Example: Configuring Destination NAT for IP Address and Port Translation

This example describes how to configure destination NAT mappings of a public address to private addresses, depending on the port number.

Requirements

Before you begin:

Configure network interfaces on the device. See the Junos OS Interfaces Configuration Guide for Security Devices.
Create security zones and assign interfaces to them. See Understanding Security Zones.

Overview

This example uses the trust security zone for the private address space and the untrust security zone for the public address space. In Figure 112, devices in the untrust zone access servers in the trust zone by way of public address 1.1.1.200 on port 80 or 8000. Packets entering the Juniper Networks security device from the untrust zone are mapped to the private addresses of the servers as follows:

The destination IP address 1.1.1.200 and port 80 is translated to the private address 192.168.1.200 and port 80.
The destination IP address 1.1.1.200 and port 8000 is translated to the private address 192.168.1.220 and port 8000.

Figure 112: Destination NAT Address and Port Translation

Image g030666.gif

This example describes the following configurations:

Destination NAT pool dst-nat-pool-1 that contains the IP address 192.168.1.200 port 80.
Destination NAT pool dst-nat-pool-2 that contains the IP address 192.168.1.220 and port 8000.
Destination NAT rule set rs1 with rule r1 to match packets received from the untrust zone with the destination IP address 1.1.1.200 and destination port 80. For matching packets, the destination address is translated to the address in the dst-nat-pool-1 pool.
Destination NAT rule set rs1 with rule r2 to match packets received from the untrust zone with the destination IP address 1.1.1.200 and destination port 8000. For matching packets, the destination IP address and port are translated to the address and port in the dst-nat-pool-2 pool.
Proxy ARP for the address 1.1.1.200/32. This allows the Juniper Networks security device to respond to ARP requests received on the interface for that address.
Security policies to permit traffic from the untrust zone to the translated destination IP addresses in the trust zone.

Configuration

CLI Quick Configuration

To quickly configure a destination NAT mapping from a public address to a private address, copy the following commands and paste them into the CLI.

[edit]set security nat destination pool dst-nat-pool-1 address 192.168.1.200/32 set security nat destination pool dst-nat-pool-1 address port 80 set security nat destination pool dst-nat-pool-2 address 192.168.1.220/32 set security nat destination pool dst-nat-pool-2 address port 8000 set security nat destination rule-set rs1 from zone untrust set security nat destination rule-set rs1 rule r1 match destination-address 1.1.1.200/32 set security nat destination rule-set rs1 rule r1 match destination-port 80 set security nat destination rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-1 set security nat destination rule-set rs1 rule r2 match destination-address 1.1.1.200/32 set security nat destination rule-set rs1 rule r2 match destination-port 8000 set security nat destination rule-set rs1 rule r2 then destination-nat pool dst-nat-pool-2 set security nat proxy-arp interface ge-0/0/0.0 address 1.1.1.200/32 set security zones security-zone trust address-book address server-2 192.168.1.220/32 set security zones security-zone tru address-book address server-1 192.168.1.200/32 set security policies from-zone untrust to-zone trust policy server-access match source-address any set security policies from-zone untrust to-zone trust policy server-access match destination-address server-1 set security policies from-zone untrust to-zone trust policy server-access match destination-address server-2 set security policies from-zone untrust to-zone trust policy server-access match application any set security policies from-zone untrust to-zone trust policy server-access then permit

Step-by-Step Procedure

The following example requires you to navigate throughout various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure a destination NAT mapping from a public address to a private address:

Create destination NAT pools.
[edit security nat destination]user@host# set pool dst-nat-pool-1 address 192.168.1.200 port 80user@host# set pool dst-nat-pool-2 address 192.168.1.220 port 8000
Create a destination NAT rule set.
[edit security nat destination]user@host# set rule-set rs1 from zone untrust
Configure a rule that matches packets and translates the destination address to the address in the pool.
[edit security nat destination]user@host# set rule-set rs1 rule r1 match destination-address 1.1.1.200user@host# set rule-set rs1 rule r1 match destination-port 80user@host# set rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-1
Configure a rule that matches packets and translates the destination address to the address in the pool.
[edit security nat destination]user@host# set rule-set rs1 rule r2 match destination-address 1.1.1.200user@host# set rule-set rs1 rule r2 match destination-port 8000user@host# set rule-set rs1 rule r2 then destination-nat pool dst-nat-pool-2
Configure proxy ARP.
[edit security nat]user@host# set proxy-arp interface ge-0/0/0.0 address 1.1.1.200/32
Configure address book entries in the trust zone for the server addresses.
[edit security]user@host# set zones security-zone trust address-book address server-1 192.168.1.200/32user@host# set zones security-zone trust address-book address server-2 192.168.1.220/32
Configure a security policy that allows traffic from the untrust zone to the servers in the trust zone.
[edit security policies from-zone untrust to-zone trust]user@host# set policy server-access match source-address any destination-address [server-1 server-2] application anyuser@host# set policy server-access then permit

Results

From configuration mode, confirm your configuration by entering the show security nat and show security policies commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]user@host# show security natdestination {pool dst-nat-pool-1 {address 192.168.1.200/32 port 80;}pool dst-nat-pool-2 {address 192.168.1.220/32 port 8000;}rule-set rs1 {from zone untrust;rule r1 {match {destination-address 1.1.1.200/32;destination-port 80;}then {destination-nat pool dst-nat-pool-1;}}rule r2 {match {destination-address 1.1.1.200/32;destination-port 8000;}then {destination-nat pool dst-nat-pool-2;}}}}proxy-arp {interface ge-0/0/0.0 {address {1.1.1.200/32;}}}user@host# show security policiesfrom-zone untrust to-zone trust {policy server-access {match {source-address any;destination-address [ server-1 server-2 ];application any;}then {permit;}}}

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying Destination NAT Pool Usage

Purpose

Verify that there is traffic using IP addresses from the destination NAT pool.

Action

From operational mode, enter the show security nat destination pool all command. View the Translation hits field to check for traffic using IP addresses from the pool.

Verifying Destination NAT Rule Usage

Purpose

Verify that there is traffic matching the destination NAT rule.

Action

From operational mode, enter the show security nat destination rule all command. View the Translation hits field to check for traffic that matches the rule.

Example: Configuring Destination NAT for IP Address and Port Translation

Requirements

Overview

Configuration

CLI Quick Configuration

Step-by-Step Procedure

Results

Verification

Verifying Destination NAT Pool Usage

Purpose

Action

Verifying Destination NAT Rule Usage

Purpose

Action

Verifying NAT Application to Traffic

Purpose

Action

Related Topics