAT mapping must be of the same size.

    Requirements

    Before you begin:

    1. Configure network interfaces on the device. See the Junos OS Interfaces Configuration Guide for Security Devices.
    2. Create security zones and assign interfaces to them. See Understanding Security Zones.

    Overview

    This example uses the trust security zone for the private address space and the untrust security zone for the public address space. In Figure 1, devices in the untrust zone access devices in the trust zone by way of public subnet address 1.1.1.0/24. For packets that enter the Juniper Networks security device from the untrust zone with a destination IP address in the 1.1.1.0/24 subnet, the destination IP address is translated to a private address on the 192.168.1.0/24 subnet. For new sessions originating from the 192.168.1.0/24 subnet, the source IP address in outgoing packets is translated to an address on the public 1.1.1.0/24 subnet.

    Figure 1: Static NAT Subnet Translation

    This example describes the following configurations:

    • Static NAT rule set rs1 with rule r1 to match packets received on interface ge-0/0/0.0 with a destination IP address in the 1.1.1.0/24 subnet. For matching packets, the destination address is translated to an address on the 192.168.1.0/24 subnet.
    • Proxy ARP for the address ranges 1.1.1.1/32 through 1.1.1.249/32 on interface ge-0/0/0.0. This allows the Juniper Networks security device to respond to ARP requests received on the interface for those addresses. The address 1.1.1.250/32 is assigned to the interface itself, so this address is not included in the proxy ARP configuration.
    • Security policies to permit traffic to and from the 192.168.1.0/24 subnet.
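    The following Python model is an added illustration (not Juniper code or part of the original page) of the two constraints the example relies on: the matched and translated blocks must be the same size so host bits carry over one-to-one, and the proxy-ARP range must cover the public block without including the interface's own address. The prefixes, the proxy-ARP range and the interface address 1.1.1.250 are taken from the example; the function names are this snippet's own.

```python
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed values mirroring the example: the matched public block, the private
# block it is translated to, the proxy-ARP range, and the interface's own address.
MATCH_PREFIX = ip_network("1.1.1.0/24")
NAT_PREFIX = ip_network("192.168.1.0/24")
PROXY_ARP_RANGE = (ip_address("1.1.1.1"), ip_address("1.1.1.249"))
INTERFACE_ADDR = ip_address("1.1.1.250")


def same_size(a: IPv4Network, b: IPv4Network) -> bool:
    """Static NAT maps blocks one-to-one, so both prefixes must have the same length."""
    return a.prefixlen == b.prefixlen


def translate(addr: str, src: IPv4Network = MATCH_PREFIX,
              dst: IPv4Network = NAT_PREFIX) -> Optional[str]:
    """Map addr from block src to block dst, keeping the host bits; None if no match.

    With (MATCH_PREFIX, NAT_PREFIX) this models destination translation of inbound
    packets; with the arguments swapped it models source translation for sessions
    that originate in the private subnet.
    """
    ip = ip_address(addr)
    if ip not in src:
        return None
    if not same_size(src, dst):
        raise ValueError("static NAT address blocks must be of the same size")
    host_bits = int(ip) - int(src.network_address)
    return str(ip_address(int(dst.network_address) + host_bits))


def proxy_arp_consistent(arp_range: Tuple[IPv4Address, IPv4Address],
                         public: IPv4Network, iface: IPv4Address) -> bool:
    """The proxy-ARP range must lie inside the public block and exclude the interface address."""
    lo, hi = arp_range
    return lo <= hi and lo in public and hi in public and not (lo <= iface <= hi)


def unanswered_public_addresses(arp_range: Tuple[IPv4Address, IPv4Address],
                                public: IPv4Network, iface: IPv4Address) -> List[str]:
    """Public addresses the device will neither proxy-ARP for nor own itself.

    Iterating the network includes the network and broadcast addresses on purpose:
    they are part of the matched /24 but no host can be reached through them.
    """
    lo, hi = arp_range
    return [str(a) for a in public if not (lo <= a <= hi) and a != iface]
```

    Running the checks against the example's values shows that only 1.1.1.0, 1.1.1.251 through 1.1.1.254 and 1.1.1.255 are left without an ARP responder, which is the expected gap given that .250 is the interface itself.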

    Configuration

    CLI Quick Configuration

    To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

    set security nat static rule-set rs1 from interface ge-0/0/0.0
    set security nat static rule-set rs1 rule r1 match destination-address 1.1.1.0/24
    set security nat static rule-set rs1 rule r1 then static-nat prefix 192.168.1.0/24
    set security nat proxy-arp interface ge-0/0/0.0 address 1.1.1.1/32 to 1.1.1.249/32
    set security address-book global address server-group 192.168.1.0/24
    set security policies from-zone trust to-zone untrust policy permit-all match source-address server-group
    set security policies from-zone trust to-zone untrust policy permit-all match destination-address any
    set security policies from-zone trust to-zone untrust policy permit-all match application any
    set security policies from-zone trust to-zone untrust policy permit-all then permit
    set security policies from-zone untrust to-zone trust policy server-access match source-address any
    set security policies from-zone untrust to-zone trust policy server-access match destination-address server-group
    set security policies from-zone untrust to-zone trust policy server-access match application any
    set security policies from-zone untrust to-zone trust policy server-access then permit

    Step-by-Step Procedure

    The following example requires you to navigate throughout various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

    To configure a static NAT mapping from a private subnet address to a public subnet address:

    1. Create a static NAT rule set.
       [edit security nat static]
       user@host# set rule-set rs1 from interface ge-0/0/0.0
    2. Configure a rule that matches packets and translates the destination address in the packets to an address in a private subnet.
       [edit security nat static]
       user@host# set rule-set rs1 rule r1 match destination-address 1.1.1.0/24
       user@host# set rule-set rs1 rule r1 then static-nat prefix 192.168.1.0/24
    3. Configure proxy ARP.
       [edit security nat]
       user@host# set proxy-arp interface ge-0/0/0.0 address 1.1.1.1/32 to 1.1.1.249/32
    4. Configure an address in the global address book.
       [edit security address-book global]
       user@host# set address server-group 192.168.1.0/24
    5. Configure a security policy that allows traffic from the untrust zone to the subnet in the trust zone.
       [edit security policies from-zone untrust to-zone trust]
       user@host# set policy server-access match source-address any destination-address server-group application any
       user@host# set policy server-access then permit
    6. Configure a security policy that allows all traffic from the subnet in the trust zone to the untrust zone.
       [edit security policies from-zone trust to-zone untrust]
       user@host# set policy permit-all match source-address server-group destination-address any application any
       user@host# set policy permit-all then permit

    Results

    From configuration mode, confirm your configuration by entering the show security nat and show security policies commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

    [edit]
    user@host# show security nat
    static {
        rule-set rs1 {
            from interface ge-0/0/0.0;
            rule r1 {
                match {
                    destination-address 1.1.1.0/24;
                }
                then {
                    static-nat prefix 192.168.1.0/24;
                }
            }
        }
    }
    proxy-arp {
        interface ge-0/0/0.0 {
            address {
                1.1.1.1/32 to 1.1.1.249/32;
            }
        }
    }
    user@host# show security policies
    from-zone trust to-zone untrust {
        policy permit-all {
            match {
                source-address server-group;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone untrust to-zone trust {
        policy server-access {
            match {
                source-address any;
                destination-address server-group;
                application any;
            }
            then {
                permit;
            }
        }
    }

    If you are done configuring the device, enter commit from configuration mode.

    Verification

    To confirm that the configuration is working properly, perform these tasks:

    Verifying Static NAT Configuration

    Purpose

    Verify that there is traffic matching the static NAT rule set.

    Action

    From operational mode, enter the show security nat static rule command. View the Translation hits field to check for traffic that matches the rule.

    Verifying NAT Application to Traffic

    Purpose

    Verify that NAT is being applied to the specified traffic.

    Action

    From operational mode, enter the show security flow session command.

    Published: 2012-06-29