
    Configuring Network Address Translation

    Network Address Translation (NAT) is a method for modifying or translating network address information in packet headers. Either or both source and destination addresses in a packet can be translated. NAT can include the translation of port numbers as well as IP addresses. In this solution, we are using Source and Destination NAT.

    Configure Source NAT

    Source NAT is the translation of the source IP address of a packet leaving the Juniper Networks device. Source NAT is used to allow hosts with private IP addresses to access a public network. Here, we have defined translation of the original source IP address to an IP address from a user-defined address pool, with Port Address Translation. The association between the original source IP address and the translated source IP address is dynamic. The configuration uses a source network (172.16.0.0/16) that is translated to the public pool address range (10.94.127.1 to 10.94.127.10). Proxy ARP is a required element of the solution for the address range 10.94.127.1/32 to 10.94.127.11/32 on interface reth1.0. Proxy ARP allows the Juniper Networks security device to respond to ARP requests received on the interface for the translated addresses (rather than only responding to ARP requests destined for the IP address of the firewall’s logical interfaces).

    Source NAT configuration is outlined in the following configuration example.

    To configure source NAT on the SRX chassis cluster, follow these steps:

    1. Configure the source NAT pool.
      [edit]
      set security nat source pool public-pool address 10.94.127.1/32 to 10.94.127.10/32
    2. Configure the source NAT rule set.
      [edit]
      set security nat source rule-set Internet-access from zone trust
      set security nat source rule-set Internet-access to zone untrust
      set security nat source rule-set Internet-access rule datacenter match source-address 172.16.0.0/16
      set security nat source rule-set Internet-access rule datacenter match destination-address 0.0.0.0/0
      set security nat source rule-set Internet-access rule datacenter then source-nat pool public-pool
    3. Configure proxy ARP on the outbound NAT interface (reth1, or untrust, in this example).
      [edit]
      set security nat proxy-arp interface reth1.0 address 10.94.127.1/32 to 10.94.127.10/32

    Configure Destination NAT

    Destination NAT is the translation of the destination IP address of a packet entering the Juniper Networks device. Destination NAT is used to redirect traffic destined to a virtual host (identified by the original destination IP address) to the real host (identified by the translated destination IP address). Destination NAT allows connections to be initiated only for incoming network connections—for example, from the Internet to a private network. The following configuration parameters were used in the example below:

    1. Destination NAT pool dst-nat-SA-pool1 contains the IP address 10.94.63.24/32. This device is a Juniper Networks SA Series SSL VPN Appliance (Remote Access Server). This device can also be provisioned as a virtual appliance.
    2. Destination NAT rule set SA with rule SA-rule1 to match packets received for destination IP address 10.94.127.33/32. For matching packets, the destination address is translated to the address in the dst-nat-SA-pool1 pool.
    3. Proxy ARP for the address 10.94.127.33/32 on interface reth1.0. This allows the Juniper Networks security device to respond to ARP requests received on the interface for that address.
    4. Security policies to permit traffic from the untrust zone to the translated destination IP address in the trust zone.

    Note: When destination NAT is performed, the destination IP address is translated according to configured destination NAT rules and then security policies are applied.

    To configure destination NAT on the SRX chassis cluster, follow these steps:

    1. Configure the destination NAT pool.
      [edit]
      set security nat destination pool dst-nat-SA-pool1 address 10.94.63.24/32
    2. Configure the destination NAT rule set.
      [edit]
      set security nat destination rule-set SA from zone untrust
      set security nat destination rule-set SA rule SA-rule1 match destination-address 10.94.127.33/32
      set security nat destination rule-set SA rule SA-rule1 then destination-nat pool dst-nat-SA-pool1
    3. Configure the proxy ARP on the inbound NAT interface.
      [edit]
      set security nat proxy-arp interface reth1.0 address 10.94.127.33/32
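    The following is an added Python model of the packet flow described on this page (it is not Junos code and not part of the original document): destination NAT is applied first, the security policy is then evaluated against the translated destination, and source NAT with PAT is applied last. The policies, the PAT port range start (1024) and the packet values are constructed assumptions; the NAT pools, rules and zones are the ones from this page.

```python
from ipaddress import ip_address, ip_network
from itertools import count

# Constructed model of the NAT rules on this page (illustrative, not Junos code).
SRC_POOL = [ip_address("10.94.127.1") + i for i in range(10)]   # public-pool: .1 to .10
SRC_RULE = {"from": "trust", "to": "untrust", "match": ip_network("172.16.0.0/16")}
DST_RULE = {"from": "untrust", "match": ip_address("10.94.127.33"),
            "pool": ip_address("10.94.63.24")}                   # dst-nat-SA-pool1
# Hypothetical policies. The untrust->trust rule names the real host, because
# destination NAT runs before the policy lookup (see the Note above).
GOOD_POLICIES = [("untrust", "trust", ip_network("10.94.63.24/32")),
                 ("trust", "untrust", ip_network("0.0.0.0/0"))]
# Common mistake: a policy on the virtual address never matches after translation.
WRONG_POLICIES = [("untrust", "trust", ip_network("10.94.127.33/32"))]

class NatDevice:
    def __init__(self, policies):
        self.policies = policies
        self.bindings = {}             # (orig src, sport) -> (pool addr, new port)
        self.ports = count(1024)       # assumed start of the PAT port range

    def translate(self, pkt):
        """Return the packet as it leaves the device, or None if policy drops it."""
        pkt = dict(pkt)
        # 1. Destination NAT first, keyed on the virtual (public) address.
        if pkt["from_zone"] == DST_RULE["from"] and pkt["dst"] == DST_RULE["match"]:
            pkt["dst"] = DST_RULE["pool"]
        # 2. Security policy is evaluated against the translated destination.
        if not any(f == pkt["from_zone"] and t == pkt["to_zone"] and pkt["dst"] in net
                   for f, t, net in self.policies):
            return None
        # 3. Source NAT with PAT on permitted trust->untrust traffic from 172.16.0.0/16.
        if (pkt["from_zone"], pkt["to_zone"]) == (SRC_RULE["from"], SRC_RULE["to"]) \
                and pkt["src"] in SRC_RULE["match"]:
            key = (pkt["src"], pkt["sport"])
            if key not in self.bindings:   # new session: next pool address and port
                n = len(self.bindings)
                self.bindings[key] = (SRC_POOL[n % len(SRC_POOL)], next(self.ports))
            pkt["src"], pkt["sport"] = self.bindings[key]
        return pkt

def packet(src, dst, sport, dport, from_zone, to_zone):
    return {"src": ip_address(src), "dst": ip_address(dst), "sport": sport,
            "dport": dport, "from_zone": from_zone, "to_zone": to_zone}

if __name__ == "__main__":
    dev = NatDevice(GOOD_POLICIES)
    print(dev.translate(packet("172.16.5.7", "192.0.2.10", 40000, 443, "trust", "untrust")))
    print(dev.translate(packet("198.51.100.9", "10.94.127.33", 51000, 443, "untrust", "trust")))
```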

    Published: 2015-04-20