Example: Configuring Static NAT for Single Address Translation

This example describes how to configure a static NAT mapping of a single private address to a public address.

Requirements

Before you begin:

  1. Configure network interfaces on the device. See the Junos OS Interfaces Configuration Guide for Security Devices.
  2. Create security zones and assign interfaces to them. See Understanding Security Zones.

Overview

This example uses the trust security zone for the private address space and the untrust security zone for the public address space. In Figure 109, devices in the untrust zone access a server in the trust zone by way of public address 1.1.1.200/32. For packets that enter the Juniper Networks security device from the untrust zone with the destination IP address 1.1.1.200/32, the destination IP address is translated to the private address 192.168.1.200/32. For a new session originating from the server, the source IP address in the outgoing packet is translated to the public address 1.1.1.200/32.

Figure 109: Static NAT Single Address Translation


This example describes the following configurations:

Configuration

CLI Quick Configuration

To quickly configure a static NAT mapping from a private address to a public address, copy the following commands and paste them into the CLI.

[edit]
set security nat static rule-set rs1 from zone untrust
set security nat static rule-set rs1 rule r1 match destination-address 1.1.1.200/32
set security nat static rule-set rs1 rule r1 then static-nat prefix 192.168.1.200/32
set security nat proxy-arp interface ge-0/0/0.0 address 1.1.1.200/32
set security zones security-zone trust address-book address server-1 192.168.1.200/32
set security policies from-zone trust to-zone untrust policy permit-all match source-address server-1
set security policies from-zone trust to-zone untrust policy permit-all match destination-address any
set security policies from-zone trust to-zone untrust policy permit-all match application any
set security policies from-zone trust to-zone untrust policy permit-all then permit
set security policies from-zone untrust to-zone trust policy server-access match source-address any
set security policies from-zone untrust to-zone trust policy server-access match destination-address server-1
set security policies from-zone untrust to-zone trust policy server-access match application any
set security policies from-zone untrust to-zone trust policy server-access then permit

Step-by-Step Procedure

The following example requires you to navigate throughout various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure a static NAT mapping from a private address to a public address:

  1. Create a static NAT rule set.
    [edit security nat static]
    user@host# set rule-set rs1 from zone untrust
  2. Configure a rule that matches packets and translates the destination address in the packets to a private address.
    [edit security nat static]
    user@host# set rule-set rs1 rule r1 match destination-address 1.1.1.200/32
    user@host# set rule-set rs1 rule r1 then static-nat prefix 192.168.1.200/32
  3. Configure proxy ARP.
    [edit security nat]
    user@host# set proxy-arp interface ge-0/0/0.0 address 1.1.1.200
  4. Configure an address book entry in the trust zone for the server’s IP address.
    [edit security]
    user@host# set zones security-zone trust address-book address server-1 192.168.1.200/32
  5. Configure a security policy that allows traffic from the untrust zone to the server in the trust zone.
    [edit security policies from-zone untrust to-zone trust]
    user@host# set policy server-access match source-address any destination-address server-1 application any
    user@host# set policy server-access then permit
  6. Configure a security policy that allows all traffic from the server in the trust zone to the untrust zone.
    [edit security policies from-zone trust to-zone untrust]
    user@host# set policy permit-all match source-address server-1 destination-address any application any
    user@host# set policy permit-all then permit
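The bidirectional mapping the Overview describes and the proxy-ARP dependency from step 3, as an added Python example (not Junos code and not from this page): it parses the page's own set commands, applies the translation in both directions, and flags a translated public prefix that has no proxy-ARP entry. It generalizes to equal-length prefixes larger than /32 by preserving the host offset; the function names, the offline parser and the sample peer address 203.0.113.5 are assumptions.

```python
import ipaddress
import re

# Constructed sample input: the static NAT and proxy-ARP set commands from this page.
SET_COMMANDS = """
set security nat static rule-set rs1 from zone untrust
set security nat static rule-set rs1 rule r1 match destination-address 1.1.1.200/32
set security nat static rule-set rs1 rule r1 then static-nat prefix 192.168.1.200/32
set security nat proxy-arp interface ge-0/0/0.0 address 1.1.1.200/32
""".strip().splitlines()

FROM_ZONE = re.compile(r"rule-set (\S+) from zone (\S+)")
RULE_MATCH = re.compile(r"rule-set (\S+) rule (\S+) match destination-address (\S+)")
RULE_THEN = re.compile(r"rule-set (\S+) rule (\S+) then static-nat prefix (\S+)")
PROXY_ARP = re.compile(r"proxy-arp interface \S+ address (\S+)")

def parse_static_nat(lines):
    """Collect rules {(rule-set, rule): {public, private}}, the zone each
    rule set applies to, and the set of proxy-ARP prefixes."""
    rules, zones, proxy = {}, {}, set()
    for line in lines:
        if m := FROM_ZONE.search(line):
            zones[m[1]] = m[2]
        elif m := RULE_MATCH.search(line):
            rules.setdefault((m[1], m[2]), {})["public"] = ipaddress.ip_network(m[3])
        elif m := RULE_THEN.search(line):
            rules.setdefault((m[1], m[2]), {})["private"] = ipaddress.ip_network(m[3])
        elif m := PROXY_ARP.search(line):
            proxy.add(ipaddress.ip_network(m[1]))
    return rules, zones, proxy

def translate(rules, zones, in_zone, src, dst):
    """Static NAT is bidirectional: a packet entering from the rule set's zone
    gets its destination rewritten public -> private; a session started by the
    private host gets its source rewritten private -> public (offset preserved)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for (rule_set, _), r in rules.items():
        pub, priv = r["public"], r["private"]
        if in_zone == zones.get(rule_set) and dst in pub:
            offset = int(dst) - int(pub.network_address)
            return str(src), str(priv.network_address + offset)
        if in_zone != zones.get(rule_set) and src in priv:
            offset = int(src) - int(priv.network_address)
            return str(pub.network_address + offset), str(dst)
    return str(src), str(dst)  # no rule matched: forwarded untranslated

def missing_proxy_arp(rules, proxy):
    """Public prefixes the device would never answer ARP for (inbound traffic is dropped)."""
    return [str(r["public"]) for r in rules.values() if r["public"] not in proxy]
```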

Results

From configuration mode, confirm your configuration by entering the show security nat and show security policies commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host# show security nat
static {
    rule-set rs1 {
        from zone untrust;
        rule r1 {
            match {
                destination-address 1.1.1.200/32;
            }
            then {
                static-nat prefix 192.168.1.200/32;
            }
        }
    }
}
proxy-arp {
    interface ge-0/0/0.0 {
        address {
            1.1.1.200/32;
        }
    }
}
user@host# show security policies
from-zone trust to-zone untrust {
    policy permit-all {
        match {
            source-address server-1;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
from-zone untrust to-zone trust {
    policy server-access {
        match {
            source-address any;
            destination-address server-1;
            application any;
        }
        then {
            permit;
        }
    }
}

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying Static NAT Configuration

Purpose

Verify that there is traffic matching the static NAT rule set.

Action

From operational mode, enter the show security nat static rule command. View the Translation hits field to check for traffic that matches the rule.

Verifying NAT Application to Traffic

Purpose

Verify that NAT is being applied to the specified traffic.

Action

From operational mode, enter the show security flow session command.
