Example: Configuring Destination NAT for Subnet Translation

This example describes how to configure a destination NAT mapping of a public subnet address to a private subnet address.

Note: Mapping addresses from one subnet to another can also be accomplished with static NAT. Static NAT mapping allows connections to be established from either side of the gateway device, whereas destination NAT allows connections to be established from only one side. However, static NAT only allows translations between blocks of addresses of the same size.

Requirements

Before you begin:

  1. Configure network interfaces on the device. See the Junos OS Interfaces Configuration Guide for Security Devices.
  2. Create security zones and assign interfaces to them. See Understanding Security Zones.

Overview

This example uses the trust security zone for the private address space and the untrust security zone for the public address space. In Figure 113, devices in the untrust zone reach devices in the trust zone by way of the public subnet address 1.1.1.0/16. For packets that enter the Juniper Networks security device from the untrust zone with a destination IP address in the 1.1.1.0/16 subnet, the destination IP address is translated to the corresponding private address on the 192.168.1.0/24 subnet. Two details of this example are worth checking before you reuse it: the rule matches a /16 prefix (1.1.1.0/16 has host bits set, so the prefix it names is 1.1.0.0/16) while the pool is a /24, and proxy ARP is configured only for 1.1.1.1 through 1.1.1.62, so hosts on the directly connected untrust segment can resolve, and therefore reach, only the public addresses in that range.

Figure 113: Destination NAT Subnet Translation


This example describes the following configurations:

  1. Destination NAT pool dst-nat-pool-1 that contains the 192.168.1.0/24 address.
  2. Destination NAT rule set rs1 with rule r1 to match packets received on the ge-0/0/0.0 interface with a destination address in the 1.1.1.0/16 subnet. For matching packets, the destination address is translated to an address in the dst-nat-pool-1 pool.
  3. Proxy ARP for the addresses 1.1.1.1 through 1.1.1.62 on interface ge-0/0/0.0. This allows the Juniper Networks security device to respond to ARP requests received on the interface for those addresses.
  4. Security policy to permit traffic from the untrust zone to the translated destination IP address in the trust zone.

Configuration

CLI Quick Configuration

To quickly configure a destination NAT mapping from a public subnet address to a private subnet address, copy the following commands and paste them into the CLI.

[edit]
set security nat destination pool dst-nat-pool-1 address 192.168.1.0/24
set security nat destination rule-set rs1 from interface ge-0/0/0.0
set security nat destination rule-set rs1 rule r1 match destination-address 1.1.1.0/16
set security nat destination rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-1
set security nat proxy-arp interface ge-0/0/0.0 address 1.1.1.1/32 to 1.1.1.62/32
set security zones security-zone trust address-book address internal-net 192.168.1.0/24
set security policies from-zone untrust to-zone trust policy internal-access match source-address any
set security policies from-zone untrust to-zone trust policy internal-access match destination-address internal-net
set security policies from-zone untrust to-zone trust policy internal-access match application any
set security policies from-zone untrust to-zone trust policy internal-access then permit

Step-by-Step Procedure

The following example requires you to navigate throughout various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure a destination NAT mapping from a public subnet address to a private subnet address:

  1. Create the destination NAT pool.
    [edit security nat destination]
    user@host# set pool dst-nat-pool-1 address 192.168.1.0/24
  2. Create a destination NAT rule set.
    [edit security nat destination]
    user@host# set rule-set rs1 from interface ge-0/0/0.0
  3. Configure a rule that matches packets and translates the destination address to an address in the pool.
    [edit security nat destination]
    user@host# set rule-set rs1 rule r1 match destination-address 1.1.1.0/16
    user@host# set rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-1
  4. Configure proxy ARP so that the device answers ARP requests on ge-0/0/0.0 for the public addresses that it translates.
    [edit security nat]
    user@host# set proxy-arp interface ge-0/0/0.0 address 1.1.1.1/32 to 1.1.1.62/32
  5. Configure an address book entry in the trust zone for the private subnet address.
    [edit security]
    user@host# set zones security-zone trust address-book address internal-net 192.168.1.0/24
  6. Configure a security policy that allows traffic from the untrust zone to the devices in the trust zone. Destination NAT is applied before the policy lookup, so the policy matches on the translated (private) destination address; this is why the policy references internal-net rather than the public subnet. The policy below permits any application; in production, restrict it to the applications the internal hosts are meant to serve.
    [edit security policies from-zone untrust to-zone trust]
    user@host# set policy internal-access match source-address any destination-address internal-net application any
    user@host# set policy internal-access then permit
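The following Python model walks an inbound packet through the three stages that the procedure above configures, in the order the flow applies them: proxy ARP on ge-0/0/0.0, destination NAT rule r1, and then the untrust-to-trust security policy evaluated against the post-NAT address. It is an added example for this page, not Junos code or device output. It assumes, as the overview states, that subnet-to-subnet destination NAT keeps the host part of the public address and replaces the network part with the pool's; the probe addresses are constructed for illustration.

```python
"""
Model of the destination NAT subnet translation configured on this page.
Added example, not Junos code. Stages, in the order the flow applies them:
proxy ARP on ge-0/0/0.0, destination NAT rule r1, then the untrust-to-trust
security policy, which matches on the translated (post-NAT) destination.
Assumption: subnet-to-subnet destination NAT keeps the host part of the
original address and replaces the network part with the pool's.
"""
import ipaddress

# Values taken from the example configuration on this page.
RULE_MATCH = "1.1.1.0/16"                              # rule r1 match destination-address
POOL = ipaddress.ip_network("192.168.1.0/24")          # pool dst-nat-pool-1
PROXY_ARP_LOW = ipaddress.ip_address("1.1.1.1")        # proxy-arp address range ...
PROXY_ARP_HIGH = ipaddress.ip_address("1.1.1.62")      # ... on ge-0/0/0.0
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")  # address-book entry internal-net

# 1.1.1.0/16 has host bits set; the prefix it names is 1.1.0.0/16.
MATCH_NET = ipaddress.ip_network(RULE_MATCH, strict=False)
# The pool-sized block around the address written in the rule: 1.1.1.0/24.
MATCH_BLOCK = ipaddress.ip_network(
    f"{RULE_MATCH.split('/')[0]}/{POOL.prefixlen}", strict=False)


def proxy_arp_answers(dst):
    """True if the device answers ARP for dst on ge-0/0/0.0 (only 1.1.1.1-1.1.1.62)."""
    return PROXY_ARP_LOW <= dst <= PROXY_ARP_HIGH


def translate(dst):
    """Return the post-NAT address, or None if rule r1 does not match dst."""
    if dst not in MATCH_NET:
        return None  # rule r1 does not match; the destination is left untouched
    if dst not in MATCH_BLOCK:
        # The /16 rule matches more addresses than the /24 pool can map
        # one-to-one. This model deliberately refuses to guess what the
        # device does for such addresses (assumption; verify on a device).
        raise ValueError(f"{dst} matches {MATCH_NET} but lies outside {MATCH_BLOCK}")
    host_part = int(dst) & int(POOL.hostmask)
    return ipaddress.ip_address(int(POOL.network_address) | host_part)


def evaluate(dst_str):
    """Walk one inbound packet through the three stages and report each outcome."""
    dst = ipaddress.ip_address(dst_str)
    result = {"dst": str(dst), "proxy_arp": proxy_arp_answers(dst),
              "translated": None, "policy": "no-match", "ambiguous": False}
    try:
        translated = translate(dst)
    except ValueError:
        result["ambiguous"] = True
        return result
    if translated is None:
        return result
    result["translated"] = str(translated)
    # The policy is evaluated after destination NAT, so it sees the private
    # address; this is why the address-book entry is internal-net, not 1.1.1.0/16.
    result["policy"] = "permit" if translated in INTERNAL_NET else "deny"
    return result


if __name__ == "__main__":
    # Constructed probe addresses: in range, outside proxy ARP, outside the
    # /24 block but inside the /16 rule, and unrelated traffic.
    for probe in ("1.1.1.10", "1.1.1.100", "1.1.5.10", "8.8.8.8"):
        print(evaluate(probe))
```

Running the model shows 1.1.1.10 translated to 192.168.1.10 and permitted, 1.1.1.100 translated but never answered by proxy ARP on the untrust segment, 1.1.5.10 matched by the /16 rule but outside the /24 block the pool can map, and 8.8.8.8 untouched. The second and third cases are the ones to resolve before deploying: either widen the proxy-ARP range to cover every public address that should be reachable, or narrow the rule match to 1.1.1.0/24 so that rule and pool are the same size.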

Results

From configuration mode, confirm your configuration by entering the show security nat and show security policies commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host# show security nat
destination {
    pool dst-nat-pool-1 {
        address 192.168.1.0/24;
    }
    rule-set rs1 {
        from interface ge-0/0/0.0;
        rule r1 {
            match {
                destination-address 1.1.1.0/16;
            }
            then {
                destination-nat pool dst-nat-pool-1;
            }
        }
    }
}
proxy-arp {
    interface ge-0/0/0.0 {
        address {
            1.1.1.1/32 to 1.1.1.62/32;
        }
    }
}
user@host# show security policies
from-zone untrust to-zone trust {
    policy internal-access {
        match {
            source-address any;
            destination-address internal-net;
            application any;
        }
        then {
            permit;
        }
    }
}

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying Destination NAT Pool Usage

Purpose

Verify that there is traffic using IP addresses from the destination NAT pool.

Action

From operational mode, enter the show security nat destination pool all command. View the Translation hits field to check for traffic using IP addresses from the pool.

Verifying Destination NAT Rule Usage

Purpose

Verify that there is traffic matching the destination NAT rule.

Action

From operational mode, enter the show security nat destination rule all command. View the Translation hits field to check for traffic that matches the rule.

Verifying NAT Application to Traffic

Purpose

Verify that NAT is being applied to the specified traffic.

Action

From operational mode, enter the show security flow session command. For a session that was translated by rule r1, the In wing shows the original public destination address (in the 1.1.1.0/16 subnet) and the Out wing shows the private 192.168.1.0/24 address that replaced it; a session whose both wings carry the public address was not translated.
